It seems like there is this new narrative in some peoples minds about "all
companies backdoor everything and cooperate with law enforcement with no
questions asked, what do you expect". I have to disagree strongly with this
narrative to combat this narrative displacing reality! I've seen several
people saying similar things in this thread. No I say.
I think the point is not that a company could backdoor something. We know
that companies that have information for whatever pre-existing reason that
may help investigations will typically be expected to hand it over with
appropropriate legal checks and balances, a court order, subpoena etc.
Sometimes their lawyers will fight it if the subpoena is ridiculously broad,
and thats not that unusual. Sometimes there are gag orders to prevent the
fact that a subpoena was received from being disclosed to the target, or
disclosed ever. The latter is considered fairly obnoxious.
Now and then there are rumours or claims of forced changes that eg hushmail
maybe changed some code in response to law enforcement request of some kind.
However it is not the case that anything that could be backdoored is
backdoored. Do you think all SMIME email clients, all SSL clients (embedded
and browser), all SSL web servers, all VPNs are backdoored? I seriously
doubt any of them are backdoored in fact. Would those taking the "what do
you expect" narrative like to try your narrative against web servers and
VPNs?
Now web2.0 types of things that involve social media and messages being
stored online obviously are targets for subpoenas and dont typically involve
more than transport encryption.
IM most of the clients are not end2end by design - ie like web20 there is
transport encryption from client to server, but a central server that sees
all traffic. As someone mentioned many companies run their own server for
this reason (to avoid traffic being readable to the internet scale IM server
operator). Skype was claimed to be end2end secure. The skype security
review white paper saying so is still on their web page. The privacy policy
just says they will hand over information they have, in response to valid
legal requests, which is a non-statement, companies operatate in
jurisdictions which issue legal requests. For all we know skype may still
be end2end secure when used with a strong password, except for uploading
URLs for some ill thought out malware checking. Or not, maybe thats
happening server side, no one took the trouble to determine (its easy enough
I think as I said just upload lots of URLs and same character count with no
URLs and count the byte count of the traffic flow). The password reset
doesnt sound so good, possibly not being technically end2end, but presumably
you dont have to use that.
So anyway, no, products riddled with backdoors is not acceptable, its not
business as usual, and we do expect better. And if companies are
advertising end2end security, and yet routinely decrypting all traffic, in
many countries that could open them up to fines and possible prosecution for
false advertising.
Adam
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
