On 9/9/2015 9:23 AM, Mike Hoye wrote:
"Any requirement that systems be designed or modified to enable third-party access to encrypted data undermines user security. The goal of computer security is to protect users' data from any access that user has not authorized; any mechanism that allows the state to circumvent the users' wishes can be co-opted and abused by other states or non-state actors to do the same. The same is true of surveillance and monitoring tools; it is impossible in practice to tell a lawful actor with "backdoor" access from an unlawful one. Without the transparency and accountability of open source software and open systems designed to secure user data rather than facilitate third-party access, those systems that states use are increasingly vulnerable to foreign and non-state compromise."
There is an implicit assumption in the way this is worded that "MY government is assumed to be benign, but YOUR government may be dangerous."
There's a hint of trying to being politically sensitive to the fact that we all have to live under some government that we don't want to antagonize, but we want to find acceptable reasons why we will deny them access to our user's data without actually coming out and saying that the government itself might be evil. But face it, some are - maybe even yours (or mine) without naming any nationalities here.
Do we really have to be that cautious in our wording? Is there some way that you can say that Mozilla is an international organization that appeals to a diverse audience, and we cannot make any a priori assumptions about who is or is not a legitimate entity that should have privileged access to our user's data (subject to the laws that we are forced to obey)?
Nit: "from any access that user has not authorized" is really begging for a double that "access that that user". I agree with http://english.stackexchange.com/questions/3418/how-do-you-handle-that-that-the-double-that-problem : "it was a logic distractor, could lead to confusion, and therefore should be reworded to avoid this."
As a side note, Thunderbird is starting to work closely with the Pretty Easy Privacy Foundation http://pep-project.org to make end-to-end communication encryption a priority, so this issue is pretty close to our heart these days. See also the large number of comments at https://blog.mozilla.org/thunderbird/2015/08/thunderbird-and-end-to-end-email-encryption-should-this-be-a-priority/
R Kent James Chair, Thunderbird Council _______________________________________________ governance mailing list [email protected] https://lists.mozilla.org/listinfo/governance
