Separately I think the most susceptible CALEA component is Silent Mail - because it's not using a peer-to-peer model by default. So, as of now, I don't think CALEA can force the software to be poisoned unless SC also does store-and-fwd of the message. This has always been a point of confusion between attorneys and actual companies complying in my experience. I trust other people here know exactingly how this all works.
Either way, I want some verbiage clarification from SC on the topic anyhow. Cheers, -Ali

On Wed, Nov 21, 2012 at 2:45 PM, Ali-Reza Anghaie <[email protected]> wrote:
> They have a bit about what they can and will turn over at:
>
> https://silentcircle.com/web/law-compliance/
>
> And make mention of CALEA. There is some ambiguity IMO I'm not thrilled
> with so I'm reaching out about that. I know it's not enough for you but I
> still think that given the target audiences using nothing, this is still a
> huge (potential) win if they hit a stride. -Ali
>
> Key quotes:
>
> "We retain the following information as part of our normal business
> functions:
>
> Authentication information — your user name and hashed password. We hash
> passwords with a twelve-character random salt and 20,000 iterations of
> HMAC-SHA256 via PBKDF2.
>
> Your contact email address.
>
> Your Silent Phone number that we issue you
>
> Server IP Logs for login only. We currently retain these for 7 days, and
> are working to reduce this to 24 hours"
>
> "We are a law-abiding company, and US law (the Communications Assistance
> for Law Enforcement Act, CALEA) makes it clear that communications service
> providers can deliver products to their customers that use encryption to
> protect their communications without having the ability to decrypt those
> communications. This means no Government-mandated backdoors. Indeed,
> history has shown that backdoors created for law enforcement interception
> are themselves a security liability, and present an irresistible target for
> hackers and state sponsored attackers."
>
> And
>
> "We must and will comply with valid legal demands for the very limited
> information we hold. Thus, we want to make it clear that when legally
> compelled to do so, we will turn over the little information we hold,
> described above. Before turning it over, however, we will evaluate the
> request to make sure it complies with the letter and spirit of the law.
> And, consistent with best privacy practices followed by other companies,
> when possible and legally permissible, we will notify the user in order to
> give him or her the opportunity to object to the disclosure."
-- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
