On 12/12/2013 12:07 PM, Yosem Companys wrote:
> Why? Because as you can probably surmise, there is an inherent
> impedance mismatch between being able to host a commercial
> communications service that gives the utmost in privacy to its users,
> against any breach, whilst at the same time being able to operate
> safely within the confines of the law as it is on the books in most
> countries on the planet.

This bit is fascinating, when combined with a stackexchange response from their CEO back in March... I guess they were too optimistic about their ability to comply by providing encrypted blobs.

http://security.stackexchange.com/questions/13226/how-can-privatesky-not-see-your-data

"From a business perspective, our architecture also accomplishes the following: We will be served with requests for information from authorities. That’s a fact of life when you run a SaaS business. Thankfully, in the UK and the EU, there is due process and law for this. How we comply, and our ability to prove the extent of our compliance, rests with the architecture we develop. If your data is accessible by us in the clear, then we have to turn it over. If it’s not, then we still have to turn it over. But if what we turn over is encrypted, and we don’t possess the keys, then what good is the data (it’s encrypted), and what good is serving a FISMA warrant or EU equivalent on us? Complying with requests for information is really, really expensive for a young company. Not being a target for such requests is a competitive edge."

***

In summary, any secure service that relies upon one group or legal entity running servers is not robust or resilient from a lawful intercept perspective, even if you have end-to-end encryption properly implemented. This is what distinguishes this case from the Lavabit one, it seems.

Does this mean Freenode or OFTC could be shut down for allowing OTR-encrypted chat? What about Google, Facebook or DuckDuckGo, for having open XMPP services that allow OTR? In the case of Facebook, they do flag when OTR is used (it shows an "[encrypted]" tag in the web interface), which I have been meaning to ask someone about...

+n

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech.