Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] PrivateSky Takedown

Nathan of Guardian nathan at guardianproject.info
Thu Dec 12 09:51:07 PST 2013


On 12/12/2013 12:07 PM, Yosem Companys wrote:
> Why? Because as you can probably surmise, there is an inherent
> impedance mismatch between being able to host a commercial
> communications service that gives the upmost in privacy to its users,
> against any breach, whilst at the same time being able to operate
> safely within the confines of the law as it is on the books in most
> countries on the planet.

This bit is fascinating, when combined with a stackexchange response
from their CEO back in March... I guess they were too optimistic about
their ability to comply by providing encrypted blobs.

http://security.stackexchange.com/questions/13226/how-can-privatesky-not-see-your-data

"From a business perspective, our architecture also accomplishes the
following: We will be served with requests for information from
authorities. That’s a fact of life when you run a Saas business.
Thankfully, in the UK and the EU, there is due process and law for this.
How we comply, and our ability to prove the extent of our compliance,
rests with the architecture we develop. If your data is accessible by us
in the clear, then we have to turn it over. If it’s not, then we still
have to turn it over. But if what we turn over is encrypted, and we
don’t possess the keys, then what good is the data (it’s encrypted), and
what good is serving a FISMA warrant or EU equivalent on us? Complying
with requests for information is really, really expensive for a young
company. Not being a target for such requests is a competitive edge."
***

In summary, any secure service that relies upon one group or legal
entity running servers is not robust or resilient from a lawful
intercept perspective, even if you have properly end-to-end encryption
implemented. This is what distinguishes this case from the Lavabit one,
it seems.

Does this mean Freenode or OFTC could be shutdown for allowing
OTR-encrypted chat? What about Google, Facebook or DuckDuckGo, for
having open XMPP services that allow OTR? In the case of Facebook, they
do flag when OTR is used (it shows an "[encrypted]" tag in the web
interface), which I have been meaning to ask someone about...

+n





More information about the liberationtech mailing list