Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Whatsapp, a Trojan horse for seekers of easy privacy?

Leif Ryge leif at synthesize.us
Fri Jan 16 14:37:01 PST 2015


On Fri, Jan 16, 2015 at 02:12:38PM -0800, Al Billings wrote:
> 
> > On Jan 16, 2015, at 2:07 PM, Leif Ryge <leif at synthesize.us> wrote:
> > 
> > 
> > I did see two answers earlier, Iceland and Switzerland. There are many
> > other countries besides those two where it also seems very unlikely that
> > companies would be subjected to the sort of legal orders that we now know
> > US companies routinely receive. That obviously doesn't mean that TAO or
> > GCHQ's equivalent won't try to compromise them without their knowledge, but
> > that approach is obviously a much riskier and less reliable than the legal
> > means used in the US.
> 
> What makes you think Iceland and Switzerland don’t have security and
> intelligence services that could have legal orders issued or that
> occasionally cooperate internationally with other organizations? Is it simply
> because Wikileaks managed to be in Iceland for quite a while?
> 
> Al

Secret orders requiring technology companies to help spy on their customers are
unheard of in many countries, and something that would cause significant
public outrage were they found to exist, but they're something we've known
about in the US for at least a decade (long before Snowden or Wikileaks).

I'm sure similar orders exist in places where we don't know about them, but
given the possibility of leaks that each secret order entails I maintain that
it seems unlikely it's happening on a large scale in places like Iceland.

But, given that we can't prove that negative, it is obviously necessary to
remove single-points-of-failure in our software distribution systems.
Deterministic builds (with independent signers of each build in many legal
jurisdictions) and recording releases in public append-only logs (with notaries
in many different legal jurisdictions) are the two ways that I know how to
solve this problem. Either is good, and doing both would be better.

Hopefully in a few years everything will work that way. Probably the NSA will
try to sabotage some standards along the way, but I'm optimisitic that they'll
fail. However, until that reality exists, where we don't need to rely on
("trust") single entities to authenticate our software updates, I think
preferring to rely on 3rd parties in non-US countries is hardly unreasonable.

~leif



More information about the liberationtech mailing list