[liberationtech] Silent Circle Going Open Source

Ali-Reza Anghaie ali at packetknife.com
Wed Nov 21 11:49:58 PST 2012


Separately I think the most susceptible CALEA component is Silent Mail -
because it's not using a peer-to-peer model by default. So, as of now, I
don't think CALEA can force the software to be poisoned unless SC also
does store-and-fwd of the message. This has always been a point of
confusion between attorneys and actual companies complying in my
experience. I trust other people here know exactingly how this all works.

Either way, I want some verbiage clarification from SC on the topic anyhow.
Cheers, -Ali



On Wed, Nov 21, 2012 at 2:45 PM, Ali-Reza Anghaie <ali at packetknife.com> wrote:

> They have a bit about what they can and will turn over at:
>
> https://silentcircle.com/web/law-compliance/
>
>
>
> And make mention of CALEA. There is some ambiguity IMO I'm not thrilled
> with so I'm reaching out about that. I know it's not enough for you but I
> still think that given the target audiences using nothing, this is still a
> huge (potential) win if they hit a stride. -Ali
>
> Key quotes:
>
> "We retain the following information as part of our normal business
> functions:
>
> Authentication information — your user name and hashed password. We hash
> passwords with a twelve-character random salt and 20,000 iterations of
> HMAC-SHA256 via PBKDF2.
>
> Your contact email address.
>
> Your Silent Phone number that we issue you
>
> Server IP Logs for login only. We currently retain these for 7 days, and
> are working to reduce this to 24 hours"
>
> "We are a law-abiding company, and US law (the Communications Assistance
> for Law Enforcement Act, CALEA) makes it clear that communications service
> providers can deliver products to their customers that use encryption to
> protect their communications without having the ability to decrypt those
> communications. This means no Government-mandated backdoors. Indeed,
> history has shown that backdoors created for law enforcement interception
> are themselves a security liability, and present an irresistible target for
> hackers and state sponsored attackers."
>
> And
>
> "We must and will comply with valid legal demands for the very limited
> information we hold. Thus, we want to make it clear that when legally
> compelled to do so, we will turn over the little information we hold,
> described above. Before turning it over, however, we will evaluate the
> request to make sure it complies with the letter and spirit of the law.
> And, consistent with best privacy practices followed by other companies,
> when possible and legally permissible, we will notify the user in order to
> give him or her the opportunity to object to the disclosure."
>
>
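The quoted compliance page states the only credential material retained is a hashed password: PBKDF2 with HMAC-SHA256, 20,000 iterations, and a twelve-character random salt. The following is an added illustration of what a server-side store built to that description looks like; it is not Silent Circle's code and the page gives no more than those three parameters. The salt alphabet (letters and digits), the 32-byte derived-key length, and the `pbkdf2_sha256$<iterations>$<salt>$<hex>` record layout are assumptions made here so that the record carries everything needed to verify later and to recognise old iteration counts if the cost is raised.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Parameters taken from the quoted Silent Circle compliance text.
ITERATIONS = 20_000          # PBKDF2 iteration count
SALT_LEN = 12                # "twelve-character random salt"
# Assumptions not stated on the page:
SALT_ALPHABET = string.ascii_letters + string.digits
DKLEN = 32                   # one full SHA-256 output
SCHEME = "pbkdf2_sha256"


def make_salt() -> str:
    """Twelve characters chosen with the OS CSPRNG, without modulo bias."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt$hexdigest.

    A fixed salt may be passed for tests; production callers leave it None.
    """
    salt = salt if salt is not None else make_salt()
    if len(salt) != SALT_LEN or any(c not in SALT_ALPHABET for c in salt):
        raise ValueError("salt must be 12 characters from the salt alphabet")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), ITERATIONS, DKLEN
    )
    return f"{SCHEME}${ITERATIONS}${salt}${dk.hex()}"


def parse_record(stored: str):
    """Split a stored record; return None for anything malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return None
    scheme, iters, salt, digest_hex = parts
    if not iters.isdigit() or int(iters) < 1:
        return None
    if len(salt) != SALT_LEN or len(digest_hex) % 2 != 0:
        return None
    try:
        bytes.fromhex(digest_hex)
    except ValueError:
        return None
    return scheme, int(iters), salt, digest_hex


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the record's own salt and iteration count.

    The comparison is constant-time so a mismatch position cannot be
    inferred from response timing. Malformed records always fail closed.
    """
    parsed = parse_record(stored)
    if parsed is None:
        return False
    _, iters, salt, digest_hex = parsed
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iters, len(digest_hex) // 2
    )
    return hmac.compare_digest(dk.hex(), digest_hex)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with fewer iterations than current policy.

    Lets a service raise the cost over time: on a successful login, rehash
    the plaintext it just verified and replace the old record.
    """
    parsed = parse_record(stored)
    return parsed is None or parsed[1] < ITERATIONS


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("wrong pw :", verify_password("Tr0ub4dor&3", rec))
```

Note that the record stores the iteration count alongside the salt; that is what makes `needs_rehash` possible without a separate migration table, and it is the usual way a service moves from 20,000 iterations to a higher count as hardware gets faster.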