[liberationtech] Cryptography super-group creates unbreakable encryption

Christopher Soghoian chris at soghoian.net
Thu Feb 7 17:14:58 PST 2013


See Inline

On Thu, Feb 7, 2013 at 12:15 PM, Andy Isaacson <adi at hexapodia.org> wrote:

> Silent Circle may be an excellent privacy app.  It might not have any
> significant security problems.  It might even do a good job of
> mitigating important platform-based attacks and supporting important new
> use cases (the "burn after reading" feature).  When it's actually open
> source I'll take a look and if it is good, I'll recommend it to users.
>
> Until that open review happens, I think it's inappropriate for voices in
> our community to commend or recommend such a proprietary system.  Each
> person makes their own choices, of course, and nobody should base their
> actions solely on what *I* think is right, but I hope you can hear my
> concerns and consider the outcomes of your actions.
>

Twitter's official client and server code are not open source. That hasn't
stopped the good folks at EFF, as well as many other privacy advocates, from
praising the company's law enforcement transparency policies, as well as
Twitter's willingness to go the extra mile when responding to various forms
of legal process.

Much of Google's code, including all of the Gmail backend code, is not open
source, but that hasn't stopped privacy advocates from legitimately
praising the company for voluntarily publishing some really useful data on
government requests and DMCA takedown demands.

Although I have not recommended Silent Circle to anyone, I believe that it
is entirely legitimate to praise the company for its commitment to
transparency regarding law enforcement requests and the company's overall
law enforcement policy.

Hell, looking at the list of companies ranked on EFF's "Who's got your
back" website, closed source is by far the norm, not the exception. That
hasn't stopped EFF from giving out gold stars where they feel they are
deserved. See:
https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back

In fact, for many of the factors that I am most interested in, source code
is completely irrelevant. Client source code does not reveal a company's
data retention policy, and server data retention configurations are
impossible to verify. Source code does not reveal whether a company will
tell its users about subpoenas submitted for user data where not prevented
from doing so by a gag order. Source code will not reveal a company's
willingness to spend hundreds of thousands of dollars on legal bills to
fight an improper request submitted by lawyers at the Department of
Justice. For such things, you have to evaluate the company on its public
policy (and, once the policy is put into action, you can judge the company
via its track record).

By all means, continue to harass Silent Circle about its source code.
Likewise, please do hold journalists accountable for the bogus headlines
they, or their editors, have selected. But do not dismiss my legitimate
interest in the law enforcement legal policies adopted by companies. These
policies are often just as important, yet impossible to verify, even when
companies publish their source code.

Cheers,

Chris