[liberationtech] Trusting tools under US jurisdiction

Shava Nerad shava23 at gmail.com
Sat Nov 28 09:34:03 PST 2015


Speaking as an American...

Let's take the example of DuckDuckGo first.  Here is a search engine that
does not log searches, does not use cookies, and does not track users.  So
unless you think they are doing that, even though they say they do not,
there is no information for the NSA to requisition.

This is very similar to Tor, for example, where you don't have to trust the
system because the system does not retain logs etc. (although in the case
of Tor, exit node operators have abused the system historically; if users
are cautious, the damage from such abuse is minimized).

In the case of riseup, with which I'm less familiar -- but I'm familiar
enough with the sort of situation they might be in -- I'd assume they'd do
a Lavabit if necessary.  But that might be a lot to expect.  Knowing that
they would is often enough to keep such things at bay.

When I was running the Eugene Free Net/Oregon Public Networking, we
regularly got improper requests for access from LE, and we regularly
resisted them.  This likely resulted in an attempt by the IRS to shut us
down, which we parlayed into a four year PR fight making the exempt
organizations branch of the IRS look rather bad.  Dead man switches and
those willing to sacrifice to make the administration look like raptors --
which big data is not willing to do -- are an odd sort of armor.

Honestly, I suspect entities such as riseup are more likely to be hacked
than served with NSLs.  I doubt they invest enough in security to withstand
penetration, but I could be wrong.  Happy to be corrected and find out that
they have enterprise level pentesting and such.  But most lefty
organizations are not budgeted for anything close to that level of
security, and that level of security might still not keep out a state level
actor.  (Regardless of where the machines were hosted, of course -- we are
not unique in this.)

We are not exactly passive naifs over here, those of us who are fighting
for privacy.

You have Lavabit as an example, and you have Calyx, and you have folks such
as myself, and you have folks such as the Lebanon Library System who, when
the DHS put pressure on them to not have a Tor relay in their library and
it made national and international news, stood by their guns and politely
told the DHS to stick it.

That said, there is nowhere on this earth safe from the NSA.  The various
revelations have shown that it is not only US companies that are intruded
upon.  Ask Merkel's administration how they feel about their privacy, if
you would.  This is not a menace special to us, although we are subject to
special laws -- but that means we know more what to look for, as US based
privacy advocates.

I hope and pray that as privacy advocates overseas, your SIGINT and HUMINT
vulnerabilities do not lead you into bad places.  Because the fact is we
have many more laws protecting us from the NSA than you do, and a few that
make us vulnerable.

But as foreign nationals, you are the NSA's special prey, for which I
abjectly apologize, and wish it were not so.

Keep your opsec up. :)   We'll try to watch your back and do everything we
can to reform things from here.

Sincerely,

On Fri, Nov 27, 2015 at 5:28 AM, carlo von lynX <lynX at time.to.get.psyced.org> wrote:

> On https://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/
> I frequently see VPN service providers explaining their reason for operating
> from the US as follows:
>
>         >> We choose to operate in the US in order to provide no logging
> service, as there is no mandatory data retention law in the US.
> Additionally, our beloved clients are given access to some of the strongest
> consumer protection laws, and thus, are able to purchase with confidence. <<
>
> ... which may be correct if you look at all the laws except for the Patriot Act
> by which companies such as DuckDuckGo, OpenWhisperSystems and even NGOs such as
> riseup.net must quietly allow the authorities to obtain full access to all
> data, tell as few people as possible about it (frequently the CEO is not
> informed so that they can evangelize convincingly how safe their product is,
> not be all shaky and nervous like Gen. Clapper), and order the company to carry
> on promoting the notion that privacy be in safe hands. We know from PRISM and
> Lavabit how much that isn't true, but since then the US is pretending times
> have changed, which - knowing the NSA - cannot be true. It would be strategic
> madness to leave the knowledge over data to other nations.
>
> In any case it is reasonable to assume that all of these privacy companies
> based in the US are selling snake oil because they just cannot refuse when
> the letter comes. The question is if *formally* anything has changed with
> the adoption of the Freedom Act. Is PRISM a little bit more illegal now than
> it was before? Would there be any judicial consequence if companies get
> caught selling out to authorities again?
>
> In any case I don't understand how people happily use riseup instead of a/i,
> Duck Duck Go instead of ixquick, Signal instead of Telegram. I haven't found
> any place that offers an independently built Android binary for Signal. How
> reasonable is it to assume that OpenWhisperSystems can operate on US soil
> without shipping an NSA backdoor in all Signal installations? What other
> reason can there realistically be to actively fight the existence of
> deterministically or alternatively built copies of the Signal client?
>
> Have we learned anything from the Snowden revelations at all? The last thing
> we can do is trust humans to have the integrity to withstand the power of the
> US government. It is inappropriate to expect all the crypto pop stars to be
> heroes and entrust our safety to them. Trust the maths and the facts, not the
> figureheads. Do not overload the people with responsibility. One thing humanity
> knows very well is how to corrupt people.
>
>
> --
>   E-mail is public! Talk to me in private using encryption:
>          http://loupsycedyglgamf.onion/LynX/
>           irc://loupsycedyglgamf.onion:67/lynX
>          https://psyced.org:34443/LynX/



-- 

Shava Nerad
shava23 at gmail.com