Linked by Thom Holwerda on Sat 8th Jun 2013 14:57 UTC
Legal And yes, the PRISM scandal is far, far from over. More and more information keeps leaking out, and the more gets out, the worse it gets. The companies involved have sent out official statements - often by mouth of their CEOs - and what's interesting is that not only are these official statements eerily similar to each other, using the same terms clearly designed by lawyers, they also directly contradict new reports from The New York Times. So, who is lying?
RE[3]: Comment by Nelson
by voidlogic on Sat 8th Jun 2013 19:24 UTC in reply to "RE[2]: Comment by Nelson"

Right. So you're running a large company, and the government comes to you and says, 'We need some information from your servers about Joe Sixpack, and by law, you must provide us with this information.' So, what are you going to do? Are you going to play the hero and get yourself thrown in jail, and your company possibly put out of business? I'm sure we could get a good debate going about whether such things should be legal, but the point is that they ARE legal, and businesses are legally obligated to hand this information over. So I personally don't hold it against them.

Fair enough, the first few times it happened. Then I would like to see companies like Google take technical measures to make it impossible to comply with these kinds of orders in a meaningful way (ideas follow):

It could be as simple as making sure non-encrypted user data is in a jurisdiction non-amenable to assisting other security states and owned by a subsidiary local to that jurisdiction.

So they might comply, but the powers that be would get no useful information. For example, my Gmail messages could be encrypted using my public key and only decrypted client side using my private key. Then Google could not read my mail (after storing it) and they could not provide anything but cryptotext to governments. They could still do all their advertising/search stuff by doing keyword indexing or whatever they do at receive time.

Q: How much extra work is this?

Not much, the server has one extra public key encrypt (which is cheap and happens every time you visit an HTTPS page), after that the extra work is done client side (and is still pretty cheap). The only thing burdensome perhaps is that any search/ad indexing must happen at receive time and is not deferred (which may or may not be the case now for Gmail).

The real technical challenge here is how to make sure the user has their private key on their devices/browsers without storing the key at Google, etc. Perhaps putting this key server in a different legal jurisdiction or letting users sneaker-net it at their choice is an option.

Score: 2
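The scheme proposed in the comment above, sketched as an added example; it is not part of the original comment and not any provider's code. It assumes Node.js's built-in `crypto` module and hybrid encryption (one RSA-OAEP operation wrapping a one-time AES-256-GCM key); the function names, stored-record layout and sample message are constructed for illustration. Note that the keyword index built at receive time stays readable on the server, so it remains something the server can be made to hand over.

```javascript
const crypto = require('node:crypto');

// Server side, at receive time: index the plaintext once, then keep only ciphertext.
function receive(publicKey, message) {
  // Naive keyword index (assumption: words of 4+ letters); this part is NOT encrypted.
  const keywords = [...new Set(message.toLowerCase().match(/[a-z]{4,}/g) || [])];

  const key = crypto.randomBytes(32);   // one-time AES-256 key for this message
  const nonce = crypto.randomBytes(12); // standard 96-bit GCM nonce
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(message, 'utf8'), cipher.final()]);

  // The single public-key operation: wrap the AES key for the user (RSA-OAEP).
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, oaepHash: 'sha256' }, key);

  // The server stores this record and discards `key` and `message`.
  return { wrappedKey, nonce, tag: cipher.getAuthTag(), body, keywords };
}

// Client side: the only place the private key exists.
function open(privateKey, stored) {
  const key = crypto.privateDecrypt(
    { key: privateKey, oaepHash: 'sha256' }, stored.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, stored.nonce);
  decipher.setAuthTag(stored.tag); // final() throws if the record was altered
  return Buffer.concat([decipher.update(stored.body), decipher.final()]).toString('utf8');
}

// Constructed demo: the key pair is generated on the user's device, and only
// the public half would ever be uploaded to the mail provider.
function demo() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const stored = receive(publicKey, 'Quarterly invoice attached, see you Friday');
  return { stored, opened: open(privateKey, stored) };
}
```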