Linked by Thom Holwerda on Sat 8th Jun 2013 14:57 UTC
And yes, the PRISM scandal is far, far from over. More and more information keeps leaking out, and the more gets out, the worse it gets. The companies involved have sent out official statements - often by mouth of their CEOs - and what's interesting is that not only are these official statements eerily similar to each other, using the same terms clearly designed by lawyers, they also directly contradict new reports from The New York Times. So, who is lying?
RE[7]: Comment by Nelson
by voidlogic on Sun 9th Jun 2013 14:25 UTC in reply to "RE[6]: Comment by Nelson"

> I've worked with similar encryption schemes, but unfortunately there are a lot of technical issues arising from the proposal.

I never said it would be trivial. I believe it is feasible, and furthermore, my idea was just an example, I'm sure other people could come up with a better design for such a system.

> Even if it didn't interfere with Google's business model (I agree with tylerdurden that it does), it introduces usability problems due to the lack of server side processing & indexing.

In the proposed system indexing is still happening, yes that means the government could get a dump of the indexes, but depending on what is being indexed that still may not be too useful. I suggest two levels of indexing, "vague" indexing at the server side (pre-encrypt) and detailed indexing/filtering client side.

> but web-apps are a different story. Consider phone users who have limited ram, limited storage, limited cpu, limited battery, and pay $$ per meg: god forbid they need to regenerate an index or run an ad hoc mail search.

What I am suggesting is that the "rough" indexing be done server side with its limited indexes, any of the operations you describe would further filter the results client side. Is this less efficient bandwidth-wise? Yes, but not as bad as making the client index everything.

> Don't get me wrong, I understand where you're coming from. Unfortunately though it would still be trivial for a service provider to modify a client side web app to leak your keys back to themselves anyways. Who knows if a court would legally compel them to do so if they knew it was possible. In the end maybe it's better to use your own server if you do not trust your service provider.

Using your own server might be an option for you or I, but it is not for the average Gmail user. Also if people are running an HTML5 thickclient they could have and code from a third party non-profit in a neutral jurisdiction verify the SHA256 hash of the HTML5 client code.

I'm not saying there are not problems with my proposal (which was meant as an example to get people thinking), but there are always solutions and I think some of you guys are being a bit pessimistic and closed-minded.

Score: 1