by 013a 2822 days ago
Maybe you trust Google or Facebook or Microsoft. That's fine. And probably sane; they're large corporations with huge numbers of processes and procedures in place to make sure data is used in ways that are at least parallel with their terms of use.

Do you trust that these companies will never be hacked? In a world where, this year, we discovered that a fundamental optimization in the literal silicon of processors, which went unnoticed for a decade, and affected every modern processor on the planet, allowed for some level of unintentional data leak, do well-meaning intentions even matter?

Just a few days ago, Twitter announced that an unintentional bug leaked private DMs to third-party app developers. Oh darn, we're sorry, we didn't mean for that to happen, it just did.

So, do you trust any of your personal information being obtained by any random person on the planet?

This is our world, it's just taking everyone a bit of time to realize it: If you have information stored on the internet, it will get leaked eventually. Then at that point, it's just a matter of having enough attention for one person who wants to do you harm to find it. Do you have no enemies at all?

Oh you don't? Are you alright with your credit card and social security numbers being available for anyone to grab? Look at that, you do have enemies, they just don't care about you personally, all they care about is themselves, and they'll hurt you to accomplish that. Let's say you're a woman. Are you alright with your address being publicly available? How about your Google Calendar? Snapchat real-time location? Feed from your Nest security camera? Didn't think so.

"Privacy" is not when a company says they care about your privacy. It's when they fucking implement End-To-End Encryption and physically deny themselves even the ability to see your data. Any company who says they care about privacy but isn't doing this is fucking lying to you, full stop, no exceptions, because if they really cared then they (A) wouldn't put concessions on their position like "well we need to be able to see this data for X", and (B) would have the humility to recognize that the world is more vulnerable than it's ever been before, and they will be hacked, it's just a matter of when.

1 comments

> Do you trust that these companies will never be hacked?

I trust them more than I trust myself, unfortunately.

I generally try to avoid uploading unnecessary/extra data. But email and remote document access aren't optional, and while I don't trust BigCorp to do security right, I also know that I don't have the resources to do it right for myself...

That's fair. You shouldn't trust yourself, or the companies, because your trust will be betrayed one day. Everyone is a little incompetent, it's just a matter of when.

That's why End To End Encryption is the best solution we have, which balances usability with good security. It reduces the surface of attack to just the encryption algorithms, their implementation, and the keys, which is substantially easier to audit and doesn't change when the products evolve. It also allows you to say "fuck it, have the data, it's encrypted so who cares". Finally, it logically separates the attack surface into two distinct parts; attackers need both the keys and the data to do harm, either alone does nothing.

In practice, trust comes down to "can I protect the keys". That's something I can trust myself to manage well, and plenty of companies sell solutions to make it easy (ex: Apple and the secure enclave of your phone).

Any suggestions for how to combine end-to-end encryption with document storage in a way that still allows me to access documents on my phone/tablet/computer and also share documents with others?

Unfortunately end-to-end encryption for email is completely impossible because almost everyone I interact with via email does not know how to use gpg...
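
Added example, not part of the thread or any commenter's code: one common way to get the split discussed above (the storage provider holds only ciphertext, while several devices and sharing partners can still read a document) is envelope encryption, sketched here with Node.js built-in crypto. The function names, the recipient names and the `doc-key-wrap` label are assumptions made for illustration.

```javascript
// Added example: envelope encryption for stored and shared documents.
const crypto = require('node:crypto');

// AES-256-GCM helpers; the 12-byte nonce and the auth tag travel with the ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws if key or data is wrong
}

// Derive a one-time wrapping key from an X25519 shared secret via HKDF-SHA256.
function wrapKey(privateKey, publicKey) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'doc-key-wrap', 32));
}

// Client side: encrypt the document once, then wrap the random content key
// separately for each recipient (your phone, your laptop, a collaborator).
function encryptDocument(plaintext, recipients) {
  const contentKey = crypto.randomBytes(32);
  const wrapped = {};
  for (const [name, publicKey] of Object.entries(recipients)) {
    const eph = crypto.generateKeyPairSync('x25519'); // fresh per recipient
    wrapped[name] = {
      ephPub: eph.publicKey.export({ type: 'spki', format: 'der' }),
      box: seal(wrapKey(eph.privateKey, publicKey), contentKey),
    };
  }
  return { body: seal(contentKey, plaintext), wrapped }; // all the server stores
}

// Client side: a recipient unwraps the content key with a private key that
// never leaves the device, then decrypts the document body.
function decryptDocument(stored, name, privateKey) {
  const { ephPub, box } = stored.wrapped[name];
  const publicKey = crypto.createPublicKey({ key: ephPub, type: 'spki', format: 'der' });
  return open(open(wrapKey(privateKey, publicKey), box), stored.body);
}
```

Sharing with one more person means wrapping the same content key for their public key; revoking access means re-encrypting under a new content key, since anyone who already unwrapped the old one keeps it.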