[rasengan]

> They can be forced to log

There is no legislation in the US that can be used to do this [1]. Some very misguided companies may voluntarily log, but those that care about privacy or, at the least, realize that holding people's data is a liability, won't make poor decisions like that.

[1] https://en.wikipedia.org/wiki/Data_retention#Failed_mandator...

[nickpsecurity]

Nah, he's right. The Core Secrets leak said the FBI was using some secret method to "compel" domestic targets to do the "SIGINT-enabling" of their networks. It might have been just fines and jail threats under the secret court (FISC). On top of that, the Patriot Act let them hold people indefinitely, they were kidnapping folks at airports for "extraordinary rendition" (torture), and there's the old civil forfeiture laws on top. That's the extreme stuff.

Less extreme, Lavabit was hit in court. Lavabit said giving their private key to the government would expose all their users' data. They said it would be bad for their business. The FBI countered that there would be no damage if nobody knew they did that. So, they just wouldn't tell anyone what the judge had ordered. Judge went along with that idea. So, that's how legislation and liability in the U.S. works. Especially when there's secrecy orders.

Pro tip: don't host anything that's supposed to be private in the U.S.. It's a surveillance/police state slash plutocracy disguised as a democracy. Anything that might be private can be ordered to not be private secretly with immunity.

[bitreality]

Oh come on now. The US Government forces tech companies to share information all the time.

http://www.msnbc.com/msnbc/us-government-threatened-yahoo-bi...

They certainly can, and will, go after any company they want to, without referencing any specific US legislation.

[rasengan]

ISPs and VPNs have different laws then, for example, email providers. Further, Yahoo Mail, would be storing data (thus "voluntary" logging, or in their case, there's few ways around it to deliver their services in any kind of usable way).

I repeat, after having evaluated this quite deeply, that there are no mandatory data retention laws in the US, period, for ISPs and VPNs. This is contrast to quite a few jurisdictions, and the poor actions taken by ISPs and VPNs in said areas seem to speak louder than words.

That being said, I can relate to the author. Trusting a random service without any reason to trust is definitely blind. However, trust can be earned, over time, and validated, but should never be absolute. Trust is earned, daily, forever.

That being said, at the end of the day, the best bet is to remove trust from the equation - to get closer to a zero knowledge state, thus creating zero trust.

We're working toward that, every single day, and I would love to hear from anyone that's interested in helping or has thoughts.

[bitreality]

You're saying that organizations can avoid being subject to providing data if their service does not store the data. But I am not convinced. If the NSA or whatever 3 letter agency demanded the data be made available in a secret court, the company would have no choice but to comply.

They could require this in several ways. They could store the data directly on government servers, or set up a third party server and store the data on there, where both parties could access it. Either way, there is no technical reason the data can NOT be collected, so if the big boys want it, they will get it.

[comex]

The demands mentioned in your link did reference specific US legislation: FISA section 702.

[bitreality]

Before all this information got leaked, nobody knew about FISA section 702, nor had any idea how it was being interpreted and acted on by government agencies. I think it's quite clear that the secret courts in the US put huge demands on organizations to share and collect data on government behalf. Even worse, the organizations can not even publicly disclose information from the proceedings.

Until I see something to convince me otherwise, I assume any sizable organization that is operating within the United States shares any/all data requested. No loophole will protect them. If they don't collect the data, guess what, time to start collecting.

[okmokmz]

US companies perhaps. That's why so many recommend non-US VPN services

[comex]

Perhaps not (I’m not certain about the issue), but they can be forced to hand over their private keys to let the NSA [ed: or other agency] do the logging for them – as happened with Lavabit.

[tptacek]

s/NSA/DOJ.

[comex]

Good catch, although... I looked it up, and apparently in Lavabit’s case the demand (under the Stored Communication Act) was actually issued by the FBI?

[tptacek]

The FBI is part of the DOJ. :)