Hacker News new | ask | show | jobs
by rayiner 4727 days ago
I don't disagree that many people aren't making an informed decision about this, especially all the kids and young teenagers who use Facebook and Google, etc. But my point is about the technology, not the people. The technology isn't designed to keep information private. SMTP sends plain-text e-mails through intermediate servers. Anybody can inspect the packets flying by on their network, which mostly have plain-text contents. Apparently at Google (from what we've learned from the David Barksdale stalking story: http://gawker.com/5637234/gcreep-google-engineer-stalked-tee...) lots of people have extensive access to customer data. I don't imagine the situation is much better at Facebook.

The technology didn't have to be designed that way. Google could, e.g. encrypt your gdrive contents client-side, and I bet there would be a way to store e-mail accounts encrypted so only the inbox/outbox would be stored in plain text on Google's servers. Facebook might be harder but it would be an interesting technical challenge to see what extent to which Facebook accounts could be stored encrypted on Facebook's servers. But by and large the internet is not designed that way. It is designed to leak your data all over the place, to every sysadmin at every intermediary, which makes privacy very hard to achieve, whether from the government or from companies.
1 comments
sneak 4727 days ago
> I bet there would be a way to store e-mail accounts encrypted so only the inbox/outbox would be stored in plain text on Google's servers.

What makes you think that's not being done now?

link
krallja 4727 days ago
The fact that search works implies that the contents of your email are not encrypted.
link
sneak 4727 days ago
It's easy to search encrypted data, you just decrypt it first.

What makes you think Google would be reckless enough to store unencrypted private data on disk, or incompetent enough to not implement search over an encrypted set of data?

link
rayiner 4726 days ago
My suggestion was to encrypt the data client-side and store the accounts encrypted, so Google couldn't themselves decrypt the accounts. The purpose is to think of ways to structure the technologies so the hosting providers don't have to be trusted entities.
link
sneak 4723 days ago
That doesn't work, as anyone providing you a clientside cryptosystem can provide you a backdoored clientside cryptosystem at the government's demand (one that silently uploads your key material to the server).

It doesn't matter if they don't normally store the key. It's a webapp.

Also, they need the key to do search. Furthermore, this does nothing to hide the metadata surrounding your communications, which necessarily must not be encrypted for services to work.

link