[Zigurd]

It's all very do-able. Even carrier voice could be pulled up into userland code in LTE, and therefore could use open source strong encryption.

Social networks are the ideal medium to exchange keys and form and maintain a web-of-trust.

This does not fix traffic analysis, but it would blind Sauron's eye enough to make the current surveillance infrastructure so unreliable as to be useless.

What's needed is for one or two national governments to come to the conclusion that their own surveillance is so far behind the NSA that the only way to win is not to play the game and actually secure their nation's communications and sell this the way tax havens sold financial privacy.

[jacquesm]

> Social networks are the ideal medium to exchange keys and form and maintain a web-of-trust.

I can see some real problems with that method.

[bigiain]

I agree.

I've noticed my use of Facebook has been restricted and constrained by mistakes I made when I first used Friendster and Tribe and Orkut. I see my family and friends making many of the same mistakes I made - playing the competitive "more friends" game and connection to people they've never met or who they really don't want "snooping" on their social life - exes, coworkers, bosses, friends-of-friends…

There's no way I'd want Facebook (or Twitter or Google or Yahoo or Microsoft or … ) being any part of a "web of trust" I was using for privacy/encryption/authentication – partly because there's no doubt they're deeply in bed with the NSA (are you really suggesting Facebook's platform is trustworthy enough to exchange keys?), but at least as much because I can clearly see that most people haven't curated their social networking "connections" with anything like the rigor they might have done if they'd been told up-front that "these connections might be used to authenticate your identity and communication to others (potentially including government, law enforcement, and other legal/contractual entities), and also to authenticate your connections identities and communication to those entities."

Do you _really_ know who all of your Facebook "friends" are? Are you _sure_ the person you think that account represents is actually in control of that account? Even if they are, do you trust them enough to vouch for your identity? Are you sure enough of that trust that they wouldn't "betray" you if the NSA, or a police officer, or their local council's dog-catcher, or your car/health insurance company approached them with either a threat or a handful of cash?

[Zigurd]

Key signing enables keys to be exchanged in a hostile environment. Compare web-of-trust to x.500 directory services, which are dependent on CAs.

It also isn't necessary to use Facebook for key exchange in order to adopt social networking functionality to enhancing a web of trust.

The bottom line is you have to design a secure system to avoid having to trust cloud services. While Facebook may be the poster child for untrustworthyness, you can't trust your own machine in the basement of your house not to get hacked. What you can trust is key signing, because it requires stealing a number of identities all at once.

[hipsters_unite]

Also, c'mon, if Facebook has your data then the NSA has your data... I wouldn't want any of this type of info on there.

[Zigurd]

More or less than an x.500 directory service?