Hacker News new | ask | show | jobs
by maffydub 4575 days ago
You're right that we may have been naive about trusting our governments.

What I don't understand is why anyone trusted businesses (such as CertiVox and Lavabit) to keep their emails secure?

If the businesses themselves couldn't decrypt these emails, there's nothing the government could usefully ask them for.
2 comments
rhizome 4575 days ago
What I don't understand is why anyone trusted businesses (such as CertiVox and Lavabit) to keep their emails secure?

Because they didn't consider "because terrorism" to be a security threat that could penetrate privacy and property laws. Lavabit has proven that the Third-Party Doctrine means that once you give data to a business, you're giving it to the government.

link
maffydub 4575 days ago
Sorry, maybe I wasn't clear.

I have an email I want to be secure.

Why am I giving this data to Lavabit in a form that they can decrypt? (Forget the government for the moment.)

Why aren't these systems engineered to mean that only _I_ have the key to decrypt them?

link
rhizome 4575 days ago
I don't know. Why aren't you running your own email server?
link
maffydub 4575 days ago
Me personally? Because I don't actually need secure email (and so didn't use Lavabit or CertiVox).

My point is that if I did want secure email, I wouldn't trust a company whose email system architecture meant that they could read my email.

A personal email server might be a good solution, but then you have to maintain it. It seems as though it should be possible for a company to build an email system (and offer it as a service to customers) whereby they _couldn't_ read user's email.

This seems like a good thing. (And as a nice side-effect, the government can't then issue them with a warrant to read your email. Although that's not to say they can't read your email in other ways.)

link
rhizome 4575 days ago
I'm not aware of any companies providing double-blind encrypted email services, but they may be out there. Certainly they would eventually be accused of providing harbor to terrorists and other unsavories. At best, it sidesteps the problem of the lack of legal privacy protections when using a service provider of any kind.

http://www.legaltechnology.com/latest-news/data-security-in-...

link
JulianMorrison 4574 days ago
You can trust an established business with a reputation to lose, not to defecate where it eats.

The upset in the threat model is that you can no longer trust that a business is free to choose according to self interest. You have to assume the government will be force-feeding it laxatives.

link