Hacker News new | ask | show | jobs
by znelson 4526 days ago
Hey, that's a great question. We've put a lot of time and effort into thinking about this and have been working with some key people in the industry who have a lot of experience in this area.

We've comprehensively addressed this issue on our blog. Here's the direct link: https://blog.virtru.com/faq-on-government-surveillance/

Let us know what you think.
1 comments
cschmidt 4526 days ago 

     > Q. What would Virtru do if it received a request 
     >    from the United States government for encryption keys?

     > A. We will require the government to go to court, 
     >    and if we can, we will notify you.
To me that seems naive. You won't be able to notify anyone if you get a National Security Letter (NSL). Lavabit had turned over encryption keys for individual users, because they had to [1]. They only shut down when the government wanted their SSL key, to give access to everyone.

How are you any different?

[1] http://en.wikipedia.org/wiki/Lavabit

link
DHowitzer 4526 days ago
Hi, it's Will Ackerly here. We've thought a lot about the National Security Letter scenario, and so, we're going to be pushing to our website a Canary (in the coal mine) icon, linking to a statement declaring that we have never received an NSL. Our special counsel on privacy (Tim Edgar, who used to work at ACLU) came up with the idea for us, which I believe Apple is using through regular reports (not a literal canary icon on their website).
link
cschmidt 4526 days ago
Rsync.net uses a warrant canary as well:

http://www.rsync.net/resources/notices/canary.txt

I've actually found it kind of surprising that they haven't had any warrants yet.

But you're going to be served with an NSL if you get big enough to be interesting. It seems to happen to everyone. An then you won't be able to update the canary any more. That's a good idea, but I don't think it is enough.

I don't mean to be negative, I just guess I don't see why you'll succeed against the government when the others have not.

link
DHowitzer 4525 days ago
Great points, definitely not negative, just realistic.

There may be no single silver bullet here. In addition to pursuing open source key servers, we're also working on UI/UX for easy addition of public key wrapping using the same crypto as PGP. Our hope is that we can deploy public key in a way that most people start using it to minimize the proportion of unwrapped keys on Virtru's server.

link
znelson 4526 days ago
Unlike lavabit we're not a content provider and therefore not bound by the same laws. We're just a third-party provider that holds the keys. #7 on the blog post here goes into more details: https://blog.virtru.com/faq-on-government-surveillance/
link