[JoshTriplett]

When implementing technology intended to provide user privacy, both fall under "attack on user privacy", and should be treated as such. Either the service has access to user data, in which case it can be arbitrarily compromised for reasons of varying "legitimacy", or the service does not have access to user data, in which case the legitimacy of the request is irrelevant.

[jaredklewis]

Unless the courts ask you to modify your software to access the user data next time they login (iirc, this was the case with bit mail).

[JoshTriplett]

That's a strong argument against creating services where JavaScript code served by the server has access to user data.

[jaredklewis]

So don't, but then when the government wants some user you have, they'll ask you to modify the code so the JS does access their data and send it back to you. Comply or shutdown.

My understanding is that in the bit mail case, the government didn't just ask for data. They also asked for code to be modified. So really, any technical solution done by coding, well, the government can just ask you to un-code it.

[JoshTriplett]

There's a big difference between a warrant to provide user data you trivially have access to and a demand to modify your code to intercept user data when it previously did not have that capability. I'd love to see a court case over the latter, considering that a request to insert a backdoor would require a coder to risk their entire career to comply with.

(Leaving aside that any such request would necessarily have to be a "secret warrant", which is dubious to begin with. And leaving aside mechanisms like warrant canaries, signed binaries, and Open Source clients, all of which would provide additional avenues for both detection and legal challenge.)

[dublinben]

It's unlikely that such an order would hold up to a challenge, since the government can't generally compel you to deliver speech you don't agree with.

http://law2.umkc.edu/faculty/projects/ftrials/conlaw/compell...