[andreyf]

False and false.

The article linked complaints that traditional legal interception means do not work. Those are the ones where they nicely ask the cellular providers for the data. It's not about "stingray like devices", it's about sending a letter and getting the data. End-to-end encryption protects against that, be it iMessage or BBM.

Prism collects data directly from companies that participate, and Apple has said they do not have access to iMessages contents. There was some speculation about courts being able to force Apple to abuse their authority as the iMessage certificate swapper, but I've seen no evidence or convincing argument for that to be the case.

Xkeyscore does not collect any data, but searches it.

[task_queue]

Apple is still subject to NSLs, and like Lavabit, can be coerced into operating in such a way that they're able to provide message contents to authorities while advertising that they are in fact secure.

[LLWM]

It's much simpler than that. Their marketing team gets their material from the R&D team, and neither group knows about the NSLs, because why would they? Only compliance and a few people on legal know, and everyone hates them already anyway.

[andreyf]

And how would "compliance and legal" get access to something engineering designed to be end-to-end encrypted?

[task_queue]

Assuming it's actually end-to-end encrypted, it is susceptible to MITM attacks because you're trusting a centralized source with key exchange and verification.

You cannot perform an audit on your own. You are trusting that you received the correct keys without a way to verify identities outside of the network.

That is not secure. Please read http://blog.quarkslab.com/imessage-privacy.html

[LLWM]

>something engineering designed to be end-to-end encrypted?

Is that seriously what you believe?

[andreyf]

How exactly do you imagine this is possible? End to end encryption means Apple cannot access the message contents.

[task_queue]

Can you provide the source code that shows the implementation of the end-to-end encryption? Can you verify that you REALLY have Alice's public key and she has yours? Or are you trusting that the keys you're receiving from Apple's network belong to exactly who Apple says they do?

White paper on the topic: http://blog.quarkslab.com/imessage-privacy.html Consumer grade article: http://arstechnica.com/security/2013/10/contrary-to-public-c...

Lavabit offered in-network public key encryption for its users. Its implementation was faulty and investigators only needed an SSL key to get the information they wanted from suspects. They also ordered Lavabit to keep operating under the pretense that they were secure. http://www.infoworld.com/article/2609583/encryption/how-secu...

Skype was advertised as "end-to-end" encrypted AND peer-to-peer networked for years, until it was slowly exposed as a lie. Skype's content is not end-to-end encrypted and the network is centralized. http://arstechnica.com/security/2013/05/think-your-skype-mes...