Hi all,

When considering the threat of legally compelled assistance, I think it is useful to spell out the specific threats. The two big ones, IMHO, are:

1. Compelled disclosure of data retained about users.
2. Compelled insertion of backdoors into the product.

Now, folks on this list are throwing around a lot of legal terms (subpoenas, warrants, gag orders), but the specific types of legal process matter less once you consider the data that Silent Circle has and doesn't have.

[Note, the following is focused largely on the audio/video service aspect of the service, since AFAIK the text service uses some new protocol called SCimp about which there isn't really any public info]

If conversations are taking place over ZRTP, and, assuming that the crypto works, and that there isn't a backdoor, then the only data that Silent Circle should have access to is conversation metadata and data about the subscribers (IP addresses, an email address, and whatever info is required for credit card billing, such as a name/address).

[I'm not a lawyer, but I know a bit about US surveillance law. Even so, this isn't legal advice]

Under US law, law enforcement agencies only need a warrant to compel the production of stored communications content. Non-content data doesn't require a warrant. I would argue that a court order issued under 18 USC 2703(d) would be required to compel the production of stored metadata records of Silent Circle conversations; however, 18 USC 2703(c)(2)(C) permits the compelled disclosure of "local and long distance telephone connection records, or records of session times and durations" pursuant to a mere subpoena (no judge required).

As such, the specific form of legal process required to compel the production of Silent Circle conversation metadata depends on whether or not Silent Circle is more like an Internet communications service (such as e-mail or IM) or a telephone service.

As such, I don't think the right question is what if Silent Circle receives a search warrant, but rather, either a 2703(d) order or subpoena.
The answer to this really depends on their metadata retention policy, which we currently don't know much about. I want to see more info about this before I trust the service.

Now, you may be asking at this point, who cares about US surveillance law if the data is held on servers in Canada? At least when it comes to requests from the US gov, the location of the data probably doesn't really matter if the execs and most of the staff are in the US. The US government will no doubt argue that US law applies to the compelled production of stored data, regardless of where the servers happen to be located.

Ok - as for the basic subscriber records the company keeps, they are apparently going to offer prepaid calling cards (see: http://www.fastcompany.com/3001938/phil-zimmermanns-silent-circle-builds-secure-seductive-fortress-around-your-smartphone). Hopefully, these will eventually be available for purchase from 3rd party retailers or even from brick-and-mortar vendors via cash, which would go a long way to removing the need for Silent Circle to know basic identifying info about their customers. However, if you sign up over the web and give a credit card, the company could be required to disclose this basic subscriber info with a mere subpoena.

Finally, with regard to the compelled insertion of backdoors in the service, this is obviously a serious threat (and something that governments have done in the past to other technology providers). I look forward to hearing public details from Silent Circle about what their plans are on this front. I'm not even sure what specific legal method would be used to compel such a backdoor in the US, since CALEA specifically addresses (and largely shields) communications service providers that provide encrypted communications but do not have access to the key.
See: http://paranoia.dubfire.net/2010/09/calea-and-encryption.html

However, on the compelled backdoor front, if this is a threat you are worried about, I would be equally (if not far more) worried about the government compelling Google or Apple to covertly push a malware update to your phone.

Cheers,

Chris

On Thu, Oct 11, 2012 at 2:36 PM, Julian Oliver <jul...@julianoliver.com> wrote:

> With a credit-card payment system the client list is practically a click away
> for any Government client, itself a worry. Having the servers located on
> Canadian soil garners little, I think: software in a position like this
> configures the distributor under responsibility to the jurisdiction in which
> its business is registered whilst foreign governments become potential clients.
>
> Ultimately software promising this level of privacy needs to reflect that
> people come from differing geo-political contexts. As such both client and
> server need to be freely distributed and installable such that communities
> can then manage their own communication needs, taking risks within their
> techno-political context as they see fit.