On Thu, Nov 27, 2014 at 3:52 AM, Mike Hearn <[email protected]> wrote:

> The events of recent days in the UK have made me see e2e crypto in a new
> light. Perhaps instead of seeing it as a technique to protect innocent
> users from malicious service providers, it can also be seen as a way to
> protect innocent service providers from malicious users.
>

I like this framing, though I prefer "protect innocent service providers from malicious governments." The best evidence I have seen for it is Kik Messenger. Check out the user-facing page: http://kik.com/. There is no mention of security or privacy whatsoever. Compare to this page for law enforcement agents: http://kik.com/lawenforcement/. Here they start talking about how their service is (purportedly) end-to-end encrypted so they can't really supply much information if asked. Seems consistent with the explanation that crypto is there to simplify their dealings with governments, not as a selling point to users.

> Inverting the threat model neatly solves a few hard problems. For example,
> key verification UI is irrelevant now because the crypto isn't there to
> protect users. Whilst a company could still do the silent key switcharoo
> when served with a precisely targeted court order, they can't be told they
> should have reported some user who went on to do something bad just because
> the data happened to flow over their wires.
>

Interesting angle. Companies might want to take it a step further and argue that they can't do the silent key switcharoo even when faced with a court order. We're badly in need of some insight into how effective this claim actually is in practice.
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
