On Tue, May 26, 2015 at 10:02 PM, Not Available <[email protected]> wrote:
> The old system kept Mozilla from knowing enough information to decrypt my > private info and give to a court. I couldn't be compelled to provide a > "password" because there wasn't one. > There were private keys, stored on any device capable of Syncing. You could be compelled to provide your private keys (or the devices themselves). But yes, it would not be reasonable to expect a user to know those keys in the way that they might know a password. > The new system sends my private key (encrypted) to Mozilla, but there is > now a password I can possibly be compelled to provide. Also I must have a > valid email address to sign up for Sync as well. > It's not quite correct that we see your private key, even encrypted; but it's close enough for these purposes. Mozilla could be compelled to provide information that gives law enforcement a privileged attack on your password. If you choose a strong password, this is as hard as breaking the private keys that were used in Old Sync. As for a valid email address -- it's true, but not a restriction. There are a bunch of services (I like mockmyid.com and mailinator.com) that provide trivial temporary free email services. I use them for testing all the time. It would be very hard for law enforcement to connect such an email service with a person unless they already knew the email address. > If Mozilla doesn't know something, they can't be compelled to provide > it... Now they will be. > > Am I understanding this correctly? > More or less. Happy to go deeper. Nick
_______________________________________________ Sync-dev mailing list [email protected] https://mail.mozilla.org/listinfo/sync-dev
