If a law exists that requires a software company to retain the capability to provide plaintext transcripts of encrypted messages, and to provide those transcripts on demand, you've been unable to provide any citation to it.
Lavabit is exactly the problem with your analysis. The core problem of Lavabit wasn't that that the government compelled Levison to retain the ability to decrypt messages. No, Levison chose to do that, because the market punished real secure message providers for forcing users to install software. (a) If you have the ability to decrypt messages, (b) the government is allowed under current law to exploit that. Now Levison's defenders want to point the finger at the DOJ and surveillance law, insulating him from the consequences of his own (frankly) terribly irresponsible decision to expose his users secrets in exchange for market share.
The original citation to CALEA which people "fixated" on was yours. Your claim was that CALEA compelled software companies like Apple to backdoor encryption. It does no such thing.
No law exists preventing anyone from building a truly secure messaging service. TextSecure and Silent Circle are doing it out in the open right now. A disinformation campaign suggesting otherwise would be harmful to end-users.
I think that it says nothing whatsoever about encryption. What am I missing? If you're going to claim something in here could be interpreted to apply to encryption, cite some authority that says so. In the unlikely event that you're right, a lot of big companies are in serious legal trouble.
I included this law in the discussion since it applies to digital services.
What you are missing is that unless encryption is used directly by the endpoints (not added by the provider) by definition (a) holds from your previous comment.
Skype is an example of a communications service (like TextSecure) that offered secure E2E communications but was stripped of that functionality.
Blackberry is an example of a company that has drowned because political pressure to backdoor communications was greater than the market incentive to provide real security.
Apple today stores electronic communication and service records, logs and artifacts from your phone encrypted in the cloud. But it will decrypt for law enforcement upon request. Are you suggesting they do this voluntarily or are they compelled to by law?
For the record I am a strong advocate of TextSecure/Silent Circle/others. To be a strong advocate, however, one must be a strong skeptic. So far I do not believe these two projects have been compromised ("CryptoCat" on the other hand...)
I do not believe that there are laws requiring all crypto implemented by every provider everywhere to be subverted. The laws that exist however do ensure that any encryption provided transparently are subverted. When E2E crypto becomes a problem (e.g. Skype) the intelligence community has other ways of dealing with it.
What this means for the surveillance state is that anything that becomes popular enough to represent a non-neglegible portion of traffic will be subverted. Mom and pop can't have secure communications. It's only us cipherpunks who get to have any short reprieve.
I'm lost. You claimed in the previous thread you linked to that CALEA (or, charitably, some other law) required US companies to backdoor their encryption schemes. I said you were wrong about that. You claimed I was merely fixating on the specific law you cited, to the detriment of the more general truth of your argument. I asked you to cite any authority anywhere backing that argument up. Your response is to cite examples of crappy software security, and then to sneakily reformulate your argument so that it applies only to encryption that isn't "end-to-end".
The saving grace of this unproductive conversation is that we at least agree that end-users should reject forms of encryption that don't require them to install anything.
> You claimed in the previous thread you linked to that CALEA (or, charitably, some other law) required US companies to backdoor their encryption schemes.
As a customer, encryption provided by a third party (especially in situations where it is difficult or impossible to provide my own encryption - like how would I provide my own encryption that goes over Skype?) which is designed to be removed upon request by the government is backdoored.
> I asked you to cite any authority anywhere backing that argument up. Your response is to cite examples of crappy software security, and then to sneakily reformulate your argument so that it applies only to encryption that isn't "end-to-end".
Neither Blackberry nor Skype were crappy software security solutions until they were subverted. They were subverted on purpose. It's disingenuous to call them crappy without digesting the context by which they came to remove strong security garuntees. Like the case with Apple (you didn't reply to that) either this subversion was done voluntarily or it was compelled.
My thesis is that the constellation of laws and their interpretation are such that the any products which become leading communication services will be subverted. Through mandatory data ecrow and the TPD as we spoke about earlier, and through financial and political pressures, incentives and (as we know in extreme cases from the Snowden docs) sabotage.
So perhaps it's a vocabulary issue? Companies that will sell in-transit encryption but remove it or store plaintext I would call a backdoor. We agree that this is required by law.
Where we seem to disagree most is the canonical case of Skype. Skype was purposefully subverted and I argue that the constellation of laws we've been discussing were used to do it. I can imagine two other stories one could tell:
1) E2E encryption was removed voluntarily; no compulsion (I would need a lot of convincing)
2) E2E encryption removal was a silly regression that has been noted but not fixed for years (I would need even more convincing)
I would agree wholeheartedly that when it comes to the Skype case there are technically, by letter of law, no laws that force companies to remove or backdoor E2E.
I think here is where we disagree: I think in practice, by the examples we've been able to witness, that broad interpretations of these laws, in conjunction with financial and political pressure are in fact used to leverage changes law enforcement and intelligence community members need.
Lavabit is exactly the problem with your analysis. The core problem of Lavabit wasn't that that the government compelled Levison to retain the ability to decrypt messages. No, Levison chose to do that, because the market punished real secure message providers for forcing users to install software. (a) If you have the ability to decrypt messages, (b) the government is allowed under current law to exploit that. Now Levison's defenders want to point the finger at the DOJ and surveillance law, insulating him from the consequences of his own (frankly) terribly irresponsible decision to expose his users secrets in exchange for market share.
The original citation to CALEA which people "fixated" on was yours. Your claim was that CALEA compelled software companies like Apple to backdoor encryption. It does no such thing.
No law exists preventing anyone from building a truly secure messaging service. TextSecure and Silent Circle are doing it out in the open right now. A disinformation campaign suggesting otherwise would be harmful to end-users.