Slashdot Mirror

← Back to Stories (view on slashdot.org)

Phil Zimmermann's New Venture Will Offer Strong Privacy By Subscription

Posted by timothy on from the sounds-like-a-pretty-good-plan dept.

New submitter quantic_oscillation7 writes with this excerpt from the Register: "Phil Zimmermann and some of the original PGP team have joined up with former U.S. Navy SEALs to build an encrypted communications platform that should be proof against any surveillance. The company, called Silent Circle, will launch later this year, when $20 a month will buy you encrypted email, text messages, phone calls, and videoconferencing in a package that looks to be strong enough to have the NSA seriously worried. ... While software can handle most of the work, there still needs to be a small backend of servers to handle traffic. The company surveyed the state of privacy laws around the world and found that the top three choices were Switzerland, Iceland, and Canada, so they went for the one within driving distance."

5 of 219 comments (clear)

  1. They better not do the mistake of Hushmail... by Anonymous Coward · · Score: 5, Interesting

    Canada is decent, but they can still be forced to modify their code to catch people on demand of Interpol there.

    Look what happened with Hushmail.

    1. Re:They better not do the mistake of Hushmail... by Anonymous Coward · · Score: 5, Interesting

      If I were doing a service like this, I'd split the company into five independent divisions, either owned by a holding company in Antigua, or otherwise protected the same way the telephone scammers keep a step ahead of the authorities.

      First company does the billing. Then it sends money to the other three companies, using tokens that change often. This separates users from their online userIDs.

      Second company does the client coding and makes packaged, signed executables.

      Third company takes the packaged code from company #2 and installs it. The reason for this is to make it harder for backdoors to be inserted at the whims of a local government. Users will easily see the executables have invalid signatures. Because company #2 is a separate firm, it is harder to demand they create a bongoed executable.

      Fourth company provides the VPN service, and tosses logs between IPs.

      Fifth company does the servers. Since the clients do a layer of encryption, commanding the server holding company to cough up user data is going to not give much, other than perhaps traffic analysis reports.

      This isn't perfect, but it means that if the servers get seized, the data isn't compromised. Same if the client making company gets demanded they insert a backdoor, or the network between the servers is seized.

      I would like to work on a service like this However, the main reason why I wouldn't run it is because of cynicism -- it would turn into a nice stomping ground for the child pornography crowd, not to mention a haven for people who are interested in turning the a local church or synagogue into rubble.

    2. Re:They better not do the mistake of Hushmail... by rioki · · Score: 5, Interesting

      Ok kill me if you like. I really do not endorse CP in any form. But sending JPEG or AVI files around does not do any real harm. Cut the balls off the dude who actually took the pictures; do whatever you want.

      But there is a good case for strong encryption within legal bounds. Why do we have to hand over all our civil liberties just because someone says Terrorism and Pedophiles?!

      The police should do real police work, like infiltrate the organisations, instead of relying on stupid criminals and technological gizmos. I can still use strong stenography and encryption on my open e-mail connection, if I feel like it.

  2. Maybe I'm just a retard..... by Anonymous Coward · · Score: 2, Interesting

    But if it's made up of a bunch of ex-navy seals, can you really trust that it's going to be secure against american intelligence access? And if it *IS*, what does that say about these EX-SEAL personnel? The old 'loyalty to your job' versus 'loyalty to your country' :D

  3. Re:Help me out here... by Anonymous Coward · · Score: 2, Interesting

    why does the server location even matter?

    I'd go one step further and wonder why it needs dedicated servers at all.

    If email is end to end encrypted (a thing that's very easy to do already) it does not need any NEW infrastructure. The existing email infrastructure works just fine, the only difference being that the messages are encrypted, and anyway the encryption keys better be known only to the endpoints, or it defeats the entire purpose.

    Same for IM and other things - all that's needed is client support. The very fact that there is some custom server involved would make me REALLY nervous about whether this is trustworthy.