Here, try this on for size: Snowden was using Lavabit. The feds approached Lavabit and tried to force Ladar to hand over users' information. The flaw with Lavabit was the fact that users' data, or passwords, or keys, were momentarily in server memory. That momentary exposure, the feds said, meant the users had no reasonable expectation of privacy, so Ladar was legally required to hand it over, under penalty of obstruction of justice and various other charges.
Snowden has also been quoted, something about don't use Dropbox, use SpiderOak instead. It is implausible to believe the NSA didn't know that he used both Lavabit and SpiderOak, but there was no noisy implosion of SpiderOak, no mention of anything. While this doesn't prove anything, you have to wonder, were they approached too? Did they silently hand over data, as Lavabit refused?

You might say, "SpiderOak, zero-knowledge, means they couldn't/wouldn't hand over data, and even if they did, it would be meaningless, because it's encrypted client-side without exposure of passwords or keys." If this is true, the canary report should be like ProtonMail's, itemizing the number of requests, the number of requests granted, and including the statement "ProtonMail can only turn over encrypted user data [...]. ProtonMail does not have the ability to decrypt user messages."

Keep Lavabit in mind and see this: "Important Note: When accessing your data via the SpiderOak website or a mobile device, you must enter your password which will then exist in the SpiderOak server memory for the duration of your browsing session. [...] your data could potentially be readable to someone with access to the SpiderOak servers."
https://spideroak.com/features/private-by-design

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/