Theymos of the Bitcoin Talk forum today revealed that he recently received, and complied with, a subpoena for posts made by current and former employees of BFL, along with the contents of their private messages.
I recently received a subpoena related to a case against BFL (Case No. 14-CV-2159-KHV-JPO). I had to release all database info on a few employees/ex-employees of BFL (including their PMs), plus a complete copy of every thread in which anyone mentioned BFL or in which a BFL employee participated. (It was a huge hassle to put all of this info together.) The subpoena originally demanded all PMs that even mentioned BFL, which is ridiculous, but I managed to get this part eliminated.
If a PM of yours was released due to this, then I already sent you a PM about it.
I don't think that I'm going to send PMs about deleted posts that were released. 3196 users had deleted posts released, and I don't really want to send that many PMs when almost no one would care. I feel like people should have basically no expectation of privacy for something that they posted publicly anyway.
I also released all "report to moderator" reports involving or mentioning BFL. I don't think that these are very sensitive, so I'm not going to send out PMs about these.
This is not the first time that Theymos has complied with a request for further information on users of his forum. In December of 2014, he revealed he had turned over deleted posts made in the "A Heroin Store" thread to the United States in relation to the Ross Ulbricht case.
Today's announcement is surely a cause for concern for anyone who was foolish enough to believe private messages sent and received on Bitcoin Talk were actually private.
Here is how you have to deal with a subpoena: https://www.youtube.com/watch?v=XYe94GtMkJQ
This is yet another example of how using GPG could completely remove a forum operator's liability for the content on his forum, and his ability to supply its contents on demand to the State.
If each forum user was compelled to use a GPG key management and posting client to access the forum, the system operator would only be running a database of encrypted entries and PMs that are useless to any state imbecile with a subpoena.
Every post encrypted with GPG means the database holds only ciphertext. The client that accesses the forum manages all the keys, so you can read and post; as far as the user can see, the entire forum is plaintext, but in fact it isn't at all, until it is decrypted in the client. In transit and in the database tables it's completely inaccessible to everyone.
Breaking into the PMs on the system would mean capturing the physical machines of one of the two participants in any chat, and if the keys were per session, getting the machine would be useless for that, since the keys are destroyed at the end of the session. At the very least it makes fishing expeditions infeasible.
Failing a fully encrypted forum system, anyone running a Bitcoin related forum inside US jurisdiction is completely insane. Anything that is posted there can cause your operation to be subjected to a subpoena, causing you at the least to spend hours retrieving hundreds of posts, and of course, violating the users of your system. Saying, "it's all public anyway" is no consolation; the system operator has cherry picked whose messages get the special care and attention of the state. And if "it's all public anyway", why would they need to ask the system operator to do their unpaid work for them?
The very least that board runners should do, failing the creation of a whole new layer on top of forum software like Discourse http://www.discourse.org/, is move the hosting, and the incorporation if you have one, outside of US jurisdiction, so you can politely decline to provide any data or abuse your users, as Mircea Popescu did for one of his clients.
If Apple and Google are choosing to lock out the State and de facto refusing to comply by rolling out military grade encryption of everything by default, no one on any Bitcoin related forum should expect anything less than absolute privacy.
The US is completely toxic, not only to Bitcoin itself and companies that work with it, but it's toxic even to people who talk about it. In the past, when there were scant few solutions barring silence, you could be forgiven for just putting up with this totalitarianism, but now with GPG and Bitcoin there is no excuse at all for tolerating it. Move jurisdiction, use GPG and remove yourself from the stink.
Huh ?? Apple and Google can no more "lock out the State" than ISIS can lock out the Arabs. They're indistinguishable from one another and any pretense to the contrary is very, very suspicious. It's a bunch of security theatre and "teaching the controversy." Nothing more.
The important word there is "if", it's a hypothetical, nothing more. As for ISIS locking out the Arabs, this is obviously a bad analogy. I don't think it's ever a bad idea to think about how to lock out the State and other attackers.
The really interesting question here is whether or not it is possible to create a handset, or any platform, that can completely exclude an attacker. That's the first step to actually doing it. Whatever its merits, Silent Circle is trying to do this.
I am always suspicious of anyone, especially a journalist, who imputes omnipotence to the State and the false idea that they can get into everything, no matter what it is. This was a meme in the late 90's with PGP, "They can get into anything, even PGP", when it was never true. That sort of talk (quite apart from the difficulty of using PGP) undoubtedly made some say, "what's the point if they can read your email anyway?", slowing its adoption.
What is the purpose of spreading doubt (doubt, not the truth) about the security of any product? It causes people to stop speaking openly on them or adopting them, which ultimately serves the purposes of the State, who even if they could get into every communication, which we now know they cannot, do not have and never have had enough staff to get everyone or put a human ear or eye on everything.
The effect of saying that the state is omnipotent, "so don't even bother" is to stop people adopting good practices en masse. The question anyone who can think asks, is what does anyone have to gain, personally, from stopping mass adoption of strong cryptography? Or the idea of it?
In any case, the question is moot. The direction of travel is towards "encrypt everything", the State will never ever have enough men to violate the vast majority, and non state actors don't have the means to break into platforms that have poorly implemented encryption, never mind well implemented ones.
Using my cypher would count as 'encrypt everything', too. So people like you will think you're being protected from the state and your electronic communications are safe in the hands of the Google and Apple guys.
As for the Silent Circle you mention, much lols are being had: http://qntra.net/2015/01/blackphone-less-opaque-than-promised/
Using my cypher would count as 'encrypt everything', too.
Your cipher was broken o mighty Emperor, master of the known world; for your citizens, it's back to "year 0". Oops, Romans didn't have a zero. Mebbe give the peasants simple math before unleashing your private perfect cipher Imperator Rex Omniderp?!