[Cryptography] Gilmore response to NSA mathematician's "make rules for NSA" appeal

John Kelsey crypto.jmk at gmail.com
Wed Sep 25 18:14:54 EDT 2013

On Sep 25, 2013, at 2:52 AM, james hughes <hughejp at mac.com> wrote:

> Many, if not all, service providers can provide the government valuable information regarding their customers. This is not limited to internet service providers. It includes banks, health care providers, insurance companies, airline companies, hotels, local coffee shops, book sellers, etc. where providing a service results in personal information being exchanged. The US has no corner on the ability to get information from almost any type of service provider. This is the system that the entire world uses, and should not be our focus.

There are many places where there is no way to provide the service without having access to the data, and probably storing it.  For those places, we are stuck with legal and professional and business safeguards.  Your doctor should take notes when you see him, and can be compelled to give those notes up if he can access them to (for example) respond to a phone call asking to refill your medications.  There are rather complicated mechanisms you can imagine to protect your privacy in this situation, but it's hard to imagine them working well in practice.  For that situation, what we want is that the access to the information is transparent--the doctor can be compelled to give out information about his patients, but not without his knowledge, and ideally not without your knowledge.

But there are a lot of services which do not require that the providers have or collect information about you.  Cloud storage and email services don't need to have access to the plaintext data you are storing or sending with them.  If they have that information, they are subject to being forced to share it with a government, or deciding to share it with someone for their own business reasons, or having a dishonest employee steal it.  If they don't have that information because their service is designed so they don't have it, then they can't be forced to share it--whether with the FBI or the Bahraini government or with their biggest advertiser.  No change of management or policy or law can make them change it.

Right now, there is a lot of interest in finding ways to avoid NSA surveillance.  In particular, Germans and Brazilians and Koreans would presumably rather not have their data made freely available to the US government under what appear to be no restrictions at all.  If US companies would like to keep the business of Germans and Brazilians and Koreans, they probably need to work out a way to convincingly show that they will safeguard that data even from the US government.   

