Sarah Jamie Lewis

Really uncomfortable with (otherwise cool) organizations using the presence of cryptography to back up a security/privacy claim that is 100% policy based.

Just because they don't do a thing doesn't mean they can't do a thing.

"We don't know who you talk to" (because we don't log that information as it passes through our servers)

is a very different claim than...

"We don't know who you talk to" (because we physically and computationally will never have access to that information)

7 comments
Sarah Jamie Lewis

I get that, to many people, they are the same statement. And I understand why the world is the way it is.

But it really does make talking to people about security and privacy that much more difficult when people (who definitely know better) conflate the two.

And I think it makes the world just that little bit worse.

Simon 🥧 man 🥥🌴 🇺🇸

@sarahjamielewis are you saying the latter is worse? If so I presume you are worried about quantum computing one day cracking every communication, or maybe just a flaw in the encryption algorithm?

jenkinse

@sarahjamielewis A tad confused by the first sentence here. I mean, backing up a security/privacy claim with the presence of cryptography is a good thing, right? But if it's 100% policy based, that would imply the absence of cryptography, not the presence of cryptography?

Winfried

@sarahjamielewis Doing privacy analysis for a living, this is a daily dilemma for me. I'd rather see the data not processed at all, but some has to be processed for functionality. Ideally an organization acknowledges the sensitivity of the data with both legal (policy) and technological mitigations. And I often see encryption deployed in an ineffective way.

Dušan 🇷🇸 :arch: ⚛️

@drewdevault @sarahjamielewis Care to clarify? I always "felt" there was something wrong with Protonmail, but I just can't put a finger on it.
