Who Will Take The Privacy Seppuku Pledge?
from the after-you dept
When Techdirt wrote recently about yet another secure email provider opting to close down its service rather than acquiesce in some future US government demand to spy on its users, we noted that Cryptocloud has promised something similar for a while -- what it terms "corporate seppuku":
In the context of privacy issues, "corporate seppuku" means shutting down a company rather than agreeing to become an extension of the massive, ever-expanding, secretive global surveillance network organized by the U.S. National Security Agency. It means, in short, saying "no." Sometimes, we hear people say that this or that company "had no choice" in what they did. Bullshit. There's always a choice; it's just that the consequences of certain options might be really severe, and are thus not chosen. But that's a choice. It's always a choice.
It has even formulated what it calls the Privacy Seppuku pledge:
if a company is served with a secret order to become a real-time participant in ongoing, blanket, secret surveillance of its customers... it will say no. Just say no. And it will shut down its operations, rather than have then infiltrated by spies and used surreptitiously to spread the NSA's global spook malware further. You can't force a company to do something if there's no company there to do it.
It's a noble gesture, but would it do much good in the real world of US government spying? Cryptostorm, the company behind Cryptocloud, has provided a fuller analysis of why it thinks such a pledge would work. Here's a key point:
That one that went thru with the seppuku? She'll likely have a new service up and running in a few days or weeks. The customers who got dinged by the shutdown? They'll all get up and running on her new service. This is all 1s and 0s, remember? You don't have to demolish a car manufacturing plant, after all -- you're just wiping some VMs and reincorporating elsewhere. Lease new machines. Call it "lavabutt" on the new corporate docs, in Andorra. Sign on to the Privacy Seppuku pledge, as lavabutt, again. Off you go. Do you think it'll be hard to get customers -- old ones migrated over, and new ones alike? Think on that: a privacy company that shut down rather than be #snitchware... do you trust them, now?
That resilience flows from the service's digital nature, the availability of powerful but free software, and Moore's Law driving down the cost of commodity hardware. Put together, they make it easy to to recreate a business if it is shut down (apart from the lost data, of course.) The NSA will get this salient feature, CryptoStorm believes:
Spooks aren't dumb -- far from it. They do these kinds of analysis -- hell, they hire some of the best game theoretic minds in the world, and always have. Local cops might be power-drunk and unable to see how their actions play out over time; the NSA isn't any of that. They have whole buildings full of very smart people paid good money to think about this stuff. They won't get it wrong.
It's an optimistic vision, but the fact is that at the time of writing, only two services are listed as having made the Privacy Seppuku pledge -- Cryptocloud and Cryptocat. Until more join the club, it remains more a nice idea than a practical way of fighting back against today's mass surveillance.
And the outcome is simple: if the Privacy Seppuku concept spreads, it becomes useless to target companies on the pledge list! You won't get what you want, you'll make some heroes who go out and do bigger stuff next, you'll out yourselves as dangerous thugs, your "secrecy" is shot to hell, and after all the effort involved you end up backwards from where you were before. That's the scenario, it's how it plays out. There's really no alternative scenario.