I'll repeat my question, which you ignored in favor of quibbling with a tangential point: What makes you think U.S. law treats makers of products any differently, assuming TrueCrypt's creators and maintainers can be identified?
If you want examples of FBI surveillance untethered to the law, we can provide those. Look at the video of the public forum I hosted with Ladar (of Lavabit) in SF last fall. Look at warrantless cell tracking, which I was the first to disclose circa 2006, and which is now the subject of significant litigation. Look at the warrantless use -- not just by the bureau but other police agencies as well -- of physical GPS tracking devices. How about surreptitious black bag jobs to install key loggers to extract PGP passphrases before this was authorized by the 2001 Patriot Act?
Here's another from last summer, which I was the first to disclose:
Huh! Where does the FBI get the legal authority to do that? Shouldn't, you know, Congress set the rules here after openly debating them in a public hearing?
Again, all these points are tangential to the question of FedGov product backdoors. (Note I'm expressing no opinion here about what's going on with TrueCrypt.) This survey I did in 2007 is probably worth repeating:
http://news.cnet.com/Will+security+firms+detect+police+spywa...
I'm no longer doing this kind of reporting (and left to found the SF-area startup http://recent.io instead) but I hope someone tries to replicate it today with a broader set of companies.
I'll repeat my question, which you ignored in favor of quibbling with a tangential point: What makes you think U.S. law treats makers of products any differently, assuming TrueCrypt's creators and maintainers can be identified?
Something must be wrong because this is 100% the question I believe I responded to. I will attempt so again now:
* Statute gives the government the right to compel certain service providers to actively assist in wiretapping. Example law: CALEA
* There is no U.S. law that gives the government the right to compel arbitrary third-parties to modify their products to make wiretapping easier.
You give a long list of bad things the USG has done, but none of them involve vendors being compelled to modify products.
(In another domain, banks have to report transactions over 10K, but that's completely the result of statute, the Bank Secrecy Act.)
> There is no U.S. law that gives the government the right to compel arbitrary third-parties to modify their products to make wiretapping easier
This is an interesting claim. It would be more interesting if the U.S. government publicly said its interpretation of the law is the same as yours. It has not. :)
If you want examples of FBI surveillance untethered to the law, we can provide those. Look at the video of the public forum I hosted with Ladar (of Lavabit) in SF last fall. Look at warrantless cell tracking, which I was the first to disclose circa 2006, and which is now the subject of significant litigation. Look at the warrantless use -- not just by the bureau but other police agencies as well -- of physical GPS tracking devices. How about surreptitious black bag jobs to install key loggers to extract PGP passphrases before this was authorized by the 2001 Patriot Act?
Here's another from last summer, which I was the first to disclose:
http://www.cnet.com/news/fbi-pressures-internet-providers-to... "The U.S. government is quietly pressuring telecommunications providers to install eavesdropping technology deep inside companies' internal networks to facilitate surveillance efforts..."
Huh! Where does the FBI get the legal authority to do that? Shouldn't, you know, Congress set the rules here after openly debating them in a public hearing?
Again, all these points are tangential to the question of FedGov product backdoors. (Note I'm expressing no opinion here about what's going on with TrueCrypt.) This survey I did in 2007 is probably worth repeating: http://news.cnet.com/Will+security+firms+detect+police+spywa...
I'm no longer doing this kind of reporting (and left to found the SF-area startup http://recent.io instead) but I hope someone tries to replicate it today with a broader set of companies.