Xerobank Question

Discussion in 'privacy technology' started by Searching_ _ _, Dec 23, 2009.

Thread Status:
Not open for further replies.
  1. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Indeed.

    Right. I can't imagine how Steve deals with that risk. I suspect that XeroBank (or Xero Networks AG, or whatever) isn't a typical corporation with offices, assets, staff, etc. Rather, I suspect that it's a network of like-minded individuals who trust each other well enough to work together, yet not enough to compromise each other. For example, if an effort to "conduct logging or tracing" required authorization by multiple administrators (perhaps anonymous) in multiple (perhaps unknown) jurisdictions, coercion might be problematic.

    I suspect that's true for many who post on Wilders ;)
     
  2. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    The way I have understood this, as far as logging goes, is that you can't get anything by logging just one server in a single jurisdiction, which in the scenario mentioned, would be in Panama. Now please correct me if I have misunderstood, but even if Panama tried to force Xerobank to give them access to servers in Panama, they would not get anything but encryption.. But I assume that a country like Panama would welcome a company like Xerobank and would not want them to take their business elsewhere.....which is undoubtedly what they would do if they gave them any ~ Snipped as per TOS ~ about logging.. Beyond that, I wouldn't be surprised if Xerobank was offering some free services to the government of Panama. Services that they would not be able to obtain otherwise. For free. Think about it. Just a thought.
     
    Last edited by a moderator: Jan 29, 2010
  3. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150
    -> caspian

    The implication was that since Xerobank's multiplexed servers are in two different countries, neither of which is subject to the jurisdiction of Panama, a court in Panama could not order logging with respect to those servers.

    But as indicated, a court wouldn't need to issue any order against those servers or the operators of the servers. The order would be issued against Xerobank to have logging carried out by Xerobank's employees, agents, or others who operate the extra-territorial servers that allow Xerobank to conduct its business operations. Moreover, according to conventional notions of jurisdiction, courts outside of Panama could also assert personal jurisdiction over Xerobank depending on the quantity and quality of contacts between the Panamanian company and other jurisdictions; or in the event a court were to view the Panamanian corporate structure as a mere pretext or sham (a complex determination involving detailed examination of the actual relationship between conduct of company business and the particular corporate structure in question).

    As to the encrypted nature of the data, Xerobank decrypts the data at least by the time it exits Xerobank's servers. Xerobank also knows or can determine the entry and exit servers for any particular stream of Xerobank customer data, and knows or can determine the form and arrangement of the data stream sufficiently to allow tracking of the known data stream through each of the designated servers.

    __
     
  4. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Right, I don't see how you'd get much from one node (server, router or whatever). However, adversaries that could log one node could arguably log any node, or find partners who could, and then they could start crunching.

    Re XeroBank and Panama, what you say is plausible. Indeed, recall that Bush Sr ended up invading to get Noriega ;) ... not that XeroBank is in any way comparable to him, of course.
     
  5. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    The problem isn't the logging, it is the administration. The servers are protected and encrypted to prevent tampering. There would be no point it attempting to order logs on the servers, as the ability to log ON the server would not be provided. What can be done, in the applicable jurisdictions, is to log incoming and outgoing traffic. What you get looks like this:

    Jurisdiction 1: --Encryption--> (Entry Node) --> Multiplexed Encryption
    Jurisdiction 2: --Multiplexed Encryption--> (Exit node) --> Plaintext

    You would have to be logging in both jurisdictions, AND be powerful enough to perform attacks on the traffic, as the multiplexing will not allow the individual traffic to be correlated back to the single-stream encryption between the entry and the user.

    You would, by definition, need a global adversary to even attempt an attack on XeroBank traffic.

    Panama, the jurisdiction of authority, does not see it that way. We operate online, and do not have any jurisdictional nexus outside of Panama. When you buy from XeroBank, you are actually chatting with Xero Networks USA, another entity. That entity does business with Xero Networks AG. Customers aren't getting access to the Panama corporation.

    Another good point. There are additional provisions for such attempts. For the purpose of leveraged unpredictability, they are not enumerated.

    It comes down to us being a trust domain, instead of a distrust domain. We can potentially do that, but not really. It requires a manual real-time live trace, which just isn't done. The security and privacy is rock solid on the network. Wait till you see the whitepaper.
     
  6. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150
    -> SteveTX

    Glad you replied so I can add a point I should have originally included; namely, your Panamanian corporate status does enhance your ability to protect customer data even if it isn't a "foolproof" solution. I'll explain a little.

    First the bad news. Litigation is a nightmare. An absolute nightmare. There is no absolute predictability or certainty except this: you will incur huge expenses, worries, and major interference with your ability to conduct business and live a normal life. This is particularly true when the opposing party (corporation or government) has substantial assets.

    Turning to the issue of courts in other locations asserting personal jurisdiction over Xerobank, the question you would face is whether a court in another jurisdiction, e.g., the US, would decide to allow a lawsuit against Xerobank to be filed in that jurisdiction instead of Panama. The legal code of Panama would play no, or essentially no, role in that determination. The issue would be whether the court in the other jurisdiction, e.g., a US Court, believes that Xerobank has had sufficient contacts (based on quality and quantity) with the US to conclude that, as a matter of fairness, Xerobank should be considered to be personally "present" in the US. If so, the court would essentially treat Xerobank the same as a US corporation and could issue orders and subpeonas directed at Xerobank. Assets, officers, and potentially owners of Xerobank, present in the US would be at risk if Xerobank did not cooperate.

    Another way an opposing party might try to accomplish the same thing would be to claim that the Panama corporation is a sham. The party would ask the US court to "pierce the corporate veil"; completely ignore the Panamanian corporate structure; and treat the individuals running the company as the true principals in the lawsuit. The legal decision whether to do this would be based on the law of the locality where jurisdiction is being asserted, and not on Panamanian law.

    As to what can and can't be logged, your opponent would retain technical experts to examine every issue of what you might claim to be not possible. The experts might suggest other ways to get the same information. Your US suppliers would get sucked into the mess and would be subject to interrogatories and depositions under oath. Depending on the circumstances, your overseas suppliers and/or affiliates might be subject to separate but related lawsuits in their jurisdiction if necessary to get the information sought. And based on that expectation, they might decide to help get the information your opponent seeks in your proceedings.

    Did I mention that this can be an absolute nightmare? I wouldn't wish it on anyone. But this sort of multi-national litigation can, and does, happen. Trust me on this; you are not, and can never be, absolutely safe. You cannot give your customers absolute safety from this sort of thing.

    To make matters even worse, should you find yourself in some sort of a Patriot Act nightmare, absolutely all bets are off. Even the major telecoms apparently choose to fold in this scenario.

    Neverthess, Xerobank's Panamanian corporate structure would represent a true hurdle on the path of anyone seeking Xerobank customer data. Intelligent and experienced opposing parties, including governments and corporations, are generally aware of the costs, delays, and difficulties involved in jurisdictional conflicts. One could reasonably assume that intelligent opponents would prefer to avoid this sort of legal conflict except in unusual cases involving high value assets. It would further be reasonable to assume that intelligent opponents would attempt to achieve their goals via a different parties and easier paths, if at all possible.

    __
     
  7. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I am very aware. We are provisioned for this instance. :)

    There we go. There are no assets, officers, the owners... well that won't fly lol. I myself am hired as a consultant, and i have no managerial authority. There are no straws to grasp at, to begin with you will need the Panamanian government's cooperation.

    There is one small issue there. You would be right with a traditional corporation, but that is because the structure is transparent in the country of jurisdiction. Unfortunately, our structure is fully opaque. I, among two others, might be the only people you could put your hands on. Sadly, I don't have the power or authority nor know what they would want. Good luck bleeding a stone. I am aware of the consequences, and I accept them.

    We've got that covered. :)

    Sadly, it will be really easy to show they don't have the info either.

    You are presuming there is info to be had from someone who can be squeezed. There simply isn't.

    I know I'm not safe, but our users are. In a world of what-ifs, nobody will credibly be able to go after customers the same way a Nike stockholder isn't going to have an easy time sueing a client wearing Nike shoes; you can try, but it won't have any merit.

    The telecoms have no say in the issue beyond a global adversary. That is outside of the threat model for consumer level services.

    Absolutely, and that is one of the best reasons why you are protected, it presents and huge hurdle in cost with a very bleak chance of any success. If you are such a high value target that the NSA is coming after you, you already know you are to be using a black system of your own devising.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.