I kinda see Scryptmail's point on server location. No country is perfect. No email service is perfect. While it's true USA services can be ordered under a national security letter to give information the USA does have very good law of free speech.
Thanks for commenting on my response. Thanks for commenting on my response. I agree with most parts and concerns. Unfortunately being internet based business borders become very abstract and very hard to enforce, and offer service in such complex topic as encrypted service is not making it any easier.
The problem seems to me to be - with this class of browser-based email service - that the functionality is executed locally by javascript code sourced from the service. If my understanding is wrong here, please correct me. That being so, then, as you've said, legal coercion in the US could easily require the service provider to modify their client code using National Security Letters. For all that a previous version of the code may or may not have been audited, or that the code is open doesn't matter because you don't check it every time it changes. If the client code is compromised, then you're toast. So the problem IS the law in that jurisdiction, and deservedly, consumers do not wish to accept that (granted that other places are terrible too). Nor, when they're living outside the US, and given the US arrogant attitude that pesky foreigners are dirt and can be monitored without seeming restraint, many consumers are choosing to place their business elsewhere for that reason alone. Emotion does matter.
Well the German government is definitely spying on it's own citizens. The Swiss government probably has surveillance in place too. I don't think any where is safe. Sure there are places with good privacy laws but one court order and privacy will go out the window. The problem is you have to trust someone. Whether they be located in the USA, Germany or Switzerland. Location doesn't matter. You should be using PGP no matter what email service you use. I think in the end email services are much of the same really.
@ComputerSaysNo In terms of budget, collect-it-all mentality, ignoring international law such as it is (or that of its partners e.g. EU and the laughing-stock "safe harbor"), and megalomania, the US trumps pretty much everyone else. Plus they have their "partners"/vassals telling them all the bits they don't get directly (and threatening e.g. Germany with withdrawal of "sharing" = indiscriminate bulk data transfers). In the notions of Jaron Lanier, the US have the Siren Servers. There is a case that you should go for an email service in your own jurisdiction, because then there's a slight chance that they might actually obey the law in respect of their own citizens - but no, they don't do that either, or follow the constitution, or even common sense and decent behavior. Incidentally, I am OK - as a citizen - accepting individually warranted interception with probable cause (and decent auditing). and only accept foreign requests for information under MLAT similarly. But that's not what we're facing, and they have the nerve to complain that people are using strong encryption. As you say, the only chance you have is with a secure desktop with PGP etc, and that's getting increasingly hard to achieve, by design. But I am in the market for a country with the jurisdiction where they obey the Rule of Law, and will commit to following emerging international norms which respect privacy. They'd be wildly popular as a hosting and services destination, and wildly unpopular with repressive regimes everywhere.
Lavabit offered excellent privacy and look what happened to their clients. I'd be more than a little miffed if one day I woke up to find ALL my emails of many many years suddenly gone. If you're involved in illicit activities (terrorism, kiddie porn, etc), I would trust NO government to "protect your privacy". I prefer to hide in plain sight.
How does hiding in plain sight protect you from false positives, data loss to criminals, lovint, whatever. Not just in your country, but in all the countries your TLAs decide to share with. If you trust your LE with databases, then you will sleep sounder till you don't. We won't actually be safer until strong encryption is used on email routinely, which "should" already be done in a b2b context for data protection purposes. Businesses are negligently able to get away without this despite humongous data leaks and flouting of their DP responsibilities, because their governments and security services don't want it to happen.
After months of researching for encrypted service and a good way to do it, I can draw a few conclusion: a) no email service can offer you government protection (if you on the radar for NSA) they will get your data! Be it police calling to Iceland, and very liberal country with strong privacy laws just handle shadow copy of server without any problem (silkroad). Or use just $5 wrench method. It's inevitable. I would personally be alarmed if email service less than 1-3 years old claiming such a thing like protect your privacy from government, or "NSA can't break". - They only thing is NSA can't break, is they don't have to even break it. b) you can try to use servers located in Russia or China to hide from NSA. But who can guarantee their own agencies wont read what your are trying to hide? If you want to be safe, stay under radar is the only option. How you do that - complicated, years of experience and almost impossible. Best of all not to do anything "very illegal" they would not worry if you are cheating on your wife, or at least if you are not big politician figure and they looking for the way to blackmail. c) protect your data from rogue employee (Sony). Let say they did a lousy job, but who guarantee that gmail or yahoo have it better? End-to-end encryption can give you at least some sort of insurance/chance, that angry employee have less ability to cause such damage. We all know where is "free cheese". d) encrypted email wont give you absolute protection from day zero, but you have to start from somewhere.
I think that's well put. With all due respect to Scryptmail, there are real differences between legal jurisdictions--not just in terms of the letter of the law, but in terms of the practice of what specific governments have actually done. Saying that no solution is perfect or every country has its problems, to me, is really a hand waving excuse used to draw false equivalences. Of course, it is always true that no country is perfect, but using such a statement to efface real legal differences I think is intellectually dishonest. So I'm just not buying it. Technology and encryption matters, but so do other factors, like politics and legal jurisdiction. It is also just not true that Germany and Switzerland are spying on their own citizens the way the U.S. does. Germans are very senstive about privacy. The experience of the Stasi is still a recent and painful experience for Germans that they are very reticient to return to this sort of regime. The Swiss have a long tradition of respecting privacy for their own political and ecnomic reasons. These differences are real, no matter how much people want to wave their hands and deny them. Do they offer a perfect solution? No. Is the choice and either/or? No. There are encrypted email services (Tutanota, Protonmail) that are just as good as Scryptmail AND they are located in jurisdictions that have real privacy benefits over the U.S. Talking about servers in Russia and China, obviously deeply problematic regimes with no real rule of law, is also a way of obfuscating the issue and pretending that countries like Germany and Switzerland are different in real ways. Further, saying that if you become a specific target of the NSA then you are toast no matter what is also a way of avoiding the issue. This is not the situation for most people. For most people, the benefits of other legal jurisdictions are, again, quite real. If one wanted to make a good argument for using an encrypted email service in the U.S., I would say that for U.S. citizens (and only U.S. citizens), who are in fact located in the U.S., when they are sending non-encrypted email from a service like Scryptmail to people who are not Scryptmail users and those people are also located in the U.S., then legally their email is not subject to mass collection by the NSA. Whereas an email coming from a server in Germany or Switzerland would be. So for that specific purpose one could argue there is a benefit to having servers located in the U.S. (Although this assumes that the email is not routed out of the U.S. as some point as it travels from point A to point B, which can happen with email that both originates in and has a destination in the U.S.) Aside from that (non-trivial) scenario, however, the argument that there are no real benefits to encrypted email services located in Germany and Switzerland falls very flat for me. The reality is that a service like Protonmail has gone to great expense to not just locate its service in Switzerland, but to physically own and control its own servers. This has real benefits. But it's understandable that this sort of expense is not feasible for everyone who wants to set up an encrypted email service.
Everything what you said is make perfect sense if we live in perfect world and everyone play by the rules. Unfortunately situation in my point of view is far away for being even to be close to perfect. Without going deep into details, between two tutanota and protonmail, I can't see how is company located in USA but having server in Swiss can offer better protection than those who hosts in USA. If you have ties with USA it doesn't matter where servers are located. It just not. If you can bring some facts when being located outside of US have benefits or company denied to give out data it would be great to support your case, but not until then. I can give you examples when this countries cooperated with US DOJ, last FIFA scandal not to go far away is perfect example. It looks for me, that you assume I'm trying to protect SCRYPTmail and justify our USA location, but I'm not. We are hosted with SoftLayer and can have bare metal servers installed in Germany tomorrow, or France, or India. But to do so, we need slight evidence that user privacy will be protected better. Obviously I don't trust written laws, as I'm hearing everyday same laws has been violated and simply ignored by same entities who should stand behind them.
I'm not talking about a perfect world. I'm talking about the actual world in which there a real differences between different countries and laws do matter, even if not perfect. It comes across to me like you have constructed this false dichotomy between a "perfect world" and the "real world" in which there are no differences between anywhere and laws never make a difference and so it doesn't matter where an email server is located. So from my prespective your argument allows for no inbetween where things aren't clean cut, but that doesn't mean there are no differences at all. The examples you have cited of cooperation between countries and as found in the Scryptmail FAQ do not even have to do with email services. You cite the recording of Merkel's (unencrypted) phone calls (by the NSA not by the German government). The seizure of Silk Road's servers in Iceland. Switzerland's cooperation with the DOJ about banking accounts (having to do, I believe, with tax issues in the U.S. and terrorism cases). These are tangentially related cases that you invoke to create the appearance that there are no real differences, but which are poor analogies. Just because there has been some spying and some cooperation, doesn't meant that everyone is cooperating on everything. And there have also been some very pointed push back in Germany and Switzerland against U.S. pratices. There are also many examples that have come to light of the use of national security letters in the U.S. to secretly force disclosure of information and even force changes in how a secure system works to access such information; courts can also issue gag orders to the same effect (Lavabit). As far as anyone knows, this has not happened in Germany or Switzerland. Given that this sort of action is legal in the U.S., it should not be surprising that it has happened in the U.S. There is no reason, other than speculation, to believe anything like this has happened in Germany or Switzerland that have strong laws against it and strong historical and cultural reasons not to do such things. So, I think I'm talking about the practical world and how it actually is. Not perfect, but with real differences. Your arguments seem to create false equivalencies and work through straw man arguments and inappropriate analogies. The idea that everywhere is the same and everyone is cooperating I think is a vast over-generalization and over-simplification and it flies in the face of known (legal and governmental) opposition to this sort of spying in some countries. I will also say that hosting an email service with some hosting company anywhere in the world is quite different, as I already noted, from physically owning and controlling your own servers in a carefully chosen location, as Protonmail has done. Are Protonmail or Tutanota perfect? No. Are they fundamentally different, depending on an individuals needs from an email service hosted in the U.S.? Yes. Anyway, I don't think we are going to agree. And I don't mean to knock Scryptmail in general, which at least based upon the information on the website seems like a good, well constructed service with lots of great features. And as I stated above, I do think there can be some potential value to an email service located in the U.S., for U.S. citizens, as far as bulk collection of data is concerned. But I do find your arguments about server location to really not hold water and to deny obvious practical realities.
Yeah, I think we should agree to disagree I still appreciate your input and should revision some of my responses in FAQ.
Yes, I agree to disagree. And to be clear, the only reason I started commenting on Scryptmail to begin with is because someone mentioned it, I looked at the website and thought it looked like an interesting service with good features, but had some questions and was interested in other people's thoughts. So it was out of curiosity and interest in Scryptmail that I commented.
I must ask cb474 have you actually been to China or Russia? Have you ever been to Germany or Switzerland? Have you ever been to the Netherlands? It's easy to comment about privacy from your desk but unless you have been there you really have no idea. All countries have state sponsored surveillance.
I'm a bit confused here. Much of what you will be facing as a service provider is not to do with what you yourself or as a company think is right or reasonable, it's what your customers think. If a significant proportion of them are concerned with the jurisdiction issue, why are you fighting that? It's no big deal to incorporate somewhere else, and sometimes, not much bigger deal to operate somewhere else, in terms of equipment location. If you were choosing ab initio, I wouldn't be starting with the US, unless you are only serving the US internal market. Perception matters. Why else did Silent Circle move to Geneva (but retained gear/offices in the US and UK and elsewhere)? Yes, all nations have state sponsored surveillance. Have for hundreds/thousands of years. But the scale and arrogance of the current US programmes, done in secret with secret interpretations of secret laws is completely new, has never, ever been done before in the history of humanity. And they have applied it to a far greater extent than any other nation to all other nations they can get their hands on(without apparent constraint) . My reaction to that mirrors that of the Google engineer. The essential problem is lack of rule of law, constitutionality and due process, typified by the NSLs, FISA, and executive orders. Yes, other countries also have eroded the rule of law, but the scope, culture and laws do differ.
Hi @mirimir I have a chart here that might provide more depth for a few services that you are reiewing - http://www.emailquestions.com/encrypted-email-service-providers/ Has your review been published yet? I'll likely be able to use it to help improve what I've been working on, especially for the number of services. @cb474 - SCRYPTmail does have on their road map adding servers in other regions such as the EU. I think that point was missed previously in this discussion. We believe having your encrypted data in the U.S. is OK, but also plan on making service available in other regions for those that disagree. The EU service will be separate from the U.S. I appreciate all of the other input here too and will use it to help improve and clarify the SCRYPTmail FAQ. Thank you, -Ray
It's very legit question, but very hard to give short and clear answer. The main reason, it's because in my understanding, location plays an important role, but a little different that it understand by the most users. My goal is to stay clear with user as much as I can. For example two user in this forum: cb474 and ComputeSayNo both of them aware of location, but have different opinion on the fact. Lets assume for a second, I decided to host my servers in Europe, as cb474 adviced, but still living and being incorporated in US? What jurisdiction should I obey? In my opinion, if I want to be US independent, I should move to Europe at the beginning; otherwise there is 1001 way to leverage my cooperation with US agencies. Same apply not only to SCRYPTmail, but to another services as well. As long as users are well aware of my location and possible outcomes, I think my goal is accomplished. Another reason we all keep forgetting, is that US laws not only do things in favor of NSA, but it has laws protecting freedom of speech, Fourth Amendment. Same agencies disobeying European laws, seizing servers or capturing people, can not do the same in US without court decision, which you still can fight. We can import goods from China or technology from Japan, but if we try to outsource our privacy we better admit we live in prison state with no essential human rights and give up on fight before even try.
@deBoetie Please see my post 117 , it might get missed since there were additional replies before I was approved to post. I wanted to clarify and make sure it's known that SCRYPTmail does intend on offering service outside the U.S. Out of curiosity, if you had to rank your top 5 concerns & features about an encrypted service, what would those be, and does the server location rank in that top 5? Thank you, -Ray
Thank you for again saying, what I've been trying to say, more succinctly than I managed. I did see that, thank you for pointing it out again. I was responding to the fact that at the moment the servers are only in the U.S., so that is the current reality. Also Scryptmail is incorporated in the U.S. (correct?), so that means even if the servers are elsewhere I think that can be subject to U.S. court orders. But mostly I was responding to the FAQ that made an argument that location doesn't matter and everyone is spying, which, for reasons stated above and that don't need to be repeated, I don't agree with. I think the reality is a far less extreme than that. It does seem to me that many of your arguments are based on postulating an extreme and then using it to dismiss all other more nuanced gradations before that extreme. The U.S. is not a "prison state with no essential human rights," but it has undergone a severe degradation of privacy rights, when it comes to digital information moving through the internet or stored on servers, as well as a degradation of the right to be immune from unreasonable search and seizure in the digital realm. The U.S. has many freedoms and rights that are well protected and better than most other countries. We are only talking about what has happened in the digital realm. Using the advantages of different legal jurisdictions and political regimes to get back some privacy is a reasonable strategy and far from an admission that the U.S. has become a police state. It is only an admission that the U.S. isn't prefect, nor always the best in every domain. Just as the NSA, etc., takes advantage of the global nature of the internet to circumvent the privacy of U.S. citizens and foreigners, so too can U.S. citizens and others take advantage of this global nature to regain some privacy and rights. It's a new world, with new global possibilities. That doesn't make the U.S. a police state, just because it has a bad track record in certain areas. Reality is a lot more complicated than you make it out. It's not either the U.S. is a police state or location for email servers doesn't matter at all. Reality is in the complicated actual world that exists between those two extreme and entirely fictive poles. I know you weren't asking me, but I'll answer anyway. Yes I would definitely put location in my top five concerns. For certain purposes (I have multiple email accounts) I would consider location a sine qua non. For my most private encrypted email, I would definitely want a service entirely located and incorporated outside the U.S., in a country with strong privacy rights, a stable democratic regime, and which does not always cooperate the U.S. at every chance. Of course the next, better, step would just be to use PGP myself and not worry about location, but the chances that I'm going to get any of my friends, etc., to do that is about zero. For me I want 1) strong properly implemented end-to-end encryption, 2) open source code especially for the encryption, 3) a committment to seek out third party review of code and not just rely on people doing it themselves, 4) a transparent team of coders who seem to be legitmate people known by third parties who can vouch for them (i.e. not one anonymous coder doing it as a personal project), 5) location. Those are all essential to me an in no particular order. That said, when it comes to non-encrypted email the jury is out for me regarding the advantages of a location outside the U.S. vs. within the U.S., due to the fact that any email traveling outside the U.S. will get collected by the NSA as a foreign communication (as I explain above).
By the way, on the topic of location, I think it may be interesting for all involved in this thread to read the comments of Andrew Lee, founder of Private Internet Access VPN service, a couple years ago, after the Lavabit fiasco. He is commenting specifically on "how NSA proof are VPN providers." Scroll down for the Private Internet Access section of the article: https://torrentfreak.com/how-nsa-proof-are-vpn-providers-131023/ Although a VPN service is different from an email service, his thoughts seem worth considering. He points out that Private Internet Access in incorporated and based in the U.S., but after the Lavabit fiasco the entire administrative and development team (the people who actually have the keys to access and alter their code) left the country and spread out to keep things decentralized. Lee himself stayed in the U.S., but gave up his keys and access to the system. So it's an interesting take on the location issue. I think this is a respected, well known person, in the industry, with coding knowledge, who came to the conclusion that location matters a hell of a lot and took real action to address this. Is this solution perfect? No. Does it go a long way to mitigate certain potential problems associated with individuals within U.S. legal jurisdiction? Yes.
I'll have to check with the lawyers. Worst case, if possible and necessary, I don't have an issue with incorporating separate for the EU hosting & billing. The short answer is that if it's possible and makes financial sense then I don't see why not and we'll get it done. I'm not moving to Europe anytime soon. From your points above, I agree getting #3 done isn't a bad idea, and for #4 I'm visible and bring 15 years of email hosting and related experience to SCRYPTmail.
g I'm not suggesting anyone move. That's obviously a huge committment. But the (perhaps the unfortunate reality for Scryptmail) is that users have choices about email services. We're lucky enough that there are a number of well done encrypted services now. And others running other services have made committments like this. If the discussion is about what makes sense for encrypted email, the answer may not always be great for the people running the service, depending on where they happen to already be located. Regarding "4," the team behind Scrpytmail, I'm confused. On the website, under "Scryptmail Team," there is only one person mentioned, Sergei Krutov. That creates the impression that Scryptmail is in fact the pet project of one person. I've been assuming Sergei is the person posting as "Scryptmail" in this forum. But you seem to be a different person who also works for Scryptmail (or you are very cleverly changing your writing style for different screen names ). Anyway, if there is more to the Scryptmail operation than reflected on the website, perhaps it would be valuable to provide that information. I also think an "About Us" or "About the Team" link at the very top of the website linking to that information would also be useful.
