Privacy Seppuku (Note: IANAL)

Let's say that you are an American who produces software that respects users' privacy. And one day, the FBI comes knocking armed with a National Security Letter (NSL) and demands your signing key so they can distribute malware to your users, pretending to be you. There is no legal defense you can mount; they covered their bases.

What do you do? Lavabit fought, and was ultimately destroyed. If more companies pushed back, maybe the government would stop using it as an easy way to force compliance and silence. Or maybe they would just carry a bigger stick.

Here's another idea. Comply, then get "hacked" and have the keys they're demanding get leaked online and/or published via full disclosure.

Here, being "hacked" means either:

a) leaking the key to someone, discreetly, over e.g. Tor with PGP and having them do it
b) leaking a backdoor to someone and having them actually hack in (over Tor) and steal the key

When the leak of your signing key makes the news, throw your hands up in the air and proclaim, "I don't know how we can recover from this! We have no choice but to shut down. Our source code is available, as always, at $link." Then do that.



pjstorm commented Jan 9, 2015

This is an interesting form of inverse warrant canary, in a sense: if things go bad, a predefined "dead man's switch" opens up and allows the key to leak...

