Would this be a Lavabit-like situation? The governement asking for a backdoor and the developers are refusing it.
Suddenly (while there is an audit), they quit everything, change the assemblies and the website, so users can get to another product... It seems weird that after 10 years of hard-work, they suddenly quit without further explanation.
Lavabit had access to all their customers' data, and told investigators that they had it. It's completely straightforward law that, given a subpoena, Lavabit must turn over evidence to the government.
TrueCrypt is a product. They do not have access to customer data. There is no requirement for TrueCrypt to "help out the government" in this case.
If you want to hang a conspiracy theory on this news[1], find some hook besides Lavabit.
[1] And I can't fault the conspiracy theorists for trying to find some explanation over this, because the damn thing is so weird and unusual.
You're correct to point out the useful distinction that TrueCrypt is a product.
But what makes you think U.S. law treats them any differently, assuming TrueCrypt's creators and maintainers can be identified?
Here's my article from 8 years ago talking about how the FBI was demanding that makers of certain products include backdoors for FedGov surveillance:
http://news.cnet.com/FBI-plans-new-Net-tapping-push/2100-102...
The FBI has drafted sweeping legislation that would...force makers of networking gear to build in backdoors for eavesdropping... FBI Agent Barry Smith distributed the proposal at a private meeting last Friday with industry representatives and indicated it would be introduced by Sen. Mike DeWine, an Ohio Republican, according to two sources familiar with the meeting...
Your use of "demand" is misleading. Your own words at the time say "drafted sweeping legislation." Did that legislation pass?
Anyone can "draft legislation." I can draft legislation right now. That doesn't make it U.S. law. Getting it passed is the hard part.
Phone companies are required to enable wiretaps. But that happened through the public legislative process, and the legislation even lets the phone company bill the government for costs to comply. (Your linked article explicitly points out CALEA.)
We are talking about a government that has, in the recent past, sent nastygrams to people telling them that not only did they have to comply with the orders in the letter, but that it would be a crime to consult a lawyer about the letter.
So you, a non-lawyer developer, get one of these letters. You are pretty damn sure it is a bluff (didn't that clause in NSLs get shot down? Pretty sure I heard something about that... Something about Nicholas Merrill?). What if you are wrong though? What if this is a different kind of letter that you and the rest of the general public are currently unfamiliar with? What if the government has found a new way to create such a clause? Is "pretty damn sure" a high enough standard of sureness for you to call their bluff and talk to a lawyer anyway? How much do you value your freedom, and how much do you value your work?
Not being willing to call their bluff and contact a lawyer means that you are not able to question or interpret anything else in that letter as well. The best you can do is ask the government to interpret the letter for you, and tell you exactly what you need to do in order to comply.
The next best option is likely to burn what they want to the ground.
This is pretty much why I said "If you want to hang a conspiracy theory on this news[1], find some hook besides Lavabit."
Linking an abuse like you describe to Lavabit only harms developers, who if they were to receive such an illegal demand might remember "wait, Lavabit was required to install back doors, right? I guess I have to, as well!"
I'm not even talking about Lavabit. They have done this to others (it was unconstitutional at the time, but was not yet declared as such). They could do it again. Only the most selfless person would be able to bring it to the publics attention.
Until the current regime is dismantled, we cannot rule out the possibility that these abuses are ongoing. To label it as a conspiracy theory is just shameless apologetics.
What's "this"? Is it "the USG compels vendors to install back doors into their software products they ship to others, under threat of jail time and/or fine and/or vacation at Gitmo"? To whom was this done?
NSLs are nasty in many ways. That doesn't mean they are nasty in any way you can imagine.
I'll repeat my question, which you ignored in favor of quibbling with a tangential point: What makes you think U.S. law treats makers of products any differently, assuming TrueCrypt's creators and maintainers can be identified?
If you want examples of FBI surveillance untethered to the law, we can provide those. Look at the video of the public forum I hosted with Ladar (of Lavabit) in SF last fall. Look at warrantless cell tracking, which I was the first to disclose circa 2006, and which is now the subject of significant litigation. Look at the warrantless use -- not just by the bureau but other police agencies as well -- of physical GPS tracking devices. How about surreptitious black bag jobs to install key loggers to extract PGP passphrases before this was authorized by the 2001 Patriot Act?
Here's another from last summer, which I was the first to disclose:
Huh! Where does the FBI get the legal authority to do that? Shouldn't, you know, Congress set the rules here after openly debating them in a public hearing?
Again, all these points are tangential to the question of FedGov product backdoors. (Note I'm expressing no opinion here about what's going on with TrueCrypt.) This survey I did in 2007 is probably worth repeating:
http://news.cnet.com/Will+security+firms+detect+police+spywa...
I'm no longer doing this kind of reporting (and left to found the SF-area startup http://recent.io instead) but I hope someone tries to replicate it today with a broader set of companies.
I'll repeat my question, which you ignored in favor of quibbling with a tangential point: What makes you think U.S. law treats makers of products any differently, assuming TrueCrypt's creators and maintainers can be identified?
Something must be wrong because this is 100% the question I believe I responded to. I will attempt so again now:
* Statute gives the government the right to compel certain service providers to actively assist in wiretapping. Example law: CALEA
* There is no U.S. law that gives the government the right to compel arbitrary third-parties to modify their products to make wiretapping easier.
You give a long list of bad things the USG has done, but none of them involve vendors being compelled to modify products.
(In another domain, banks have to report transactions over 10K, but that's completely the result of statute, the Bank Secrecy Act.)
> There is no U.S. law that gives the government the right to compel arbitrary third-parties to modify their products to make wiretapping easier
This is an interesting claim. It would be more interesting if the U.S. government publicly said its interpretation of the law is the same as yours. It has not. :)
> * There is no requirement for TrueCrypt to "help out the government" in this case.*
That's what the publicly available laws say, but America has secret interpretations of laws now. We know, for example, that every Internet service is, in theory, free to provide tools that would put user data out of reach of anyone with, or without a warrant. And yet, nobody has.
Nobody except Silent Circle, who have decided to domicile their company in Switzerland, is a new entrant based on the premise of providing truly secure communication. So, what to make of all the CEO-level complaining but no end-to-end encryption tools and no web-of-trust?
If a major Internet portal provided end-to-end secure mail, real-time communications, and secure storage we would know that, yes, there is no legal or extralegal obligation to keep us all naked in the panopticon. But so far all the indicators are in the wrong direction.
This is something to be precise about. You won't find language in the USA PATRIOT Act that tells businesses they may not provide privacy and security tools for their customers. Similarly, CALEA requires access to carriers' networks and equipment providers must support "lawful intercept" of a certain percentage of traffic, but there is nothing that would prevent networks from providing easy tools for end to end encryption and web-of-trust.
The fact that nobody is doing that is a kind of probe. Do we really live in a free country, or is pervasive monitoring a condition being imposed on us, with no choice of services that would prevent it?
Reminiscent of Jeremiah Denton, the American prisoner of war in Vietnam, who was forced to appear before the cameras to say how well he was being treated - but used the opportunity to blink out "TORTURE" in morse code, to place those words in context.
If so, I would at least like to think they would have likely pointed people towards something which gives at least comparable security, rather than a backdoored product.
Suppose someone has a girlfriend who is a vegetarian chef. She was kidnapped. The kidnappers forced her to make a phone call saying that everything is fine. She says "don't forget to buy some spam". At least she could have recommended something healthy?
Suddenly (while there is an audit), they quit everything, change the assemblies and the website, so users can get to another product... It seems weird that after 10 years of hard-work, they suddenly quit without further explanation.