Quote: Originally posted by beanlicker
Great info from another board. This is a great reply to a subscriber's questions and is similar to others I have seen from admin at SecureNym...

-------------------------------------------------------------------------------------------------------------

> Where are your servers located? If in the USA, the US Gov can
> force you to give up info like they did for Hushmail correct?
>
> Your program may not send out personal info but does it collect it
> as in you know who signed up for your Service and the method you use
> to collect payment stores info... Correct?

Your message was forwarded to me by one of our administrators. As one
of SecureNym's owners, I wanted to take the time to answer your
questions personally.

SecureNym has gateway servers in the US and our database servers are
located in Canada. We have a backup location, for emergencies, in
Nassau, Bahamas.

A government can certainly try to force us to provide information, as
can anyone else via legal proceedings. They do so all the time. Some
of the subpoenas are quashed immediately, due to errors or
incompetence. Those that survive the initial scrutiny from our
attorneys have not been a problem to date.

SecureNym, from day one ten years ago, chose a much different
security model than Hush. The whole premise of our security is that
we cannot be forced to reveal what we don't know. Ignorance is a
simple, and very reliable, defense that has served both our users and
us quite well.

We do NOT have any way of knowing who has what account. When a user
receives an account creation key, and enters it into our system, the
key is securely deleted BEFORE the user is directed to the account
creation page. Thus, the connection between an account key and a
specific account never exists. This is why we admonish users to be
sure to complete the process immediately, because otherwise we have
no way of recovering the key.

This means that it might be possible for someone to discover the
user's payment to SecureNym, via financial records at a credit card
company, but there is no way to prove that the account key was even
used, much less what account it might have been used to create. A
payment is circumstantial evidence, at very best.

Next, we have no way of recovering a password. SecureNym uses a
Catch-22 to make sure that we can't do so, and that no one else could
either. All passwords are encrypted and stored in our databases. The
decryption key is a cryptographic 'hash' of the account name and
the...... password. In short, you must know the password to decrypt
the password.

Your messages are all encrypted with that same cryptographic hash, on
the fly, as they arrive at our servers. The same rule applies; the
messages can be decrypted ONLY with the user's account name and password.

God knows, we've defended our security practices in countless legal
proceedings. So many that government agencies rarely bother trying
anymore. The fact is that our security protects us just as much as it
protects our users. If it were ever to be proven that we could access
the information we claim we can't, we'd face some very serious
contempt and perjury charges.

As a defense, ignorance must be absolutely demonstrable and provable.
Ours is, and has withstood legal scrutiny many times.

Hushmail gave up information that they should have never had, plain
and simple. Once you have it, you don't have much choice in the face
of a proper subpoena. And once it's been proven that you have
information, it's almost impossible to turn off the information tap
without being charged with obstruction of justice. The solution is to
NEVER have anything.

SecureNym was subpoenaed at exactly the same time as Hush was. We
fought the subpoena, and beat it, so it didn't get far, but Hush just
submitted. The agencies involved even tried to force us to change our
programming, to facilitate their efforts. That's illegal, by any
standard, so our attorneys were able to stop this before it got off
the ground.

We can only speculate as to why Hush chose not to fight for their
users, but they did not.

In the end, it comes down to the business objective. Hush wants to go
public one day, and has accepted money from venture capitalists
toward that end. This is a slippery slope, and once you step foot on
it, things can go downhill rather quickly.

Investors don't like controversy, such as is provided by fighting the
DOJ. This is evidenced by the fact that most public companies will
furnish anything the government wants, often without even a subpoena.
ATT, AOL, and countless others fall into this category of gutless wonders.

SecureNym has had ample opportunity to be either acquired or diluted
with money from investors, such as Microsoft. SecureNym is privately
owned, and is going to stay that way. There are three principals, two
Americans and one Canadian. We have never accepted investments from
anyone, nor will we, because the day we do, we start losing control
of our company, and our security.

When that happens, you can no longer give your users what they pay
you to provide.

I hope this helps answer your questions.

Admin
SecureNym.net
Thanks for the info. It makes sense why all the long-time sponsors use it.
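
The password scheme described in the quoted SecureNym reply (a stored password that can only be decrypted with a key hashed from the account name and the password itself), sketched as an added example; it is not SecureNym's code and not part of either post. PBKDF2-HMAC-SHA256 as the "hash", the HMAC-based stream cipher standing in for a real AEAD such as AES-GCM, and all function names are assumptions.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed work factor; the page names no algorithm

def derive_key(account: str, password: str) -> bytes:
    """Key = slow hash of account name + password (PBKDF2 is an assumption)."""
    salt = b"acct:" + account.encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)

def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher built from HMAC-SHA256 in counter mode.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(key[:32], nonce, plaintext)
    return nonce + ct + hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(key[:32], nonce, ct)

def create_account(store: dict, account: str, password: str) -> None:
    # The only stored secret is the password sealed under its own derived key.
    store[account] = seal(derive_key(account, password), password.encode())

def login(store: dict, account: str, password: str):
    """Return the session key if the password opens its own record, else None."""
    if account not in store:
        return None
    key = derive_key(account, password)
    return key if unseal(key, store[account]) == password.encode() else None

if __name__ == "__main__":
    db = {}  # constructed sample data
    create_account(db, "alice", "correct horse battery")
    key = login(db, "alice", "correct horse battery")
    msg = seal(key, b"meet at noon")
    print(login(db, "alice", "guess"), unseal(key, msg))
```

A copy of the database alone yields no key, but each record can still be guessed against offline, so the protection is only as strong as the password and the work factor.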