(Writing in my personal capacity)

On Tue, Feb 26, 2019 at 7:31 PM Matthew Hardeman via dev-security-policy <
[email protected]> wrote:
[...]

> All of Google, Amazon, and Microsoft are in the program.  All of these have
> or had significant business with at least the US DOD and have a significant
> core of managing executives as well as operations staff and assets in the
> United States.  As such, it is beyond dispute that each of these is
> subordinate to the laws and demands of the US Government.  Still, none of
> these stand accused of using their publicly trusted root CAs to issue
> certificates to a nefarious end.  It seems that no one can demonstrate that
> DarkMatter has or would either.  If so, no one has provided any evidence of
> that here.
>
>
>
I don't think this is well reasoned. There are several things going on here.
First, the United States government's sovereign jurisdiction has nothing to
do with any of these companies' business relationship with it. All would be
subject to various administrative and judicial procedures in any event.
Probably most relevantly, the All Writs Act (see: Apple vs FBI) -- although
it's not at all clear that it would extend to a court being able to compel
a CA to misissue. (Before someone jumps in to say "National Security
Letter", you should probably know that an NSL is an administrative subpoena
for a few specific pieces of non-content metadata, not a magic catch-all.
https://www.law.cornell.edu/uscode/text/18/2709). Again, none of which is
impacted by these companies being government contractors.

Finally, I think there's a point that is very much being stepped around
here. The United States Government, including its intelligence services,
operates under the rule of law; it is governed by both domestic and
international law, and various oversight functions. It is ultimately
accountable to elected political leadership, who are accountable to a
democracy. The same cannot be said of the UAE, which is an autocratic
monarchy. Its intelligence services are not constrained by the rule of law,
and I think you see this reflected in the targeting of surveillance
described in the Reuters article: journalists, human rights activists,
political rivals.

While it can be very tempting to lump all governments, and particularly all
intelligence services, into one bucket, I think it's important we consider
the variety of different ways such services can function.

Alex