
> European email providers are not cooperating

The NSA doesn't need cooperation. It can pwn sysadmins, plant covert operatives, and backdoor equipment in transit (including foreign-made equipment, so long as US intelligence can influence the shipping carrier, for example by recruiting employees or hacking ancient legacy software). If it can't, then it can pwn the other side of the conversation, or watch the SMTP in cleartext through a submarine-tapped undersea cable.

Disband the NSA and some other agency, some other country, will do the same thing.

You're bikeshedding. End-to-end encryption with HSMs and trusted execution environments everywhere, always. Verifiable, deterministic builds. A genuinely trustworthy, decentralized PKI. Better software engineering security practices, a professional barrier to entry, and an ethical system (à la the Bar or medical boards) with teeth that will reliably eviscerate people and companies who write and run irresponsibly sloppy code.

The cat's not going back in the bag because you avoid the US. Fighting over which service providers you send cleartext through, whose hard drives your unencrypted data sits on, who has the power to MITM you, is a waste of time and a distraction from the real challenge of developing and adopting security systems and practices that make doing what the NSA is doing actually difficult.



> The NSA doesn't need cooperation

But of course it does. Security is not a black and white issue, but rather a matter of cost. And the fact is US companies are much easier and more cost effective to crack because they can be (legally) coerced and nobody has unlimited resources, not even the NSA.

> Disband the NSA and some other agency, some other country, will do the same thing

This is one of those logical fallacies that keeps popping up. So we should bend over and take it like a man, because if it's not the NSA, then it will be somebody else. Even if you're right, bad actors in society should get punished, otherwise they'll never learn. And indeed, it doesn't seem fair to punish US companies, many of whom really want to be good and faithful for their customers, but I've seen many signals that the American public approves and finances this behavior, which includes the above comment and the US government never apologized (to us, foreigners), therefore avoiding US services and products can become a matter of necessity.

> The cat's not going back in the bag because you avoid the US.

Yeah, but you see, I'm not a US citizen so I don't even get to vote on your laws and your government has made it clear that when it comes to foreigners then everything is allowed. And we do have intelligence agencies and they are cooperating even with the NSA and so on and so forth, but here there is no behemoth like the NSA is. And as an EU citizen at least I would have ways to fight it.

> developing and adopting security systems and practices that make doing what the NSA is doing actually difficult

Only a software developer would end up thinking that all political and social issues can be solved with technology. The world doesn't work that way. You want cryptography? It will eventually get outlawed and there is already precedent in the US.

https://xkcd.com/538/



