Facebook CSO Alex Stamos also previously told us the company would refuse to comply if the UK government handed it a so - called Technical Capability Notice (TCN) asking for decrypted data — on the grounds that its use of e2e encryption means it does not
hold encryption keys and thus can not provide decrypted data — though the wider question is really how the UK government might then respond to such a corporate refusal to comply with UK law.
Who
holds the encryption key?
Not exact matches
That's why it is imperative to enforce strict standards for not only the security posture of the application
holding the
key, but the
encryption protecting the
key itself.
In public
key encryption, you
hold onto the private
key and the public
key is used to encrypt your information.
There was a time when law enforcement in the US and UK offered to
hold onto those
encryption keys.
In re Boucher (2009): The United States District Court for the District of Vermont
held that if the contents of the encrypted files are generally known to the government, then revealing the
encryption key is not self - incrimination, and Fifth Amendment protections do not apply.
The new security architecture includes up to three separate
encryption keys for each data file and allows firms and corporations that use NetDocuments to
hold -LSB-...]
In a recent survey of 500 information technology and data security workers, 40 percent said they could easily use their knowledge of
encryption keys, shared passwords, weak controls and loopholes in data security programs to make off with information, or
hold their organization's data hostage.
United States v. Doe (2012): The 11th Circuit Court of Appeals
held that revealing the
encryption key for encrypted data (or equivalently, revealing the decrypted data) constitutes self - incrimination, so the government can not force you to reveal it.
Microsoft's
encryption works a bit differently — Microsoft
holds the
keys and could hand them over to the FBI.
Encryption keys are
held by subscribers themselves, not by Silent Circle, so while your encrypted messages may pass through Silent Circle's network, the company can't read your data.
Due to this very reason, the hacker / attacker could then get
hold of the
encryption keys, and expose the devices to a full decryption, thus making it open to manipulations.