The other day I wrote that CryptoSeal, a company offering virtual private network (VPN) services, joined the ranks of companies shutting down privacy-enhancing offerings for fear they'd be forced to surrender user data or even compromise their technology by order of the U.S. surveillance state. Ryan Lackey who, along with Tom Sparks, is one of the men behind CryptoSeal, tells me that there may still be hope for the company's consumer service.
In an email, Lackey wrote that the company is working on a way to be compliant with the law while still protecting user data to the extent possible—that is, to mimize whatever is surrendered under legal pressure.
The goal for the system to launch in 2014 is that the Government will be able to demand records on any user (under pen register), and will receive the bare minimum (ideally, a username only, in response to a username….so basically nothing), but realistically name and billing info, possibly anonymous or incorrect). They can demand more under a warrant, and will receive similarly helpful levels of information (since we don't retain anything).
Any changes made to the system will cause end-user-visible changes. We're still working on whether it's "all or nothing" or "per user" — i.e. if changes made to a single user's account will be visible to all users or just that one user. This protects against both a pen trap order and a warrant (and NSL, and whatever else)
This stuff is all incidental to protecting users from insider threats (e.g. if one of our staff is forced by a criminal gang at gunpoint to subvert the system), but it happens to protect against governments as well, which might be a statement about government's true nature… Also protects against the company being sold, outside hackers, etc. Hoping to do more than just a VPN with the technology.
The idea, then is to minimize the data the company possesses, so that full compliance with legal orders is minimally revealing. If this can be made to fly under the current legal regime, it should offer about the most confidence you can expect from a firm working subject to U.S., or any similarly intrusive, jurisdiction.
Lackey hopes, though, for legislative or judicial solutions to tighten up restraints on the government. He describes himself as "a bit more minarchist vs. anarcho-capitalist than I was in the past," so he's open to something in the form of a strong interpretation of the Fourth Amendment—much stronger than what we have now.
Meanwhile, as I've pointed out, snooping by the NSA and other U.S. government agencies creates an opening for overseas competitors. After my last piece, a representative of CryptoExpress, a British company, wrote me to say his firm "offers similar services" (though only at the corporate level) to those once offered by the American firms that have been shutting down, and that it "is not subject to the USA legal system." The company has a nonfunctional Website and a sparse online presence, so buyer beware. Not to mention that U.K. legal protections aren't necessarily any better than those in the states.