Q: Where are your servers located? If in the USA , the US Gov can force you to give up info like they did for Hushmail correct?
Your program may not send out personal info but does it collect it as in you know who signed up for your Service and the method you use to collect payment stores info...Correct?
A: Your message was forwarded to me by one of our administrators. As one of SecureNym's owners, I wanted to take the time to answer your questions personally.
SecureNym has gateway servers in the US and our database servers are located in Canada. We have a backup location, for emergencies, in Nassau, Bahamas.
A government can certainly try to force us to provide information, as can anyone else via legal proceedings. They do so all the time. Some of the subpoenas are quashed immediately, due to errors or incompetence. Those that survive the initial scrutiny from our attorneys have not been a problem to date.
SecureNym, from day one ten years ago, chose a much different security model than Hush. The whole premise of our security is that we cannot be forced to reveal what we don't know. Ignorance is a simple, and very reliable, defense that has served both our users and us quite well.
We do NOT have any way of knowing who has what account. When a user receives an account creation key, and enters it into our system, the key is securely deleted BEFORE the user is directed to the account creation page. Thus, the connection between an account key and a specific account never exists. This is why we admonish users to be sure to complete the process immediately, because otherwise we have no way of recovering the key.
This means that it might be possible for someone to discover the user's payment to SecureNym, via financial records at a credit card company, but there is no way to prove that the account key was even used, much less what account it might have been used to create. A payment is circumstantial evidence, at very best.
Next, we have no way of recovering a password. SecureNym uses a Catch-22 to make sure that we can't do so, and that no one else could either. All passwords are encrypted and stored in our databases. The decryption key is a cryptographic 'hash' of the account name and the...... password. In short, you must know the password to decrypt the password.
Your messages are all encrypted with that same cryptographic hash, on the fly, as they arrive at our servers. The same rule applies; the messages can be decrypted ONLY with the user's account name and password.
God knows, we've defended our security practices in countless legal proceedings. So many that government agencies rarely bother trying anymore. The fact is that our security protects us just as much as it protects our users. If it were ever to be proven that we could access the information we claim we can't, we'd face some very serious contempt and perjury charges.
As a defense, ignorance must be absolutely demonstrable and provable. Ours is, and has withstood legal scrutiny many times.
Hushmail gave up information that they should have never had, plain and simple. Once you have it, you don't have much choice in the face of a proper subpoena. And once it's been proven that you have information, it's almost impossible to turn off the information tap without being charged with obstruction of justice. The solution is to NEVER have anything.
SecureNym was subpoenaed at exactly the same time as Hush was. We fought the subpoena, and beat it, so it didn't get far, but Hush just submitted. The agencies involved even tried to force us to change our programming, to facilitate their efforts. That's illegal, by any standard, so our attorneys were able to stop this before it got off the ground.
We can only speculate as to why Hush chose not to fight for their users, but they did not.
In the end, it comes down to the business objective. Hush wants to go public one day, and has accepted money from venture capitalists toward that end. This is a slippery slope, and once you step foot on it, things can go downhill rather quickly.
Investors don't like controversy, such as is provided by fighting the DOJ. This is evidenced by the fact that most public companies will furnish anything the government wants, often without even a subpoena. ATT, AOL, and countless others fall into this category of gutless wonders.
SecureNym has had ample opportunity to be either acquired or diluted with money from investors, such as Microsoft. SecureNym is privately owned, and is going to stay that way. There are three principals, two Americans and one Canadian. We have never accepted investments from anyone, nor will we, because the day we do, we start losing control of our company, and our security.
When that happens, you can no longer give your users what they pay you to provide.
I hope this helps answer your questions.
Admin
SecureNym.net