cryptee / web-client

Cryptee's web client source code for all platforms.
https://crypt.ee

[Feature Request] Sharing #122

Closed frejaya closed 3 years ago

frejaya commented 3 years ago

Is your feature request related to a problem? Please describe.

I really want to be able to share my photo library with family. Right now the only way I could really do that is to have a shared login, which isn't ideal.

Describe the solution you'd like

I would like for us to be able to both have our own Crypt.ee accounts but we have a shared drive/photo library that we can both contribute to and view, even if that drive is technically mine but I have shared it with them.

johnozbay commented 3 years ago

Hi there! 👋🏻 Deeply appreciate the time you're taking for filing these!

In short, after discussing this with our attorneys, we realized that there are a ton of legal things we need to figure out before we can enable sharing features.

Sharing comes with a lot of legal challenges due to a few legal edge cases it creates. Generally speaking, file sharing attracts a certain type of internet crowd (especially when things are encrypted, doubly so). And the legal challenges that come with sharing are quite creepy, be it illegal imagery content, or just plain silly pirated music albums, movies, photos etc. And media companies + governments love putting up fights to shut down sharing services because of a few users who decided to upload their pirated music catalog.

Basically, before we can enable sharing, we need to first prepare a legal process in which we can handle heavier / stronger legal cases from governments, defend our users against non-criminal court cases, and, equally importantly, defend ourselves in all sorts of odd situations that will arise from being the platform provider for sharing illegal materials (similar to, but worse than, Pirate Bay in a way, since in this instance Cryptee will be hosting the files, unlike Pirate Bay).

We have the code for sharing already written and ready otherwise. But we're being extra careful before enabling these features. Merely a legal hiccup, so that Cryptee can be better legally protected when/if the time comes.


And if you're rightfully thinking, "but hold up, all data is encrypted, how could this possibly cause any legal issues if you don't know anything and can't see anything" ... those were my exact thoughts too ... then I talked to our legal folks, and they gave me a few very good examples.

With Cryptee, everything is encrypted on your device, we don't know anything, and this line of defense works great for data requests, where a government can come asking for data. We can't give or provide anything even if we want to help, since we don't know anything. It's all encrypted on your devices.

The paradoxically tough part happens when it's a take-down request: governments are informed in some way that some user is keeping illegal material on our platform, and ask us to take it down.

Here's the best example:

Say a government catches two criminals who, in the respective country's courts, admit to hosting/sharing illegal things on Cryptee (be it illegal imagery or other data) but don't give their keys to the government. The government's next step would be to ask Cryptee to take the content down, so that others who have access to the shared illegal material can't access it anymore.

Now here's the weird part. The government claims there's illegal material based on the admission of the criminals, but we can't independently verify it. Because:

a) all files are encrypted

b) –most importantly– you don't even need an email to sign up. Just a username. So we have no way of knowing or verifying that account actually does belong to that criminal individual.

The issue then becomes, if/when the time comes, should we take a government's word, when they claim any account has illegal content, and obey all gov't takedown orders? Especially in a world where legality changes from country to country? Like:

– In Iran, it's illegal to have mullet or ponytail haircuts... because it's a western haircut. [The Guardian] So what happens if you have a mullet haircut photo on Cryptee? Is that illegal? Who knows ... 🤦🏻‍♂️

– In the UK, it is "illegal to handle a salmon in suspicious circumstances" 😂🤦🏻‍♂️

By virtue of the Salmon Act 1986, s32, it is illegal for a person to receive a fish (including a salmon), to undertake or assist in its retention, removal or disposal, or to arrange to do so, if he believes, or it would be reasonable for him to suspect, that an offence is being committed by taking, killing, landing, or selling that fish, either in England and Wales or in Scotland.

Given how ridiculous laws are around the world, governments can easily utilize this loophole as a shortcut to silence journalists / lawyers / activists who may be using Cryptee for morally good and necessary reasons. I.e. what happens if a country declares documenting police brutality illegal, and someone's storing photos of police brutality on Cryptee?

Currently, the best way to deal with this issue is:

They'd need to come with a criminal court order, file it in Estonian court, and we can then comply with the takedown order. And even then, we'd have to trust that Estonian gov't would take the morally right decision on this. Which we think is a quite progressive government when it comes to privacy, encryption and tech in general.

– So much so that pretty much the entire population of Estonia is educated and knows about PKIs and encryption due to the fact that all ID cards carry a 2048-bit public key encryption.

– Overall the country & population is a big fan of privacy & encryption since the 2007 cyber attacks by Russia on the country.

– And there's even a research paper published about all this.

So we think that by the time we get to that point, legal systems of two different countries from two different political regions would get involved, and hopefully this alone would filter through the bulk of the requests like these.


But in short, with sharing, in the context of take-down requests, it's bad if Cryptee complies, equally bad if it doesn't.

It's bad if we comply and it turns out it's a mullet-photo, or someone documenting police brutality. Much worse if we don't take something down, and it's actually terrorist content.

So in many ways, having no-knowledge encrypted file storage with sharing opens a lot of loopholes, and creates a lose-lose situation for platform providers like Cryptee. And this is only one example. There are at least 100 other scenarios like this one that complicate things immensely from a legal perspective, and take a great deal of time to make sure everything's thought through and accounted for, so that our company can survive through potential legal battles like media companies or governments attempting to take down content.

Personally, it blows my mind to see so many privacy startups launching nowadays, most likely without doing all this due diligence and legal research, and it takes lots of money, time and patience. I hope for their own sake and users' sake they're researching these and they won't have to sunset their products in a year due to being unprepared for legal challenges like the one I mentioned above.


Anyhow, hoping this makes sense! ✌🏻 Apologies for the current shortcomings of the platform. Hopefully these will be better very soon. – But I don't know how soon.

Since I can't comment on when we'll be ready to launch these features, or make any promises yet, I'll close this thread for now.

All the very best,

J

frejaya commented 3 years ago

Super thorough and understandable, thank you!

pabloscloud commented 1 year ago

This is more complex than I thought lol

johnozbay commented 1 year ago

@pabloscloud Hahahah my thoughts exactly. After countless hours of —still ongoing— meetings with our legal team, the complexity of this specific issue still continues to blow my mind. The code has been ready for years and we're literally sitting on it waiting until we can have a good legal/technical solution or compromise so we can ship this. Apologies for the time this is taking us. We hope to have a solution to this very soon ✌🏻