As you all know, there has been a huge amount of discussion in the news lately vilifying encryption. Especially after the horrible events in France.
In a nutshell, the media are pretty effectively convincing the general public that only criminals and terrorists use encryption. In none of the stories I have seen so far is there any mention whatsoever of the positive points of the legitimate use of ANY type
If you use encryption of any type (e.g. encrypted files, encrypted e-mails, etc.), or (God forbid!
) even Tor, you are most likely a terrorist.
If and when the public is sufficiently swayed to persuade legislators to enact laws forcing backdoors into any and all encryption, or outright outlawing it's use, our personal privacy is gone.
Now, my question here is if and when the developers of VeraCrypt get that dreaded order from law enforcement and demand secret introduction of a backdoor into VeraCcrypt, how will we know it?
Yes, I know all about the "Anyone can inspect the source code!!!". That's great but can I see a show of hands of people who can actually inspect line-by-line and -character-by-character of a huge pile of source code?
Don't brag and say "I can! I can!" because if you will note there has only been 2 official inspections of TrueCrypt source code. Ever.
And those were major undertakings of well funded teams of inspectors and both of them even admitted that they had not exhaustively inspected the whole, complete source code.
So that still leads to the question of whether VeraCrypt has been compromised at some point in time.
Some sites use what is called a 'Warrant Canary'. For those that don't know what that is, it's simply a signed message saying something along the lines of "We haven't been issued a warrant" and it's updated usually weekly. If at some time the message
is OLDER than the specified time, the site can be considered compromised.
Currently, (Nov 2015) the U.S. Justice Department has ruled that this is legal, as long as the message is passive, meaning you cannot say "Hey we've been compromised" but you can leave a message that was posted previously alone and let it expire..
Australia has ruled that this is NOT legal. You may not use either active nor passive communications that you have been served a warrant or in some other way been contacted by the authorities or some entity of the government to either perform an action of their
demanding or cease an activity, such as encryption program development.
What are you suggestions or ideas on this topic?
And please, like I mentioned before, don't just harp on and on that the source code is available for review by anybody at all. We know that. For 99.9% of us, that doesn't mean a thing.
If you have 40 years experience and 13 PhDs in cryptography, then feel free to inspect the source code and let us know if it's clean.
Please don't think that I'm accusing anyone of anything. It's just simply playing the devil's advocate and asking 'What if?"
Thank you in advance for your input.
EDIT: One silly idea that crossed my mind was to post all over Twitter and elsewhere that "VeraCrypt has a backdoor!!!" and see if it was immediately removed or I was contacted and ordered not to post that again. However, I will not do that for the
simple reason that I love VeraCrypt and use it daily and am eternally grateful for the skillful and talented developers who continue to make it better and better and I don't want some un-informed person to see what I had posted and think that VeraCrypt had
indeed been compromised.
Again, thanks for your input.