Re: 3 questions (@Anon, 13:22 GMT)
You (and I mean this respectfully) sound a lot like your average ex-government "security consultant", who's approach is compliance-based, rather than risk-based
:). I'm also conversant with applied deception, so maybe not, but I agree my posts may look that way. I have worked a lot on crisis management and prevention so I think I'm still more on the risk side, but knowing applicable laws means you can incorporate government stupidity into your risk models too. I work a lot with lawyers who have to protect sensitive clients - client privilege is a very difficult thing to protect.
I go back to my original point - yes, making the tech secure (defined as "secure enough for the field of application") is indeed doable, and Phil has been at the root of much of it. My angle is that of protection your average VIP or celebrity who (a) jets around the planet, (b) has really zero time or desire to correct any risky behaviour and (c) wants to use their toys as they're used to. In order for any product or tool to be acceptable, I don't just look at the tech, I also look at what abuse of law can be used to get around it, and in contrast to what you seem to have read, there is NO corporate registration in Switzerland unless they use a different name (check for yourself at http://zefix.ch). And then it has to be usable too. PGP and GPG do not rank about the most usable schemes in my book - the best test is to find a bright 12 year old and an intellgent 70 year old and see how they get on unprompted (an approach MANY software companies should take IMHO, but I digress).
Back to law - it's not enough to HOST data somewhere. If your governing company is located in a nation who plays fast and loose with privacy laws you can be compelled to comply, or close shop. The EU has joined the US "let's turn back the clock on human rights" game by implementing anti-terror legislation that overrides due process (and thus Human Rights) - this leaves only a few places left where you should host the company as well as the data. If you're UK based I'm sure I don't have to point out that the UK Regulation of Investigative Powers Act leaves lots of opportunity for abuse - this you have to protect people from too.
However, the opposite is true as well: you also do not want to get in the way of due process itself. Otherwise you will end up with a service that hosts every terrorist, child pornographer and drug lord on the planet - you want to be flexible enough to accommodate due process investigations because with rights come obligations.
Yes, I have been in government as well as military level security, but that was many years ago. I prefer to deal with people, so I do less and less IT and business security - that was getting a tad repetitive. Dealing with the end user of security forces me to come up with new answers, which is *much* more fun..