Even if you run your own proxy and caching, you can’t trust your cloud provider not to DMA your keys unless you’re using trusted computing[0] (which ironically requires remote attestation if a company wants to verify it’s active on their CPU), and then chances are a dedicated three-letter-agency has exploits at the ready if they really need to extract information.
If a company isn’t running their own bare metal, nothing is safe.
0: https://aws.amazon.com/blogs/security/confidential-computing...
> On-premise, open-source, customer-owned remote attestation servers are possible. Avoid outsourcing integrity verification to 3rd-party clouds.
With owner-operated OSS MDM & attestation servers, PCs can have diverse, owner-customized OS and configs, reducing monoculture binary blobs.
That's called overreach. Absolutely massive overreach. To go one step further, do you also want to prove that my house has no windows, so "attackers" can't see what you show me?
Trust is trust, not proof. Asking someone to prove to you something is to say that you are not trusting them! It's like asking your spouse to prove that he/she is not cheating on you --- and we don't find that acceptable in the physical world either. The whole idea of trusting someone is that you do not have to constantly monitor and enforce what they're doing. I elaborated more about this "destruction of trust" here: https://news.ycombinator.com/item?id=32283134
You may say that you want to be able to steal this token for yourself
The fact that you're calling it "stealing" is also insane. As soon as that token leaves your system, it is no longer yours.
And in fact, if your provider is doing ePrescribing, odds are they are contributing to supporting a Monopoly by SureScriots who has cornered the market emwith anti-competitive business practices!
DEA still issues serialized paper prescription pads.
https://www.ftc.gov/news-events/news/press-releases/2019/04/...
Everytime an ePrescription goes over the wire, this one weird company based out of Virginia is likely shotgunning your personal info as collected by PBM's/health insurers between all parties involved, (with the obligatory copy for themselves, probably "anonymized and repackaged for monetizable exposure to research groups), and in the contractual terms requiring that people in the network not make arrangements with anyone else for the service.
As a common victim of the perniciousness of this arrangement. I'm more than familiar with how this nonsense goes.
Also, since a lot of different movie streaming services (e.g. Hulu, Disney+) have launched, a lot of content has moved off of Netflix, leading to a higher piracy rate.
If you are in the US, take a look at the recently approved UCC changes for CERs (controllable electronic records, e.g. blockchains and CBDCs), which will now proceed to US state legislatures, https://www.clearygottlieb.com//news-and-insights/publicatio...
The US gov can walk into any company and demand everything and anything they want while making it illegal for anyone at that company to say a damn thing to anyone about it. This includes taking over parts of that company's facilities and taking a copy of every last bit of data that goes in and out (see room 641A - they've been doing it for ages).
"secure" enclaves can't save us here because the companies who develop them are subject to the same government who can insist on adding backdoors in their products. Even without explicit support of the companies involved we've already seen side-channel attacks that allow access to the data in enclaves.
As for end to end encrypted messengers, it's reasonable to suspect that once they gain enough popularity they will be compromised in some form or another. Signal, for example, had gotten a lot of attention followed by another huge jump in popularity after WhatsApp changed their privacy policy.
Signal also suddenly started collecting and storing sensitive user data in the cloud, they ignored protests from their users about it, were extremely shady in their communications surrounding that move, and have never updated their privacy policy to reflect their new data collection practices. Does that mean that Signal has been compromised? In my opinion, probably (refusing to update their privacy policy is a huge dead canary), but even if it hasn't it absolutely means the government can march in and take whatever they want including data they'd have to use a backdoor or an exploit to access.
Lawmakers have been trying to ban or control end to end encryption for years. (See https://www.forbes.com/sites/zakdoffman/2020/06/24/new-warni... or https://www.eff.org/deeplinks/2020/07/new-earn-it-bill-still... or https://www.cnbc.com/2020/10/12/five-eyes-warn-tech-firms-th...) and while they've so far been kept at bay eventually they'll succeed in sneaking it past us in one form or another.
For now, it's perhaps better in their view to let us think our communications are more secure than they are. (See https://www.zdnet.com/article/australias-encryption-laws-use... and https://gizmodo.com/the-fbis-fake-encrypted-honeypot-phones-...)