EFF Warns That Email Privacy Is In Jeopardy

MojoKid writes with this excerpt from HotHardware: "According to the Electronic Frontier Foundation (EFF), a dangerous legal precedent has just been set that can potentially unravel existing federal privacy protections for e-mail and Internet usage. The alert from the EFF is not just to sound a general warning, but it also takes the form of an Amicus curiae (friend of the court) brief, filed with the federal 9th US Circuit Court of Appeals, asking for the court's legal finding to be overturned... The findings of this case could become the foundation of a legal precedent upon which other similar cases can subsequently be based. If that were to be the case, then the unauthorized retrieving of e-mails from an e-mail server would not be considered a violation of the federal Wiretap Act, which will then open the door for government-sponsored snooping."

Even worse

[Anonymous Coward]

IANAL, but as I understand it, this does not just apply to the government. Anyone can snoop without legal liability.

Re:An analogy

[rustalot42684]

The problem, for me, at any rate, is twofold:

1. People with whom I communicate mostly use web-based clients like the GMail client, the Hotmail client, or some university's email site, all of which don't support encryption in an easy-to-use way. Also, at the moment (for several reasons) I happen to be using one of those clients.
2. Most of the same people don't see why encrypting their emails is neccessary in light of the previous point. Given that it takes a great deal of work do do it, why bother?

Whether I'd like to use encryption or not is irrelevant if those with whom I am communicating do not.

<sarcasm>

Why? Because some governments don't care about the law.

Well, I'm sure you could write them a nice letter asking them if they are illegally syping on you to find out. I see no reason why you wouldn't get an honest answer....

</sarcasm>

Re:Privacy?

[enrevanche]

By not expecting email to be private means that your email provider is allowed to do anything it wants with the information. It means that the government or anyone who wishes to pay for it should be allowed to have it.

Being "not technically secure" is not the same thing as "not private".

Re:Privacy?

[BorgDrone]

By not expecting email to be private means that your email provider is allowed to do anything it wants with the information.

I'm a bit divided about this subject. On the one hand I think that you should be able to expect some privacy in your email conversations. On the other hand I think you're kind of naive to let the privacy of a mail conversation depend solely on the willingness of others to not look at it.

The government, not just the US but any government, cannot be trusted, simply because they're just a bunch of people. The only way to have a reasonable expectancy of privacy is to enforce it yourself by using insane amounts of encryption. e.g. encrypt a message in AES, 3DES, 32768 bit RSA, and ROT13 for good measure, then stenographically encode the message in a photograph. etc. etc.

Laws guaranteeing privacy in email are great, but they don't actually give you 100% certainty that your email will be private.

HIPAA says no privacy

[m0s3m8n]

Working in the health care field as an IT admin exposes me to lots of HIPAA crap. One thing you learn on day one is that EMAIL IS NOT SECURE. And if it is not secure then considered public. I have no expectation that email is private UNLESS IT IS SECURE. This is why emailing of patient data is forbidden. It would sure make life easier if it were.

What are the options?

[HangingChad]

You can use BetterMail for a secure connection to Gmail, but Google still has all your messages and they're unencrypted when they go out from there. In this case store and forward is not your friend.

You could use a simple encryption tool like this one [fourmilab.ch]. It's a little less difficult than a system that requires a key exchange but it's also less secure. And there's still a decryption process. Copy, paste, type pass phrase, read.

If there's something that's easy to implement and lets you exchange encrypted messages with other email clients that don't support your encryption scheme, then I don't know about it. Far as I know you have to make a decision to encrypt or not every time you send a message. When you're sending to a compatible client you can at least encrypt the body of the message, but as far as I'm aware, that's the state of the art.

Re:Yet another reason...

[cayenne8]

"And how does maintaining your own email server help? Those outgoing mails are going to somewhere right? And the incoming ones arrived from somewhere? Then they're likely being transmitted in the plain somewhere along the line. "

Well, you can also set your email coming to you and going out, to hop through several remailer servers, and a nym server [iusmentis.com] .

Sure you still have a hole on the receiver end if they don't encrypt, but, it sure can make it hard for the govt. to see where you're sending to...or receiving from. If you really want to make it hard...have the nym server send your messages, encrypted to a USENET group...you can retrieve it from there and no one will be able to really trace what you're doing.

What goes around ...

[Anonymous Coward]

Time to revive the good 'ole FIDO mail system and BBS technology. This is not such a bad thing though as it is NOT the internet - it's the phone lines. Hmm .... Oh well, so much for freedom. It was nice while it existed.

Still, one can PGP that style of mail easily and it is by today's standards pretty secure in it's travels to and from. The phone company is involved though so look out. Short of floating our own satellites and running the entire thing end to end, there is NO WAY ANYTHING WE DO from this point on is beyond scrutiny or observation, "we" being those that still believe in the Constitution, Bill Of Rights, etc. and they that watch and record are those we think we'd like to avoid.

I work a FL county GIS and in 1998, our aerial maps were good enough that we zoomed down to look in the back of a co-worker's pickup truck and could easily read "Budweiser" on the case of beer in the truck bed. We were told that the military had these same maps but in 4 or 5 stages better resolution! THAT was 10 years ago - now it's LIVE.

I ran a multi-line BBS for 15 years and hubbed mail for FIDO most of that time. The mail "bags" came in, got sorted and went back out. It was true store and forward technology and with today's packer and encryption options, I believe that FIDO could once again offer relatively secure email. It would take a network though and with each added "node" would come potential trouble. Who's to say that hub in New Hampshire is not the FBI? With the right email client software, the playing field could be vastly leveled - are you listening Santos's?? End to end PGP enabled mail times the quantity factor would be REALLYPGP and the hardware that would have to be dedicated to breaking all that mail would be ridiculous. All this could run on old time BBS systems. Imagine this - NO SPAM (yet).

Rx --> Doctor Smith

Re:HIPAA says no privacy

[m0s3m8n]

Yes, I agree with you, but letters have a chain of custody (sort of). You can't sniff a letter in the mail carrier's bag. You can steal it and later return it after you have steamed it open, but you don't have to even "steam open" email.

Works both ways

[PPH]

If selling e-mail off of servers is not wiretapping, then its not wiretapping if the e-mail being sold belongs to the government, GOP, or whomever. Even if that e-mail is encrypted, the traffic analysis data is quite valuable. Law enforcement is way behind the game in link analysis. That is: who phones, or e-mails who, when and how often. That data has been gold to marketing departments for years. Undoubtedly, it will be valuable to political competitors, foreign intelligence agencies and others.

It sounds like the door is wide open for a whole new business plan. The "3) ????" just before "4) Profit!" has now been solved.