EFF Warns That Email Privacy Is In Jeopardy
MojoKid writes with this excerpt from HotHardware:
"According to the Electronic Frontier Foundation (EFF), a dangerous legal precedent has just been set that can potentially unravel existing federal privacy protections for e-mail and Internet usage. The alert from the EFF is not just to sound a general warning, but it also takes the form of an Amicus curiae (friend of the court) brief, filed with the federal 9th US Circuit Court of Appeals, asking for the court's legal finding to be overturned... The findings of this case could become the foundation of a legal precedent upon which other similar cases can subsequently be based. If that were to be the case, then the unauthorized retrieving of e-mails from an e-mail server would not be considered a violation of the federal Wiretap Act, which will then open the door for government-sponsored snooping."
Privacy? (Score:5, Informative)
Re:Privacy? (Score:5, Insightful)
Re:Privacy? (Score:5, Interesting)
Being "not technically secure" is not the same thing as "not private".
Re:Privacy? (Score:5, Interesting)
I'm a bit divided about this subject. On the one hand I think that you should be able to expect some privacy in your email conversations. On the other hand I think you're kind of naive to let the privacy of a mail conversation depend solely on the willingness of others to not look at it.
The government, not just the US but any government, cannot be trusted, simply because they're just a bunch of people. The only way to have a reasonable expectancy of privacy is to enforce it yourself by using insane amounts of encryption. e.g. encrypt a message in AES, 3DES, 32768 bit RSA, and ROT13 for good measure, then steganographically encode the message in a photograph. etc. etc.
Laws guaranteeing privacy in email are great, but they don't actually give you 100% certainty that your email will be private.
Re: (Score:1, Insightful)
The government, not just the US but any government, cannot be trusted, simply because they're just a bunch of people with an agenda.
Fixed that for ya.
Re:Privacy? (Score:4, Insightful)
Don't all people except for those in a coma have an agenda? Doesn't that make your 'fix' about as informative as saying that water is wet?
Re:Privacy? (Score:4, Funny)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
I don't understand that.
What is so wrong about having an agenda?
Having a hidden agenda _might_ be a bad thing, in a perfectly free society.
I think modern people despise politicians so much that they even renounce their duty to be political themselves. People are supposed to have political ideas. It's a good thing, not a bad thing.
When people do not have an agenda, they lack depth in their political decisions, and only think day to day stuff, which doesn't seem wise to me.
Re: (Score:2)
There's no need to encrypt it that far. A single pass with AES256 should be sufficient. There is no reason to believe that there is any organization on Earth (the NSA included) that can break AES.
If you're willing to go to the "insane" methods you talk about, then you're in the sort of inconvenience level where using one time pads would be worthwhile. You can transfer around gigabytes of OTP material relatively easily and securely these days. I mean you can hide one of those 4gb Micro SD cards just about an
Re: (Score:2, Flamebait)
Not to worry citizen, the govt. in all its wisdom and foresight, has thought of this eventuality, and is currently working on different methods....some are a bit more painful than others, but, you needn't worry about that.
Of course, they will use the proper method based on the situation.
EOM
Re: (Score:1)
You have a card reader in your urethra? I want! (The reader, not your urethra.)
Re: (Score:2)
Thanks.
Re: (Score:2)
I mean, who's going to check the inside of your pee hole?
Mine? Nobody. But since you posted this comment on an open forum, you'd better be careful the next time you make an international flight.
Re: (Score:2)
been invalidated?
Maybe you can say that since it was done by a lame duck Congress+President just a few months before elections, then it's not a real national policy despite now being the law. Fine, we'll defer judgment until aft
Re:Privacy? (Score:5, Insightful)
Even if the ISP or whomever cannot share or pry into email for whatever reason, what's to prevent someone from accidentally hitting "reply all" or copying their entire address book and sending it out to the world? That's what I meant by my original statement. It's not so much folks prying, it's "accidents" that I'm worried about.
Re: (Score:2)
If I want communication to be private I snail mail, fax, or phone on landline.
Even if the ISP or whomever cannot share or pry into email for whatever reason, what's to prevent someone from accidentally hitting "reply all" or copying their entire address book and sending it out to the world? That's what I meant by my original statement. It's not so much folks prying, it's "accidents" that I'm worried about.
Don't you know about warrantless wiretapping?
You must be new here.
Re: (Score:2)
Only face to face meetings in a surveillance-proof setting are guaranteed private like out in the middle of the desert or off at sea with no other ships seen as far out as the horizon.
You do know surveillance satellites don't always point straight down and can be pointed at the limb of the Earth just as easily to get nearly horizontal views, right?
That reminds me: has anyone transcribed the HAL-lip-reading scene in 2001?
Re: (Score:2)
And didn't they make sealing envelopes with tamper-evident wax illegal in the late '70s or early '80s?
Re: (Score:2)
Well you should, as it is a reasonable expectation.
True, it turned out not to be, but it should have been.
Re: (Score:2)
I hope you're not a sys admin.
Re:Privacy? (Score:5, Insightful)
Of course we should take technical precautions, but that doesn't mean we shouldn't stop this through legal action either. It seems like a Sisyphean task at this point, but we have to hold firm to our principles nonetheless.
Re:Privacy? (Score:4, Insightful)
The idea that any communication involving telecommunication companies in the US is private is quite laughable; however, if there's even going to be the slightest chance of restoring or at least slowing down the rate of erosion of the right to a reasonable expectation of privacy, every battle must be fought, and thank the matrix we've got the EFF to do it.
Personally I'd sign up for the government spy net - after all, the government doesn't listen to my complaints - if they read everything I write maybe something will sink in.
Re: (Score:1)
Re:Privacy? (Score:5, Informative)
Exactly. How is unencrypted email different to a postcard? Every server along the path has full access (and probably stores a copy for hours to days) to the contents along with the routing information. Due to addressing problems I was receiving CC orders and other confidential emails for some mail order company, for about two months. I had to respond to every one and tell them not to be so stupid.
The problem is that so few people are set up to read encrypted email, that it isn't useful in day to day work.
Re:Privacy? (Score:5, Insightful)
Look, the fact that postcards and most emails are sent in plaintext isn't what this is about.
So far as I'm aware, the United States Post Office doesn't scan, OCR, and store the contents of every postcard that goes through its facilities. If they did, and then made that information available to the government or anyone else that wanted it, you would have a point. In other words, unencrypted does not mean "indexed, cross-indexed and searchable."
Re: (Score:2)
So far as I'm aware, the United States Post Office doesn't scan, OCR, and store the contents of every postcard that goes through its facilities.
They scan, OCR, and store the to and from address of every piece of mail that goes through their facilities.
Is it that much of a stretch to assume that they would do the same with a postcard?
Re:Privacy? (Score:4, Informative)
How is unencrypted email different to a postcard?
Differing expectations of privacy.
An intermediate mail server is not a postal worker.
Perhaps most importantly:
Different laws regarding e-mail and postcards.
Re: (Score:2)
It's quite a bit different, and besides the PO isn't supposed to be reading your post card's content anyway.
Besides, this isn't about plain text/or encryption, it's about the government getting their hands on your data to use how they please, whenever they feel like it.
Re: (Score:1)
Re: (Score:2)
Actually email is more similar to mail than a postcard in that you do have to open it. Of course there is no way to tell if an email has been opened by someone else.
I am on the side that knows it's not secure, but it is a matter of professional ethics that you should expect that it is private. Just as you should expect that people in the medical profession will protect your privacy. Sure anyone in the hospital can find out what's wrong with you, but would you expect the janitor to be fired for looking at
Re: (Score:2)
Exactly. How is unencrypted email different to a postcard?
The only similarity between the two is they are both sent in plain text.
Email is private, reading someone's email is the same as opening their snail mail.
Do you consider it ok to read someone else's postcard, or how about that letter sitting on your co-worker's desk?
Re: (Score:2)
The problem is that so few people are set up to read encrypted email, that it isn't useful in day to day work.
Wrong. Anyone who uses Microsoft Outlook or Mozilla Thunderbird is more than set up to read encrypted email. Personally I use Claws Mail, but using something that's not made by an über-corp certainly isn't a step people need to take.
If you want to give up your personal information, you can go to Thawte [thawte.com] and start sending signed emails right away, which will enable anyone with Outlook or Thunderbird to begin encrypting emails to you. Some people may find cacert [cacert.org] an option, but all-in-all if I needed
Re:Privacy? (Score:4, Insightful)
To me, the "expectation of privacy" says that I am supposed to have privacy, not that I have it.
Re: (Score:1)
It's sad that I'm completely unsurprised by this.
Re: (Score:3, Insightful)
While I agree, they do, they still shouldn't be reading it, even if it's in open text, without a warrant.
You should be able to expect a certain level of privacy.
It's not just our government btw (and it's debatable if the government is 'ours' anymore anyway...)
Re: (Score:2)
That begs the question, and not just for the USA or relating to NSA backdoors (is that the funny all-body underpants you see in Klondiker comedies?), just when, and why, did "any expectation of privacy" come in the window? Particularly in respect of any electronic communications?
Re: (Score:1)
Re: (Score:2)
So if you have a problem with the government, maybe you need to look at why you are so socially maladjusted.
If the majority of the people chooses a government, which forces people to adjust to its rules, needs and wishes, you could call it a democracy but you couldn't call it a free society. I'd rather be free and maladjusted than be a sheep with no principles and opinions of its own.
An analogy (Score:5, Insightful)
Even if breaking in houses is illegal, I still have a lock on my door. Why? Because some people don't care about the law.
Even if snooping on e-mail is illegal, you still need to encrypt your mails. Why? Because some governments don't care about the law.
Re:An analogy (Score:4, Interesting)
Whether I'd like to use encryption or not is irrelevant if those with whom I am communicating do not.
<sarcasm>
Why? Because some governments don't care about the law.
Well, I'm sure you could write them a nice letter asking them if they are illegally spying on you to find out. I see no reason why you wouldn't get an honest answer....
</sarcasm>
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
If you think your padlock is keeping the Government away (the guys with aircraft carriers and nukes), you must be crazy.
US Government very much cares about the laws since that's about the ONLY thing that can stop them from doing to you what they do to everybody else. For example, the CIA torture manual advises you to always check the local laws first: http://en.wikipedia.org/wiki/The_Torture_Manuals#CIA_manuals [wikipedia.org]
Re: (Score:1)
Daimanta:
Even if breaking in houses is illegal, I still have a lock on my door. Why? Because some people don't care about the law. Even if snooping on e-mail is illegal, you still need to encrypt your mails. Why? Because some governments don't care about the law.
megaditto:
If you think your padlock is keeping the Government away (the guys with aircraft carriers and nukes), you must be crazy.
The key, megaditto, is in the word "analogy". No one is trying to stop aircraft carriers with padlocks. (Or maybe padlock was your analogy for encryption and nukes, an analogy for decryption?)
Re:An analogy (Score:5, Informative)
Regardless, it's not a very good analogy. It takes considerably more than the technological equivalent of a hacksaw to break a solid encryption scheme.
Re: (Score:2)
Gah, it's an analogy. Burglars will probably break a window, ignoring the lock on your door. Governments will probably try to read the e-mails at the endpoints, that is when they are stored on your or the receiver's PC. Analogies are not supposed to be 1:1 correct, that's why they are analogies.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
I have a password on my email.
Do you encrypt all paperwork inside your house?
Even worse (Score:3, Interesting)
IANAL, but as I understand it, this does not just apply to the government. Anyone can snoop without legal liability.
precedents not needed (Score:1)
Yet another reason... (Score:3)
Re:Yet another reason... (Score:5, Informative)
And how does maintaining your own email server help? Those outgoing mails are going to somewhere right? And the incoming ones arrived from somewhere? Then they're likely being transmitted in the plain somewhere along the line.
Unless you encrypt the messages themselves, you're on your own. Having your own mailserver, which I do, simply doesn't help with this problem.
Cheers,
Ian
Re: (Score:3, Interesting)
Well, you can also set your email coming to you and going out, to hop through several remailer servers, and a nym server [iusmentis.com].
Sure you still have a hole on the receiver end if they don't encrypt, but, it sure can make it hard for the govt. to see where you're sending to...or receivi
USENET is dead, long live USENET... (Score:2)
Somehow I suspect this is a contributory reason for why USENET is being killed off...
Powers that be, be they governmental or corporate or what-have-you, don't like fully distributed no-one-owns-them systems like USENET. Note too how the intarwebs are increasingly being consolidated as the property of thes
Re: (Score:3, Informative)
Re:Yet another reason... (Score:5, Insightful)
Grabbing a message from the stream is not that hard. Yes.
Getting access to a pile of email that was sent over the course of days to years, I believe, is a much bigger issue. The stream takes good timing, access and preparation. Access to inbox or other folders of an entire email collection is scary. If the private sign leaves the stored email it will allow providers to do what they will with these email documents in the collections of users. Sending a message to a friend about a need for a product could turn into a barrage of ads for same or competing products. Storing old messages with idle threats with a buddy could turn into lawsuits. There could be corporate theft of ideas and more. How about getting fired from a job for idle discussions of other things you think about regarding other lines of work or even a competing company. Then there are the criminal cases that could be set up against you for some idle "what-if" messages with a child, friend, or co-worker. Information and insight about an individual could cause all kinds of difficulties in the wrong hands. If I wanted someone to be party to a conversation, I would have sent the message to that party when I wrote it.
Email server ownership is a big help in these times. "Guilty until proven Innocent" is the opponent of privacy laws and practice. I do not have the time to waste proving every little aspect of my life was not a crime just because someone came into a conversation late, reading their own storyline into my existence. As it is now in consumer America, I have to open boxes at the checkout counter just to ensure the actual item purchased is in the box, and not just floor tiles. I also have to call phone and credit companies over charges that were added in error. Do I need to mention the corrections on food from a drive through, even after seeing the list in perfect order on the screen before getting to the window?
Do not add to my itinerary, as it is full.
Just copyright your emails (Score:5, Funny)
Re: (Score:1, Informative)
Anything you write is automatically covered by the copyright laws.
Already done (Score:2)
Your e-mails are already copyrighted essentially. The metric is basically "anything with a minimal amount of creativity fixed into a tangible medium of expression."
just encrypt it (Score:2)
Any E-mail that you don't want to be seen, you have to encrypt. Otherwise, you can be sure that it will be data mined, analyzed, and keyword spotted.
Re: (Score:2)
Re: (Score:2)
I have never in all my time working with computers EVER seen an encrypted email. I also cannot name a single corporation that uses encryption for email.
Encrypted email just doesn't happen, when I can't even get people to use secure voice communications what chance do I have with email?
I agree encryption needs to be more widely adopted even as a "Just in case" measure but the problem is getting people educated in its use.
HIPAA says no privacy (Score:5, Interesting)
Re: (Score:2)
I think such generalizations are dangerous. If I send an email to one of my kids, it is sent over an SSL-encrypted link to a private machine. When my kids download it, they do so over an SSL-encrypted session. The email might also be sent onto Gmail. Again, the connection from my mailserver to Gmail is protected by SSL/T
Re: (Score:2, Interesting)
What are the options? (Score:3, Interesting)
You can use BetterMail for a secure connection to Gmail, but Google still has all your messages and they're unencrypted when they go out from there. In this case store and forward is not your friend.
You could use a simple encryption tool like this one [fourmilab.ch]. It's a little less difficult than a system that requires a key exchange but it's also less secure. And there's still a decryption process. Copy, paste, type pass phrase, read.
If there's something that's easy to implement and lets you exchange encrypted messages with other email clients that don't support your encryption scheme, then I don't know about it. Far as I know you have to make a decision to encrypt or not every time you send a message. When you're sending to a compatible client you can at least encrypt the body of the message, but as far as I'm aware, that's the state of the art.
Re: (Score:2)
Just use IMAP with Gmail, then you can use whatever encryption your mail client supports.
Economics (Score:1, Troll)
So not only are businesses and tourists stopping going to the USA because of their over the top (and widely meaningless) security, now the US wants to finish off their economy with people not doing trade altogether with the US. Smart thinking.
Re: (Score:2)
I totally agree; it's bullshit like this that makes me consider relocation of my servers to more friendly soil.
Assert your rights (Score:4, Insightful)
I have discussed this issue with some friends who seem to believe that Obama will reverse the current warrantless surveillance practices. If history is to serve as a guide, it seems clear that he will not. I am convinced that contacting our legislators and voting for Democrats are two of the least effective means of protecting our rights. Indeed, the most effective way of protecting our rights is by asserting them. We as Americans have the responsibility of actively protecting our rights, rather than depending on the ineptitude and conflicted interests of our elected officials. This is why I propose not only opportunistic encryption, but also what I call gratuitous encryption. This means the ubiquitous use and advocacy of PGP, SSH, SSL, VPNs, tor, full disk encryption, and every other tool we have at our disposal.
Check out this page [tamu.edu] for ways to assert your rights.
Thunderbid? (Score:1)
Re: (Score:2)
Re: (Score:2)
A postcard is like an "ATTN: [username]" post on usenet.
A Letter is like an email.
An encoded letter is like an encrypted email.
What goes around ... (Score:5, Interesting)
Time to revive the good 'ole FIDO mail system and BBS technology. This is not such a bad thing though as it is NOT the internet - it's the phone lines. Hmm .... Oh well, so much for freedom. It was nice while it existed.
Still, one can PGP that style of mail easily and it is by today's standards pretty secure in its travels to and from. The phone company is involved though so look out. Short of floating our own satellites and running the entire thing end to end, there is NO WAY ANYTHING WE DO from this point on is beyond scrutiny or observation, "we" being those that still believe in the Constitution, Bill Of Rights, etc. and they that watch and record are those we think we'd like to avoid.
I work a FL county GIS and in 1998, our aerial maps were good enough that we zoomed down to look in the back of a co-worker's pickup truck and could easily read "Budweiser" on the case of beer in the truck bed. We were told that the military had these same maps but in 4 or 5 stages better resolution! THAT was 10 years ago - now it's LIVE.
I ran a multi-line BBS for 15 years and hubbed mail for FIDO most of that time. The mail "bags" came in, got sorted and went back out. It was true store and forward technology and with today's packer and encryption options, I believe that FIDO could once again offer relatively secure email. It would take a network though and with each added "node" would come potential trouble. Who's to say that hub in New Hampshire is not the FBI? With the right email client software, the playing field could be vastly leveled - are you listening Santos's?? End to end PGP enabled mail times the quantity factor would be REALLYPGP and the hardware that would have to be dedicated to breaking all that mail would be ridiculous. All this could run on old time BBS systems. Imagine this - NO SPAM (yet).
Rx --> Doctor Smith
I'm sure the public would like to take a look at.. (Score:2)
.....The emails of various Politician and Corporate government relationships.
And let's not leave out stock market related emails from those in the know.
Not just e-mail... (Score:4, Insightful)
Not to be flippant, but does anyone really believe there is any privacy anymore with simple, unencrypted email?
Does anyone really believe there is any privacy anymore with ANYTHING? Technology, government and law enforcement practices, and the general public indifference are all converging to insure that nothing is hidden. Rant and rave, fight the good fight, but those of us who give a shit are becoming increasingly rare. It's an out of control freight train that can't be stopped -- delayed maybe, diverted to do less damage perhaps, but unstoppable.
The only thing you can do is try to leave as small a footprint as possible. I know damn well that if someone really wanted to find me, or know my business, they could do so. I long ago abandoned any notion of being able to prevent any and all personal, corporate, or governmental snooping. All I can do is use some common sense, do nothing to call attention to myself, and try to make it as difficult as possible so as to not be worth the effort for all but those who are truly determined. And try to avoid doing the things that would make those determined folks want to find me.
Unfortunately, the list of those things gets longer every day, and all those peculiar interests and eccentric foibles I used to take pride in may now well brand me as "suspicious" and worthy of further scrutiny.
Klingon Proverb (Score:2)
If you do not wish a thing heard
do not say it.
I wonder though, is a walk in a random park still private enough for some sensitive communications.
Works both ways (Score:3, Interesting)
If selling e-mail off of servers is not wiretapping, then it's not wiretapping if the e-mail being sold belongs to the government, GOP, or whomever. Even if that e-mail is encrypted, the traffic analysis data is quite valuable. Law enforcement is way behind the game in link analysis. That is: who phones, or e-mails who, when and how often. That data has been gold to marketing departments for years. Undoubtedly, it will be valuable to political competitors, foreign intelligence agencies and others.
It sounds like the door is wide open for a whole new business plan. The "3) ????" just before "4) Profit!" has now been solved.
Re: (Score:2)
How many stories do we see of government laptops being stolen?
I doubt encryption is used in government email; even if it is, the keys are on the unencrypted laptops that keep getting stolen.
DIY (Score:2)
Aaaaannndd...
If anyone out there still thinks their libertarian IT-guy-next-door is a bit over-the-top or paranoid for running his own email server in his basement, here's why*!
Time to get an unfettered DSL line with a static IP and set up my own server.
(Actually, time to become an email server configuration consultant)
* - and yes, I RTFA'd and this has to do with slurping email off of a server's storage area and not making a copy of an email being transmitted
SSL to E-Mail (Score:2)
I learned from my time working for a web site design company (now long out of business) that even though your connection to a site may be secure, that doesn't mean that the site doesn't immediately forward your submitted form data to an aol.com address without the benefit of any encryption.
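The point made in the comment above, and in the "How is unencrypted email different to a postcard?" comment earlier in the thread, can be checked per message from its Received headers. This is an added example, not part of the original comments: Python that lists each relay hop and whether the receiving server recorded TLS for it, run over a constructed message with hypothetical hostnames and addresses. Received headers are written by the relays themselves, so only the ones added by servers you control are trustworthy.

```python
import email
import re
from typing import List, NamedTuple, Optional

# "with" protocol keywords that mean the hop ran over TLS
# (ESMTPS/ESMTPSA/LMTPS/LMTPSA from RFC 3848, UTF8SMTPS/UTF8SMTPSA from RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


class Hop(NamedTuple):
    sender: Optional[str]    # host named in the "from" clause
    receiver: Optional[str]  # host named in the "by" clause
    protocol: Optional[str]  # keyword after "with", upper-cased
    tls: bool                # True only if the receiver recorded a TLS protocol


def _strip_comments(text: str) -> str:
    """Remove (possibly nested) parenthesised comments, which may contain 'with' or ';'."""
    previous = None
    while previous != text:
        previous = text
        text = re.sub(r"\([^()]*\)", " ", text)
    return text


def _first(pattern: str, text: str) -> Optional[str]:
    match = re.search(pattern, text, re.IGNORECASE)
    return match.group(1) if match else None


def received_hops(raw_message: str) -> List[Hop]:
    """Return the relay hops in chronological order (oldest first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its header, so the oldest hop is the last one listed.
    for value in reversed(msg.get_all("Received") or []):
        text = _strip_comments(" ".join(str(value).split()))  # unfold, drop comments
        clauses, sep, _date = text.rpartition(";")             # date follows the last ';'
        if not sep:
            clauses = text
        protocol = _first(r"\bwith\s+([A-Za-z0-9]+)", clauses)
        protocol = protocol.upper() if protocol else None
        hops.append(Hop(
            sender=_first(r"^\s*from\s+(\S+)", clauses),
            receiver=_first(r"\bby\s+(\S+)", clauses),
            protocol=protocol,
            tls=protocol in TLS_PROTOCOLS,  # a missing "with" clause counts as unencrypted
        ))
    return hops


def plaintext_hops(raw_message: str) -> List[Hop]:
    """Hops for which no TLS protocol was recorded."""
    return [hop for hop in received_hops(raw_message) if not hop.tls]


# Constructed sample: a web shop's form handler mails an order through two relays.
SAMPLE = """\
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
    by mx.mailbox.example (Postfix) with ESMTPS id C3C3C3
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256);
    Mon, 1 Jan 2024 10:00:03 +0000
Received: from mail.shop.example ([192.0.2.25])
    by relay.isp.example with ESMTP id B2B2B2;
    Mon, 1 Jan 2024 10:00:02 +0000
Received: from web01.shop.example (web01.shop.example [192.0.2.10])
    by mail.shop.example with ESMTPS id A1A1A1;
    Mon, 1 Jan 2024 10:00:01 +0000
From: orders@shop.example
To: owner@mailbox.example
Subject: New order (constructed sample)

Order form contents would be here.
"""

if __name__ == "__main__":
    for hop in received_hops(SAMPLE):
        state = "TLS" if hop.tls else "PLAINTEXT"
        print(f"{hop.sender} -> {hop.receiver}: {hop.protocol} [{state}]")
```

Even when every hop reports TLS, each server in the chain still holds the message unencrypted in storage, which is the access the article is about; only encrypting the message body itself (PGP or S/MIME) changes that.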
Re:outlook encryption for POP3, SMTP, IMAP usage (Score:5, Informative)
Re: (Score:1, Insightful)
Install Thunderbird, GnuPG and the EnigMail extension.
And get everyone you correspond with to do that as well.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
http://en.wikipedia.org/wiki/GNU_Privacy_Guard [wikipedia.org]
GnuPG is also a world recognized standard. Proper mail clients should support it out of the box.
Re: (Score:2)
Well said! The "trouble" is the PGP model completely decentralises and popularises certification — it's cryptographic anarchy, there is no authority but Number One, and control and responsibility is largely in my hands. I get the impression some people don't really like this idea. With S/MIME I have to trust the certificate authority to do a Proper Job. Heh, no thanks.
Re: (Score:2)
Re: (Score:2)
Yes, it's called "mine".
Re: (Score:2)
Outlook supports S/MIME.
Re: (Score:2)
Or better still, a plain-text to spam encryption/decryption plugin for our E-mail applications.
Re: (Score:2)
"Make ur pen!s bigger in seconds! Satisfy your gf! We have name-brand v!agka on sale cheap!"
Would translate to:
Would you mind stopping off at the store for a loaf of bread on the way home, dear?
Re: (Score:2)
Someone already thought of this.
I love the "fake pgp" option.
Spam Mimic [spammimic.com]
Re: (Score:2, Funny)
Hi Alice,
just tell Bob he's not getting any until he learns about encryption.
Re:IPSec, S/MIME, SSL, SSH, VPN, etc. (Score:4, Insightful)
You do realise that it's a matter of time before mandatory backdoor to all encrypted traffic is required by law.
Re: (Score:2)
The point of security is to keep people out. Not make it easier.
Re: (Score:2)
I know I'm feeding an unskilled troll. I don't care. Maybe he's genuinely stupid and can be set right. Dammit, I've got to try!