The problem with email confidentiality


One consequence of the recent NSA revelations is that they have piqued my interest in the whole issue of encryption and internet confidentiality and security, topics about which I had at best a very hazy idea. For example, I had never even heard of Lavabit, the encrypted email service provider that apparently has attracted over 400,000 users in its ten years in operation. After word got out that Edward Snowden used it, the number of new monthly subscribers surged to three times its normal value.

Ladar Levison, the head of Lavabit, said that he chose to shut down the company that he founded and nurtured from its infancy and that provided him with his income because he felt it would be wrong to comply with government demands that would force him to “become complicit in crimes against the American people”. In this news report, he explains that he was not entirely opposed to cooperating with the government.

Levison isn’t a privacy absolutist. He has cooperated in the past with government investigations. He says he’s received “two dozen” requests over the last ten years, and in cases where he had information, he would turn over what he had. Sometimes he had nothing; messages deleted from his service are deleted permanently.

“I’m not trying to protect people from law enforcement,” he said. “If information is unencrypted and law enforcement has a court order, I hand it over.”

In this case, it is the government’s method that bothers him. “The methods being used to conduct those investigations should not be secret,” he said.

So clearly the government was going well beyond what he considered reasonable, and the report hints at what that might be.

He says his customers’ encrypted data is secured with a public key and private key, and that the private key is protected by a password. He doesn’t have the technological capability to decrypt his customers’ data, but if someone could intercept the communication between Lavabit’s Dallas-based servers and a user, they could get the user’s password and then use that to decrypt their data.

Levison says that he is taking a break from email, adding “If you knew what I know about email, you might not use it either.” What also bothers him is the gagging. “The fact that I can’t talk about this is as big a problem as what they asked me to do.” His lawyer echoes that sentiment.

Levison’s lawyer, Jesse Binnall, who is based in Northern Virginia — the court district where Levison needed representation — added that it’s “ridiculous” that Levison has to so carefully parse what he says about the government inquiry. “In America, we’re not supposed to have to worry about watching our words like this when we’re talking to the press,” Binnall said.

Meanwhile Phil Zimmermann, creator of the PGP encryption system, who also preemptively shut down his Silent Mail encrypted mail service, had a Q&A with Forbes magazine in which he explains in more detail the security deficiencies of encrypted email and what the government can do.

At the very least they would be able to see the plain text headers of the e-mails, [which] would say who the mail is from, who it’s to, the date it’s sent, time stamp, and subject line. If the message body is encrypted to a key that we hold on our server, they could ask for the key, or ask us to decrypt it, or ask for the key so they could decrypt it. That’s what we were afraid could happen.

We didn’t have a PGP client that could run on a smartphone, and our market is primarily smartphone users. So how [could] we get it? Get a server side implementation of PGP, a Symantec product called PGP Universal, meant for enterprise customers who want to manage keys on the servers. So that’s what we were using. But if someone comes to us and forces us to hand over the keys, [we’re in trouble.]

There is no way to do encrypted e-mail where the content is protected. No way where the metadata is protected. Assuming that the e-mail is based in the country that can apply pressure to the mail provider… Almost any government has the ability to pressure a mail provider in that country to hand over what it has.

It looks like we need the equivalent of a Cayman Islands for email service providers. Just as that country profits from the secrecy and security it grants wealthy people, on the surface it looks as if a country that protected its internet service providers from such demands could make a killing as a haven for those companies.

But of course the reason that the Cayman Islands can get away with being a tax haven for wealthy people is because the US government is in the pockets of those same wealthy people and has little interest in shutting it down.

In the case of a country that shelters email providers this way, you can be sure that the US government will apply all the pressure it has at its disposal, so only a very determined and independent country will be willing to do it.

Comments

  1. unbound says

    It looks like we need the equivalent of a Cayman Islands for email service providers.

    Actually, all we really need is for e-mail to be treated the same as paper mail. It is illegal to intercept and open regular paper mail. There is zero reason the same laws shouldn’t be applied to e-mail. Ease of interception is no excuse. It is easy to break in the windows to my house and take my stuff…I don’t need to put up bars and lasers to make it illegal. It is simply illegal to go into my house and take my stuff.

    The 4th amendment logically applies to the government doing any type of data collection with our e-mails, file transfers, etc. We just need some legal representation willing to push what should be a rather basic interpretation of the 4th amendment through…I just don’t know if it would have a realistic chance in this increasingly police state environment.

  2. wtf says

    Add to that that the feds believe they can examine any of your cloud based email older than six months without a warrant because you’ve abandoned that email.

    http://www.aclu.org/blog/national-security-technology-and-liberty/fbi-documents-suggest-feds-read-emails-without-warrant

    I don’t know how anyone can expect to run any sort of business requiring confidentiality however slight if the Feds demand the rights to place backdoors in. In many ways, the Feds have killed the Internet, which may be what they wanted to do.

  3. left0ver1under says

    If reputable people can’t provide secure email service, then what about individuals doing it themselves? I thought the idea behind PGP was that the encryption key was public (thus allowing anyone to send to you) but the decryption key was private, only the holder could read the email.

    If people can’t trust third parties, they will resort to other secure means of transmitting messages.

    One thing that really makes me laugh about the alleged “need” for snooping on private emails is what the US military learnt. Al Qaeda was using email accounts, but NOT to send emails. Instead, they created messages and saved them in the draft folder. Messages were never sent, so the NSA could never intercept them.

  4. unbound says

    @2 – Killing the internet may very well be a goal. The vast majority of big money in the US are still predominantly non-internet business owners (e.g. Waltons, Kochs)…and, historically, they tend to create barriers for someone else taking their spots. This is an important behind-the-scenes reason that drugs like alcohol get defended while drugs like marijuana are strongly opposed.

    @3 – One of the issues with PGP is that you need to continually keep the encryption upgraded. Some of the earlier PGP keys have been broken (384-bit), so your older e-mails will eventually become insecure from a government that has no rules against monitoring and hacking your account. Additionally, in a world increasingly looking to use cloud services, we may get to the point that we don’t have a lot of hardware at the endpoints to keep the messages secure at rest.

  5. Compuholic says

    @left0ver1under:

    That is essentially correct. PGP is an implementation of the public key principle (which is also used in SSL encryption). If the key size is big enough it is virtually certain that nobody can read your encrypted messages. Unfortunately this solution only addresses part of the problem.

    1. The header information is still sent over the wire in plaintext since the mail servers the message goes through need to know how to handle it. The header already contains a lot of meta-data that can be exploited. This problem could in principle be addressed by transmitting the message itself over a SSL-secured connection, which carries another set of problems with it:
    a) SSL relies on a Diffie-Hellman key exchange which is prone to man-in-the-middle attacks (at least without a certification authority that both communication partners trust)
    b) If the receiving server is compromised it doesn’t really matter how you encrypt your communications.

    2. Your communication partners need to have PGP or a compatible software and you need the public keys of your communication partners.

    3. If someone sends you a PGP key you cannot directly verify that it was the sender who sent you the key. In order to verify the key you need to rely on the fingerprint (which your partner has to tell you somehow) or on a certification authority that both parties trust.

    In the past certification authorities have also been compromised.
