40 comments

[ 5.1 ms ] story [ 107 ms ] thread
This analysis is fine as far as it goes, but Riseup is a really optimistically best-case choice for a U.S. provider to use in the comparison. It's not a general-purpose or commercial provider, but rather a political organization. It's an anarcho-socialist activist group that provides accounts to its members, and to allied groups/individuals who request assistance. New accounts must either be vouched for by a current member, or submit an application that will be reviewed. Accounts are denied to people who do not align with the group's general goals. For example, they do not wish to provide accounts to capitalists ("anarcho-" or otherwise), to vanguardists/Leninists, or to other people whose aims are incompatible with libertarian socialism.

As such it's more of a political association than a telecom company, which at least in theory ought to give it the highest degree of protection under US law.

If political associations have greater protection under US law, would it be possible to create a network of political organisations similar to Riseup, but for every section of the political spectrum that would provide email accounts to everyone who applies? By having multiple providers you could cover 99% of the people who care about their privacy.
Too bad Lavabit didn't think to call itself a political organization for the privacy minded.
Because it wasn't one. Encouraging abuse of these loopholes is the best way to get them reexamined.

If you think email providers should be entitled to the same level of protection, okay. That's a sensible change to suggest. I don't see what good you think can come of obviously apolitical email providers pretending they are political organizations to get additional benefits. That's a "let's pretend we're a church so we don't have to pay any taxes!" level idea.

Any political organization in the world should be very worried about its communications since the Snowden revelations.

I wonder why we havent heard major political parties in EU countries them setting up their email/communications-equipment/networks/services inside their parliament buildings, or even just re-checking their current security standards.

Because 1) they've known all along this has been happening and 2) they don't really care, public histrionics to the contrary.
It's a poor analysis, using one example. Zero points for research and comparison. Nothing about likely legislation and law enforceent norms for example. Even if the writer's not trying to be exhaustive, there are various factors to consider, and very few are outlined here.
Well, email is safer in the U.S. since it's literally the only way it retains any Fourth Amendment protection, and even that is only if you own the hardware that the email is held on. As soon as it crosses international boundaries (even, apparently, virtual boundaries) it's fair game legally for the NSA to grab if they can.

But that was true in 2012 as well. The problem now, as it was then, is that people have chosen and they are quite willing to trade some privacy for cost and convenience.

The rise of mobile is only further accelerating that trend, and the lack of really good open source (or even commercial) PIM is not helping matters either. There's a reason people are switching to GMail instead of sticking with their existing free email through their own ISP, after all.

> As soon as it crosses international boundaries [..] it's fair game legally for the NSA to grab if they can [..] people have chosen and they are quite willing to trade some privacy for cost and convenience.

No they haven't. Most people haven't made this trade-off at all, they just "use e-mail".

  > As soon as it crosses international boundaries (even,
  > apparently, virtual boundaries) it's fair game legally for 
  > the NSA to grab if they can.
Would you say the same if NSA was replaced by some other organization in China, Russia, Krakosia?
Why not? You can pay people to intercept. Or you can negotiate with the government in the foreign country. Actually intel agency from different countries have a few collaborations as they continue on with their operations. Sneaking into someone's secret file is not always welcoming and can backfire so they do trade information as necessary.

For example, watch a documentary on Iraq war you will find that the US, French, British and German intels were exchanging information.

Yes. I've always assumed that any useful Internet traffic crossing Chinese or Russian borders would be poached by their intelligence agencies as a matter of course. This is what they've been doing since electronic communications were proven to be valuable during WWII, after all.

Why, what did you think they were doing?

Even beyond that I have assumed that Internet communications of mine that are unencrypted are likely to be read by botnets, Internet-based organized crime, spammers, and a host of other unsavory characters that I really don't need snooping in my bidness. I have assumed this ever since reading Schneier back in 2001 or thereabouts and making my first GPG key.

As Anon has been so fond of reminding us, "The Internet Never Forgets", and I remember that every time I use the Internet.

(comment deleted)
Well, U.S. email is safer in the U.S.

Fixed that for you. I don't like the way the article implicitly assumes an American audience, and so do the comments here. As a European, my email is certainly not safer in the US than in Europe.

I apologize for that, you're right that I'm implicitly assuming some Americanisms.

Yes, as a European your email is always at theoretical risk of interception by NSA if it transits U.S. borders.

Although even there the law is murky; foreigners don't lose property rights just because they visit the U.S. for instance, and the Fourth Amendment applies to foreigners within the boundaries of the U.S.

So if you host your email on your own hardware, within the U.S., it's not as if the government has the authority to go rip your server off the shelves without a warrant. They can intercept your traffic between your home in Europe and the server in the U.S., but that's why we have encryption, you should always have been assuming people are snooping that anyways.

On the other hand hosting email abroad from your home nation may put you at risk of European intelligence agencies warrantlessly intercepting them (even the German BND appears to have that legal authority), so I suppose that's a risk factor you'll have to balance on your own.

The article woefully misunderstands the web security model :

> Lavabit’s own privacy policy at the time that Snowden was believed to have been using it stated that “premium users” would benefit from having their e-mail secured with “an asymmetric encryption process that guarantees that it can’t be accessed by anyone except the holder of the account password. For these accounts, only the encrypted version of the message is ever saved to disk.”

Except, of course, that lavabit is still the only party that controls the code that reads and writes your password, and has the power to replace that code without telling you. Furthermore it doesn't work at all unlesss it's connected to the internet. Updating lavabit's servers to send the password to your mails the first time you access them would be trivial, and well within the powers of the NSA/FBI/...

Worse, Lavabit does get clear text emails when they are received. They encrypted them later. The amount of time later is legally irrelevant because they are now in possession of the data and can be made to hand it over.
But they are not in a position to hand over communications received prior to the court order. That's the whole point of encrypting received e-mails.
This is an important distinction, though not iron clad. Lavabit could in theory be ordered to retain records for x days in general.

More importantly, though it's obvious to anyone who thinks about how "encrypted" mail works, many people(possibly including Lavabit's founder ... it appears he asserted to the fed's he couldn't give them envelope information) assumed encrypted meant nothing can be handed over ever, even with a court order.

(comment deleted)
The only way for that not to be the case is if the sender encrypted it before sending it, at which point you don't need Lavabit anyways.
Actually, that's not entirely true. Due to a quirk of US law, e-mail in transit has more legal protection than e-mail at rest.
"We will never go away and leave you without an e-mail account."

"We would rather pull the plug than submit to repressive surveillance by our government"

Processing, processing, processing... Warning! Internal consistency error detected.

I think this this article grossly misunderstands the basic problem. It's not about the government being able to reach out for the data of an individual suspects criminal. It's about the government grabbing ALL data from EVERYONE.

No email service stands above the law. They have to provide data about about suspect criminals if there is a search warrant. This will even work internationally with the mentioned treaties and the suspect will not be notified about the search. Lavabit would have complied with such a request as well.

HOWEVER, this does NOT mean blanket surveillance of everyone, without any due process, court orders, or search warrants. And frankly, European data protection laws are supposed to prevent such blanket surveillance while the American government clearly does not.

That's right, and as a consequence of failing to note this important difference, the article also misses the point about US v Europe email security. A US person has some (limited) protection against blanket surveillance by US agencies whereas a European person is considered fair game for them.

Where your email is more secure depends entirely on where you live and what threat you're trying to protect against. As a Chinese political activist I would feel safest with Google. As someone with friends and family in the Middle East I would try to route my email around the US if at all possible.

The article is also wrong about the gag orders in Germany. The provider can not tell you that they handed over your data while you are personally under investigation. If it turns out that you are actually innocent the police is required by law to inform you that they have requested some data about you. That they often "forget" to do so is a different story.
I don't know German law, but I'd imagine it's similar to Portuguese law (which is itself French-inspired): a court case can be secret in the investigation phase, always under mandate by a judge, with explicitly limited secrecy duration. When the investigation phase ends, all those investigated must be notified, even when they are deemed not interesting in the case.

Some secrecy is needed to avoid evidence going down the toilet. This model strikes a decent balance, I think.

In short the situation in many European countries is "the ISP doesn't need to inform you that they handed over your data for an investigation, it's the police's job to do so".
The police can't request data. Only public attorneys, and even then, only under direct surveillance by a judge. When the first phase of the investigation ends, the ISP may inform the customer. Public attorneys must inform the investigated individual.
This is slightly off-topic, but does anyone know of any standards for publishing PGP keys? Like if your email is sandra@example.com, you could publish your PGP key at http://pgp.example.com/sandra.

Seems way more in the federated spirit of email than just using pgp.mit.edu.

There’s not just pgp.mit.edu but a whole network of keyservers to which you can upload your key – after all, publishing a PGP key is not the hard part, verifying it is the difficult task.
Put the servers in orbit.

Oh wait, the NSA/CIA/military has their own private space shuttle (seriously)

Or you could encrypt your e-mail. It doesn't matter where the server is, since the whole communication with it is probably intercepted by some intelligence agency. The only thing you can do is encrypting your e-mail and telling everyone you know to do so too.
The article I feel is missing several points. Using riseup with dropbox for example seems to be the wrong way to do it.

The problems we have with e-mail are due to e-mail itself. Traditional E-mail (whether it's delivered over SMTP/TCP/IP or UUCP or whatever) was not designed with privacy in mind. As hackers, tinkerers and makers we need to design and develop more resilient communications systems in the wake of this and clearly define what it is that we're protecting them from. Trying to find a country in which it's marginally safer to host a standard e-mail system in which there's no encryption is a bit like re-arranging deck chairs on the titanic.

I'm hoping (if my submission is accepted) to discuss this in more detail at 30C3 and Securi-Tay 3 in December and January, and provide a proof of concept that shows some ideas on how we can address specific threats.

So, German companies can't tell you if their government accessed the data. How does that exclude Europe in it's entirety?

Even if such laws are passed within the European union, there still are countries outside of EU that have reasonable laws on freedom of speech.

Misleading headline. If option B is equally as bad as A, then how does that exclude C, or even recommend A again?

So the real answer is: Use encryption and think about self-hosting. I'm 90% done with my docker image (docker just for fun, maybe I'll turn it into a chef recipe/ansible playbook or whatnot, just to make it reproducable) for a mail server that _I_ am going to use and that I'll try to promote among friends.

Up and running in minutes, mostly limited by the download rate to install the required packages. Run that on a (old/small if you want) machine with full-disk encryption. You're mostly there for 'normal use'.

I really think this is possible for regular users, if provided in a simple way. A 'one click to set up your mailserver' thing (or maybe ArkOS etc.).

The country's laws come second when YOU are in control of the machine in question (and on a side note: I'm pretty sure the laws in German are much better if you're talking about your private service instead of a commercial service that you're offering similar to an ISP).

As many EU countries collaborate closely with the US intelligence, I think it's a matter of how much influence the US can leverage to get its way.

For instance, I'm fairly certain that Sweden will do anything the US demands to not upset the big brother.