Sunday, December 12, 2010

Email Security in the new Surveillance Society

For over two decades, email has been a routine part of our modern lives. Who would consider sending out a quick one line 'Haven't heard from you lately, how are you?" by postal mail anymore when just about everyone in the industrialized world has an email address?  For many people, myself included, email has nearly totally supplanted postal mail as their de facto method of communication. On any day, I probably send and receive more than 100 emails while my outgoing postal mail is down to one or two items a week and my incoming is nearly only commercial.

With our incredible reliance on the technology, it might surprise you that email hasn't changed very much since it was developed nearly four decades ago or that it is one of the biggest threats to your personal security and liberty on the Internet today. Bigger than hackers. Bigger than viruses. Bigger than the entire criminal underworld combined.

Email works much the same as our traditional land based mail systems do.  When you drop a letter in the mail in Florida destined for a friend in Wisconsin, that piece of mail will pass through multiple mail processing hubs as it makes its way to its final destination. You might trust your local postal staff not to read your mail and you might even trust the postal staff at the office in Wisconsin, but what about the multiple, unknown, stops your letter will make as it travels? Do you trust the people who work at those locations?

From the moment you press the send button, your email begins a magical journey that will carry it through tens (or even dozens) of machines in a totally unencrypted and unprotected form.  Anyone at any of the machines your email passes through on the way to its destination can easily intercept and read your mail and you'd never know it happened. The email would still reach its destination as planned and you and Aunt Sallie would successfully plan the demise of this years cookie baking champion.

Who would want to read your email though? I mean, you're exchanging baking recipes, jokes, occasional 'important' but not terribly sensitive information.  You're not some CIA spy working in Siberia trying to catch an international arms dealer.  As it turns out, you don't have to be.  There are several groups that might have an interest in intercepting and reading your mail: the government in an effort to 'catch terrorists', your ISP (for various reasons), your email provider, someone trying to analyze the data in your email for marketing purposes, the list goes on and on and on.  Unfortunately, the list also grows every day. Email is the last great wide open privacy farm. Nobody thinks about protecting it and people share incredibly sensitive information using it.

Let's define 'reading' a bit.

You've seen me use the term 'read your email' several times in this article and you might be thinking 'really, Anthony, someone is going to sit down and personally go through thousands or millions of email messages every day? I don't think so!"  You'd be right. They automate it.  Because email contains absolutely no encryption or security at all, it's easy to automate scanning it for keywords. If you use the popular email service GMail you're already familiar with this. Notice how if I make a joke in my email to you about Viagra, GMail is suddenly showing Viagra ads on the left of the email? It's because they've used special software to 'read' your email for keywords and picked up that we were talking about Viagra. GMail uses the technology to help their marketing, but it could easily be used to scan for anything they wanted.

That's one form of reading your email. But there's another, even more sinister and more direct way.

Let's discuss the Government


The United States, as well as several other governments around the world including UK, New Zealand, and Australia, have admitted over the last several years to routinely monitoring overseas communications. That includes phone calls, emails, faxes, etc.  From recent research, we have strong reason to suspect that a few of those governments may have tuned their surveillance to even include domestic communication that that's where your email to Aunt Sallie comes in.

The software governments use to scan email is similar to that used by GMail except immensely more sophisticated.  Because governments are seeking (called 'minining') intelligence information, their processing is more fine tuned and the analysis that goes on is much more extensive. Government analysis seeks to find patterns, keywords, and trends in your messages. For example, is a specific phrase used a lot in multiple, otherwise unrelated emails? That might indicate something.  Were you frustrated by the recent election and said something in passing about 'just getting rid of them all'? That might indicate something too. We don't know how extensive government analysis is but, because of it's purpose, you can bet it's intense.

In the end, if your email is interesting enough to trip enough triggers, it might end up on the desk of some nice intelligence analyst who will read it personally. If he finds it interesting, he might ask your Internet mail provider to forward him all of your email communications for a while and he'll read those until he's satisfied that you're just another ordinary citizen.

For brevity (what's that?) I'm not going to go into the other parties who might want to read your email. The point is that there's virtually no protection against anyone who really wants a crack at your private communications. Your email is like a house with no locks. Private as long as nobody decides to take a peek inside.

Installing the locks...


With all this talk about how insecure email is, you probably think that protecting it from prying eyes must be a Herculean task or else everyone would do it.  Here's another surprise: it's not.

Protecting your most private communication from anyone's prying eyes is incredibly simple and the tools you need are freely available. The process involves both you and the person you're communicating with simply encrypting your mail both ways using something called a public key.

Don't worry, it's not as complicated as it might sound. It's all automated!


Public Key Encryption is a reliable and, if used correctly, unbreakable way to protect your emails from unauthorized access. It involves both you and the person you're exchanging emails with to exchange 'public keys' which is information that anyone can have - it simply allows someone to encrypt email to you. YOU keep what is known as your 'private key', which is used to decrypt mail sent to you and to do other functions.

The process can be done in most email clients (Outlook, Eudora, Thunderbird, AppleMail, etc) automatically after a five to seven minute setup. After that, as long as you're encrypting mail to your recipients and they to you, no one will ever know what you're saying ever again.

If it's so easy, why isn't everyone using it?


Good question! Laziness!

While setting up and using this technology is very simple, it does require you to set it up and it does require some extra work when you start to encrypt mail to new people (you have to add their public key to your 'keychain'). It's not a lot of work but it's more than most people want to do just to send an email - especially if they have nothing to hide.

Exactly! I have nothing to hide, why would I worry who reads my email?


Are you ashamed about sex with your spouse? Can I come over and peek through the windows next time you guys are romantic?  The truth is, you don't have to be doing anything wrong to deserve or want privacy. In fact, it's the innocent who require and should demand the most privacy. If you're not doing anything wrong, why should someone be reading your emails? Personally, the fact that there's possibly some guy I don't know sitting in some analysis room reading YOUR private emails makes me mad as hell. You deserve privacy and YOU exerting your right to it makes a stronger case for all of us privacy loving netizens.

Alright, where can I find out more?


There's not a lot your have to do to get started. If you're a Windows user, first make sure your computer is virus and spyware free (I assume you know how to do that) then head over to http://www.gpg4win.org/download.html, download, and set up the software. Go through the steps in this article to set the software up and generate your public/private key, and get the keys of those you communicate with. With that, you are totally secure!

Happy, safe, computing!

1 comment:

Christine said...

Thanks Tony! That is so helpful. I don't even think about stuff like this on a daily basis. Maybe that's why we have so many problems today. People don't know how to protect themselves. Thanks!