Mad, Beautiful Ideas
Another Reason to Encrypt your E-Mail

The Sixth Circuit Court of Appeals in Cincinnati has agreed to hear a case, United States v. Warshak, which focuses on the issue of privacy rights and electronic communication, specifically e-mail. Honestly, I’m not sure how this is going to turn out. The tack the government is taking has a lot of potential for success. The Government is attacking the problem of following e-mail by targeting ISPs. In this case, ISPs appear to be defined largely as anyone who is running a mail-server, as anyone running a mail server has the ability to snoop on any e-mail sent through their server, including saving it if they so desire.

Personally, I’m a big fan of server-side storage of e-mail. When I was the sysadmin at CB Apparel, I worked to reimplement the company’s e-mail situation to use IMAP instead of POP3, and a webmail client to ensure that our sales staff had full access to their e-mail wherever they might be. Had I been able to find a more mature Open-Source Groupware Suite, I’d have integrated that instead. I love the idea of e-mail available anywhere. But it raises an interesting issue. Most ISPs have rules in their Terms & Conditions that they can monitor e-mail, either to protect themselves, others, or comply with the law. At CB Apparel, we were able to use stored e-mails to prove that a sales person was using company resources for personal gain, trading products that the company was paying for, for goods that they were keeping themselves. That person was going to be caught anyway, but the stored e-mail served as a great level of proof.

The problem is that the monitoring of e-mail, either by a corporation or the government, has always depended on an issue of suspicion. Though I certainly had the ability, I had no reason to monitor my users’ e-mail unless we had a reasonable suspicion that we were going to find something. We respected the privacy of almost all our users, revoking that respect only under the case of reasonable suspicion. Same with investigating their web usage. In a few circumstances we had reason to believe they were misusing company resources, and we investigated that. However, I would never have dreamt about cooperating with Law Enforcement unless they could furnish a warrant or subpoena requiring it (though of course, that decision would not have been mine, but my manager’s). Still, the tack that the Government is taking, that e-mail privacy is non-existent and that they should be able to monitor and read it as it passes through ISP servers without requiring a warrant, bothers me. A lot.

Some people are taking a 4th Amendment stance on the issue: that such a monitoring system would constitute an illegal search and seizure. I disagree with that argument, simply due to the fact that most e-mails are sent in an insecure fashion. It would be like claiming that a conversation overheard by a law-enforcement official (or even a concerned citizen) while standing in a shopping mall or a restaurant would not be permissible in court. The only success the issue might have, and the defense really needs to push this side of it, is that the illegal search is occurring against the ISP: by forcing them to turn over details on communications being conducted through their servers to the government, they are being forced to give up their right to decide when it is proper to notify the authorities. Because they are being forced to give over this information, we are being told by the government that we have no expectation of privacy in our communications. If they start with e-mail, where will they stop? How long before they can justify warrant-less phone taps to the courts? How long before they claim that any digital media is not considered private?

There are a lot of conspiracy theories regarding the NSA and their ability to break public-key encryption. Certainly, if they can’t get their hands on the Public Key, they’ll have a nearly impossible task at discovering the private key (another reason some people don’t use public-key servers), but I’m of the belief that the NSA still doesn’t have enough computing power at their disposal to efficiently crack 4096-bit keys. I’m still not completely convinced that Quantum Computing will allow the nearly immediate factoring of large primes that it might be able to provide, which is a requirement for cracking modern public-key encryption.

The thing about e-mail monitoring is that the signal to noise ratio is already insanely high. Our mail server at CB Apparel would drop thousands of e-mails a day as Spam. Some days, we’d drop more e-mail than we’d deliver, and even then some Spam would get through. Between that and all the legitimate e-mail traffic, we’re talking about a huge amount of data that would be of no interest whatsoever to law enforcement. Which means that we’d have to have a monitoring system in place that would escalate e-mails that it felt were of interest, presumably on keywords. It’s been rumored that this sort of monitoring is on the phone system already. My Uncle would joke about starting conversations with his brother with a series of words guaranteed to get some attention, like “Bomb President Assassinate Plutonium”, and then proceed with a normal conversation that would have seemed completely inane to whoever might have been listening. E-mail would be a lot easier than voice to monitor, since it’s a text-based system instead of voice based, so an e-mail monitoring system seems more reasonable than a voice system (I still don’t fully believe the telephone monitoring system actually existed).

If everyone used encryption, then there wouldn’t be a signal, just noise. At most, the watchers would be left building communication networks, trying to extrapolate relationships based on communication frequency and message size. Not unlike what AT&T is doing as part of their datamining project. Is this sort of information useful? Of course it is. Otherwise, we wouldn’t have been doing it for the entire history of cryptography. A sudden surge in encrypted communications between two generals you’re at war with is sure to be a precursor to something.

This issue boils down to whether or not you have an expectation of privacy on any of your digital communications. Sure, they’ve started with e-mail, but they can easily escalate it further if this is approved. We need to prove that we will not stand for such an invasion. If the courts disagree with the plaintiff in this case, we need to lobby hard to show our congressmen that we value privacy in our digital communications enough that though it might be considered Constitutional, this sort of monitoring should still be illegal. If our congressmen show that they don’t value the privacy of the American People, we need to replace them with men and women who will. Either way, I hope people will look more seriously at the use of encryption technologies. It’s been looking more and more like we can’t trust the people we’ve chosen to lead this nation to respect its citizenry, and their right to communicate and live in privacy.

Finally, I encourage all of you to join the EFF today, and support those lawyers who fight for freedom and privacy in the digital age.