im | Marcus Povey

One of the hardest things I’ve found during my ongoing process of PRISM breaking my life, was securing my communication with others, especially via email.

Interestingly, this has very little to do with technical reasons; Email encryption is a faff, true, but there has been a lot of work to smooth over the rough edges (and it’s certainly not a big ask for technical people like myself). There are OpenPGP plugins for most clients these days, and technologies like S/MIME are universally supported and almost completely transparent in every day use.

The main problem is that nobody else seems bothered, even technical people, so my tactic here is really just to keep going on about this like a broken record…

Even if you think you have got “Nothing to hide…” (the canonical example of a bullshit argument if ever there was one), you should be encrypting your communication.

Consider that ECHELON, the forerunner of PRISM, has been used for industrial espionage in order to give American companies a competitive advantage, if your business has an American competitor (or Chinese or Russian or French for that matter), do you really want them knowing about the deals you’re working on?

Or to put it all more succinctly; when you send a letter, why do you put it in an envelope?

Of course, if the person you’re emailing is using Gmail or Hotmail you’re doubly screwed, so perhaps it’d be better to give up on email altogether… and to some extent I have, and now do much of my communication via IM, certainly if it’s anything confidential.

Skype, we know now is monitored, so that’s out, as to is Google Talk, however both can be secured by using a technology like OTR, which is much less of a UX nightmare providing you use a talk client rather than Google web interface. I’ve at least had some success in getting people to secure their chats, but there’s still a long way to go.

As an aside, it is relatively trivial to run Jabber on your own server and communicate with other users on other servers (like google talk) entirely transparently. This doesn’t do much to secure your communication unless both sides of the communication have done this, but running your own stuff is all for the good, and hey, it means you’re not a whoever@gmail!

Onwards…

I asked this question over on Hacker News, as well as Quora, but I thought I’d also ask it here…

The UK plans to intercept all electronic communication. They currently don’t plan to snoop on content, but as noted elsewhere connection data is just as invasive.

To me this is both a civil liberties and business risk problem. I view my list of business contacts as confidential information and I don’t trust the government not to leave this information on a train somewhere.

Legal solutions are one thing, but the snoops keep raising their heads, so my feeling is that we need to actually find a way to make this sort of thing technically impossible.

Content encryption is already largely solved, although for email we still need a critical mass of people using PGP or similar.

VPNs just seems to push the problem to another jurisdiction, and if this is an agenda all governments will one day pursue, this will become decreasingly useful.

What can an individual do to protect content and connection data? Onion routing for mail servers? Do technical solutions rely on everyone doing it and so are unlikely to get much traction?

So what are your thoughts? What can we build?

Marcus Povey

Time, Space, and Plexiglas

Tag Archives: im

PRISM Break Part 2 – Email and Messaging

What technical countermeasures are there for the UK’s email snooping agenda?