Safeguarding Data From Big Brother Sven?
An anonymous reader writes "Now that the Swedish government (in its infinite wisdom) has passed a law allowing them to monitor email traffic, a question that I think a lot of people are asking (or at least should be asking) is: 'What can I do to improve my privacy?' The answer is not obvious.
So, what are the best solutions for seamless email encryption, search privacy, etc? What are your experiences with PGP vs GPG vs ...? In this day and age, why is the use of these types of privacy technologies still so limited? Why isn't there a larger movement promoting the use of privacy tools? Also, what is in your opinion the largest privacy concern? Search tracking? Email transfer?
I believe this is an interesting question not only for Swedes, but for everyone. Lots of traffic is passing through Sweden, but more importantly, the Swedish government is not alone in using this type of surveillance."
Reader j1976 writes with a related question: "For most users with email addresses within large organizations, implementing their own email encryption scheme is not feasible, partly because of the technological aspects, but also since users in organizations often do not have administrative access to their workstations. What can an organization do, centrally, to lift the burden of encryption from the users? Are there any transparent schemes for email encryption which could be installed for the organization as a whole?"
What about PirateBay/Relakks? (Score:1, Insightful)
On NPR... (Score:5, Insightful)
Re:Someone please remind me... (Score:4, Insightful)
Nobody cares. (Score:0, Insightful)
Then again most people only send chain letters, lame jokes and soccer practice announcements, so it's not like they needed a lot of privacy to begin with.
People with a clue know what they need to do and do it. Everyone else can carry on as usual.
Too complex (Score:5, Insightful)
If MS would simplify it and make all of this just happen, I bet that there would be a big gaping hole for the gov't to make use of. Not to mention the security holes that would go along with it as well.
Well as Phil Z. has said.. (Score:4, Insightful)
The second reason, and it's to a lesser extent but still a strong motivator IMO for the lack of secure options for communication, is that corporations and governments don't WANT secure applications being adopted. How else can the government spy on you or corporations steal secrets from each other if things are encrypted? This isn't paranoid fantasy land I live in. I don't think any intelligent person today doesn't know, especially over the last 8 years, that the governments are doing everything they can to spy on you, record you, monitor you and track you. Whether it's the TSA, DHS, warrant-less wiretapping, whatever, we are living in a 1984-esque society. Seamless and mass adoption of strong encryption and anonymity by the masses would *seriously* curtail their ability to spy on you and find dissidents and evil doers who read Catcher in the Rye. So IMO these are the two strongest compelling reasons we don't have encryption for the masses yet. Phil's ZFone project is a good step in the right direction though.
PGP/GPG (Score:3, Insightful)
More people need to use these. Operating without a centralized Certificate Authority, GPG really depends on there being sufficient users to establish a web of trust.
I think people (in the US at least) either don't understand the simplicity of sniffing cleartext, or don't think they care. The aggravating part is that GPG can be really easy to use. Apps like Seahorse [gnome.org] make key and keyring management trivial. There's a great Thunderbird plugin [mozdev.org] that makes signing and/or encrypting your mail no harder than it was before. (Yes, I know not everyone uses Linux and Thunderbird, but I trust GPG tools exist for other OSs/email clients)
Given a safe and ubiquitous encryption scheme, I can't think of any reasons for sending text/data in the clear. Now all we need is a ubiquitous encryption scheme.
My largest privacy concern? (Score:3, Insightful)
Re:Terrorists use encryption! (Score:4, Insightful)
As with any invasive authoritarian law, the government can always present anecdotal examples of it 'working', and so 'justify' the law, despite the fact that it's fundamentally a bad law, and probably not necessary.
Re:Why can't it be simple. (Score:2, Insightful)
encryption is irrelevant (Score:5, Insightful)
I really hope I'm wrong. but the trend is there if you just look.
we already have people saying 'if you are not a terrorist, you should have nothing to hide'. this is just a half step away from saying 'if you DO use encryption, you MUST be hiding something that we should see'.
mark my words.
you may think that you are out-smarting the governments but they have the money, the guns and all the power. and they're NOT about to give this bit of power (over the people) up.
if you encrypt a laptop and pass thru customs, you are FORCED to reveal your password or at the least, 'open' the disk for them to view the contents of. so tell me, how did encryption help here?
don't give me that crap about truecrypt, either. how long will it take before their border people know how to detect this?
Re:Why can't it be simple. (Score:3, Insightful)
I'm still waiting on the Patriot Act... it breaks, what, the 1st, 4th, 5th, 6th, and 8th amendments to the Constitution, and it's law.
Re:The fact is the Facebook generation doesn't car (Score:3, Insightful)
Patients have clearly demonstrated by their actions that they don't care at all about their privacy. After all they keep getting sick all the time, and visiting hospitals containing busy emergency rooms full of all kinds of undesirables - and that's just the staff!....
I think the key word, as always, is CHOICE. Do you really propose that society accept your views on privacy with an argument based on what some teenagers are willing to do on "myspace"?
Webmail (Score:4, Insightful)
Aside from the usual reason of apathy, we have a (relatively) new, technical problem with securing email: a lot of people are using webmail.
That development was a technological step backwards: moving from specialized client software (mail reader) that understands what it is working on, to a generic tool (web browser). It's hard for a web browser to be able to understand that this piece of a web page is a PGP block, and this part is just UI, and that's assuming that it even has the whole message to work with (i.e. the web server actually sends all the PGP/MIME attachments, instead of presenting a nice webby interface that presents the message parts separately).
I have heard of a Firefox extension (damn, I can't remember the name) that can encrypt and decrypt pieces of web pages or textareas, but that sort of thing is always going to be hacky and cumbersome compared to a real mailreader, so I think that puts us at a disadvantage, compared to the situation ten years ago.
Discourage webmail. Webmail is creating a network effect that is a barrier to securing email.
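The detection problem this comment describes, as an added example that is not part of the original post: finding an ASCII-armored PGP block inside webmail markup and checking its armor CRC-24 (RFC 4880) to see whether the page delivered it intact. The function names, the `renderAsWebmail` markup and the sample payload are hypothetical and constructed for illustration.

```javascript
// CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1).
function crc24(bytes) {
  let crc = 0xB704CE;
  for (const b of bytes) {
    crc ^= b << 16;
    for (let i = 0; i < 8; i++) {
      crc <<= 1;
      if (crc & 0x1000000) crc ^= 0x1864CFB;
    }
  }
  return crc & 0xFFFFFF;
}

// Build an armored block around arbitrary bytes (stands in for a mail client's output).
function armor(bytes) {
  const body = Buffer.from(bytes).toString('base64').replace(/(.{64})/g, '$1\n').trimEnd();
  const c = crc24(bytes);
  const sum = Buffer.from([c >> 16, (c >> 8) & 255, c & 255]).toString('base64');
  return `-----BEGIN PGP MESSAGE-----\n\n${body}\n=${sum}\n-----END PGP MESSAGE-----`;
}

// Hypothetical webmail rendering: toolbar markup, escaped text, newlines turned into <br>.
function renderAsWebmail(text) {
  const esc = text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
  return '<div class="toolbar">Reply | Forward</div><div class="msg">Hi,<br>' +
    esc.replace(/\n/g, '<br>') + '</div>';
}

// Undo the rendering well enough to see the armor's line structure again.
function htmlToText(html) {
  return html.replace(/<br\s*\/?>|<\/(div|p)>/gi, '\n').replace(/<[^>]+>/g, '')
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Locate armored blocks in page markup; data follows the blank line after armor headers.
function findArmoredBlocks(html) {
  const re = /-----BEGIN PGP (MESSAGE|SIGNATURE)-----\n([\s\S]*?)\n-----END PGP \1-----/g;
  return [...htmlToText(html).matchAll(re)].map((m) => {
    const lines = m[2].split('\n').map((l) => l.trim());
    const sumLine = lines.find((l) => /^=[A-Za-z0-9+\/]{4}$/.test(l));
    const data = lines.slice(lines.indexOf('') + 1).filter((l) => l && l !== sumLine);
    const decoded = Buffer.from(data.join(''), 'base64');
    const want = sumLine ? Buffer.from(sumLine.slice(1), 'base64').readUIntBE(0, 3) : -1;
    return { type: m[1], length: decoded.length, crcOk: crc24(decoded) === want };
  });
}
// Constructed sample payload, not a real OpenPGP packet stream.
const SAMPLE = Buffer.from('constructed sample payload, not a real OpenPGP packet stream');
console.log(findArmoredBlocks(renderAsWebmail(armor(SAMPLE))));
```

A passing CRC only shows that the armor survived the page rendering; it says nothing about who encrypted or signed the content.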
Re:On NPR... (Score:3, Insightful)
Irrational Conservatives think that everyone not like them is going to go to hell and think GOP stands for God's Own Party.
I think that about 80% of people on either side are irrational, and frankly I would rather talk to/be represented by someone I disagree with who at least can map out the thought process that led to their conclusions rather than some knee-jerk liberal/conservative who thinks that being pro-environment means you also have to want to tax the rich and ban guns, or vice versa.
Anyway, we're getting dangerously OT now, so I'll shut up.
Re:Sweden's just being honest about it (Score:3, Insightful)
Also, you use cert and private key as if they mean the same thing. The CAs don't have "trusted certs", they have private keys with well known public keys that they use to sign your public key and identity.
From a Terrorist perspective. (Score:4, Insightful)
Look at how "low-tech" the 9/11 attack was. Fake IDs and boxcutters.
Does anyone really believe that Terrorists are still using email and cellphones (other than bomb triggers)?
My guess is they have gone back to face-to-face MeatMeetings and good old SnailMail (with re-posting networks) in conjunction with simple codewords.
That being said, I seriously doubt all this Security "Theater" is aimed at Terrorists, if, indeed, it is more than theater. My guess is that it is all to head off the "revolution" by average citizens when they snap out of complacency.
Re:Someone please remind me... (Score:5, Insightful)
Re:Sweden's just being honest about it (Score:4, Insightful)
Maybe they can. Or they could just start their own Certificate Authority and get themselves onto the list of trusted authorities that comes installed with browsers or mail software.
But either way they might be reluctant to do the MITM like that because the bogus certificate with the genuine signature could be recorded by the targets and released to the public, causing great embarrassment to the certificate authority and much degradation to the trust of the certificate system.
Re:Why can't it be simple. (Score:3, Insightful)
Overall GPG and friends don't really solve the problem. You simply can't fix a broken government with software, you have to fix the government itself.