
Safeguarding Data From Big Brother Sven?

An anonymous reader writes "Now that the Swedish government (in its infinite wisdom) has passed a law allowing them to monitor email traffic, a question that I think a lot of people are asking (or at least should be asking) is: 'What can I do to improve my privacy?' The answer is not obvious. So, what are the best solutions for seamless email encryption, search privacy, etc? What are your experiences with PGP vs GPG vs ...? In this day and age, why is the use of this type of privacy technologies still so limited? Why isn't there a larger movement promoting the use of privacy tools? Also, what is in your opinion the largest privacy concern? Search tracking? Email transfer? I believe this is an interesting question not only for Swedes, but for everyone. Lots of traffic is passing through Sweden, but more importantly, the Swedish government is not alone in using this type of surveillance."
Reader j1976 writes with a related question: "For most users with email addresses within large organizations, implementing their own email encryption scheme is not feasible, partly because of the technological aspects, but also since users in organizations often do not have administrative access to their workstations. What can an organization do, centrally, to lift the burden of encryption from the users? Are there any transparent schemes for email encryption which could be installed for the organization as a whole?"
  • by Anonymous Coward on Thursday June 19, 2008 @02:58PM (#23862203)
    I wonder how this affects people using Relakks. If the US intelligence agencies will get access to the data, it won't be long until the MPAA/RIAA get access to it also.
  • On NPR... (Score:5, Insightful)

    by Illbay ( 700081 ) on Thursday June 19, 2008 @03:00PM (#23862253) Journal
    ...(Of all places) there was a pretty good segment this morning regarding email encryption, even including a short interview with Phil Zimmermann. What was VERY interesting about it, to me, was the attitudes of the "man / woman in the internet café" interviews they did, and how most people just "didn't care" about privacy issues regarding email. One fellow naively stated "I try to live my life in such a way that no one would have an issue with what I do." In my opinion, though, what YOU or I might consider innocuous might garner unwanted attention from government. As we are headed seemingly toward a more "European" philosophy here in the USA where the government assumes the duties of "personal watchdog" over your "lifestyle," what you eat, what you drink or smoke, what you teach your kids, etc., this would seem to be a foolhardy attitude.
  • by Anonymous Coward on Thursday June 19, 2008 @03:01PM (#23862259)
    Because no matter what country you live in some of your Internet traffic is likely to pass through Sweden. They snoop and tell your government about your stash of __________ (insert your own illegal/grey market goods etc. here). Voilà - your government has "proof" you are engaged in illegal activity and busts down your door. Moreover, you apparently haven't been watching the news regarding the change in behavior people exhibit when they know/think they are being watched.
  • Nobody cares. (Score:0, Insightful)

    by twatter ( 867120 ) on Thursday June 19, 2008 @03:03PM (#23862307)
    Personal encryption is not widespread because most people don't know anything about security or privacy. They figure the "stuff" going through the "tubes" is safe and only the intended recipients can see it.

    Then again most people only send chain letters, lame jokes and soccer practice announcements, so it's not like they needed a lot of privacy to begin with.

    People with a clue know what they need to do and do it. Everyone else can carry on as usual.
  • Too complex (Score:5, Insightful)

    by croftj ( 2359 ) on Thursday June 19, 2008 @03:13PM (#23862469) Homepage
    It's too complex for most. If it were as simple as me putting code on my machine and sending encrypted emails to my family and friends I would do it. Sadly, I have to step them ALL through putting GPG or PGP onto their machines, creating a pair of keys then sending me and all of their friends their public key. Want to place bets how many of them would send their private key themselves?

    If MS would simplify it and make all of this just happen, I bet that there would be a big gaping hole for the gov't to make use of. Not to mention the security holes that would go along with it as well.
  • by X86BSD ( 689041 ) on Thursday June 19, 2008 @03:17PM (#23862523)
    The reason PGP, and GPG as well, fail is because PKI is just too difficult to set up and maintain. I'm sure some nerd who lives in his mom's basement is going to contest this but the fact remains it's too difficult to do in most corporations let alone end users. Making a key, remembering the password, managing keys, revoking keys, it's all just a total pain in the ass. If you truly want secure email for the masses it has to be transparent. This is just a given. People are not going to do PKI. This is the main reason we don't have mass adoption of PGP encrypted email.

    The second reason and it's to a lesser extent but still a strong motivator IMO for the lack of secure options for communication are that corporations and governments don't WANT secure applications being adopted. How else can the government spy on you or corporations steal secrets from each other if things are encrypted. This isn't paranoid fantasy land I live in. I don't think any intelligent person today doesn't know especially over the last 8 years that the governments are doing everything they can to spy on you, record you, monitor you and track you. Whether it's the TSA, DHS, warrant-less wiretapping whatever we are living in a 1984-esque society. Seamless and mass adoption of strong encryption and anonymity by the masses would *seriously* curtail their ability to spy on you and find dissidents and evil doers who read catcher in the rye. So IMO these are the two strongest compelling reasons we don't have encryption for the masses yet. Phil's ZFone project is a good step in the right direction though.
  • PGP/GPG (Score:3, Insightful)

    by wilsoniya ( 902930 ) on Thursday June 19, 2008 @03:17PM (#23862535)

    More people need to use these. Operating without a centralized Certificate Authority, GPG really depends on there being sufficient users to establish a web of trust.

    I think people (in the US at least) either don't understand the simplicity of sniffing cleartext, or don't think they care. The aggravating part is that GPG can be really easy to use. Apps like Seahorse [gnome.org] make key and keyring management trivial. There's a great Thunderbird plugin [mozdev.org] that makes signing and/or encrypting your mail no harder than it was before. (Yes, I know not everyone uses Linux and Thunderbird, but I trust GPG tools exist for other OSs/email clients)

    Given a safe and ubiquitous encryption scheme, I can't think of any reasons for sending text/data in the clear. Now all we need is a ubiquitous encryption scheme.

  • by multisync ( 218450 ) * on Thursday June 19, 2008 @03:19PM (#23862569) Journal
    The fact that the majority of people will happily give up all manner of private information in exchange for a few pennies off the price of a carton of milk. If the threat of identity theft doesn't make people more conscious of their privacy, I doubt the threat of their government reading their email will.
  • by JSBiff ( 87824 ) on Thursday June 19, 2008 @03:20PM (#23862595) Journal
    You make a fundamental assumption that there are no stupid criminals or stupid terrorists. Yes, *some* terrorists and criminals are smart enough to encrypt their emails. But I'm sure there really are people out there stupid enough to talk about their criminal plans/exploits in plaintext email, or plaintext IMs, because they are just stupid. The Swedish government will, no doubt, catch some of those stupid criminals through such spying on email, then point to those cases whenever they talk to the media/public about why this is a 'good thing'.

    As with any invasive authoritarian law, the government can always present anecdotal examples of it 'working', and so 'justify' the law, despite the fact that it's fundamentally a bad law, and probably not necessary.
  • by Anonymous Coward on Thursday June 19, 2008 @03:34PM (#23862855)
    Here's a simple solution : OVERTURN THE STINKIN LAW. Law isn't written in stone. That's the whole point of having a legislature. Get a referendum together and have the thing repealed. It won't stop the eavesdropping - nothing will - but it will make it illegal to use said information.
  • by TheGratefulNet ( 143330 ) on Thursday June 19, 2008 @03:36PM (#23862897)
    I'll go out on a limb and predict that in 5 yrs or less time, encryption will be a 'self admission of guilt' to ALL governments.

    I really hope I'm wrong. but the trend is there if you just look.

    we already have people saying 'if you are not a terrorist, you should have nothing to hide'. this is just a half step away from saying 'if you DO use encryption, you MUST be hiding something that we should see'.

    mark my words.

    you may think that you are out-smarting the governments but they have the money, the guns and all the power. and they're NOT about to give this bit of power (over the people) up.

    if you encrypt a laptop and pass thru customs, you are FORCED to reveal your password or at the least, 'open' the disk for them to view the contents of. so tell me, how did encryption help here?

    don't give me that crap about truecrypt, either. how long will it take before their border people know how to detect this? ....so depressing ;(
  • by k1e0x ( 1040314 ) on Thursday June 19, 2008 @03:37PM (#23862913) Homepage
    And how many tyrannical laws are overturned?

    I'm still waiting on the Patriot act.. it breaks what the 1st, 4th, 5th, 6th, and 8th amendments to the constitution and its law.
  • by Dunbal ( 464142 ) on Thursday June 19, 2008 @03:55PM (#23863285)
    > Users of MySpace/Facebook etc. have clearly demonstrated by their actions that they don't care at all about their privacy.

    Patients have clearly demonstrated by their actions that they don't care at all about their privacy. After all they keep getting sick all the time, and visiting hospitals containing busy emergency rooms full of all kinds of undesirables - and that's just the staff!....

    I think the key word, as always, is CHOICE. Do you really propose that society accept your views on privacy with an argument based on what some teenagers are willing to do on "myspace"?
  • Webmail (Score:4, Insightful)

    by Sloppy ( 14984 ) on Thursday June 19, 2008 @03:58PM (#23863325) Homepage Journal

    > In this day and age, why is the use of this type of privacy technologies still so limited?

    Aside from the usual reason of apathy, we have a (relatively) new, technical problem with securing email: a lot of people are using webmail.

    That development was a technological step backwards: moving from specialized client software (mail reader) that understands what it is working on, to a generic tool (web browser). It's hard for a web browser to be able to understand that this piece of a web page is a PGP block, and this part is just UI, and that's assuming that it even has the whole message to work with (i.e. the web server actually sends all the PGP/MIME attachments, instead of presenting a nice webby interface that presents the message parts separately).

    I have heard of a Firefox extension (damn, I can't remember the name) that can encrypt and decrypt pieces of web pages or textareas, but that sort of thing is always going to be hacky and cumbersome compared to a real mailreader, so I think that puts us at a disadvantage, compared to the situation ten years ago.

    Discourage webmail. Webmail is creating a network effect that is a barrier to securing email.

  • Re:On NPR... (Score:3, Insightful)

    by bsDaemon ( 87307 ) on Thursday June 19, 2008 @04:46PM (#23864195)
    No, everything wrong with the world is caused by irrational people. There tend to be a lot of irrational people on both sides. Irrational lefties are more concerned with how you "feel," for instance. They are more concerned with intentions than outcome.

    Irrational Conservatives think that everyone not like them is going to go to hell and think GOP stands for God's Own Party.

    I think that about 80% of people on either side are irrational, and frankly I would rather talk to/be represented by someone I disagree with who at least can map out the thought process that led to their conclusions rather than some knee-jerk liberal/conservative who thinks that being pro-environment means you also have to want to tax the rich and ban guns, or vice versa.

    Anyway, we're getting dangerously OT now, so I'll shut up.
  • by Braino420 ( 896819 ) on Thursday June 19, 2008 @04:50PM (#23864289)

    > I bet the DoD cert is delivered on a secure medium, in a locked briefcase, chained to the wrist of a scary looking fellow wearing black shades.
    You're confused because you think that it is still secrecy that protects the cert. The reason you can trust the CA's root certificate is because the CA's public key is PUBLIC. Anyone can read the cert using the CA's public key, which will decrypt the cert and then you're left with the DoD's public key and their identity (which was supposed to be verified by the CA). You know this hasn't been tampered with en-route because the MITM doesn't have the CA's private key, to re-encrypt the cert after they make any changes (maybe binding another public key with /their/ identity instead). If they did this, you would know immediately because you wouldn't be able to decrypt the cert with the CA's public key.

    Also, you use cert and private key as if they mean the same thing. The CA's don't have "trusted certs", they have private keys with well known public keys that they use to sign your public key and identity.
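The tamper check discussed in the comment above, as an added example that is not part of the original thread: a CA signs a hash of the subject's identity and public key with its private key, and anyone holding the CA's public key can detect a substituted key. It uses textbook RSA with tiny constructed keys and hypothetical names, so it shows the mechanism only and is not usable as real cryptography.

```python
import hashlib
import json

# Constructed toy keys: textbook RSA over known Mersenne primes. Far too small
# and unpadded for real use; they only show the mechanism.
E = 65537  # public exponent shared by both toy keys


def make_key(p, q):
    """Return (public modulus n, private exponent d) for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


CA_N, CA_D = make_key(2**31 - 1, 2**61 - 1)        # hypothetical CA
ROGUE_N, ROGUE_D = make_key(2**17 - 1, 2**19 - 1)  # key the verifier never trusted


def digest(body, n):
    """Hash the canonical form of the certificate body into the range [0, n)."""
    blob = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n


def sign(body, n, d):
    """Signer side: bind identity and public key using the private exponent."""
    return {"body": body, "sig": pow(digest(body, n), d, n)}


def verify(cert, n=CA_N):
    """Relying party: needs only the signer's public key (n, E)."""
    return pow(cert["sig"], E, n) == digest(cert["body"], n)


def swap_key(cert, other_key):
    """Tamper in transit: keep the identity and signature, replace the key."""
    return {"body": dict(cert["body"], public_key=other_key), "sig": cert["sig"]}


def demo():
    body = {"subject": "dod.example", "public_key": "constructed-site-key"}
    genuine = sign(body, CA_N, CA_D)
    swapped = swap_key(genuine, "constructed-attacker-key")
    resigned = sign(swapped["body"], ROGUE_N, ROGUE_D)  # signed without the CA key
    return verify(genuine), verify(swapped), verify(resigned)


if __name__ == "__main__":
    print(demo())
```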
  • by Anachragnome ( 1008495 ) on Thursday June 19, 2008 @05:13PM (#23864713)
    The "cat is out of the bag" as far as government electronic snooping is concerned.

    Look at how "low-tech" the 9/11 attack was. Fake IDs and boxcutters.

    Does anyone really believe that Terrorists are still using email and cellphones (other than bomb triggers)?

    My guess is they have gone back to face-to-face MeatMeetings and good old SnailMail(with re-posting networks) in conjunction with simple codewords.

    That being said, I seriously doubt all this Security "Theater" is aimed at Terrorists, if, indeed, it is more than theater. My guess is that it is all to head off the "revolution" by average citizens when they snap out of complacency.
  • by Mr2001 ( 90979 ) on Thursday June 19, 2008 @05:49PM (#23865291) Homepage Journal

    > I believe you may already know but, because if you pay for it: then pimps step in and abuse girls to do it.
    That's a result of prostitution being illegal, not a cause. When an industry is legal, workers can freely move from one employer to another, and disputes can be resolved with words in open court instead of a gold-tipped cane in a dark alley.
  • by mrcaseyj ( 902945 ) on Thursday June 19, 2008 @06:00PM (#23865467)
    >The NSA can probably get VeriSign to sign anything they want.

    Maybe they can. Or they could just start their own Certificate Authority and get themselves onto the list of trusted authorities that comes installed with browsers or mail software.

    But either way they might be reluctant to do the MITM like that because the bogus certificate with the genuine signature could be recorded by the targets and released to the public, causing great embarrassment to the certificate authority and much degradation to the trust of the certificate system.
  • by grumbel ( 592662 ) <grumbel+slashdot@gmail.com> on Thursday June 19, 2008 @08:23PM (#23867187) Homepage

    > but I believe this is too much of a hassle for people who can't even figure out Yahoo Mail or tell the difference between Internet Explorer and Firefox.
    It's not only too much hassle, it also doesn't really provide half as much security as one would expect. The header gets sent completely unencrypted, so To, From, CC and stuff are easy to read, Subject sometimes too. And for a government it can often be enough to know your peers, the exact content isn't that important and if it is it can be retrieved by more drastic measures (keylogger, etc.). There is of course another issue in that when you sign your emails you lose deniability, so one should better not do that when one wants things to stay secret.

    Overall GPG and friends don't really solve the problem. You simply can't fix a broken government with software, you have to fix the government itself.
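The header exposure described in the comment above, as an added example that is not part of the original thread: a constructed PGP/MIME (RFC 3156) message is parsed the way anyone on the path could parse it, without any key. The addresses, subject and armored placeholder are made up for illustration.

```python
from email import message_from_string, policy
from email.utils import getaddresses

# Constructed sample: an RFC 3156 PGP/MIME message as it crosses the wire.
# Addresses are made up and the armored block is a placeholder, not ciphertext.
RAW = """\
From: Alice <alice@example.org>
To: bob@example.net
Cc: carol@example.com
Subject: friday plans
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(placeholder)
-----END PGP MESSAGE-----

--b1--
"""


def wire_view(raw):
    """Report what is readable in transit without any private key."""
    msg = message_from_string(raw, policy=policy.default)
    fields = [str(v) for h in ("From", "To", "Cc") for v in msg.get_all(h, [])]
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    return {
        # Who talks to whom: visible even though the body is encrypted.
        "peers": sorted(addr for _, addr in getaddresses(fields)),
        "subject": str(msg["Subject"]),
        # Only the body part is protected by PGP.
        "body_is_pgp": (
            msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"
            and any("BEGIN PGP MESSAGE" in p.get_payload() for p in leaves)
        ),
    }


if __name__ == "__main__":
    print(wire_view(RAW))
```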
