Forgot your password?
typodupeerror
Privacy Your Rights Online

Ask Slashdot: What Country Has the Best Email Privacy Laws? 236

Posted by samzenpus
from the spanning-the-globe dept.
An anonymous reader writes "Given all that is going on with the ability of the government to go through my email if it is on a third-party server, I was wondering: what countries have the best privacy laws and what are some good hosts to use? I would rather pay a token fee to have secure private email than have members of the government able to read it as soon as it's 180 days old if I keep it at my email provider."
This discussion has been archived. No new comments can be posted.

Ask Slashdot: What Country Has the Best Email Privacy Laws?

Comments Filter:
  • My-own-email-server-istan.
  • by Junior J. Junior III (192702) on Sunday April 10, 2011 @02:16PM (#35775024) Homepage

    Email is inherently insecure, since it is transmitted in clear text and stored in multiple hops between destination and recipient, where its contents may be intercepted, altered, copied, stored, etc.. If you're relying on the law to keep your email private, you've already lost. Use digital signatures for authenticity and integrity, and strong encryption for confidentiality. At that point, you really don't need the law's help to keep your emails private.

    • by Junior J. Junior III (192702) on Sunday April 10, 2011 @02:18PM (#35775038) Homepage

      I mean, do you even know what countries your emails might route through between sending and arriving at their destination? If you're going to go to a server in a different country to gain the benefit of their better privacy laws, you're likely going to need to transfer data over networks that geographically reside in other countries too. And your end points probably are still somewhere within your own country. What are the laws like there?

      • Whilst the Internet can route around damage or disruption and your packets aren't guaranteed to take the same path every time, in practice they will take a more efficient or shorter route over a longer one.

        If I'm in Australia and I'm checking my gmail which is hosted somewhere in the USA, there is an undersea fibre cable between Australia and the US. My packets aren't going to suddenly start going via Finland and Japan just because they feel like it. I can be quite well assured that my data will travel from

        • Actually your packets will take a even shorter route - straight to Sydney.

          traceroute to gmail.com (66.102.11.83), 30 hops max, 60 byte packets
          1 192.168.0.1 (192.168.0.1) 0.628 ms 0.829 ms 1.026 ms
          2 * * *
          3 202.7.173.17 (202.7.173.17) 104.611 ms 104.799 ms 104.795 ms
          4 syd-sot-ken-crt1-ge-5-1-0.tpgi.com.au (202.7.162.173) 104.993 ms 105.193 ms 105.389 ms
          5 202.7.171.18 (202.7.171.18) 105.386 ms 105.583 ms 105.783 ms
          6 66.249.95.224 (66.249.95.224)

        • by lazybeam (162300)

          Don't most of those cables go through NZ and/or Guam? Also, if both Reach and SXC are damaged, or ISP becomes misconfigured then our packets could go through Japan (Finland is highly improbable though). Then there is the Chinese who have "accidentally on purpose (allegedly)" hijacked large parts of the Internet causing traffic to go through them.

          Internet routing is quite interesting. Recently my office got a new IP address, in the 14/8 range, a range only allocated to APNIC a few months prior. Most sites wo

          • by Cimexus (1355033)

            Yeah I agree that you certainly don't have any guarantees that your traffic will go direct to the US. As you say if something gets damaged it may well end up going via another country, and you have no guarantees or control what route it will take at any given moment. Looking at the major cables to the US:

            SXC / Southern Cross Cable: This has a loop topology. The southern half of the loop does go through NZ, however, the northern half goes direct from Sydney to the US (Hawaii, then onwards to California). Whi

      • Back when clients started sending emails to lawyers, it was questioned whether lawyers had a responsibility to warn clients on their web sites that email was insecure. The courts decided that lawyers needn't publish public keys and tell clients to use them because it was considered almost always secure enough for almost all clients. Obviously some clients and lawyers need all the security they can get, but they apparently don't consider that the case in general. The situation was likened to telephones, snai

    • you do still need laws to litigate if an angry ex, an employer ... find a way (keyloggers...) to get your keys.

    • by klapaucjusz (1167407) on Sunday April 10, 2011 @02:55PM (#35775310) Homepage

      Email is inherently insecure, since it is transmitted in clear text

      Most mail nowadays is transmitted over SSL [wikipedia.org]. Yes, that's still vulnerable to MITM-ing, but it's no longer a simple matter of passive snooping.

      If you're relying on the law to keep your email private, you've already lost.

      Please. Strong privacy laws won't prevent ISPs from occasionally snooping on their users, granted. With no privacy laws, howver, expect your ISP to routinely spy on you, and sell the data to advertising companies.

      -- jch

      • by hedwards (940851)

        Unless I'm missing something, which I don't think I am, that only applies between you and your mail server, between mail servers there is no such guarantee.

        • by klapaucjusz (1167407) on Sunday April 10, 2011 @03:19PM (#35775470) Homepage
          STARTTLS is used between mail servers if:
          • both the sender and the receiver support the STARTTLS extension; and
          • the receiver has been configured with a certificate (even a self-signed one).

          All modern mail servers support STARTTLS, and most ISPs have configured a certificate in their MX. To see if yours has, do the following:

          $ host -t mx google.com
          google.com mail is handled by 50 alt4.aspmx.l.google.com.
          google.com mail is handled by 30 alt2.aspmx.l.google.com.
          google.com mail is handled by 40 alt3.aspmx.l.google.com.
          google.com mail is handled by 10 aspmx.l.google.com.
          google.com mail is handled by 20 alt1.aspmx.l.google.com.
          $ telnet aspmx.l.google.com smtp
          Trying...
          Connected to aspmx.l.google.com.
          Escape character is '^]'.
          220 mx.google.com ESMTP
          EHLO localhost
          250-mx.google.com at your service
          250-SIZE 35882577
          250-8BITMIME
          250-STARTTLS
          250 ENHANCEDSTATUSCODES
          QUIT /blockquote

          • Re: (Score:2, Interesting)

            by Anonymous Coward

            Since requiring TLS on my laptop to server connection I have found it is very common for hotel and airport ISP's to hijack the connection and route mail through their own servers. How did I find out? They don't support TLS so the connection fails. Then if you use runtbird to start thunderbird you can find the evidence. In future I will be using runtbird anyway to check if they are hijacking the connection and supporting TLS.

            Example below from a Delta lounge in ATL:

            0[192c140]: SMTP Connecting to: mail.myc

        • Most SMTP servers will use encryption for mail transfer these days, not just for mail submission and mail reading. klapaucjusz's [slashdot.org] reply to your article has more details on how.

    • There are third party services (like messagelabs offered by Symantec) that provide email scanning and archival. This puts an interesting kink into the model, because now the path includes more than just other email hosts. These services can have their own retention and privacy policies, and you, as merely one endpoint in a communication process, may have no idea that such a third party is being used.

    • by syousef (465911)

      Email is inherently insecure, since it is transmitted in clear text and stored in multiple hops between destination and recipient, where its contents may be intercepted, altered, copied, stored, etc.. If you're relying on the law to keep your email private, you've already lost. Use digital signatures for authenticity and integrity, and strong encryption for confidentiality. At that point, you really don't need the law's help to keep your emails private.

      How the fuck does this get modded insightful?

      Using PGP or whatever else is not going to help you if the law requires that you give up your keys or rot in prison for the rest of your life.

      If the opening poster was interested in technical ways to keep his email private I'm sure he would have asked. This is slashdot, so it's entirely possible he's already got the encryption and signature angle covered. This was not a techy question, and a techy answer is not appropriate!

      • But the law in the U.S. doesn't require you to give up your keys. It was ruled that was testifying against yourself. Trying to force you to give it up is a violation of the 5th Amendment.

        The only exception so far was a guy coming in to the United States, and because the computer was asleep (not off), the border search found child pornography that was normally encrypted, but the encryption engine was running. The man then turned off the computer.

        Since they ALREADY KNEW there was illegal material in the
  • Even if you host your own email server or use a server in a country with great privacy laws, every email you send or receive is stored on two servers, each with your name (email address) attached to it. Unless everyone you email has the same security policy as you, your messages are little more secure than they would be if you used any other email server.
  • Storing email? (Score:3, Insightful)

    by krelvin (771644) on Sunday April 10, 2011 @02:24PM (#35775082)

    If this is really worried about this...Why are you storing any email on a 3rd party server? As new email arrives, save it to your local computer, removing it from the inbox. No email is then left to become 180 days old. Nothing to worry about. Actually that is not true since you most likely will be worrying about something else then too, but...

    • This would appear to be operating on the optimistic assumption that hitting "delete" has any effect other than making the message invisible. If you are lucky, cheapness and/or laziness on the part of the operator will mean that they purge and/or just lose everything they can get away with as fast as possible. If, on the other hand, they are doing some sort of data mining for commercial purposes, or complying with some sort of retention request, game over, man.
    • It also assumes that you use POP3, not IMAP, or at least have fine control over your IMAP settings. Because by default, IMAP keeps copies of your emails on the server, not your local machine.

      IMAP is great for people who want to access the same email accounts from several machines and see the same thing on all of them. From a security standpoint, it has it's head so far up its ass it will never see daylight.
    • I was having trouble with my email account on my hosted server, and I called tech support. I told the guy what the problem was. He said "Why do you want to use POP3? Use IMAP. POP3 is soooo 2003..."

      I just smiled and told him to get my POP3 working again.
  • by lobiusmoop (305328) on Sunday April 10, 2011 @02:24PM (#35775092) Homepage

    Given I can't be bothered to take the most basic steps to gain a little privacy for my letters, like using envelopes, writing everything on postcards that let everybody in the postal industry in contact with my mail read it, what are the best couriers for me to send my letters with?

    Honestly, I think some articles are just deliberate trolls for the computer-security folks on Slashdot.

    • Redact everything yourself. Problem solved. Stick it to those government snoops!
  • That's easy: Sealand [sealandgov.org]!
  • by t2t10 (1909766) on Sunday April 10, 2011 @02:45PM (#35775226)

    Many European nations nominally have better privacy laws, but they have lots of exceptions for national security, police enforcement, and privacy law enforcement, as well as other loopholes.

    But you're likely also no better off storing it on your local disk; for your government or your ISP, accessing data on your disk is likely no more complicated than pushing a button.

    If you want your E-mail to be private, encrypt it, whether it's on a local disk or a server, and even then, there's a good chance others can intercept the key and read it anyway.

    • If you want your E-mail to be private, encrypt it [...], and even then, there's a good chance others can intercept the key and read it anyway.

      Would you care to expand on that? I was under the impression that both smime and key-pair encryption are pretty solid.

      • by t2t10 (1909766)

        Governments, software vendors, and/or ISPs can easily install key loggers and backdoors on your machine through the usual software update mechanisms. Once they have that, they can get your keys no matter what system you use.

    • Many European nations nominally have better privacy laws, but they have lots of exceptions for national security, police enforcement, and privacy law enforcement, as well as other loopholes.

      Which loopholes do you mean?
      A search warrant issued by a judge according to evidence presented by the prosecutor is not a loop hole in my eyes. I'm not aware about other "loop holes".
      angel'o'sphere

      • by t2t10 (1909766)

        The loopholes where governments can access and share your data if it is "in the public interest". No, they don't need a warrant for that, and they can do just about anything based on that. Here is one of the places where that exception is listed http://bundesrecht.juris.de/bdsg_1990/__4c.html [juris.de] There are other holes in the law.

        • Erm,
          you copied pasted the wrong law/paragraph.

          This is not about allowing anyone to read your emails, but about your personal data.
          As you copied a german paragraph I repeat: in germany EMails can not be read without a judge giving a warrant first.
          For emails exactly the same rules apply as for written letters on paper.

          angel'o'sphere

          • by t2t10 (1909766)

            No, I didn't "paste the wrong law". That is one of the relevant laws. Similar exceptions exist in other laws:

            http://dejure.org/gesetze/GG/10.html [dejure.org]

            http://bundesrecht.juris.de/g10_2001/BJNR125410001.html#BJNR125410001BJNG000300000 [juris.de]

            Note that exceptions can be justified under "Volksverhetzung", which is such a vague concept that a lot of politically unpopular speech might fall under these exceptions.

            If you want to claim that "in germany EMails can not be read without a judge giving a warrant first", you have to

            • As you are obviously german and can read the law, you missed the fact that you posted "Das Bundesdatenschutzgesetz" which has nothing to do with "Fernmeldegeheimnis".

              The latter one is an extension to the constitution, "Verfassung" which explicitly states that you need a warrant from a judge.

              I don't get where you have your missinformation from.

              The stuff you linked in this last post again has not much to do with "protection of telecommunication" but is referring to an intelligence agency. And the paragraph st

              • by t2t10 (1909766)

                No, I'm not German, I just follow German politics and law.

                As for the laws, both are relevant, since communications privacy requires both laws, both laws have exceptions, and both kinds of laws apply to ISPs.

                You are picking out bits and pieces of the law and draw conclusions from them, but that's not how it works. In fact, the most relevant parts are Â2 and Â3. Â2 says that executive branches can order telecom providers to give them information; there is no mention of the need for a judge's

                • Well,

                  no offense, but all your conclusions are not correct.

                  You are interpreting the laws you are citing wrong.

                  In fact, the most relevant parts are Ã2 and Ã3. Ã2 says that executive branches can order telecom providers to give them information;

                  Personal information!!! not EMAILS. Under certain situations, if you can make a strong claim, you can get e.g. connection data, web pages that got accessed etc. But not the actual data you transfered via the wire, that means: no, not a copy of the photos

  • by John Hasler (414242) on Sunday April 10, 2011 @02:55PM (#35775306) Homepage

    Because we all know that all govenments can be trusted to respect such laws when their own interests are at stake.

    If you have secrets that you must protect against goverments why are leaving them (unencrypted, evidently) on third party servers? And why are you discussing that fact on a public forum?

  • by timothyf (615594) on Sunday April 10, 2011 @02:55PM (#35775308) Homepage

    Are you sure you're always communicating with people that live in countries with privacy laws that are just as secure? Unless you're really good about keeping your contacts secure as well, all it means is that they have to issue more subpoenas.

    • Are you sure you're always communicating with people that live in countries with privacy laws that are just as secure? Unless you're really good about keeping your contacts secure as well, all it means is that they have to issue more subpoenas.

      This brings up a point - I wouldn't be at all surprised if data isn't routinely sent out of the country for analysis and decryption to countries who have no laws against such things.

  • Ask Slashdot: What Country Has the Best Email Privacy Laws?

    And here's why I say this:

    It depends on who's metrics we'll use to determine what is 'best'. So that's the question.

    • by Odinlake (1057938)

      Anything can be misinterpreted by someone who doesn't want to understand. I'd say implicit in this question is:

      "According to whatever metrics you yourself apply when using the word 'best' in this context, out of the countries you have any knowledge or instinct about whatsoever, have you noticed any one that seems to have somewhat better email privacy laws than the other."

      Now this is still not very precise, but I imagine if the best literary minds in the world got together and wrote a treaty on the subj

  • You know the People's Republicans of China are going to read your email, but would they share with any other government? Doubtful.
  • Whatever country you're living room is, where you would obviously be keeping your mail server in a rack running under truecrypt.

    If you don't want to bother than that, then, your privacy just isn't important. As soon as you put your personal information on someone else's hardware you lose control of that information.
  • Don't put anything you want to keep private on a third party server. If you must use email, find one with encryption. Microsoft Outlook has had it since at least version 2003, and there are lots of other programs available.

  • Why not just host it yourself using the open source mail server and transport of your choice?
    • Generally that requires a static IP because so many ISPs won't deliver mail from a dynamic address.

      Not everyone can get one of those.

  • I was wondering: what countries have the best privacy laws and what are some good hosts to use?

    You are a foreign national routing allegedly innocent e-mails through an unfamiliar host 1,200-12,000 miles distant. Do you really think that won't attract unwanted attention on both sides of the border?

  • by angel'o'sphere (80593) on Sunday April 10, 2011 @04:18PM (#35775758) Homepage Journal

    ... at least in germany and most european countries.

    If you want to read them you need a search warrant.

    angel'o'sphere

    • by bloodhawk (813939)
      or a router or a mail server in the chain between the sender and recipient, then you can just read it to your hearts content with no one the wiser. seriously if you are relying on governments or providers to keep your privacy then you have already lost. Sign it if you want to be sure it wasn't altered, encrypt it if you want to be sure it wasn't read. otherwise all bets are off.
    • by DCFusor (1763438)
      Nah, no warrant need to read them -- done all the time. Warrant only needed to convict you for something in them. But -- no need for a warrant then either. Just use the email to figure out who to watch, and then they bust you for whatever they see you do. Just like the way you are entitled to confront your accuser. Some guy calls the cops on you, they show up, and they see, you name it, and bust you for it. The cop is now "the accuser" and you never find out who called them. Just ask the cops sometim
      • Sorry, that is not how it works in germany or any EU country I know about, like france, italy or UK or netherlands.

        angel'o'sphere

  • by mordur (1321893) on Sunday April 10, 2011 @04:43PM (#35775864)
    I don't know which country has the best protection for users of online services now, but Iceland most certainly will be a contender when the IMMI legislation has been passed as per the Parliamentary Resolution passed on June 16. last year. Check it out: http://immi.is/ [immi.is]
  • Best laws are one thing, but I'm more interested in best enforcement.

  • Its easy. Enigmail and Co have been there for ages.

  • China has arguably the best privacy laws. In China the state really will go the extra mile to protect the privacy of all government agencies that have access to your emails.
  • I wonder, how the adoption of IPv6 will cause a paradigm shift here. It would allow every user to host his very own mail server right at home (though technically already doable even with v4), incl. SSL etc.. Subpoenas for your mail would need to be real search warrants, the entire (mail) hosting industry would mostly become irrelevant and people could send mail the good old-fashioned way *directly* to each other ('s IP). Snoops would have an awful time with this, when they have their established live-feeds

  • "Email Privacy" does not exist.

  • if you don't want it to be associable to you via bank slips.

    ask it from a trusted associate who doesn't run backup servers and who has enough noise in his transfers.
    if you're really paranoid that is. of course, you should also have your eggs in multiple baskets. but if you don't want it to be searchable later, then you should somehow arrange that the chat isn't stored at all(so that whoever eavesdropping you would at least need to pretty much log all your traffic, because he couldn't just bust the door in).

One small step for man, one giant stumble for mankind.

Working...