Email privacy

An interesting look at the arguments made by the US Government in a email privacy case serve as yet another reminder that email is not private. For both technical and, now, potentially legal reasons, email that you send is not protected from prying eyes. Even for jurisdictions that have a bit more regard for privacy than the US does, the cleartext nature of email communication should be enough incentive to use encryption, at least on sensitive emails. But, even among highly technical users, email encryption is quite rare.

In the article, attorney Mark Rasch describes what privacy is, from a constitutional standpoint, as well as the test the US Supreme Court used to determine privacy rights. "Constitutional privacy" simply governs whether the government is required to get a warrant before using a particular piece of evidence against a defendant, which is a bit different than the usual definition. In the current case, the government seeks to introduce email that it gathered without a warrant – its claim is that none is required.

The case that essentially created privacy rights in the US was a 1963 case involving payphone privacy and the Supreme Court decided on a two question test to determine whether there was a privacy right or not. Those questions boil down to whether the person believed what they were doing was private and whether society as a whole would agree. In the current case, the government is arguing that because the terms of service (TOS) of an ISP allow the ISP to monitor email, anyone using that service has no reasonable expectation of privacy. Thus, a subpoena, rather than a warrant, is all that is required to use the defendant's email against him.

A subpoena is much easier to get, with much less specificity about what kind of evidence is being sought. A prosecutor could subpoena someone's entire stored email archive from an ISP, but a warrant would need to indicate what kind of evidence, for which alleged crimes, was being sought. Email that was evidence of a different crime would not be admissible. At least in theory.

This would appear to be an end run around the Electronic Communications Privacy Act (ECPA), which was passed to specifically protect electronic communications in the same way that telephone calls are protected. The current administration's assault on telephone privacy notwithstanding, ECPA clearly extends the wiretapping laws and warrant requirements into the realm of internet communications. A regulation passed by Congress can add additional privacy safeguards, beyond what the Supreme Court decided, as long as the safeguards are not unconstitutional themselves. How the Justice Department intends to circumvent ECPA is not clear, but hopefully the defendant's lawyers and the judge won't ignore it as well as the Justice Department has. A decision in the case is still pending.

Perhaps the most chilling portion of the government's argument is that it didn't even need a subpoena; that the email could be introduced as evidence no matter how it was acquired. Their argument once again rests on the TOS that folks agree to with their email providers (ISPs or on-line services like GMail), which, because it gives the provider the right to look at the email, makes email inherently non-private. So the government can collect it in secret rooms at AT&T and use it as they see fit. That's not quite how they put it in their arguments, but that is the upshot.

With luck, the courts will see things just a tad differently, especially in light of ECPA. This will hopefully leave us with only the technical side of email privacy to deal with. For that, there are plenty of tools available, they just don't seem to see much use.

Most modern mail user agents have some kind of encryption capability, usually in the form of an OpenPGP (RFC 2440) compliant message handler. This open encryption standard has been around for a long time, is well-supported, and not too terribly difficult to use. So why do the vast majority of emails go out unencrypted?

There are a number of reasons, probably. For one thing, the vast majority of email is spam these days; encryption probably lessens their impact, though it may help them avoid spam filters in the future. Of the rest, most of what is sent as email probably doesn't seem to require much in the way of privacy. Some of it is going to public mailing lists, others are reminding the spouse to get milk on the way home, and the rest is one of several bad jokes that have now been forwarded enough times that the indentation level puts the actual text on a monitor next door. But, seriously, it is only a small subset of email that needs encryption.

Even that small subset is probably not encrypted, at least in the author's experience. Certainly the Tor eavesdropping exercise indicated that even governments tend not to use encryption for at least some of their diplomatic traffic. It almost certainly comes down to convenience; dealing with keys, key exchanges, and key management is more trouble than it is worth. Unfortunately, there is no silver bullet solution to that problem; in order to have good encryption, you must have good keys.

Encrypted email should be fairly private, but it is certainly not bulletproof. Because it is so rarely used today, sending encrypted email might attract unwanted attention from entities monitoring internet traffic. But, as long as both parties maintain the secrecy of their keys, possibly under the threat of imprisonment for contempt of court, there is no known method for decrypting the message in a reasonable timeframe (key-length and cipher-strength dependent, of course). If we really want privacy for our emails, encryption is the right path.

it seems the safest way to store mail is on RNC computers which are evidently programmed to
lose both mail and backups upon being subpoenaed.

It WAS a typo.  Good heavens, but what a Freudian slip that was!

"So in the end it's still too terribly difficult to use. "

Indeed. I have found many applications of this technology to be too difficult to use routinely
in practice, even though I teach it. And in my view for this fact to change 3 developments
must occur:

1. DNSSEC provides a certification forest with root keys at the domain roots - users can
choose between different certification standards and approaches based on the top-level domain
they choose their own registered domain to be within. Domain registration comes with
certification of a domain signing key as standard. I'll believe this one has occurred when
cryptographic services are provided alongside standard DNS domain registration and renewal as
standard practice. (I don't realistically see any non-DNS based approach to key authentication
taking off. If you already have the cost and hassle of renewing a domain every year or 2 you
might as well combine the possibility of key certification and rollover servicing at the same
time. )

2. Secret keys to be held by end users are mostly kept on cheap/small cryptographic hardware
used only to sign and encrypt documents. This possibility is getting closer. Today I saw a
brand new authentication device (small enough to attach to a set of physical keys) which
generates a six digit security code every minute for up to 5 years issued routinely for use
with a bank account.

3. Usable standards are developed for storing public keys within DNS and for cross-platform
APIs for networked applications requesting and obtaining encryption and signing services using
dedicated crypto hardware described in 2. 

With the above 3 developments in place, all the end user should have to do to sign and encrypt
or decrypt an email or bank transfer request should be to see a dialog box which asks them to
press a button on their hardware security device, showing them a short digest of the message
on screen, which should be the same as the digest shown on the display of their device so they
can know what they are being asked to sign.

If the key certificate is in the DNS and you trust the certificate chain
down through the DNS tree from the root at the TLD, then you
can establish a measure of trust in the key that I publish in the DNS zone for my domain
genuinely belongs to me, because it was signed by the higher level domain key when I
registered or renewed the domain.

"That only works if I own the domain. Most people get their email from a higher level
provider, which also own the DNS record. It is easy to redirect selected queries."

Semantically joe@example.com carries the same global meaning in connection with working
relationships, name delegation and a potential certificate chain as joe.example.com, though I
accept that the syntax differs. 

"And even if I own the domain, a simple change at my domain registrar would suffice to
redirect queries to another server. Or at a root server; as you say, you have to trust the
certificate chain down to the root. How do you defend against that?"

If you trust the .com root key signing certificate, and .com registry has signed the
example.com certificate, to assert that this key genuinely belongs to the owner of
example.com, and the example.com key has similarly been used to sign the joe.example.com or
even the joe@example.com certificate, then a verifiable chain of trust exists. If you don't
like or trust the .com key-signing certificate, you can register example.co.uk or example.de .
In fact any community that wants to establish a certification tree can root this at any DNS
domain or subdomain that they elect to use for this purpose. As Joe, you defend against
example.com reallocating joe.example.com to someone else in the same way that you prevent .com
reallocating example.com to someone else if you are example.com . If you don't trust the next
label up the chain reallocating your identity in breach of contract, find a domain parent you
do trust to keep to its contract.

If the standards agreed for this purpose place references to locations for certificates at
regular and known places within the DNS then a chain enabling a certificate to be located and
verfied based on knowledge of the the location of the root and trust in the root certificate,
will exist so long as all parent domains to yours up to the root server operate in accordance
with the agreed standard for achieving this. Relocation is no more of an issue than it already
is if the IP address of a DNS server containing delegation records for your domain is changed
- the next level up has to be updated to contain the new address.

If a domain's DNS is spoofed e.g. through a cache poisoning attack, this will create the
possibility of a denial of service attack in the sense that the spoofed domain location will
not contain a certificate for the domain certificated by its parent, making the genuine domain
uncontactable until the redirection is resolved.

Generally domain parents don't do the reputation of their own domain
any good by playing fast and loose with identities or breaching contracts with customers, but
if a domain registration contract has been allowed to lapse, there is nothing to prevent the
identities concerned from being reallocated, just as there is nothing to prevent someone else
from having the same name as me or someone given the family name: McDonald at birth from
opening a restaurant under their own name.

Cryptography will always be seen to fail if the standard required for success is for it to be
seen as solving all of the world's honesty, security and identity problems. This doesn't
prevent crypto from being used more universally and easily than it now is. Personally I can
see some good reasons for the set of working relationships we know as the DNS to be extended
in this manner. I'm not interested in evaluating this against the assumption that this has to
give "perfect security" in all situations as all proposals will fail based on such a
criterion. I am interested in whether this enables us achieve better security than what we now
have in practice more readily than other possible approaches.

Here in the UK our enlightened government has this covered - a law has just been passed by
which you can get banged up for five years for not giving the state police your encryption
keys...

Remind what "freedom" meant in the old days, will you?

For those interested, an excellent blog on such topics is the Volokh conspiracy, e.g.
http://volokh.com/archives/archive_2007_11_04-2007_11_10....

I don't think there was any difference in Microsoft's case between email and physical mail;
Microsoft is a public-traded business, which gives them responsibilities that the public
doesn't have, and a court can subpoena documents from someone, email or paper.