
E-Mail Security in the Wake of Petraeus - neeee
https://www.schneier.com/blog/archives/2012/11/e-mail_security.html
======
haberman
What is the difference between a warrant and a court order? Both presumably
have judicial oversight, so is it just a difference in the standard required
to issue one?

This reminds me of an experience I had several years ago. My sweet grandma
fell prey to a scam where someone called her, impersonating me, and said I was
in trouble in a foreign country and needed money. She sent some money via
Western Union (or a comparable service, I don't remember which one) to my
name, and the scammer picked the money up. To do this the scammer needed ID
under my name. I called up the company and asked to see a copy of the ID that
was used, since I wanted to know if any of my documents had been compromised.

The company said they wouldn't release that information without a subpoena,
which seemed reasonable to me (for all they knew, I was an attacker trying to
steal someone else's ID). But I couldn't find any way of getting a court order
of any kind. It seemed reasonable to me that I should have standing to see
what ID was used to impersonate me and steal money from my grandmother, but I
couldn't find any options for actually obtaining it.

In this situation, I would have loved a way to obtain a court order for this
information.

~~~
Spooky23
Certain types of requests by law only require an "administrative subpoena" --
Federal agencies basically are given the discretion by Congress to determine
when they are necessary.

Typically, they are used to establish facts needed to support a search
warrant. For example, the police may subpoena a utility to obtain electricity
usage when investigating a marijuana grower. Using that information, they can
obtain phone data and eventually get a search warrant to search the physical
location.

------
misnome
I'm still confused about this whole thing. What did he do that he needed to
resign for? As far as I can tell, he had an affair, which isn't exactly
uncommon, and probably has zero influence on how he worked in his job.

~~~
RyanZAG
This whole saga is hilarious for me - I live in South Africa. Our president
was involved in a rape case just before he was elected. He got the charges
dropped because of a mysterious set of audio recordings that were classified
yet somehow proved him entirely innocent. Trouble is, nobody has yet been able
to get hold of these recordings even under subpoena from the constitutional
courts. The guy also has a number of wives, was involved in a number of arms
deals, and is currently building a $30 million house in the middle of nowhere
and having a billion dollar freeway project begun to make sure he can get to
his house in style. We also have a 'textbook fiasco' where a large portion of
public schools in a province did not receive textbooks at all. Nobody in the
education accepts blame or will step down over this. The monopoly government
controlled electricity provider is increasing electricity charges by over 15%
per year and is still losing money by paying out massive bonuses to employees.
We have had illegal strikes resulting in multiple deaths caused by police
shooting fleeing strikers in the back as they ran away. Nobody in government
has stepped down over any of this.

This is common in many democracies across the world.

The fact that someone in your government is forced to step down over something
as basic as having an affair (our president has had a number of them over the
last 4 years) shows that USA is still pretty high up as far as government
morals go. Bravo!

~~~
adestefan
Politicians in the USA have higher standards for civil servants than they do
for themselves. There are numerous elected officials that have had multiple
affairs, multiple convictions for some serious crimes, and/or very
questionable ethic violations, but they'll happily keep their job.

~~~
RyanZAG
True enough, I concede the point... politicians are probably just as corrupt
anywhere you go.

------
killermonkeys
I don't personally buy that the solution to this is to "rein in the FBI" if
we're talking about the security of the CIA chief vis-a-vis the FBI. The point
is that a motivated attacker could do all these things to a high value target.
It might sound far-fetched but having damaging personal information about a
CIA chief is very valuable. I don't condone judging people by their worst
actions, but I think that the government would rather the FBI found out this
information than someone else.

------
liotier
Yes another reason why I still bother to maintain an email server for 150
people in our family and friends circles.

It is one hundred times more expensive than industrial hosting but, if you
know what you want there is only one way to get it.

~~~
sliverstorm
I mostly like being able to manage my email as files. Can't do "tar zcf
/backup/mail.tar.gz ~/mail" on GMail.

~~~
bct
getmail, fetchmail, etc.

~~~
sliverstorm
At that point though, I feel like you're already taking most all of the risks
of hosting your own mail, and also taking all the risks of going through
public webmail. Worst of both worlds sort of thing. So you might as well host
yourself at that point :)

------
mtgx
The issue is not whether or not FBI should be able to do something like this,
but they should be following more strict procedures, and they should always
need a warrant and "probably cause". It's pretty scary that the FBI can get
all this information about someone just because there's a 10th degree
relationship between someone they were following and you.

But this case was pretty horrible to begin with. It seems FBI was only doing
this as a "favor" to someone, and it wasn't about finding evidence about
Petraeus having an affair, that enemies could've exploited, because they
weren't aware about this, and they only found it by mistake.

All I'm saying is that the Government having this kind of power doesn't
represent the "land of the free" very well, that US is supposed to be, and it
has a lot more in common with a dictatorship/totalitarian state than with a
true democratic republic.

It seems to me that technology is making it irresistible for Governments all
over the world, whether democratic or not, to want to spy on their citizens
and know everything about them. The lure of absolute and all-knowing power is
very tempting, the easier it gets with new technology.

If this doesn't become a real political issue, and is not stopped, I could
easily envision how 30-40 years from now, when technology will make it
possible for people to interact with technology through mind control, it will
also be very easy technologically wise to see what people are thinking, and
the Governments will no doubt want to easily access that, too.

There's already another scary trend starting to show-up - that of pre-crime
recognition, although it's still in its very early stages. But imagine when
we'll start to use quantum computers. Those computers could easily create all
the needed statistics and possibilities to show how likely someone is to
commit a crime in the near future, and I could see the government and law
enforcement agencies wanting to use that. I think we've all read the reports
of NYPD police raiding the OWS leaders a night before the protests were
supposed to happen. This is not mere unlikely theory. It's already happening,
just on a much smaller scale.

It would simply be irresistible to them at the time, just like they love being
able to obtain all the data about you without a warrant right now, and they'd
love if it they could do even more without a warrant, and are lobbying for
these types of laws in Congress. The only way to stop these sort of trends is
for people to take a stand, and vote for people who are against them.

~~~
sliverstorm
_the Government having this kind of power doesn't represent the "land of the
free" very well_

An interesting thought springs to mind. Being free, and the government knowing
what you are up to, are not _inherently_ at odds. This is a good thing, as
hiding things is only going to get more difficult as technology progresses.
Rather than fighting to keep one's deeds (or misdeeds) secret, perhaps we
should be fighting to make it such that it doesn't matter if the government
knows?

~~~
beagle3
The government is made of people. So just replace "government" with "other
random people" in your thought above, and see if it makes sense to you.

To me, it IS "inherently at odds".

edit: to expand on this - information easily leaks from government employees
who have been authorized to access it. Especially when it is so easy to get,
and is so broad, then a private investigator is likely to find a government
employee who would copy the files about person-of-interest-X in return for
$1000, for almost every X.

For just one additional lookup a week, that employee can make an additional
$50,000 tax free with negligible chance of getting caught (with today's
nonexistent oversight) except if the resulting leak happens to become a news
item.

So, realistically also replace "government" with "any willing person with
$2000 to spare" (the private investigator will also take a cut :) )

~~~
knowaveragejoe
This. To me, Silverstorm's comment seems to be along the line of thinking of
"If you've got nothing to hide, then why do you care what they know about
you?"

~~~
sliverstorm
Sort of backwards from that. The counter argument to "If you've got nothing to
hide..." usually revolves around the fact that you're always breaking laws,
just because we have such a tangled legal system. So if you fix the legal
system, then there's no cause for worry.

Yes, there's the privacy issue, but I'd bet that could be handled.

~~~
aidenn0
No, the counter-argument to "If you've got nothing to hide" is that there are
lots of perfectly legal things that you don't want other people to know. Maybe
you're gay and you don't want your parents to know. Maybe you don't want your
abusive ex-husband to know where you live. The more people that know a secret,
the harder it is to keep.

Remember, the government doesn't know anything, people working for the
government know things, and the more people that know a secret, the harder it
is to keep.

~~~
sliverstorm
Right, so that's the privacy part. It seems to me like that ought to be
addressable- there's already plenty of people who become privy to private
information for this or that reason, and it is very rare it becomes a problem.

Unless the system is significantly improved, yes, it probably entails some
increased risk to your personal secrets. But to immediately shut down any
suggestions of increasing government application of tech on those grounds
seems short-sighted and selfish. There are positive outcomes, too! I'm not
saying "forget about privacy, it doesn't matter", but rather "shouldn't we try
to work a compromise?". Find a balance, where any increase in risk to personal
privacy is counterbalanced by a respectable improvement in the capabilities of
government to operate effectively. If we are stoic and immovable on the issue,
we just impair our own government when we limit them to 20th century
technology.

~~~
beagle3
The main fallacy of your argument is that you assume you can somehow prevent
corruption by technical measures, when the only lesson you can take from
history is that government corruption is a question of "when" and "how", not
"if". And you're saying "it might be useful" without offering even a single
example. (In general you need at least two example to generalize from, you
know)

Could you actually give examples where more government knowledge is helpful?
Strike "crime fighting" out, because e.g. London's MET police, and the FBI
already have almost-all-knowing access to data, and all reports say it doesn't
help at all.

In the 2nd half of the 20th century, Eastern Europe and the Soviet Union, are
full of examples of why government knowledge of everything is bad.

Assume government knows _everything_ you do, all is fine, and then one day,
Hollywood gets a law that says you can't watch a DVD with friends (you each
have to own an independent copy, so that they get paid). Bam, instant
enforcement the next day, because the government knows everything. An almost-
as-ridiculous law was almost passed (the recent ACTA treaty), and it's not a
coincidence that demonstrations in Europe (especially former eastern block,
who have actual experience with that) were far more numerous and vocal than in
the US.

------
thechut
This is beyond scary, we all basically live in a police state now and their is
nothing we can do about it. Schneier's last line just about sums it up...

~~~
adestefan
Please. This is nothing compared to what the FBI did from their inception
until the late 1970s. If this happens 40 years ago you might find out about it
5 to 7 years after it occurred.

~~~
beagle3
While I agree with what you are saying, it's like saying "ha, your fatty liver
isn't serious. Some people get cancer!". The fact that the FBI was even more
horrible until the 1970s doesn't make the current situation any less scary.

