
IRS claims it can read your e-mail without a warrant - DanielBMarkham
http://news.cnet.com/8301-13578_3-57578839-38/irs-claims-it-can-read-your-e-mail-without-a-warrant/
======
rayiner
This statement: "Newly disclosed documents prepared by IRS lawyers says that
Americans enjoy 'generally no privacy' in their e-mail, Facebook chats,
Twitter direct messages, and similar online communications" is entirely
consistent with the existence of Warshak. Warshak covers the Sixth Circuit,
which includes the following states: Kentucky, Michigan, Ohio, and Tennessee.
The IRS is bound by this precedent in those states and nowhere else. Other
circuits might find this precedent persuasive and agree in future cases, and
that is something the IRS will have to deal with in future prosecutions, but
for a Handbook on the law as it stands now, this statement is absolutely
accurate.

The nation-wide precedent is they can access anything older than 180 days
without a warrant, which for IRS's purposes is basically anything that would
be relevant to a criminal tax prosecution (there is no statute of limitations
on willful tax evasion or fraud).

Should we have privacy rights in our e-mails and personal messages? I think
so. But the Constitution doesn't protect that, any more than it protects
"one's papers" if those papers are left on the premises of a third party.[1]
Not everything that is a good idea must be necessitated by the Constitution.

[1] Wikipedia's article on "expectation of privacy" is pretty good:
<http://en.wikipedia.org/wiki/Expectation_of_privacy> ("In general, one cannot
have a reasonable expectation of privacy in things held out to the public.").
If you understand how SMTP works, it's hard to argue that it's a private means
of communication. You send a clear-text message to a publicly-accessible
service that is empowered to forward the message to other publicly-accessible
servers if necessary.

~~~
maratd
> If you understand how SMTP works, it's hard to argue that it's a private
> means of communication. You send a clear-text message to a
> publicly-accessible service that is empowered to forward the message to
> other publicly-accessible servers if necessary.

Whoa, hold it, I don't think so. Almost every SMTP server out there today
requires authentication and quite a few require either SSL or TLS. That is the
very definition of trying to keep things private.

Hell, I use Google's solution and have two-factor authentication set up.

Should I really start adding "this email is privileged and confidential" to
every email like my lawyer?

~~~
sliverstorm
Authentication is to prevent someone from pretending to be you. This is not
the same as trying to keep your messages private.

~~~
kamjam
_The lock on my door is to prevent someone from pretending to be me to enter
my property. This is not the same as trying to keep my stuff private or safe._

Note how your statement does not hold in the real world.

~~~
sliverstorm
We are talking about a transmission protocol, not a storage protocol. For
storage, privacy and identity overlap. For transmission they do not.

~~~
superuser2
So you don't mind if I wiretap all your phones?

Email being transmitted by 3rd parties is not different from voice calls being
transmitted by 3rd parties. Yes, you are trusting a provider, _with the
expectation that your provider will send the data where you've asked it to
send the data, and nowhere else_. This is still true whether you're talking
postal service, landline voice calls, SMS, cellular voice calls, Skype, etc.

~~~
sliverstorm
Maybe I'm expressing myself in too cryptic of a fashion. I'm simply asserting
that while privacy and authentication sometimes overlap, they are not the same
thing.

From the parent of my original comment:

 _Almost every SMTP server out there today requires authentication ... That is
the very definition of trying to keep things private._

Do you disagree with me? Do you believe that SMTP authentication contributes
to _privacy_ and not _authenticity_?

~~~
maratd
Hey, hey, what's with the "..." and cutting out the relevant parts? I
explicitly mention SSL and TLS. Those are encryption standards that are
designed exclusively for privacy.

If I am using them to communicate with a 3rd party, I have a reasonable
expectation of privacy between myself and that 3rd party. You would most
certainly need a warrant to turn around and try to get access to a message
stored on their servers.

On top of that, quite a bit of email today doesn't even touch SMTP. If I'm
sending an email from one GMail user to another GMail user, I'm pretty sure it
is just shuffled around on Google's internal servers. And, of course, I'm
connecting to Google using SSL, an encrypted connection.

How does that not scream private?

~~~
sliverstorm
_Hey, hey, what's with the "..." and cutting out the relevant parts? I
explicitly mention SSL and TLS. Those are encryption standards that are
designed exclusively for privacy._

I cut out the SSL and TLS because I don't disagree; SSL and TLS certainly say
"privacy". I wanted to _specifically_ address the notion that "authentication
=~ privacy"

------
Jach
When will "does not give the option to encrypt all outgoing correspondence
with my PGP public key" become as embarrassing for an important website as
"doesn't have an SSL cert" or "emails/stores passwords in plaintext"?

Edit: added word "outgoing" for pedant below. ;) Of course it'd be nice to get
their public key too if you had to correspond back without going through say
their https website.

~~~
__david__
It'll happen only when PGP isn't just used by .001% [1] of email users.

It needs some really good integration with an email client somewhere, where
addresses are picked up from a public key server and automatically encrypted.
I'm picturing an iMessage style thing where as you're typing someone's email
address, the keyserver is getting pinged and the address turns a different
color and a lock icon appears by it. Now all your correspondence with that
person is encrypted. PGP purists might not like it ("but you're automatically
trusting some random key!! The web of trust, the web of trust!") but it would
be a step in the right direction.

[1] Statistic I just made up.

~~~
betterunix
I think a better solution is identity based encryption, so that the sender can
encrypt the message before the receiver has their private key. Senders should
have multiple IBE services to choose from, and we should have standards that
allow or even require threshold IBE (so that no single party can decrypt all
messages). IBE services may fail to take verification seriously, but the
sender of a message could simply refuse to use services with a reputation for
being lazy or malicious. It might also make sense to create a hybrid system,
combining IBE with PGP.

<https://en.wikipedia.org/wiki/Identity_based_encryption>

[Edit: it pains me to say this, of course; I am not a fan of systems where
some other party or coalition of parties can decrypt messages. However, it
would be better than what we have now, and it is closer to the "putting a
letter in an envelope" abstraction.]

~~~
mike-cardwell
If you want to encrypt something with my public key, you would run the
following command (email address obfuscated):

gpg --auto-key-locate pka -ear mike(dot)cardwell(at)grepular(dot)com

gpg then automatically looks up the TXT record for
"mike.cardwell._pka.grepular.com" in the DNS. Which gives it:

"v=pka1\;fpr=35BCAF1D3AA21F843DC3B0CF70A5F5120018461F\;uri=http://grepular.com/0018461F.pub.asc"

It then automatically fetches my public key from the URL in that record,
checks it matches the fingerprint, and then imports it.

For extra goodness, the DNS for "grepular.com" is secured with DNSSEC also.

The technology exists for sharing public keys and using PGP. The major mail
providers couldn't care less about providing user interfaces for it though.
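
The lookup-and-verify step described in the comment above, as an added example that is not part of the thread or of GnuPG's code: it parses a PKA record and checks a binary (de-armored) v4 key against the published fingerprint using the RFC 4880 fingerprint rule. The sample key and the `example.invalid` URI are constructed, and the function names are hypothetical.

```python
import hashlib

def parse_pka(txt: str) -> dict:
    """Parse a PKA TXT record of the form v=pka1;fpr=<hex>;uri=<url>."""
    txt = txt.strip().strip('"').replace("\\;", ";")  # undo zone-file escaping
    fields = dict(p.split("=", 1) for p in txt.split(";") if "=" in p)
    if fields.get("v") != "pka1" or "fpr" not in fields:
        raise ValueError("not a pka1 record")
    fields["fpr"] = fields["fpr"].replace(" ", "").upper()
    return fields

def primary_key_body(key: bytes) -> bytes:
    """Body of the leading public-key packet (tag 6) in a binary OpenPGP key."""
    if len(key) < 6 or not key[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if key[0] & 0x40:                      # new-format header
        tag, first = key[0] & 0x3F, key[1]
        if first < 192:
            start, length = 2, first
        elif first < 224:
            start, length = 3, ((first - 192) << 8) + key[2] + 192
        elif first == 255:
            start, length = 6, int.from_bytes(key[2:6], "big")
        else:
            raise ValueError("partial body length not allowed for a key packet")
    else:                                  # old-format header
        tag, ltype = (key[0] >> 2) & 0x0F, key[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        start = 1 + (1 << ltype)
        length = int.from_bytes(key[1:start], "big")
    body = key[start:start + length]
    if tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a complete v4 public-key packet")
    return body

def v4_fingerprint(key: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, 2-byte length, packet body."""
    body = primary_key_body(key)
    data = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(data).hexdigest().upper()

def key_matches_record(txt: str, key: bytes) -> bool:
    """True only if the fetched key hashes to the fpr published in DNS."""
    return v4_fingerprint(key) == parse_pka(txt)["fpr"]

# Constructed sample: a syntactically valid v4 packet with placeholder key bytes.
_BODY = b"\x04" + (1365465600).to_bytes(4, "big") + b"\x01" + b"constructed-not-a-real-key"
SAMPLE_KEY = b"\x99" + len(_BODY).to_bytes(2, "big") + _BODY
SAMPLE_TXT = '"v=pka1\\;fpr=%s\\;uri=http://example.invalid/key.asc"' % v4_fingerprint(SAMPLE_KEY)
```

The check only binds the fetched key to whatever the DNS answer said, so the record's integrity (DNSSEC in the comment above) is what the trust rests on.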

~~~
betterunix
Yeah but _you_ still had to generate and publish that key before _I_ could
send you an encrypted message. If I need to communicate with someone who has
not done so, what am I supposed to do? Nag at them to do it? Try to explain
the importance of encryption? I have tried it, and I still try, and it is
basically not going to work: people generally do not see the point, and they
hate the fact that they cannot check their mail from arbitrary systems
(smartcards help here, but now you need to get reliable smartcard readers
deployed all over the place).

We need a system that lets people encrypt messages without having to wait for
the receiver to do anything. That's the point of IBE: your public key is your
email address, you get your private key from the service of the sender's
choice. The service clearly needs to do something to verify your identity,
which is the weakness -- but it is still better than what we do now, and it
does not require us to wait for everyone to upgrade their email clients.

~~~
mike-cardwell
Yeah, what you say is true. That would be better than what we have now. Re
your comments about smart card readers. You can have smartcard functionality
on any machine with a USB port if you use one of these:

<https://www.crypto-stick.com/>

I received one a couple of weeks ago and it works great. I also have an
OpenPGP v2 smart card, a USB smart card reader, and a reader built into my
Thinkpad.

------
unreal37
Is there any evidence that the IRS has ever been able to get access to
people's emails without a warrant, or is this entire discussion theoretical?
It seems to just be quoting a 2009 handbook recently obtained.

Google won't give your email away without a warrant, and neither will
Facebook. So I'm not sure what this means.

~~~
declan
But Google and Facebook are not the only two companies that store users'
electronic messages (it's not just email, remember, but also direct messages,
stored IM chats, etc.)...

~~~
overdrivetg
Also don't forget about Carnivore/Echelon and their ilk that presumably have
the ability to intercept and store basically all email. Then once your email
is duplicated in a government database somewhere, it being primarily housed on
a Google or FB server is irrelevant.

~~~
rayiner
It's not irrelevant. The 4th amendment is enforced primarily by the
exclusionary rule. The fact that Carnivore, Echelon, etc, can get to your
e-mail anyway doesn't mean that the government can introduce it as evidence in
court. To the extent that the 4th amendment doesn't extend to the stuff you
store on Google's, Facebook's, etc, servers, the government can introduce that
as evidence against you.

~~~
unreal37
Carnivore/Echelon will never be introduced as evidence in court. These are
tools of war. When they were hunting Bin Laden, they weren't planning on
taking him to court in the end and introducing his emails as evidence against
him...

~~~
rayiner
That's precisely why ordinary people don't need to worry about what
information is collected by Carnivore/Echelon. The results are too valuable to
risk disclosure by introducing them into evidence for prosecuting run of the
mill crimes. It's highly unlikely that agencies like the IRS even have access
to this information for those reasons.

------
doki_pen
It's funny how in one breath the government tells us that there is no
reasonable expectation of privacy for data on the internet and in another the
DMCA says that the act of knowingly breaking any security, no matter how weak,
is a serious crime.

~~~
logn
And in the other breath say making a GET request to AT&T following some
obvious pattern of IDs makes you a cyber criminal.

------
JVIDEL
Nothing is certain but death, parsing errors and taxes

~~~
jason_slack
Parsing errors +10. Thanks for the chuckle.

~~~
gknoy
Why would death be parsing errors and taxes? ;)

------
mikeocool
This article would be much more concerning if it was titled 'Google claims the
IRS can read your email without a warrant.' The IRS can think whatever it
pleases about accessing your email, however it still needs your provider to
cooperate and turn over your email without a warrant.

Google's stance on this particular issue is actually quite the opposite of the
IRS's: <http://www.wired.com/threatlevel/2013/01/google-says-get-a-warrant/>

------
forgotAgain
It's time Americans realized that their government does whatever the hell it
pleases. There are too many secret courts and black op intelligence agencies
operating within US borders for a rational citizen to reach any other
conclusion.

If the government wants to read your email, it will. If it refrains from
reading your email it's only because it doesn't find you interesting enough to
go through the hassle of doing so.

------
comex
This thread is full of hackers eager to apply a technological solution -
encryption - to a problem which is better solved legally. Encryption has
rather obvious usability problems, such as being fundamentally incompatible
with webmail (and remote access in general - even if you use a client that
decrypts emails, you can't search without downloading your entire inbox);
while it's highly valuable for myriad use cases, I shouldn't have to use it
for all my random mail. Yes, email seems fundamentally insecure technically,
SMTP servers bouncing messages to other SMTP servers in the clear, but older
networks such as physical mail and telephone are even worse and harder to
secure, yet I still have an expectation of privacy (even if I use a PO box to
store my mail remotely...) because it has been established by law. There is
zero reason this shouldn't apply to email.

------
driverdan
Original article:
<http://www.aclu.org/blog/technology-and-liberty-national-security/new-documents-suggest-irs-reads-emails-without-warrant>

------
johngalt
The problem with email privacy: it's trivial to copy/forward email, but hard
to ensure every endpoint is secure. Even if you are running your own MX in
your basement, all of your email recipients use Gmail.

~~~
rsync
Your communication to users on the same server, however, is secure since it
isn't actually email - it is just a local copy operation.

Every single rsync.net intra-company "email" has never crossed a wire - always
just a local copy operation.

Yes, we do all use (al)pine over SSH, so no, it didn't cross a wire to a web
browser.

------
craftkiller
Why don't people listen when we tell them to encrypt everything?

------
nraynaud
Look, wouldn't it be simpler to make the list of organizations who can't read
emails in the USA?

~~~
socillion
[]

There's your list.

