

Bad advice on preventing government snooping - junto
http://www.guardian.co.uk/technology/2012/apr/02/how-to-hide-emails-government-snooping

======
DanBC
Existing Law: RIPA - (<http://www.legislation.gov.uk/ukpga/2000/23/contents>)

There are proposed changes to allow certain LEOs to have "realtime" rather
than "retrospective" access to addressing / routing data, without a warrant.
Access to content would still need a warrant.

The article doesn't do a great job of explaining the difference between
"private" and "anonymous".

> _Even an encrypted email will usually include the addresses of the sender
> and the recipient in its headers._

but then the article goes on to say

> _There are simpler ways to send private and/or anonymous emails. For
> example, anonymouse.org offers a simple form for AnonEmail, as does the
> sendanonymousemail.net website. There's also Mailinator, which provides free
> disposable email addresses, and Hushmail, which works like an ordinary email
> service but encrypts all your email._

That "and/or" in the first line is important. They should have been clearer
because, as they acknowledge, many people just don't get this stuff. (Also,
Hushmail (and I guess all services) say they comply with correctly formed
legal requests. Hushmail will go as far as crafting a backdoored Java app and
serving it to the customer. I guess that's not particularly worrying for
regular users from England.)

Public key encryption is hard with anonymity because you tie an identity (the
keys) to messages.

The other problem is the risk analysis you have to do. Protecting email
content and routing data is trivial if the attacker is "the smart 14-year-old"
or "the very smart, experienced 45-year-old with industry connections". But in
this case the attacker is a well-funded, first-world, technically advanced
government. GCHQ are not idiots. They don't lack computer power or math
expertise. Anonymising traffic data is going to be hard, even if you use a
bunch of different proxies.
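
The private-versus-anonymous distinction discussed in the comment above, as an added example that is not part of the original thread: it parses a constructed PGP/MIME message and lists the addressing and routing data that stays readable without any decryption key. The sample message, host names, addresses and the `visible_metadata` helper are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample (RFC 3156 PGP/MIME); all names, hosts and IPs are made up.
SAMPLE = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
 by mx.recipient.example with ESMTPS; Mon, 02 Apr 2012 10:15:02 +0100
Received: from [198.51.100.7] (helo=laptop)
 by mail.sender.example with ESMTPSA; Mon, 02 Apr 2012 10:15:00 +0100
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Cc: carol@third.example
Subject: meeting
Date: Mon, 02 Apr 2012 10:14:58 +0100
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"

--b
Content-Type: application/pgp-encrypted

Version: 1

--b
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext placeholder)
-----END PGP MESSAGE-----
--b--
"""

def visible_metadata(raw):
    """Return what a network or mail-server observer learns without any key."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])  # newest hop is listed first
    def addrs(header):
        return [a for _, a in getaddresses(msg.get_all(header, []))]
    # The oldest Received header records the submitting client's address.
    origin = re.search(r"\[(\d+(?:\.\d+){3})\]", received[-1]) if received else None
    hops = (re.search(r"\bby\s+(\S+)", r) for r in reversed(received))
    return {
        "sender": addrs("From"),
        "recipients": addrs("To") + addrs("Cc"),
        "relay_path": [m.group(1) for m in hops if m],  # in transit order
        "origin_ip": origin.group(1) if origin else None,
        "encrypted": msg.get_content_type() == "multipart/encrypted",
    }

if __name__ == "__main__":
    print(visible_metadata(SAMPLE))
```

The body is opaque ciphertext, yet the sender, every recipient, the relay path and the submitting client's IP address are all recovered from the headers alone.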

------
junto
"Examples include hidemyass.com, anonymouse.org, Guardster, Proxify, IDzap and
Megaproxy."

Does anyone else also think it might be a really, really bad idea to log in to
your email account using any of these services?

~~~
DanBC
You'd log into your email provider using SSL.

Is there a working MITM attack?

------
stephengillie
This would be a good foreword to an introduction to computer messaging
security, for those who are unaware of encryption or proxies. It may be too
basic for most users of this site to find it useful.

