
If You Used TorMail, the FBI Has Your Inbox - barkingbad
http://www.wired.com/threatlevel/2014/01/tormail/
======
skwirl
I don't really see what there is to be upset about in this particular case.
This is how investigations are supposed to be done, by the book.

The FBI has copies of the servers TorMail ran on that they legitimately seized
in an unrelated investigation (the servers were also hosting child pornography
websites).

In the course of another investigation, the FBI found that orders for forged
credit cards were being sent to a TorMail account.

The FBI obtained a search warrant for that specific account and then accessed
it from their own copy.

This is not trolling the seized database for anything and everything that
might be illegal. This is finding probable cause from another source and
obtaining a specific search warrant. This is how it is supposed to be done.
Why would you expect anything less from competent law enforcement?

The FBI is not the NSA. FBI cases have to hold up in the light of open court.

If you are upset about the fact that TorMail was not in fact secure, well,
that's on the TorMail operators and on the users for trusting the entity that
controlled TorMail while knowing absolutely nothing about them. Remember,
TorMail has nothing to do with the Tor protocol, and is just the name someone
gave their supposedly secure and anonymous e-mail service that they hosted on
the deep web. For all anyone knew, the FBI could have been running TorMail all
along.

~~~
wavefunction
People are upset because of this new standard of "grab everything, put it in a
'secure' location and mine it in the future for past crimes."

The main concern is that something you did today may become a crime tomorrow,
so now entire populations are apparently in the situation of Schrodinger's
cat: we are both criminals and not criminals, and only the indistinct future
will determine where we end up.

If you want a society where an individual is free to pursue their interests as
long as they don't hurt anyone, it makes a lot of sense to have a transparent
set of rules that are applied equitably to every citizen, regardless of their
demographics or background.

If you want a society where the individual is completely at the whims of
mysterious and unknown forces that can destroy their life utterly for no
apparent reason at all, well then carve out special exceptions for some while
reserving harsh punishments for others. Introduce secret courts, evidence and
trials... Institute a "permanent record" of someone's behavior that can be
used to manipulate them as desired. Break the well-thought out control systems
that help avoid abuses all to make "LEO easier."

I'm assuming every experience you've ever had with law enforcement is
positive?

~~~
eurleif
>The main concern is that something you did today may become a crime tomorrow

Ex post facto laws are unconstitutional in the US.

~~~
middleclick
> Ex post facto laws are unconstitutional in the US.

The Fourth Amendment protects US citizens from unreasonable search and
seizure. Clearly that is being violated as the recent ruling on NSA data
collection has pointed out.

~~~
res0nat0r
The NSA data collecting as of right now is in fact not illegal. There are
still debates if it should be or not, but as of right now, it is not.

~~~
tsaoutourpants
Not according to a US District Judge who granted a preliminary injunction
against the phone spying. Please don't parrot the politicians who claim
legality. The fourth amendment is clear enough to prohibit this government
conduct.

~~~
res0nat0r
One says yes, one says no, so therefore it is still up in the air. Until there
is a definitive ruling on the matter you can't claim it is illegal...it is
still a gray area until something like the Supreme Court definitively rules
one way or another.

~~~
hnriot
While a gray area it is still legal. It's only illegal when the courts say it
is, so de-facto it's legal. That's a pretty basic property of the US
democratic system.

~~~
tsaoutourpants
You're confusing "innocent until proven guilty" with a constitutional law
question. There is no "presumption" that the executive branch is operating
lawfully.

------
DanBC
{EDIT: I really hope people were risk assessing and choosing an appropriate
provider. Sadly, many people weren't and were choosing what they thought was
secure. This is why the newer crypto tools get a lot of hostile scrutiny. Not
because people don't want them, but because they have to operate in a hostile
environment and consequences of failure can be severe. If prison is a risk you
need have a lot to learn about encryption and privacy.}

There should be legal controls over what information is seized. Requests
should need a warrant, signed by a judge. "Accidental" seizures of too much
information should be reported to the body who provides scrutiny and
oversight.

Some of those accidental seizures should be criminal offences and lead to
punishments for the agencies involved. (Or the individuals).

While the UK has a lousy record on this (with bizarre interpretations of law
so spies can say they obey the law) the reports from the scrutineers are
interesting reading.

[http://iocco-uk.info/](http://iocco-uk.info/)

Here's a PDF of the latest report: [http://iocco-uk.info/docs/2012%20Annual%20Report%20of%20the%...](http://iocco-uk.info/docs/2012%20Annual%20Report%20of%20the%20Interception%20of%20Communications%20Commissioner%20WEB.pdf)

Some parts of the UK government use statistics carefully and they have real
statisticians available to produce and review the charts. This document? I'm
not so sure. While the raw data can be trusted the use of pie-charts is
usually a flag for me, and this document does include a few of them.

------
zvanness
It sometimes amazes me how naive people are. The reality is that since the
patriot act, the entire intelligence community has had access to any
information they need. One needs to be delusional to think that they do not
already have access to your emails, browsing history, phone call conversations
in both audio and text versions, mapping points of where you have been
throughout the day. They collect a very wide net of data that they can later
scan through for any reason. And no, that data isn't deleted after a certain
time frame.

Why are articles like this so shocking?

Have any of you guys had IQT reach out to you, the CIA's investment ARM? They
are very active in finding tech companies that can decipher this data, profile
everyone automatically, categorize people, and try to predict their next
behaviors.

------
f_salmon
_While investigating a hosting company known for sheltering child porn last
year the FBI incidentally seized the entire e-mail database of a popular
anonymous webmail service called TorMail.

Now the FBI is tapping that vast trove of e-mail in unrelated investigations._

That says pretty much all about their methods.

~~~
retube
That they'll share data across investigations? Why wouldn't they? Wouldn't it
be utterly remiss not to?

~~~
dredmorbius
Due process. Fifth amendment. Unclean hands.

Any evidence derived from or linked to this trove can _AND SHOULD_ be tossed
out of court.

~~~
yread
don't worry, parallel construction will save the day at court

~~~
dredmorbius
PC should be recognized as fully unconstitutional.

~~~
TeMPOraL
I think the reason people are opposed to PC is the same why people are opposed
to insurance companies knowing too much - we don't want them to perform their
job (identifying crime, keeping a good probability distribution of bad events
over population) in an optimal way, because the more wrong they are (to a
limit), the more society benefits.

I'm not sure what to think of it; it's just an observation.

~~~
summerdown2
I don't usually quote the bible, but this has stayed with me since childhood:

[http://www.kingjamesbibleonline.org/Psalms-130-3/](http://www.kingjamesbibleonline.org/Psalms-130-3/)

> If thou, LORD, shouldest mark iniquities, O Lord, who shall stand?

Also this, from a somewhat similar source, Cardinal Richelieu:

[http://quotationsbook.com/quote/19331/](http://quotationsbook.com/quote/19331/)

> If you give me six lines written by the hand of the most honest of men, I
> will find something in them which will hang him.

And finally, this:

[http://online.wsj.com/news/articles/SB1000142405274870447150...](http://online.wsj.com/news/articles/SB10001424052748704471504574438900830760842)

> The average citizen commits three felonies a day.

... I'm not sure anyone can survive perfect application of the law.

~~~
dredmorbius
The Cardinal Richelieu line has been my G+ profile motto since registering my
(2nd, pseudonymous) account.

I'd deleted my initial account after only a couple of weeks.

I'm now winding down my pseudonymous account and most Google activity.

------
scrabble
According to the article they did not look at the other data in the database
until they had a warrant to do so. And they didn't obtain a warrant until a
different investigation pointed at a tormail account.

That honestly doesn't sound too ridiculous.

~~~
lostcolony
Surreptitiously mine database for incriminating information.

Build case. Apply for warrant.

Oh look, surprise surprise, the warrant turned up something.

Yes, if we trust law enforcement, blah blah blah. The point of having checks
on government authority is so you don't HAVE to trust government. Government
is not to be trusted; it is to be kept in check. Your safety, your rights,
should not be contingent upon trustworthy officials.

------
nullc
I never used TorMail, but people who emailed me did. So they have private
email from me even though I never used the service.

~~~
autonomy77
That's an accurate comment to make, yes. They know that you correspond with
people who use Tor. See how this can escalate? I think we are (hopefully) all
agreed that chasing down people who use the web for wrongdoing is acceptable
for the govt to do - but the collateral damage is where the problems can lie -
the potential for "guilt by association" here is monumental.

------
malka
NEVER EVER trust the pipes. If you want your communication to be safe, encrypt
it yourself.

~~~
ElongatedTowel
Excuse my lack of knowledge in terms of mail encryption, but wouldn't the
knowledge of communication be enough to warrant further investigation, even if
the text itself is encrypted?

~~~
crpatino
Well, yes... but then, by _openly_ encrypting your traffic, you would be
stating that you are a law-abiding, technically sophisticated citizen, willing
to provide decryption keys to legitimated law enforcement officials with an
appropriate order.

People with real secrets to hide ought to escalate to steganography +
subliminal channel communications.

------
belorn
Email is one of the really worst security risks regarding exposure to false
accusations. It's even worse if you consider prosecutors who are more interested
in statistics and career than justice and truth.

Almost everyone has hundreds of thousands of emails lying around. All in your
name, all forever stored, all with a legal signature on them binding you, and
each with a short text message with no context. It is very often used as
evidence, attached with a conjecture provided by the prosecutor. The defendant
is then forced to try to defend themselves both regarding the conjecture, but
also having to remember and explain the original context.

It has been used in a profile case to "prove" conspiracy, and has also been
used by prosecutors to move public opinion by providing snippets (official
sanctioned leaking) to media.

This is why I view running an email server without full disk encryption to be
negligence, and that everyone should have their own mail server. Until the
legal system has caught up with technology, there's not much more one can do.

~~~
mbq
E-mail was actually designed to just copy a message file from the sender's
computer to the receiver's one; it is sad how it evolved into a plaintext
database of private stuff hosted by third parties.

------
dkokelley
OT: Let me propose that link titles now replace link-baity parts (i.e. "This
Secure Webmail Site") with specific data where available (i.e. "TorMail").

------
higherpurpose
> Now the FBI is tapping that vast trove of e-mail in unrelated
> investigations.

Wait - can they do that? _Why_ can they do that?! Isn't that like a fishing
expedition? Now they're just looking for crimes from that database trove? I've
never used TorMail but _screw everything about that_!

This is why we need to pass some strict laws against mass collection of data,
and against using data in "unrelated investigations".

------
sdfjkl
This post (and article) really need to have "TorMail" in the title.

~~~
kristiandupont
Indeed. Though of course, that would cost them all the clicks of users of
other services, curious to see if they are in danger.

~~~
sdfjkl
If they keep doing it, it'll cost them everything. Such shortsightedness is
the downfall of many a business these days.

------
nly
Who goes to the hassle of using Tormail and then doesn't use PGP? Tormail only
kills off metadata.

~~~
dredmorbius
Getting people to use PGP properly is ... hard.

I've been called out by no less than a Linux evangelist, working at Google,
for being so rude as to PGP-encrypt my email to him "because it was such a
hassle to open".

When the ICIJ was doing its extensive collaborative investigation of offshore
banking, the team evaluated using PGP, but ultimately abandoned it:

 _The project team’s attempts to use encrypted e-mail systems such as PGP
(“Pretty Good Privacy”) were abandoned because of complexity and unreliability
that slowed down information sharing. Studies have shown that police and
government agents – and even terrorists – also struggle to use secure e-mail
systems effectively. Other complex cryptographic systems popular with computer
hackers were not considered for the same reasons. While many team members had
sophisticated computer knowledge and could use such tools well, many more did
not._

[http://www.icij.org/offshore/how-icijs-project-team-analyzed...](http://www.icij.org/offshore/how-icijs-project-team-analyzed-offshore-files)

It's little use if _I_ have and use PGP if I can't convince my counterparties
to do so.

Sad, too.

~~~
drdaeman
I don't get it.

What's hard about GPG or S/MIME-encrypted mail? You set up the thing to
integrate with the MUA once (in GPG's case, S/MIME are supported out-of-the-
box with most common desktop MUAs), then the only hassle is to enter password
on startup or when reading the first message. And lock the computer properly
when you're getting away.

Write a message, tick "encrypt" (or don't untick it), send, done. Receive a
message, see a badge "encrypted, verified", type a password (if key's not
cached before), read it as usual, done. I fail to see how anything can be
easier and less obstructive than this.

At least, my only problem with encrypting email is that practically no one of
my peers have keys published. This could be easily solved if mail client
software vendors could make their products ask user to generate and backup a
keypair on install.

Oh, right, encryption has problems with webmail. Extension/userscript kludges
are insecure (unless they open separate window/tab for anything private) and
break with every other update.

~~~
dredmorbius
_I don't get it._

I'm with you. I've had mutt set up to use PGP for ages. I've configured a
half-dozen or more other MUAs to use PGP/GPG. If I've got an MUA that
_doesn't_ support PGP, I can do ASCII armor encryption and decryption easily.

That's you and me, the geek set.

The Google guy I mentioned: he's just as versed. And yet, felt he should give
me grief.

If you've got a Linux desktop, odds are that the tools you need are
integrated. Congratulations, that's ... about 0.5-3% of all desktops depending
on whose numbers you trust and/or like.

And an increasing number of users are now on smartphones and tablets. Yes,
I've got K9Mail, but I've received no, and sent very few, encrypted emails.

In corporate environments, you get the tools you've got on a standard desktop
and that's it. I've had a hell of a time convincing engineering and dev teams
to create and use PGP/GPG keys and/or use SSH key authentication rather than
passwords. I've been at shops recently which still use rsh (and had the
pleasure of giving the solution to a user creating large numbers of client
sessions: oh, yeah, SSH doesn't have the 512 max outbound connections limit
that RSH does due to its privileged port use). Sigh.

Key distribution is a huge part of the problem. In large part it's what PGP
Corp (now part of Symantec) addressed with its appliance solutions: a box that
creates, signs, manages, and automatically applies keys for users. I don't
exist, and yet I've got a key published (and embedded in my G+ profile
coverphoto). Oh, what the heck, let's add it to my HN profile.

As you note: webmail, mobile, smartphone, and Windows are all problematic. But
more than that: people _don't fundamentally understand the technology they
use_ (part of a _much_ larger rant and topic), and this stuff confuses them
utterly.

------
ergoproxy
The key sentence from this article: "the FBI is adapting to the age of big-
data with an NSA-style collect-everything approach."

NZ PM John Key famously said: "If you don't want to be spied on, hide under a
blanket." [http://www.thecivilian.co.nz/if-you-dont-want-to-be-spied-on...](http://www.thecivilian.co.nz/if-you-dont-want-to-be-spied-on-hide-under-a-blanket-says-key/)

Actually, hiding under a blanket won't help. I don't think Americans get it
yet, so let me shout it: YOUR GOV'T IS SPYING ON EVERYTHING YOU DO!

They don't wait for you to commit a crime and then get a warrant: They collect
everything!

And not only the US government, but governments all around the world. In fact,
the British government spied on users of Angry Birds, along with the NSA.
Source: [http://www.nytimes.com/2014/01/28/world/spy-agencies-scour-p...](http://www.nytimes.com/2014/01/28/world/spy-agencies-scour-phone-apps-for-personal-data.html?_r=0)

And this is nothing new: "In 1862, Lincoln authorized sweeping control over
the American telegraph infrastructure for Edwin Stanton, his secretary of war.
Telegraphs were re-routed through his office, and Stanton used his power to
spy on Americans, arrest journalists, and even control what was or wasn't
sent." Source: [http://www.theverge.com/2013/7/6/4499636/how-lincoln-used-te...](http://www.theverge.com/2013/7/6/4499636/how-lincoln-used-telegraph-office-to-spy-on-citizens-before-nsa)

There you have it: The US government has been using NSA-style electronic
surveillance to spy on its citizens since at least 1862. So do you really
think anything's going to change now all of a sudden?

------
nraynaud
If the French hosting service was really OVH, it would be quite strange that a
Polish refugee fleeing for political reasons would take part in a large-scale
spying operation. But since they are now operating in the US, I guess they have
no choice but to look like nice little soldiers.

------
Thiz
If you used ANY webmail site, the FBI has your inbox.

FTFY.

~~~
chacham15
If you used ANY webmail site, the NSA has your inbox.

FTFY.

~~~
aaronem
If you use email, the Black Chamber can have your inbox if it wants.

FTFY.

~~~
alexlarsson
If you don't use email, chuck norris has your inbox anyway.

------
herrschindler
As long as people think the issue is technical only, they'll keep choosing
providers that cannot hold the promise they make. Legislation and local
provisions should be very high on your list. So far, Switzerland seems like
the best legislation of choice according to this article:
[http://arstechnica.com/tech-policy/2013/12/switzerland-wont-...](http://arstechnica.com/tech-policy/2013/12/switzerland-wont-save-you-either-why-e-mail-might-still-be-safer-in-us/)

Of course the author seems to disagree, especially when you look at the title,
but that seems only because of some odd fascination with gag orders which seem
largely irrelevant in real life as several comments have pointed out.

------
afhsfsfdsss88
Seize it all now and justify it [or not] later. Makes sense. Maybe we should
all just go to jail now and wait to see if the government finds a 'lawful'
reason later for us to be there.

"Strength through unity. Unity through faith."

------
interstitial
If HN is going to be a nexus of discussion on the FBI and NSA, it needs to
understand the "social engineering" programs going on, and take steps to out
astroturfing.

------
hendersoon
Unless I missed it, the FBI still hasn't disclosed how they tracked down the
physical server. The FBI said it was "located in a country with an
arrangement with the US, who gave us access", but remained intentionally vague
and said nothing more. Can they really use that data without disclosing how
they got it?

------
htns
The site was heavily associated with small time trading of drugs and weapons
and what not. While US law might be overly harsh on the criminals, I can't
really bring myself to feel bad for the half a dozen people who had any
substantial legitimate traffic on the server.

~~~
john_b
So having the private communications of innocent people compromised as
collateral damage to an investigation of a few bad people is ok now? They have
servers full of communication logs and only a handful of people have been
charged with crimes based on that information.

------
jobigoud
Surely if you use TorMail you are also the type to encrypt your messages,
right? Right?

------
midas007
Privacy as a Service with centralized servers isn't "swat proof."

------
atmosx
People who used tormail with their real name and/or without PGP are _naive_
and have clearly no idea in what they were into. If the NSA has a huge amount
of PGP's well... who cares? :-)

------
codys
Parallel Construction, anyone? They just happened to be executing a search of
his gmail account and certainly hadn't looked over this trove of emails from
people trying to be secretive?

------
mfisher87
"...we had to oppose their application to preserve our own ability to protect
our own games. Otherwise, it would be much easier for future copycats to
argue that use of the word “Saga” when related to games, was fair play."

That's disgusting. "We use the word saga in more than one of our games,
therefore it's our game word and it's unfair if other people steal that word
from us." ...

~~~
mintplant
Wrong article?

~~~
mfisher87
Apparently so. Fucked that one up.

------
imdsm
Is anything safe anymore?

~~~
GunlogAlm
Was anything ever?

~~~
midas007
Another reason to use end-to-end encryption (like gpg with in-person signed
keys) where possible and not worry as much.

------
aronvox
use [https://www.t3mpmail.com](https://www.t3mpmail.com)

------
sprash
So bitmessage it is then...

