

NSA E-Mail Eavesdropping - qubitsam
https://www.schneier.com/blog/archives/2013/07/nsa_e-mail_eave.html

======
mrcharles
It is a terrible disgusting shame that this whole thing is slowly fading into
the backdrop. In a few years, it will just be taken for granted that the US
government listens to / stores data on everything you do.

I would very much like, now more than ever, for services to build on
encryption in a way that allows it to be used by everyone, with little to no
barrier to entry.

I've wanted to encrypt all my email for a very long time, but the logistics of
doing so when you interact with normal people are... rough, at best.

~~~
sneak
> In a few years, it will just be taken for granted that the US government
> listens to / stores data on everything you do.

I doubt it. Google/Apple/Facebook/AWS/AWS customers/Microsoft have more non-US
customers than US customers, and while the US population might not care, all
of those "foreign entities" that Obama explained are targeted without warrants
aren't going to put their high-value confidential data into those services now
that this is common knowledge.

These companies had better get their asses in gear and get this whole
surveillance architecture shut down, or it's curtains for the US internet
industry.

If this isn't visibly and loudly fixed, nobody (the 6.5+bn nobodies that don't
get 4th amendment protections) will trust US-based companies with high value
data ever again. (It may already be too late, if only because if they shut
down this one, their track record of dishonesty and evasion suggests they'd
just build another and lie about its existence like they did this time
'round.)

There are already European municipalities banning the use of Google Apps on
security grounds, for instance. This is just the beginning.

~~~
vixen99
I just hope you're right about the rearguard action which might now get
underway. Apparently the US nomenklatura seems to think that privacy is a
privilege only for Americans - and then only in a formal sense. Hit them where
it hurts, in their pocket. Best part is that not paying to be bugged is
something any of us can do as a tiny pathetic action which might turn out not
to be so if there are enough of us.

------
bartl
What I don't get is that in the USA, figuring out a password to an email
account is a crime punishable with years of jailtime (think of the Sarah Palin
case) [1], but somehow, when the NSA does it _to everyone in the world_ it's
just "yesterday's news"?

[1] [http://en.wikipedia.org/wiki/Sarah_Palin_email_hack](http://en.wikipedia.org/wiki/Sarah_Palin_email_hack)

~~~
rayiner
That's a ridiculous comparison. The government has more power to do things
than individuals. When people kill people it's murder, no matter how guilty
that person is. When the government does it pursuant to a legitimate
sentencing, it's no crime.

~~~
ynniv
That's a ridiculous comparison. For one, the courts didn't find everyone who
was surveilled guilty of something for which surveillance was a sentence, and
government actions are justified by law, not fiat. For another, your choice of
murder is unnecessarily extreme and emotional. A better comparison would be
opening someone's mail. It is illegal for someone to open someone else's USPS
mail, but the NSA thinks it's not a big deal to open everyone's mail and
construct a big chart of who knows who and what they talk about. Given that no
one under surveillance has been convicted of anything, running a program of
that audacity and scale is not what a government "Of the People" should be
doing. In previous times of war, we have said that governments who do that
should be removed.

------
hawleyal
Why do we keep talking about the legality of what is being done? Instead, our
standards should be what should and should not be done. Just because you can
do something, doesn't mean it's a good idea.

~~~
a3n
You make a good point, but subjective standards are harder to enforce than
objective standards (laws). We subjectively decide what should and shouldn't
be done, and then we objectively codify that in law to make prosecution
straightforward and fair. The law is a tool.

That's the theory. We're fucked when the govt turns around and subjectively
interprets objective law to do whatever the fuck they want.

~~~
hawleyal
Sure. But really, I meant why does the NSA or other orgs need to do everything
up to the letter of the law (regardless of the suggestion that they went
beyond the law)? Just because the speed limit _is_ 70, doesn't mean you
have to go 70.

------
espeed
The PRISM revelations are causing people to question using online services
such as GMail and Facebook for fear that the NSA could access their
information. Some have said they would prefer a model where all their data is
stored locally on their phone rather than trusting it to an online company.

However, wouldn't it be easier for the NSA to get data directly off your phone
rather than requesting your data from all the online companies individually?

It's probably trivial for the NSA to remotely access the data on your phone or
even turn it into a remote listening device when you're not using it. Snowden
intimated this when he recommended to all the people he was meeting to put
their phones in the icebox because its insulation blocks reception.

~~~
taway2012
The point is about dragnet surveillance. Since info is centralized, it can be
copied without too many people being aware that it's being done. E.g., the
copying of info from Google etc was done without any "hacking" or backdoors.

Whereas doing the same scale of info copying by individually accessing users'
computers/phones would be _WAY_ WAY more detectable.

Typing in a hurry, sorry if the point isn't clear.

~~~
espeed
As I understand it, the NSA does not have unfettered access to all of
Google's/Facebook's data so it makes FISA requests on individual users, which
the online companies have not been permitted to include in their transparency
reports
([http://www.google.com/transparencyreport/userdatarequests/](http://www.google.com/transparencyreport/userdatarequests/)).
Dragnet surveillance techniques such as tapping fiber is a different issue.

Regarding detectability, I'm sure they have methods for downloading phone data
that are hard to detect and would look like malware if someone happened to
detect it.

~~~
fnordfnordfnord
> As I understand it, the NSA does not have unfettered access to all of
> Google's/Facebook's data so it makes FISA requests on individual users

You may continue to hold that opinion, but I see no reason to trust denials by
either the gov't or by Google/Facebook/et al. "Unfettered access" is easy to
deny, but it may be the case that what the gov't has amounts to the same
thing, or is effectively unfettered access. The gov't officials involved have
little incentive to tell the truth, and a large incentive to conceal their
activities. The corporate parties may be compelled to lie, or at least be
unable to tell the truth (under duress).

> Dragnet surveillance techniques such as tapping fiber is a different issue.

A single program of many. Don't confuse gov't denials concerning one activity
under one program, as proof that the gov't isn't conducting that activity
under some other program by another name. Also, gov't officials have been
caught in outright lies; James Clapper, for example.

> I'm sure they have methods for downloading phone data that are hard to detect
> and would look like malware if someone happened to detect it.

Phones report their users' every activity, this has been discussed here and on
the internet at large, at length, several times over the past few years. Most
recently was the disclosure related to Motorola phones which is still on the
front page.
[https://news.ycombinator.com/item?id=5973282](https://news.ycombinator.com/item?id=5973282)

~~~
espeed
> Don't confuse gov't denials concerning one activity under one program, as
> proof that the gov't isn't conducting that activity under some other program
> by another name

I'm not ruling out any scenario -- just pointing out that even if
Google/Facebook refuse to comply with the NSA or you decide to stop storing
data in the cloud, it may not do much to protect your privacy because your
phone is not a safe haven.

------
staircasebug
All this makes me wonder if the NSA has the ability to tap your medical
records. Has this reach been talked about?

In their terms, nothing is off limits, correct?

------
nobodycares
Newsroom NSA episode predicted this.

~~~
LoganCale
Newsroom NSA storyline was based on earlier leaks that basically said the same
things, just without evidence and government admissions to back them up and
the stories died out quickly in the news without most people paying attention.

