
House Passes E-mail Privacy Act - prostoalex
http://www.multichannel.com/news/congress/house-passes-e-mail-privacy-act/410716
======
hendersoon
This bill is great in that email stored on your ISP's (or Google's) servers is
treated identically to that on your computer at home-- they need to get a
warrant. That's a great step forward. It isn't BS.

However, it doesn't address intercepting and recording communications in-
transit, which is extremely commonplace these days. Technically american
intelligence agencies need a warrant to eavesdrop on american citizens. But in
practice, they can get around this by recording _everything_ (full take),
indexing it, and limiting their searches against communications by US citizens
where they either talk to a foreigner or match a search query on a nefarious
keyword. [1]

They wave away violating the 4th amendment of the US constitution by saying
that copying, storing, indexing, and searching through US citizens' private
information is OK as long as a human doesn't read it.

"Full take" sounds incredible-- it entails recording and retaining EVERYTHING
passing through the internet. But we know it's possible. Snowden revealed that
the UK GCHQ has been doing it since at least 2013 with their Tempora system
[2]. Snowden also revealed the NSA's very similar XKeyscore system. At the
time of his leaks, the NSA did not do Full Take... but that was several years
ago.

It's very reasonable to assume that everything, EVERYTHING, you do on the
internet is recorded and stored by the government. This bill does not address
that.

That's why it's absolutely critical that everything you do is end-to-end
encrypted. These government agencies have the resources to crack most
encryption, too [3] but at least you aren't making it trivial.

[1]
[https://en.wikipedia.org/wiki/XKeyscore](https://en.wikipedia.org/wiki/XKeyscore)

[2]
[https://en.wikipedia.org/wiki/Tempora](https://en.wikipedia.org/wiki/Tempora)

[3]
[https://en.wikipedia.org/wiki/Bullrun_(decryption_program)](https://en.wikipedia.org/wiki/Bullrun_\(decryption_program\))

~~~
jcranmer
> However, it doesn't address intercepting and recording communications in-
> transit, which is extremely commonplace these days.

MTA<->MTA SMTP transmission is increasingly SSL these days, and end-user
MUA<->MTA transmission has pretty much been entirely SSL for a long while.
Google cites about 80-90% of its MTA<->MTA transmission is encrypted
([https://www.google.com/transparencyreport/saferemail/](https://www.google.com/transparencyreport/saferemail/)).

~~~
feld
The dirty secret nobody wants to talk about is that MTA's don't do certificate
validation. You can't or you'd never deliver email successfully because of the
number of self signed certs out there.

MITM on SSL/TLS SMTP is child's play

~~~
mike-cardwell
Postfix and Exim both support DANE/TLSA. When I email somebody with TLSA set
up, or they email me, the certificates are validated using DNSSEC signed DNS
records:

    
    
      mike@snake:~$ dig +short mx grepular.com
      20 mail.grepular.com.
      10 mx1.grepular.com.
      mike@snake:~$ dig +short tlsa _25._tcp.mx1.grepular.com
      2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18
      2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E 02CF362B
      mike@snake:~$ dig +short tlsa _25._tcp.mail.grepular.com
      2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E 02CF362B
      2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18
      mike@snake:~$

~~~
cuckcuckspruce
That assumes that nobody can MITM either your DNS server, the your ISPs DNS
cache (if you use it), or Google's DNS cache (if you use it).

~~~
noinsight
Or it assumes DNSSEC.

~~~
mike-cardwell
It does assume DNSSEC yes. Which is a requirement of DANE.

------
e40
I have a hard time believing that the House would make this such an early part
of its business without there being some exigent need. I wonder what scandal
they are trying to forestall? I'm 100% serious. Every move they've made so far
has been from a playbook. I doubt this one was done _for the people_.

~~~
burkaman
This bill was originally introduced in 2013 and unanimously passed the House
last year, it isn't new. It got blocked and then weakened in the Senate last
year, so they're just trying again. In general I think the House is less
theatrical and scripted than the Senate.

[https://en.wikipedia.org/wiki/Email_Privacy_Act](https://en.wikipedia.org/wiki/Email_Privacy_Act)

~~~
un-devmox
Thanks for the link.

Interestingly in 2015, AG to be Sessions introduced an amendment that "would
have exempted federal agents from the requirement to secure a warrant if the
government asserts that an emergency situation exists."

The bill was then withdrawn from consideration.

Is there something similar attached to the current version?

~~~
burkaman
No, this bill is essentially identical to the version that was sent to the
Senate last year. You can compare them here:

[https://www.congress.gov/114/bills/hr699/BILLS-114hr699rds.p...](https://www.congress.gov/114/bills/hr699/BILLS-114hr699rds.pdf)

[https://www.congress.gov/115/bills/hr387/BILLS-115hr387ih.pd...](https://www.congress.gov/115/bills/hr387/BILLS-115hr387ih.pdf)

The only differences I saw are that it's now a BILL instead of an ACT, and
they added the word "and" in one spot.

As far as I can tell the amendments were not actually voted on last year; the
bill was preemptively withdrawn because the sponsors thought passing a bill
with the amendments would be worse than not passing it at all.

------
msravi
Does this also encompass the providers' "reading" emails to place appropriate
ads and/or services?

For example, I noticed recently, that if I have a hotel booked, Google "reads"
my email and annotates Google maps with the dates of my booking.

Does this act apply only to the government's access to email or also the
provider's?

Edit: Also, does the government need a warrant only for US citizens' accounts
or for anyone's emails stored on US servers?

~~~
Buge
Google has to be able to read your emails, otherwise they wouldn't be able to
index them for you to search through. Or do spam detection.

~~~
mc32
If your company is using google apps, this would be one of the things of
concern. How could you ensure none of your trade secrets are unintentionally
leaking via meta data, etc... Unless every account is self-contained and
isolated and encrypted at rest and they don't retain a master/admin key.

~~~
russell_h
G Suite doesn't display ads or scan hosted data for advertising:
[https://gsuite.google.com/faq/security/](https://gsuite.google.com/faq/security/)

~~~
mc32
For sure there are arguments for scanning (threat detection/spam detection)
but that has to be weighed against the meta data you are providing the
provider, as well as knowing you are not in control of your data and someone
else has a means to access the data, even if it's for learning purposes.

------
teekert
I'm not fully aware of the inner workings of American politics, but, did Trump
have any role in this?

Edit "The House has acted to protect Americans' privacy. Now it's up to the
Senate and the President to do the same." Ok, so he might kill it yet. I'm
curious how this will end.

~~~
kijin
If there is enough political will in the House and Senate, they can override
even the President's veto. I wouldn't count on that happening anytime soon,
though.

~~~
typetypetype
For what it's worth, this bill passed the house unanimously (aka veto proof).

~~~
burkaman
It did last year too, and then the Senate blocked and essentially killed it
with amendments.

------
chinathrow
Ctrl-f "National Security Letter"

0 results found.

~~~
elif
I think this comment is down-voted for its terseness, but I think this is the
most important point in the comments.

National Security Letters and FISA court rulings create a legal mechanism to
circumvent this entire bill and any other form of legislative or judicial
oversight.

[https://en.wikipedia.org/wiki/National_security_letter](https://en.wikipedia.org/wiki/National_security_letter)

[https://www.theguardian.com/law/2016/oct/19/aclu-fisa-
court-...](https://www.theguardian.com/law/2016/oct/19/aclu-fisa-court-
surveillance-laws-classified)

~~~
linkregister
I feel that the inclusion of NSLs is almost outside the scope of the bill.
Furthermore, inclusion of prohibitions of NSLs would likely doom the bill. In
this case, perfect would be the enemy of good.

NSLs are a worthy topic for a bill in its own right or as an amendment to the
next FISA reauthorization.

~~~
elif
IMO, a bill titled "No one is allowed to murder" while actually only
preventing Alice from murdering, and permitting Bob to continue his (more
prevalent) murder spree, is a net loss.

It is the false illusion of safety, which is more dangerous than a known
threat.

~~~
linkregister
Stopping Alice from murdering is more dangerous? Interesting.

(I don't agree with your analogy but I'm playing along)

------
miguelrochefort
What year is this? How come are people still expecting privacy?

Don't you realize that privacy is unsustainable and selfish?

~~~
eutropia
I'm not giving up my privacy until governments give up theirs.

~~~
warent
Good answer :)

