I'm starting to think more and more that beyond this being a US Constitution issue, it's a human rights issue, and we should fight to ban all such spying internationally. Yes, I realize how hard that may be to achieve, and how long it would probably take, but we need to do it because it's the right thing for humanity, not because it's easy or hard, just like everyone is fighting for gay marriage all over the world, and have fought for free speech, and so on.
Every human being has the natural right to privacy regardless if they are a US citizen. It's sad and ironic that the US Government claims that foreigners have no natural rights. There should be a global agreement where countries respect the innate rights of all human beings and if not, are punished.
This is the worst aspect of globalization -- the refutation of "sacred and undeniable" rights.
This is just a corollary of what Niemöller said, http://en.wikipedia.org/wiki/First_they_came...
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
I would be truly surprised if there is any country that does follow through on all human rights. The US especially probably breaks more human rights than any other first world country by a significant margin.
In addition to things you control there are many sources of metadata (phone records, bank records, online services, shopping records, web searches/visits, forum comments, unencrypted emails from companies and others) which are really intrusive if made public in aggregate, and with the recent assertion by the US administration that all these records have no expectation of privacy (because you shared them with someone or a company), encrypting just your emails will seem like a hollow victory when the government can collate and analyse all of your activity, online and anything offline which leaves a digital trail, for your entire life.
I do wonder whether the coming of age of a new generation, and the discovery of this widespread invasion of privacy in the name of fighting terror, will erode still further the allegiance to national governments we still feel and lead to supra-national collectives on the internet having more and more sway in our lives. After the hubristic actions of our governments and their pretensions to omniscience about our lives ('mastering the internet', 'total information awareness' etc), our interests as citizens seem to me much closer aligned with other users on the internet and far less aligned with either corporate or national interests.
Exactly, this is the line that the government has currently been using, that they only store "metadata" about communications and not the messages themselves, so encryption would make no real difference.
P.S. Intended to be brutal, think about it.
I should probably be keeping my mouth shut regarding my opinions on US politics, since I'm visiting in a few months. Would be embarrassing to be confronted with this stuff at the border.
It's not perfect, but I think the first step to widespread crypto adoption is getting people accustomed to the workflow of fully encrypted email. Phoneme + mailvelope is not a huge jump from the current gmail experience and just that initial taste might be enough to get more people on the right track.
If we basically know several governments already have copies of your historical gmails, and you're not securing the incoming channel (which we basically know has a beam splitter on it), what good does encrypting the historical files do?
The very fact that they actually do make these demands indicates on balance of probability, they don't actually just have an archived permanent copy of the content of every gmail account in existence. Why ask for what you already have?
Of course, that's an assumption and it may be incorrect. However on the downside if it is incorrect, you're back in the exact same position you started in and you've lost nothing anyway. And as previously stated, it might get people in the habit of understanding how PGP works if mailvelope and products like it see wider adoption.
In a network of correspondents where everyone is running something similar to mailvelope + phoneme, it becomes an obvious thing to do to simply implement proper end to end PGP, so I also hope it might be a solution to the chicken and egg problem which has plagued PGP deployment for so long.
It can never hurt to fight, even if you might lose, especially when if you don't fight, you'll definitely lose.
Certainly going forward it would be a good thing to do, but really (as you say) end to end encryption is required. It's a shame Hushmail was compromised, this is the type of thing if it was built into GMail would push encryption to the masses - I realise it's not in Google's interest or business model though.
With the smart phones being SUCH an integrated part of our lives now, this also makes it VERY difficult to keep your email with you on the go since the mailvelope plugin is only desktop based.
Shame. We have the tools, I hope we get better integration soon.
Unfortunately, once you have permanently deleted a message from Trash or Spam using "Delete forever," it cannot be recovered. Google complies with data privacy legislation. As a result, our systems are configured in a way that it is infeasible to restore user-deleted data.
Sure, they could be lying, but they could also be telling the truth, and if we assume they are then there is an advantage in keeping a fully encrypted store rather than plaintext. Google has given us no reason to believe that they are directly untrustworthy unless they are actively compelled by law to act in user hostile fashion, and they do not seem to enjoy it.
Personally I'm far more concerned about the state as a hostile entity than Google.
> With the smart phones being SUCH an integrated part of our lives now, this also makes it VERY difficult to keep your email with you on the go since the mailvelope plugin is only desktop based.
I make reference to this on the project page, there's APG which is PGP for android, makes reading / writing / signing PGP possible on mobile http://www.thialfihar.org/projects/apg/.
> Shame. We have the tools, I hope we get better integration soon.
I hope the same, I kind of see this as pushing the issue, we'll see where it goes.
Still, great work and thanks for the additional info. Here's to hoping one day EVERYTHING will be encrypted by default!
Everything, from Facebook to Gmail, would be encrypted that way. And I would be in control of the list of people that could read that text.
I'm sure something similar exists for vi, sublime, etc., but emacs (of course) has great gpg support (http://www.emacswiki.org/emacs/EasyPG).
This moves the burden to your local machine, which, while not guaranteeing privacy, helps reduce the amount of data that you're just handing to the bastards.
Emacs hardly fits that bill. Nor does popping up any other editor I think.
I would just like to use the native browser interface and right before doing a POST, have the browser do a pop up and ask me which of my friends I would like to share the text with.
"multiparty encryption" is what you're looking for.
GnuPG/PGP are fairly trivial to implement; here's some apps that are ripe for production:
- Messaging application that exchanges public keys on first contact, and henceforth every back and forth message is encrypted/decrypted without the user ever knowing
- An email client that works on the same basis as the messaging application; the user doesn't need to know - they just wanted their messages sent securely.
^^ That's probably 90% of the use cases for the average joe covered.
To use encrypted email and hide the subject line, you need to not use it (just say "Encrypted email") or something. This cannot be made automatic without impacting UX.
The To: header fundamentally cannot be removed. The sender can be inferred from the account within the email provider supplying the Government's feed.
I like the idea for MUAs to automatically encrypt after a mutual automatic key exchange though. I think PGP would be more suitable for this (no CAs required). Is there a standard email header that advertises "you can reply back to me with a PGP encrypted email encrypted to key ID X and I'll be able to read it automatically"? If not, somebody should propose one. Public keyservers exist so I see no reason a simple header like this wouldn't suffice. The rest is MUA implementation.
True, but don't throw out the baby with the bathwater right away. I know metadata is at least as sensitive as the actual content, but you need to pick your battles. If we get people to widely use GPG to encrypt the content of their emails, that is already a huge win. Why? Because they're now using a public/private key infrastructure. And as you are probably well aware, as soon as everyone involved has secure private keys, implementing all sorts of nifty crypto strategies to hide pretty much whatever you want, is just a matter of adding protocols. And that can be done pretty transparently, if only the intended users would already be using keypairs for identity management. So, IMO, even if just encrypting the content is not quite complete privacy, it's a great step on the way to getting there.
The other way around, hiding the metadata first, or perhaps both at the same time, seem a lot harder to accomplish widely.
So even if you're technically right, getting the public in the habit of using GPG, is not a waste of time, it's just that for some crazy reason common usage of strong crypto is so far behind the times they are going to need several steps to catch up with technology.
> Is there a standard email header that advertises "you can reply back to me with a PGP encrypted email encrypted to key ID X and I'll be able to read it automatically"? If not, somebody should propose one. Public keyservers exist so I see no reason a simple header like this wouldn't suffice.
that's a great idea. anyone know if something like this does not already exist?
(and I'm not entirely sure if those key-ID's are sufficiently unique and/or secure, but you can put more than just the ID in such a header to fix that)
True, but key-pairs pretty much cryptographically tie a real person to an online identity, and so that makes meta-data more valuable, and makes "give us your keys or go to jail laws" more scary.
So, picking the metadata battle:
It's straightforward from the command line to email crypto-content to your desired addressee while emailing (spamming?) to a few more auto-generated others. These newly (if functional) spammed others would value your contact, as it provides them with a participating valid email account, so `spamee' can now also `shotgun' emails to more addressees further obfuscating his intended addressee(s).
If this became popular, universal, the graph of all our email metadata (nodes?) becomes chaotic.
The timestamp metadata? Send to subset random sampled addressees over set random offset ranges.
The SUBJECT: header could be automated to filter through all this new junkmail.
What else, hmmmmnnn...
Sure. Completely agree.
> (and I'm not entirely sure if those key-ID's are sufficiently unique and/or secure, but you can put more than just the ID in such a header to fix that)
Note that a key ID is just the last characters of the fingerprint. If you want a more secure key ID, just use a longer piece of the fingerprint (which is a valid longer form of key ID that gpg will Just Work with).
cool, I was hoping it would work something like that :)
They aren't: http://www.asheesh.org/note/debian/short-key-ids-are-bad-new...
If there's enough people who care, then hopefully network effects would slowly take care of the rest.
the same way governments / politicians / mass media do it: you make them care.
it's a sad fact of humanity that most people will care about whatever they are told to care about, or rather, whatever their peers are perceived to care about.
right now there is a window of opportunity for privacy to stand in the public eye's spotlight, fighting a (very real) fight against the encroaching forces of totalitarianism.
you ask what to do. how about anything you see an opportunity to. educate your friends about privacy, about what is going on, about what the dangers of surveillance are, or perhaps educate yourself about using GPG, get the hang of it together with a few other techie friends, so that you can explain it to more people (because it's really not that complex, if someone walks you through it), if you have a brilliant idea write some code, etc. and also, delete Facebook?
> Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.
This is an inaccurate distraction in your comment.
With that in mind, it is worth noting that the two authors of this piece are NOT professional journalists, although what they report could and should easily have been put together by actual staffers.
NYT front page on June 20, 22, 24, 25, 26 -- five out of the past 7 days. Plus a front page mention on June 23. I know you don't mean your comment literally, but I think there's been a lot of coverage. There's some criticism that the stories of late tend to focus more on Snowden, but his part of the story is the only thing that's had material developments in the past week.
http://www.nytimes.com/images/2013/06/26/nytfrontpage/scan.p... (et al)
Does the lack of new information from the US government mean that there are no new "material developments" in the story? Considering the damaging revelations in these leaks (misleading congressional testimony? private contractors with access to dragnet surveillance systems?), it is not plausible to claim there is no investigative journalism to do. That it has taken two outsiders to write a piece sensibly critical of the administration and unconstitutionality of data-vacuuming is utterly damning.
1. As of right now, the story is linked to on the front page in the Opinion box since this is an opinion piece and not a news piece. If you want opinion as news, I refer you to Fox News or Buzzfeed or Upworthy.
2. The story of the NSA surveillance was front page on the NY Times when it broke and for about a week or two after.
3. The Mainstream media has been reporting on this consistently, both on the Snowden drama and the actual substance of his leaks.
It's sad to see both longer-time and newer users running around with this chicken little reddit-level bullshit. The mods seem to be complicit in it so oh well. The upside is that I waste less time here.
All "news" is someone's, or a group of someones, opinion. There's no such thing as objective journalism.
> chicken little reddit-level bullshit
It's only been a couple of weeks since people became aware that the largest spy agency in the world is spying on pretty much anything they can get a bead on.
Perhaps cutting people some slack until 24/7 surveillance becomes the New Normal might be in order?
There is definitely such a thing as reporting the facts, and just because there are levels of opinion doesn't mean that all outlets of journalism are somehow comparable. Fox News != Anyone with credibility.
There are very few mainstream sources that have a shred of credibility left. I see little qualitative difference between Fox and CNN, for instance. They only differ in style and delivery but their main entrees are still lies and rubberstamped government press releases.
I could report how many murders were caused by black people,
how many robberies by mexicans,
and how much drugs by asians,
Then how many illegal immigrants entered the country this month.
All fact, no opinion?
There is in fact a very distinct difference between opinion articles and 'proper' news articles. You see, journalism is not a claim to objective truth, but a procedure aimed at achieving a minimum level of validity where it comes to events. When you read a news article, you should (to some extent) be able to trust its contents on the merits of the journalistic method. Whereas with an opinion piece, it's not bound by this procedure. Note - nobody is arguing 'absolute objectivity' here. It's a matter of trust in a procedure.
Of course, it's fine to distrust the journalistic method, to not see it as absolute truth, but to deny or entirely dismiss the distinction is annoyingly daft.
Also, afaik, this story is still everywhere. If you want it to remain that way, start working for change - newspapers report on events, not 'the truth'. Make events happen, and it stays in the cycle.
You're welcome to your opinion.
There is no doubt in my mind which team the NY Times is batting for.
The last time this story was front page news for the NYT was June 23, when they reported on Hong Kong officials letting Snowden go. On June 22 they reported on Snowden being officially charged. And prior to that on June 20, when there was a story about the "complex reality" of Silicon Valley. All of these stories are sympathetic in tone and focus to the administration. Is anyone really going to characterize them as hard-hitting investigative reporting on the substance of the allegations?
There is no lack of investigative reporting that could be done on this story (most obvious question: did Congress intend to authorize warrantless dragnet surveillance), some of which is happening elsewhere, making it hardly a paranoid leap to point out that NYT coverage has been muted and uncritical at best.
* did Congress intend to authorize warrantless surveillance when it passed the legislation being used by the NSA to justify its current policies and wrap them in a cloak of legality?
* which of the leaked materials w/r/t NSA surveillance can and should be considered highly-classified? What is the national security justification for keeping these materials out of public view?
* if Snowden was in a position of administrative privilege that gave him access to highly-sensitive materials without reasonable oversight, why was he employed by a private-sector company? What are the implications of this for FOIA requests, administrative costs, government transparency and checks against potential abuse? (seriously... what on earth is B.A. doing in this story?)
* do the stories released by the NSA to justify warrantless surveillance really justify the actions taken in the light of the law? i.e. is stopping a cab driver from sending 8k to Somalia really the sort of urgent and time-sensitive national security concern that should preclude the government from spending a day or two to get a targeted warrant?
Regardless of whether we agree or disagree on what a reasonable person would conclude on these questions, it seems self-evident that these questions are much more important than most of what the NYT has treated as front-page news on the subject matter.
The bans in the foreign nations could easily stem from foreign business owners pressuring their politicians to ban American-operated companies under the guise of national security, privacy, and anti-American-power-mongering, but their real motivation will be to gain market share. Their politicians can easily make it into a win-win for everyone involved - the politicians (campaign contributions), the local businesses (market share), and the population, who wouldn't mind seeing a global anti-America movement.
Sure it'd be hypocritical, but when did that stop anyone?
There's bound to be a lot of high level execs at European companies whispering in their governments' ears at the moment about how this is putting them at a substantial disadvantage, whether or not they believe it to be true.
That will probably not happen.
But what will happen, and have a small but ultimately significant effect, is that American companies will lose some contracts, by the narrowest of margins in a decision... contracts they would otherwise have won by the narrowest of margins... due to the fallout from the NSA surveillance scandal.
Americans can't grasp this because they never experienced it, that's why you need to talk to people who did, otherwise your children will be sorry.
I don't see how any of the Court Cases listed on the wikipedia article are relevant. These all seem to relate to truly political things, like which branch has what authority, or how districts are apportioned. The article only cites 5 areas the courts have clear precedent on - wars, treaties, gerrymandering, impeachment, as well as the Guarantee clause. The Guarantee clause relates to Article 4 though, not Amendment 4.
If we are construing this NSA wire-tapping as a war power, then we're in trouble, because we have now effectively agreed the written words of the Patriot Act have no meaning, and the constitution will never be applied uniformly to the executive.
I might note in passing that I favor a constitutional amendment that would create an explicit right to privacy; I'm not in favor of a surveillance state. But that doesn't alter my skepticism about how a class action lawsuit would actually fare in the courts.
And you know who the perfect people to decide that would be? Judges. In a court of law. Since that's one of their main job functions.
I fucking love changing my mind, but it takes actually convincing me, not simply argument from authority without even any credentials given. "Go read a bunch of books" is bad form (doubly so with no particular recommendations) - I have plenty on my reading list as it stands.
The beginning of the article on standing does raise questions I hadn't thought about. How would you decide the penalty for something with the potential for abuse? Just because the NSA is storing the largest ever collection of personal info with potential for blackmail, election skullduggery, stalking, identity theft, etc. doesn't mean that those things would happen. If all their data centers were hit by EMPs tomorrow, there may be no injury.
It would seem that when information which would indicate standing is itself concealed, though, that the threshold should be lower. Eh, I'll keep reading.
More worrying, the NSA could abuse this by listening to whatever they liked, then getting information by other means, then lying about listening. And we certainly already know that the NSA is capable of lying and willing to do so.
"We may never know all the details of the mass surveillance programs, but we know this: The administration has justified them through abuse of language, intentional evasion of statutory protections, secret, unreviewable investigative procedures and constitutional arguments that make a mockery of the government’s professed concern with protecting Americans’ privacy. It’s time to call the N.S.A.’s mass surveillance programs what they are: criminal."
Fatal bug throughout the whole `stack'?
Are these lawyered authors actually telling us the rudder is gone and the entire hull rotten?
Respect for civilization's eyes covered verdigris bronze lady holding up scales.
"... Prism is further proof that the agency is collecting vast amounts of e-mails and other messages — including communications to, from and between Americans."
??? PRISM was the one thing I stopped being worried about as soon as I figured out what it was. The government has always been able to subpoena a third-party for records pursuant to an actual investigation, and even Google seemed to be satisfied with the idea that specific PRISM requests have been legal (even if they forced NSA to get a real warrant first).
Other things may indicate NSA is hoovering emails like a Mob boss hoovering blow but PRISM isn't one of them. PRISM has to be turned on to acquire data, unlike other NSA SIGINT this one's not actually magic.
I'm kind of disappointed by the opinion piece because if they only took efforts to be factual they would probably be able to make a much more persuasive case (e.g. by bringing up Carnivore or 641A-style data interception instead of a system that queries specific individual users one-at-a-time).
And the PRISM document says it is "the number one source of raw intelligence used for NSA analytic reports". Doesn't that mean that PRISM is the majority source of those 3 billion data elements?
And why did Page, Zuckerberg and Apple say they never heard of PRISM? Perhaps I am wrong but it's somewhat confusing!
> And why did Page, Zuckerberg and Apple say they never heard of PRISM?
Because PRISM is the name for the NSA end of that service and associated data tools. The company end of that service would be whatever they called the system they use for FISA warrant/NSL compliance.
I agree that it's time to take the US government to task over this. How does that happen? A civil suit, a private prosecution?
 http://joe-jordan.co.uk/blog/2013/06/tinker-tailor-whistlebl... (hacker news comments: https://news.ycombinator.com/item?id=5945185 )