09 January 2009

Email Security

Apparently as of March the government will be requiring ISPs to keep email traffic for a year for use by police and security services.

Yes, it's another of those cases where we have to work out whether we're more appalled by the government's viciousness or by its stupidity.

Here's a little primer in email for novices and government ministers:

The Internet, the Web, and email are three different things.  The internet is a network that can carry data.  The Web is a lot of servers which provide hypertext and media over the internet in response to requests.  Email is an addressing system and message format by which messages can be sent between users over the internet.

ISPs provide internet service.  Sometimes they also provide web or email services over the internet as an add-on, and sometimes they don't.

It is quite possible to send and receive email messages without one's ISP even being aware of the fact.  Indeed, most people do.  If you have a large site, you probably run your own email servers.  Your emails go over your ISP's internet service, but do not use your ISP's email service, even if it has one.

Conversely, if you use webmail, your email does not reach your network in the form of messages - only web pages.  Your messages originate or terminate with your webmail provider, who may well not even be in this country.

Only if you use the old-fashioned POP3+SMTP setup, or your ISP's webmail service, will your ISP see your email as email.  In some cases it might be possible for them, by searching your entire network traffic, to identify and extract email from your network flow.  That involves a whole lot of processing that they would otherwise not need to do.

If you use an offshore webmail provider, they can't even do that, because the traffic between you and the webmail provider is encrypted.

I don't actually know whether Google, Yahoo and Microsoft, the biggest webmail providers, have mail servers in this country.  I suspect not.

Note that if you use email encryption, as I recently recommended, you are still leaving a trail of who you sent mail to and when.
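To make that concrete, here is an added example (my own illustration, not code from the original post) using nothing but Python's standard email module on a constructed PGP/MIME message with placeholder addresses and a dummy ciphertext block.  It pulls out what every relay on the path, your ISP's mail server included, can still read when the body is encrypted: the From, To, Cc, Date and Subject headers and the Received: trail of hosts that handled the message, while confirming that the body itself is only an opaque armored blob.

```python
"""Which parts of an OpenPGP-encrypted email stay readable to every relay.

Added example, not from the original post.  The PGP/MIME message below is
constructed for illustration: addresses, hostnames, IPs and the ciphertext
block are all placeholders, not real message or key material.
"""
import email
from email.message import Message

# Constructed sample: a PGP/MIME (RFC 3156) message as a relay would see it.
# Two Received: headers record the hops so far; the body is a fake armored block.
SAMPLE_MESSAGE = """\
Received: from mx.isp.example (mx.isp.example [192.0.2.10])
\tby mail.recipient.example with ESMTP id EXAMPLE1; Fri, 09 Jan 2009 10:15:02 +0000
Received: from [192.0.2.55] (client.isp.example [192.0.2.55])
\tby mx.isp.example with ESMTP id EXAMPLE0; Fri, 09 Jan 2009 10:14:58 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Cc: Carol <carol@recipient.example>
Date: Fri, 09 Jan 2009 10:14:55 +0000
Subject: Meeting notes
Message-ID: <20090109101455.example@sender.example>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="boundary42"

--boundary42
Content-Type: application/pgp-encrypted

Version: 1

--boundary42
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA0placeholderCiphertextNotRealBase64Data0123456789abcdef
=abcd
-----END PGP MESSAGE-----

--boundary42--
"""

# Headers that PGP/MIME leaves in the clear: who, to whom, when, and about what.
CLEAR_HEADERS = ("From", "To", "Cc", "Date", "Subject", "Message-ID")


def parse(raw: str) -> Message:
    """Parse a raw RFC 5322 message exactly as a mail relay would."""
    return email.message_from_string(raw)


def visible_metadata(raw: str) -> dict:
    """Headers any relay (the ISP included) can read even though the body is encrypted."""
    msg = parse(raw)
    return {name: msg[name] for name in CLEAR_HEADERS if msg[name] is not None}


def relay_path(raw: str) -> list:
    """Hosts that handled the message, oldest hop first, taken from Received: headers."""
    msg = parse(raw)
    hops = []
    for value in msg.get_all("Received", []):
        words = value.split()           # folding whitespace (tabs/newlines) is fine here
        if "by" in words:               # "Received: from A ... by B ..." -> record B
            hops.append(words[words.index("by") + 1])
    return list(reversed(hops))         # headers are prepended, so reverse to get send order


def body_is_opaque(raw: str) -> bool:
    """True if the body is PGP/MIME encrypted, i.e. a relay sees only an armored blob."""
    msg = parse(raw)
    if msg.get_content_type() != "multipart/encrypted":
        return False
    parts = msg.get_payload()
    if len(parts) != 2:
        return False
    control, data = parts
    armored = data.get_payload()
    return (control.get_content_type() == "application/pgp-encrypted"
            and armored.lstrip().startswith("-----BEGIN PGP MESSAGE-----"))


if __name__ == "__main__":
    for name, value in visible_metadata(SAMPLE_MESSAGE).items():
        print(f"{name}: {value}")
    print("relay path:", " -> ".join(relay_path(SAMPLE_MESSAGE)))
    print("body readable by relays:", not body_is_opaque(SAMPLE_MESSAGE))
```

Run it and the output is the point of the paragraph above: the ciphertext hides what was said, but sender, recipients, timestamp, subject line and the chain of servers that carried the message are all plain text, and a retention scheme aimed at "who wrote to whom and when" loses nothing to encryption of the body.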

Attempts to get email out around inspection (without using webmail) are handicapped by measures taken to prevent spam.  It is quite possible to send mail in the same way a large site does - your mail software uses DNS to locate the recipients' mail servers, and then sends them the mail directly.  However, many ISPs for residential users filter out direct email of this sort, and many recipients' spam filters refuse it if it has come from a residential ISP network.  This compromise of the end-to-end principle came in some years ago, and did little harm at the time, but as governments become more nosy, the requirement to pass all emails to your ISP's SMTP server is more of a problem.  It just goes to show how compromising important principles usually has a cost in the long run.

I don't know how well-provided the world is these days with anonymous remailers - they were all the rage fifteen years ago.  It might be possible to use Tor to get email out of the local ISP network securely - I will be investigating both these avenues over the next few days.

None of this is because I have anything to hide in my email traffic.  As I explained previously, the problem is that if in a year or ten years I do, it will be too late.  These channels are awkward to set up, and they have to be done ahead of time.

My GPG key is linked from the sidebar.  Ideally you should get me to confirm the fingerprint in person.  I carry it around with me, so if you meet me it's easy to do.
