That would be helpful but ultimately will not address this as it needs to be made clear to governments that they are not welcome in our private lives except under cover of a specific investigation and public warrant. Encryption would be helpful but if the government compels your email provider to hand over your stored emails or just email headers they can still get a lot of information about you even if you always use encryption to send/receive and try to encrypt content that you send. Even just your IP logs tell a tale of your location potentially over your entire life.
In addition to things you control there are many sources of metadata (phone records, bank records, online services, shopping records, web searches/visits, forum comments, unencrypted emails from companies and others) which are really intrusive if made public in aggregate, and with the recent assertion by the US administration that all these records have no expectation of privacy (because you shared them with someone or a company), encrypting just your emails will seem like a hollow victory when the government can collate and analyse all of your activity, online and anything offline which leaves a digital trail, for your entire life.
I do wonder whether the coming of age of a new generation, and the discovery of this widespread invasion of privacy in the name of fighting terror, will erode still further the allegiance to national governments we still feel and lead to supra-national collectives on the internet having more and more sway in our lives. After the hubristic actions of our governments and their pretentions to omniscience about our lives ('mastering the internet', 'total information awareness' etc), our interests as citizens seem to me much closer aligned with other users on the internet and far less aligned with either corporate or national interests.
Encryption would be helpful but if the government compels your email provider to hand over your stored emails or just email headers they can still get a lot of information about you
Exactly, this the line that the government has currently been using, that they only store "metadata" about communications and not the messages themselves, so encryption would no real difference.
Beginning? You guys do really think you are free lol? Just because you can choose one of gazillion same bubble gums is not freedom! Try to change important things (like your government) and you will see that you already live in tyranny.
I don't entirely disagree with you. (I am not from the US, by the way). The developments in the US when it comes to justice, liberty and surveilance frighten me. From my point of view, the United States is fullfilling more and more of the requirements of a totalitarian regime.
I should probably be keeping my mouth shut regarding my opinions on US politics, since I'm visiting in a few months. Would be embarrassing to be confronted with this stuff at the border.
It's not perfect, but I think the first step to widespread crypto adoption is getting people accustomed to the workflow of fully encrypted email. Phoneme + mailvelope is not a huge jump from the current gmail experience and just that initial taste might be enough to get more people on the right track.
Cool project, you seem talented... I'm just a bit confused here.
If we basically know several governments already have copies of your historical gmails, and you're not securing the incoming channel (which we basically know has a beam splitter on it), what good does encrypting the historical files do?
We don't know for certain that several governments have archived stored copies of all cloud based email in existence, it's hazy as to what they do and do not have access to, what isn't hazy is that they have the right to demand the content of any given gmail account with effectively zero recourse available.
The very fact that they actually do make these demands indicates on balance of probability, they don't actually just have an archived permanent copy of the content of every gmail account in existence. Why ask for what you already have?
Of course, that's an assumption and it may be incorrect. However on the downside if it is incorrect, you're back in the exact same position you started in and you've lost nothing anyway. And as previously stated, it might get people in the habit of understanding how PGP works if mailvelope and products like it see wider adoption.
In a network of correspondents where everyone is running something similar to mailvelope + phoneme, it becomes an obvious thing to do to simply implement proper end to end PGP, so I also hope it might be a solution to the chicken and egg problem which has plagued PGP deployment for so long.
It can never hurt to fight, even if you might lose, especially when if you don't fight, you'll definitely lose.
While I agree with the sentiments, Google most likely does not delete the unencrypted mail, so even if the government hasn't stored the content of the mail they will just request copies of all your deleted mail too.
Certainly going forward it would be a good thing to do, but really (as you say) end to end encryption is required. It's a shame Hushmail was compromised [1], this is the type of thing if it was built into GMail would push encryption to the masses - I realise it's not in Google's interest or business model though.
With the smart phones being SUCH an integrated part of our lives now, this also makes it VERY difficult to keep your email with you on the go since the mailvelope plugin is only desktop based.
Shame. We have the tools, I hope we get better integration soon.
Note response;
Unfortunately, once you have permanently deleted a message from Trash or Spam using "Delete forever," it cannot be recovered. Google complies with data privacy legislation. As a result, our systems are configured in a way that it is infeasible to restore user-deleted data.
Sure, they could be lying, but they could also be telling the truth, and if we assume they are then there is an advantage in keeping a fully encrypted store rather than plaintext. Google has given us no reason to believe that they are directly untrustworthy unless they are actively compelled by law to act in user hostile fashion, and they do not seem to enjoy it.
Personally I'm far more concerned about the state as a hostile entity than Google.
> With the smart phones being SUCH an integrated part of our lives now, this also makes it VERY difficult to keep your email with you on the go since the mailvelope plugin is only desktop based.
I make reference to this on the project page, there's APG which is PGP for android, makes reading / writing / signing PGP possible on mobile http://www.thialfihar.org/projects/apg/.
> Shame. We have the tools, I hope we get better integration soon.
I hope the same, I kind of see this as pushing the issue, we'll see where it goes.
I was hoping someone far more talented than me would write a browser plugin that would encrypt everything I type in a TEXTAREA with GPG, and then prompt me for a list of friends I'd like to have read that text.
Everything, from Facebook to Gmail, would be encrypted that way. And I would be in control of the list of people that could read that text.
This moves the burden to your local machine, which, while not guaranteeing privacy, helps reduce the amount of data that you're just handing to the bastards.
Hardly solved. I want it to be so simple the average Facebook user will want to use it.
Emacs hardly fits that bill. Nor does popping up any other editor I think.
I would just like to use the native browser interface and right before doing a POST, have the browser do a pop up and ask me which of my friends I would like to share the text with.
Just a small quibble, if you're typing in the textarea the website or any other extensions you have in your browser could spy on the plaintext as it is being typed. A secure browser extension would have to call an external program, let you type and encrypt your message in there, and then deposit the encrypted message back into the textarea.
I agree with this but why not take it a step further? We're hackers, working on tools/applications that facilitate the transfer of information - why don't we implement encryption from the get-go? There wouldn't be a need to 'popularize' something exists by default.
GnuPG/PGP are fairly trivial to implement; here's some apps that are ripe for production:
- Messaging application that exchanges public keys on first contact, and henceforth every back and forth message is encrypted/decrypted without the user ever knowing
- An email client that works on the same basis as the messaging application; the user doesn't need to know - they just wanted their messages sent securely.
^^ Thats probably 90% of the uses cases for the average joe covered.
Governments can still gather the metadata of encrypted emails. Both PGP and S/MIME do not encrypt the subject line, sender or recipient addresses.
To use encrypted email and hide the subject line, you need to not use it (just say "Encrypted email") or something. This cannot be made automatic without impacting UX.
The To: header fundamentally cannot be removed. The sender can be inferred from the account within the email provider supplying the Government's feed.
I like the idea for MUAs to automatically encrypt after a mutual automatic key exchange though. I think PGP would be more suitable for this (no CAs required). Is there a standard email header that advertises "you can reply back to me with a PGP encrypted email encrypted to key ID X and I'll be able to read it automatically"? If not, somebody should propose one. Public keyservers exist so I see no reason a simple header like this wouldn't suffice. The rest is MUA implementation.
> Governments can still gather the metadata of encrypted emails.
True, but don't throw out the baby with the bathwater right away. I know metadata is at least as sensitive as the actual content, but you need to pick your battles. If we get people to widely use GPG to encrypt the content of their emails, that is already a huge win. Why? Because they're now using a public/private key infrastructure. And as you are probably well aware, as soon as everyone involved has secure private keys, implementing all sorts of nifty crypto strategies to hide pretty much whatever you want, is just a matter of adding protocols. And that can be done pretty transparently, if only the intended users would already be using keypairs for identity management. So, IMO, even if just encrypting the content is not quite complete privacy, it's a great step on the way to getting there.
The other way around, hiding the metadata first, or perhaps both at the same time, seem a lot harder to accomplish widely.
So even if you're technically right, getting the public in the habit of using GPG, is not a waste of time, it's just that for some crazy reason common usage of strong crypto is so far behind the times they are going to need several steps to catch up with technology.
> Is there a standard email header that advertises "you can reply back to me with a PGP encrypted email encrypted to key ID X and I'll be able to read it automatically"? If not, somebody should propose one. Public keyservers exist so I see no reason a simple header like this wouldn't suffice.
that's a great idea. anyone know if something like this does not already exist?
(and I'm not entirely sure if those key-ID's are sufficiently unique and/or secure, but you can put more then just the ID in such a header to fix that)
> I know metadata is at least as sensitive as the actual content, but you need to pick your battles. If we get people to widely use GPG to encrypt the content of their emails, that is already a huge win. Why? Because they're now using a public/private key infrastructure. And as you are probably well aware, as soon as everyone involved has secure private keys, implementing all sorts of nifty crypto strategies to hide pretty much whatever you want, is just a matter of adding protocols. And that can be done pretty transparently, if only the intended users would already be using keypairs for identity management. So, IMO, even if just encrypting the content is not quite complete privacy, it's a great step on the way to getting there.
True, but key-pairs pretty much cryptographically ties a real person to an online identity, and so that makes meta-data more valuable, and makes "give us your keys or go to jail laws" more scary.
A PGP key is generally tied to an email address. So autogenerating PGP keys per-email-address surely doesn't tie anything to a real identity any more than an email address already does?
> I know metadata is at least as sensitive as the actual content, but you need to pick your battles.
So, picking the metadata battle:
Its straightforward from the command line to email crypto-content to your desired addressee while emailing(spamming?) to a few more auto-generated others. These newly(if functional) spammed others would value your contact, as it provides them with a participating valid email account, so `spamee' can now also `shotgun' emails to more addressees further obfuscating his intended addressee(s).
If this became popular, universal, The graph of all our email metadata (nodes?) becomes chaotic.
The timestamp metadata? Send to subset random sampled addressees over set random offset ranges.
The SUBJECT: header could be automated to filter through all this new junkmail.
> If we get people to widely use GPG to encrypt the content of their emails, that is already a huge win.
Sure. Completely agree.
> (and I'm not entirely sure if those key-ID's are sufficiently unique and/or secure, but you can put more then just the ID in such a header to fix that)
Note that a key ID is just the last characters of the fingerprint. If you want a more secure key ID, just use a longer piece of the fingerprint (which is a valid longer form of key ID that gpg will Just Work with).
> Note that a key ID is just the last characters of the fingerprint. If you want a more secure key ID, just use a longer piece of the fingerprint (which is a valid longer form of key ID that gpg will Just Work with).
cool, I was hoping it would work something like that :)
Cypherpunks have already created a solution, http://mixmaster.sourceforge.net/ and similar remailers, but similar technology needs to be incorporated into easIEST to use tools.
You can't do almost all of the things (facebook, gmail, etc) that the public has become very accustomed to and relies on as everyday conveniences with end to end encryption. Perhaps with some massive backing of major corporations and decades long education efforts you could make a little headway into surveillance-proofing all communications
By making the solutions so simple that they pick them because they don't care either way, but make it slightly more annoying for people still on non-end-to-end crypto services to communicate with those who are.
If there's enough people who care, then hopefully network effects would slowly take care of the rest.
> How do we do that when people don't care about privacy?
the same way governments / politicians / mass media do it: you make them care.
it's a sad fact of humanity that most people will care about whatever they are told to care about, or rather, whatever their peers are perceived to care about.
right now there is a window of opportunity for privacy to stand in the public eye's spotlight, fighting a (very real) fight against the encroaching forces of totalitarianism.
you ask what to do. how about anything you see an opportunity to. educate your friends about privacy, about what is going on, about what the dangers of surveillance are[0], or perhaps educate yourself about using GPG, get the hang of it together with a few other techie friends, so that you can explain it to more people (because it's really not that complex, if someone walks you through it), if you have a brilliant idea write some code, etc. and also, delete Facebook?
In addition to things you control there are many sources of metadata (phone records, bank records, online services, shopping records, web searches/visits, forum comments, unencrypted emails from companies and others) which are really intrusive if made public in aggregate, and with the recent assertion by the US administration that all these records have no expectation of privacy (because you shared them with someone or a company), encrypting just your emails will seem like a hollow victory when the government can collate and analyse all of your activity, online and anything offline which leaves a digital trail, for your entire life.
I do wonder whether the coming of age of a new generation, and the discovery of this widespread invasion of privacy in the name of fighting terror, will erode still further the allegiance to national governments we still feel and lead to supra-national collectives on the internet having more and more sway in our lives. After the hubristic actions of our governments and their pretentions to omniscience about our lives ('mastering the internet', 'total information awareness' etc), our interests as citizens seem to me much closer aligned with other users on the internet and far less aligned with either corporate or national interests.