NSA Email Surveillance Pervasive and Ongoing

dkleinsc writes "The NY Times has a piece about work being done by Congressman Rush Holt (D-NJ) and others to curb NSA efforts to read email and Internet traffic. Here's an excerpt: 'Since April, when it was disclosed that the intercepts of some private communications of Americans went beyond legal limits in late 2008 and early 2009, several Congressional committees have been investigating. Those inquiries have led to concerns in Congress about the agency's ability to collect and read domestic e-mail messages of Americans on a widespread basis, officials said. Supporting that conclusion is the account of a former NSA analyst who, in a series of interviews, described being trained in 2005 for a program in which the agency routinely examined large volumes of Americans' e-mail messages without court warrants. Two intelligence officials confirmed that the program was still in operation.'"

SMIME

[iluvcapra]

You don't have to wait for government action to keep the NSA from reading you personal email. Get your friends and family a Freemail x.509 cert from Thawte (no cost, a Verisign cert costs $30/yr) and use S/MIME.

Re:SMIME

[sshir]

The problem is - almost nobody uses this. So you can be singled out on that fact alone.

As a poor man's solution, one can use Gmail over https (they have that option now): in my case all my friends have gmail accounts. It's not easily accessible to the government (assuming google's internal traffic is not tapped). This of course exposes you to Google, but at least there is a good chance, that it's not subject to warrantless wiretaps.

On top of that you can encrypt so google is off too.

My Dearest NSA,

[Bob9113]

My Dearest NSA,

Allow me to use, for the first time in my life, a turn of a phrase that I generally find to be rather repugnant:

If you fear freedom so much, why don't you move to Iran?

This country is for people who love freedom. Who are willing to risk their lives for it. You scared, little, cowards -- shivering in your pajamas at night wetting your bed because you don't know everything I am thinking, all the time -- have no right place in this, the Founding Fathers' most extraordinary experiment.

You think you are more trustworthy than The Constitution? I do not trust you as much as the average crazy screaming panhandler on the corner, let alone as much as the average free American Citizen. You are too scared to be trusted. Scared people act unpredictably. And certainly I do not trust you as much as what is perhaps the most inspired legal document in history.

You are the threat to the American way of life. Not us. Your cowardice eats away at us, and our great society, like a disease. If you can't handle freedom, move to a master planned community with big gates, or even one of the many authoritarian regimes around the world. But don't shit all over what makes this country great just because you can't handle freedom.

Re:SMIME

[secondhand_Buddah]

I hate to burst your bubble. But the NSA have full access to the keys. Why do you think Mark Shuttleworth (Now of Ubuntu fame) was paid US$ 575 Million for Thawte? Becuase he controlled a sizable portion of the market, even though physically it was a very small operation.
There is a whole history here but in short, Verisign was started by several ex CIA directors shortly after the Clipper chip program failed. The Clipper chip was an encryption chip designed to handle all encryption. In short the CIA would legally be able to access your keys on the chip. there was a public outcry and the program was shelved. No one expected Mark Shuttleworth to gain such a large portion of the market so rapidly, so they paid him a small fortune to get full control of the market. So basically if you want to rely on personal encryption, use PGP, because certs from Thawte and Verisign are not secure from the prying eyes of government agencies.

Re:Oh, quit whining

[houstonbofh]

Maybe if your political system was proportional instead of based in electoral circles, there wouldn't be the duopoly of two parties that alternate in power with no significant difference between them.

That is only for one position in government. A powerful one, yes, but one that would be limited by a Libertarian congress, for example.

Why doesn't every email client have PGP built-in?

[Anonymous Coward]

I do not understand why major OS vendors don't make an effort to seamlessly integrate PGP into their email clients.

Re:Oh, quit whining

[CarpetShark]

The way to stop it is to PARTICIPATE in the political system

Hardly. The reason people put up with the current system is that they believe most people are in favour of it, and they, being reasonable people, have no right to go against the majority. When most people reject the system, giving voter turnout of around 20%, then any government elected by it will clearly be illegitimate, and therefore citizens will feel justified in sitting down to discuss a new system.

You can rarely replace a system by participating in the system you want to replace. It's like trying to upgrade windows to unix by running windows programs.

Re:Oh, quit whining

[bcrowell]

Start firing congressmen and senators in significant numbers, and things will change. Otherwise, quit the damn whining.

I live in Orange County, California, which is famous as a bastion of Reagan-style conservatism. In the last general election, my congressman, Ed Royce, outdid his Democratic opponent in fundraising by more than 10 to 1, and won with 67% of the vote. Your prescription is not going to work here in my district. Vote the bum out? If you tell my neighbors that the NSA is reading people's email, they'll probably say that's great, because it's a good way to fight terrorism. My district isn't unusual, either. The reason incumbents in the US almost always get reelected is that we have a two-party system with geographically defined election districts, and party loyalty is highly correlated with geography.

It's a majoritarian fallacy to say that if the minority's rights are violated, the minority should just vote to have them not be violated anymore. The reason we have a constitution is to protect the rights of the minority, even when violating them is a very popular, majority position.

Re:What about spam?

[sshir]

And not just "profiling".

What happens is that they (NSA) DoS-ing investigative resources. FBI and such have only so many men in the field to check the facts. As a result, the ability (probability) to identify true threats goes way down.

The same goes for other after 9/11 security "improvements" like, for example, indiscriminate "deep background investigation" of immigrants - the queue became so long, that it takes years now (not shitting) to get men from "interesting" countries checked! And I'm not talking about nutcases holed up somewhere in Pakistan mountains - I'm talking about people who already walk the streets of the US!

Too bad we don't know how to imitate free market's ability to optimally allocate resources in rigid government setups...

How about regular mail?

[Sqreater]

I offer these comments in the spirit of participating in a robust public discussion about a current issue of public concern: privacy before goverment secrecy. Don't blame me for being an American. Further, no insight is based on inside information, of which I have none.

NSA might be (probably is) archiving the outside of every piece of mail being processed through the United States Postal Service today. This would NOT be done by the USPS, which legitimately uses the info to route mail, then discards it normally. The data would be siphoned off and stored elsewhere in my opinion. The only place with the desire and the capacity would be the NSA. This may be legal under current law as law enforcement already can record the cover of your mail. But I'm not a lawyer. Imagine, storing two-hundred billion images a year in grayscale! Imagine if they could data mine that massive database! It could be worth billions to commercial interests nationwide. Imagine if they could kick in your door in the middle of the night because of a pattern in your received mail.

"The arbitrated result is sent back to DIOSS 1 . If the image was read successfully and a ZIP+4 delivery point identified, DIOSS 1 sends a signal to image server 8 instructing it to discard or archive the grayscale image saved for that mail piece. Information obtained from the image data, typically a header including destination information and a copy of the binary image data, is transmitted to a storage and transfer processor (STP) 4 . In the majority of cases, image data for mail pieces will be resolved and a sorting decision made at DIOSS 1 , and a POSTNET bar code label will be printed on the mail piece in DIOSS 1 in real time. The ability to archive the grayscale image may become increasingly important for forensic reasons in the event of a bio-terrorist attack. According to a further aspect of the invention, all of the sorter machines used by the USPS forward their archived image data (binary, grayscale/color, or both) to a central database which stores the image for a period of time, along with identifying information (destination address or ID number), the date and time of processing, and the identity and location of the sorting machine that handled the mail piece. This data, extremely large in volume, would be saved for a period of time before being discarded, anywhere from several days, a month, or a year or more depending on storage capacity available. Law enforcement officials working on a case wherein contaminated letters were sent through the mail could thereby determine accurately where the mail piece was processed so that decontamination can be carried out and any patterns of mailing used by the perpetrator can be analyzed.(my emphasis)

From here: http://www.freepatentsonline.com/7145093.html [freepatentsonline.com]

Re:Oh, quit whining

[arb phd slp]

Bullshit. You're like the elephant who remains constrained by the tiny piece of rope tied to a stake. If you want to use "I can't afford it" as your rationalization for not being involved in the governance of your community, go ahead and do that, but it is only as much of an obstacle as one thinks it is.

I spent about $750 on a campaign for state legislature... and every evening and weekend from June until October. I didn't spend that time raising money, I spent it talking to my neighbors. In the process, I met a couple of people who are in Congress now. They didn't have any money. I also saw candidates going down in flames to candidates who spent a third of what they did.
I think it is giving up evenings and weekends to do political things that makes good people (especially most here) not want to do it. I mean, my bread beats rubbery chicken at the VFW and Rotary and the circuses are on TV.

Re:SMIME

[secondhand_Buddah]

Well firstly, the keys are generated by a trusted third party (Verisign or Thawte). What makes RSA encryption feasible is the concept of a trusted third party (TTP) . The TTP issues you your private key, and so of course they have a copy of it.
You can of course set up your own RSA key server. Its pretty easy to do, but that means that you are your own TTP which is fine for internal security, but definitely does not work on a public network for encryption where parties need to be identified.

Re:What about spam?

[ca111a]

from "interesting" countries

I wasn't from an "interesting" country, still took them 2.5 years. The only "interesting" part was - I had to pay hundreds every year for work permit extension. And it's even more expensive now. Immigration process is broken, but nobody care since immigrant cannot vote for at least 5 ears. Poor FBI is swamped with that kind of bs. The VCF [wikipedia.org] would probably help, but we all know where it all went. They should have just asked all the programmers waiting for their background check to contribute some time to that project, that might have saved it...