The recent decision by a federal judge in Alexandria, Virginia to unseal records of the ongoing case involving Lavabit LLC, a Texas-based email provider allegedly used by NSA-leaker Edward Snowden, has rekindled discussions about email security and privacy.
For those who haven’t been following the case, Lavabit was served with a so-called “pen register” order in June requiring it to record and hand over the sender and recipient of every e-mail, as well as the IP address used to access the mailbox. Complying would have required Lavabit to modify its own software to defeat the security it provides to its customers, so it resisted the order. As the fight progressed, Lavabit was eventually ordered to turn over its SSL private key, which would have enabled wholesale interception and decryption of all data flowing in and out of Lavabit, including email, customer information, and credit card payments. Faced with a $5,000 per day penalty for non-compliance, owner Ladar Levison provided the key and shut down operations, but could not reveal the existence of the secret orders until they were unsealed in October.
While the name of the investigation target was redacted from the unsealed records, it’s obvious that the investigation is related to Snowden’s alleged disclosure of highly-classified NSA documents. Presumably investigators would have liked access to Snowden’s email account and the accounts of people he had been communicating with. However, unlike the vast majority of email providers, it appears that email stored on Lavabit’s servers was encrypted, and neither Lavabit nor US authorities could decrypt it without first obtaining the individual users’ login credentials. The two obvious ways to accomplish that would be for Lavabit to modify its own software to capture the credentials, something it clearly did not want to do, or for investigators to obtain Lavabit’s SSL private key so that they could decrypt all communications between Lavabit and its customers. One caveat a practitioner should keep in mind: the private key is only that powerful when TLS sessions use RSA key transport, as many servers did at the time. With an ephemeral Diffie-Hellman key exchange (forward secrecy) the server key alone cannot decrypt recorded traffic, although whoever holds it can still impersonate the server to new connections.
Levison faced a nasty catch-22: compromise the security of his own systems to comply with a secret government order, knowing that his actions would eventually be revealed if evidence obtained from Lavabit was used in court, or face crippling fines and potential imprisonment. Either way his business was doomed. It’s easy to understand his decision to comply, shut down his business, and seek public discussion of the issue.
Our reliance on email makes this discussion globally relevant and underscores a reality that most of us have ignored for two decades: Email is inherently insecure. If a new electronic messaging service with the same security properties was proposed today, and subject to even the most cursory risk assessment, it would be deemed totally unacceptable for individual, business, or government use. Everyone from individual technologists to national privacy officials would strenuously object and vigorously argue against its use.
While some poorly designed and inconsistently implemented band-aid solutions exist, email provides no useful level of confidentiality, integrity, or authentication. When we send an email we usually do not know the path it will take to the recipient and who can view it along the way. When we receive an email we have no way of knowing who really sent it or if it has been modified in transit. It is trivial for governments, criminals, Internet service providers, and individual system administrators to read, modify, or copy email.
Email has often been described as analogous to a postcard. As a postcard travels through the postal system, anyone with access to the system can read or copy it. However, once delivered the recipient is in control: the recipient can put it on display, lock it up, or destroy it. Our desire to access email from any computer and on our mobile devices means we often leave it in the custody of service providers who have unfettered access and can provide it to third parties without our knowledge. Modern high volume storage systems and routine backups virtually guarantee that copies are made outside our control. We also email things that we would never write on postcards.
In addition to the content of email, we should also be concerned about metadata collection. Aggregated data such as sender and recipient email addresses, the date and time sent, and the IP address of the sender can paint a significant picture. Not only does it facilitate the automated mapping of human relationships, but it also provides insight into a person’s physical location over a period of time. Consider the information your ISP could gather: When you are home or travelling, how many people who use email live in your home, who they email, when, and how regularly. Unlike the content of email, metadata analysis is easily automated and combined with additional data sources.
For a concrete example at the national level, let’s assume that deployed military personnel use email to keep in touch with family and friends. Given a list, gathered over time, of personnel email addresses, and given access to email metadata, it becomes possible to track the movement of military groups worldwide. On a personal level, it’s only a matter of time until criminals use email patterns to identify homes more suitable for burglary due to their owners’ absence.
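To make the metadata point concrete, here is an added example (not code from the original article) of how little effort the analysis described above takes. It runs over a handful of constructed mail-server log lines in an invented format; real MTA logs differ in layout but carry the same fields (timestamp, client IP, sender, recipient). From those fields alone it derives who talks to whom and how often, which addresses share a home or office, when a given person changed location, and which days they were away from their usual IP. All addresses and IPs are documentation-reserved placeholders.

```python
"""
Metadata analysis over constructed mail-server log lines.

Added example, not part of the original article. The log format is
invented for illustration: one line per submitted message,
<ISO timestamp> <client IP> <sender> -> <recipient>.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log. Addresses and IPs are placeholders.
SAMPLE_LOG = """\
2013-06-03T07:12:05 203.0.113.10 alice@example.org -> bob@example.net
2013-06-03T07:40:19 203.0.113.10 carol@example.org -> dave@example.com
2013-06-03T22:05:44 203.0.113.10 alice@example.org -> bob@example.net
2013-06-04T08:01:02 203.0.113.10 alice@example.org -> erin@example.com
2013-06-04T21:30:11 203.0.113.10 carol@example.org -> dave@example.com
2013-06-05T09:15:00 198.51.100.7 alice@example.org -> bob@example.net
2013-06-05T19:45:31 198.51.100.7 alice@example.org -> carol@example.org
2013-06-06T10:02:57 198.51.100.7 alice@example.org -> bob@example.net
2013-06-06T23:11:08 203.0.113.10 carol@example.org -> alice@example.org
2013-06-07T07:55:40 203.0.113.10 alice@example.org -> bob@example.net
"""


def parse_log(text):
    """Return a list of (timestamp, client_ip, sender, recipient) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, sender, arrow, recipient = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected line: {line!r}")
        records.append((datetime.fromisoformat(ts), ip, sender, recipient))
    return records


def relationship_graph(records):
    """Count messages per (sender, recipient) pair: who talks to whom, how often."""
    edges = Counter()
    for _, _, sender, recipient in records:
        edges[(sender, recipient)] += 1
    return edges


def households(records):
    """Addresses that submit mail from the same client IP, i.e. likely share a home or office."""
    by_ip = defaultdict(set)
    for _, ip, sender, _ in records:
        by_ip[ip].add(sender)
    return {ip: sorted(addrs) for ip, addrs in by_ip.items()}


def home_ip(records, address):
    """The client IP the address uses most often; a crude proxy for 'home'."""
    ips = Counter(ip for _, ip, sender, _ in records if sender == address)
    return ips.most_common(1)[0][0]


def movements(records, address):
    """Chronological (first_seen, ip) entries, one per change of client IP."""
    seen = []
    for ts, ip, sender, _ in sorted(records):
        if sender == address and (not seen or seen[-1][1] != ip):
            seen.append((ts, ip))
    return seen


def away_days(records, address, home):
    """ISO dates on which the address sent mail but never from its home IP."""
    days = defaultdict(set)
    for ts, ip, sender, _ in records:
        if sender == address:
            days[ts.date()].add(ip)
    return sorted(d.isoformat() for d, ips in days.items() if home not in ips)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    target = "alice@example.org"
    home = home_ip(recs, target)
    print("relationships:", relationship_graph(recs).most_common())
    print("households by IP:", households(recs))
    print(f"{target} home IP: {home}")
    print("location changes:", [(t.isoformat(), ip) for t, ip in movements(recs, target)])
    print("days away from home:", away_days(recs, target, home))
```

Ten log lines are enough to show that alice and carol share an address, that alice's strongest relationship is with bob, and that alice was away from home on 5 and 6 June. Nothing here touches message content, which is exactly why this kind of analysis scales to millions of mailboxes.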
In addition to metadata, advances in linguistic analysis will increase the exploitation of email content. It would not be difficult to examine email and automatically categorize those in relationships and look for evidence of affairs. Detecting people badmouthing their employer or country is not exceptionally difficult. While a human analyst would need to make the final call, the ability to analyse the emails of millions in search of those vulnerable to bribery or blackmail would be a tremendous advantage to intelligence agencies, organized crime, and unscrupulous competitors.
Much of the world’s email flows through the United States and is stored there by the world’s largest email providers. This gives the US government the ability to access a large percentage of the world’s email. While the US is well within its rights to legislate within its borders, decisions related to communications security have worldwide ramifications as well as the potential to inflict financial damage on service providers. For example, in 1993 the US government proposed the Clipper Chip, an encryption scheme that included a US government backdoor. At least one country called the potential import of products containing the chip a violation of their sovereignty and US manufacturers foresaw significant import restrictions if they incorporated the technology. In this era of economic espionage, governments must consider the interception of their citizens’ email by foreign intelligence agencies a national security concern. Little action has been taken, perhaps because the total absence of email security provides governments with the ability to snoop on their own citizens.
When it comes to securing data there are only two real solutions: Physical possession and encryption. Leaving stacks of electronic postcards in the possession of a third party denies us the ability to protect that information. Search warrants and subpoenas should be served on data owners, not surreptitiously on service providers.
Despite occasional defects, or even alleged backdoors in individual cryptographic algorithms, encrypting data remains one of our best defenses. That the US government went through so much trouble to force Lavabit to relinquish its keys demonstrates that strong encryption works. The technology to protect our email has existed since the early 1990s. Open source and commercial versions of PGP provide end-to-end encryption strong enough to secure the vast majority of personal, corporate, and government email. In the mid-nineties Entrust Technologies, an offshoot of Nortel Networks, introduced leading-edge commercial encryption and key management products that were adopted by only a small number of security-conscious organizations. Many email products contain S/MIME functionality to encrypt and digitally sign messages. One limitation worth stating plainly: both PGP and S/MIME encrypt the message body only, so the headers that make up the metadata discussed above (sender, recipient, subject, and timestamps) still travel and are stored in the clear. But for whatever reason, whether not understanding the risks, apathy, or perhaps even government interference, these features have become neither popular nor easy to use.
One of the painful lessons we have learned since the dawn of the Internet is that, to be effective, security must become core functionality. Optional security mechanisms are seldom engaged. People want to email and surf the web, not deal with security. As a result, unless driven to change, we sink to the lowest common denominator; we send electronic postcards, or worse: Email.