In the old days, before we had computers, the internet and cell phones, how did we communicate? We wrote letters for birthdays, Christmas or just to let the other person know we were still thinking of him. We wrote the letter and sealed it well in an envelope. The letter was dropped in the postbox and transported over several hops to its recipient. In most countries this was a safe way to transmit personal information to someone else. In some countries there were men in grey coats and sunglasses sitting in the post office, opening the letters over steam and checking what people wrote. In countries based on law and justice an order from a judge was necessary to do so; in some other countries this was a standard procedure implemented for persons opposing the local regime. In the so-called “free world” this was seen as an intrusion into personal privacy, and thus privacy was protected by law.
For quick communication we used a phone, which was attached by a wire to the wall 😉 The same procedure applies as for letters: listening to private communication requires a court order. This hasn’t changed much, except that we now use cell phones, and at least their location can easily be tracked today. Additionally, we now use applications to chat quickly, and to ensure privacy most chat apps, like Threema, Telegram, Signal or WhatsApp, use end-to-end encryption. This means the message is put into an envelope on the sender’s side and only the recipient can open it and read the message. To intercept such a message, the agent has to install some kind of spy software on the phone or the computer of the sender or of the receiver. That process is similar to when spies wiretapped the home of a potential target. Although this process was again a standard procedure for enemies of the state in certain countries, it requires a court order in most other countries. The process is work-intensive and was done only in connection with severe crimes. Although installing spy software can be done remotely today, it’s still not a simple process and usually requires the “cooperation” of the target. After security authorities found a way to intercept Telegram chats, it can be assumed that this security hole will be fixed in the near future. Usually we can assume that our private conversation through a chat application using end-to-end encryption is quite safe as long as the information thief doesn’t get hold of the hardware used. Mass surveillance is not possible as long as we use end-to-end encryption for our communication.
But what about our e-mail?
Most mail servers use encryption, we might assert, so it should be safe, right?
Let’s have a look at the route an e-mail takes. We write it and send it to our mail server. This connection is usually encrypted. But now the mail server decrypts the e-mail and stores it in a readable format before it encrypts the e-mail again to send it to the mail server of the recipient; this server again decrypts the mail and stores it in the inbox of the recipient until he fetches it. If we compare it with the old-fashioned way of sending letters, it’s as if the letter gets opened and closed again at every post office on the way to the recipient. Huh? Yes, everyone with access to the post office or the mail server can read the mail!
This is how free-mail services like Gmail work. They scan the e-mails stored on their servers in order to present personalized advertising to the sender and recipient. What else they do with the information obtained this way, we don’t know. We also don’t know who else is able to get access to our personal messages stored on the mail server. This opens the door to mass surveillance.
Well, of course, we already share a lot of personal information today on social media, like Facebook. Therefore, anything we don’t want to see published about us in a newspaper we shouldn’t share on social media. This information is public, accessible at least to any security agency. Sacrificing our privacy might therefore, under certain circumstances, also sacrifice our personal security, as many examples of bloggers or posters on Twitter or Facebook have shown in the past. Some countries still don’t appreciate free speech; they are afraid of it and jail people instead. The sentence “I don’t have anything to hide” can be considered just plain ignorant: everyone has his private secrets, everyone has his privacy, and it’s worth protecting. So, what’s the best way to do so with e-mails?
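The hop-by-hop transport described above leaves a trace in the message itself: every server that stored the mail adds a Received header. The following Python sketch is an added example, not part of the original post; it reads those headers and reports per hop whether the link used TLS, relying on the RFC 3848 protocol keywords (an "S" after the protocol name, as in ESMTPS). The sample message and its host names are constructed.

```python
import re
from email import message_from_string

# Constructed sample: three hops, newest Received header first.
SAMPLE = (
    "Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])\n"
    "\tby imap.recipient.example with LMTP id c3; Mon, 1 Jan 2024 10:00:03 +0000\n"
    "Received: from smtp.sender.example (smtp.sender.example [198.51.100.7])\n"
    "\tby mx.recipient.example with ESMTP id c2; Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from laptop.home.example (unknown [192.0.2.10])\n"
    "\tby smtp.sender.example with ESMTPSA id c1; Mon, 1 Jan 2024 10:00:01 +0000\n"
    "From: alice@sender.example\n"
    "To: bob@recipient.example\n"
    "Subject: hello\n"
    "\n"
    "Hi Bob\n"
)

# RFC 3848 keywords: an "S" after the base protocol means the link used TLS.
PROTO = re.compile(r"(?:UTF8)?(?:E?SMTP|LMTP)(S?)A?", re.I)

def trace_hops(raw):
    """Return the hops in travel order as dicts: from, by, protocol, tls."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        sender = re.search(r"\bfrom\s+(\S+)", value)
        server = re.search(r"\bby\s+(\S+)", value)
        proto = re.search(r"\bwith\s+(\w+)", value)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        match = PROTO.fullmatch(name)
        hops.append({
            "from": sender.group(1) if sender else None,
            "by": server.group(1) if server else None,
            "protocol": name,
            "tls": bool(match and match.group(1)),
        })
    return hops

def plaintext_holders(hops):
    # Transport encryption ends at each server, so every "by" host saw the readable mail.
    return [hop["by"] for hop in hops]

if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        link = "TLS" if hop["tls"] else "no TLS"
        print(f'{hop["from"]} -> {hop["by"]}: {hop["protocol"]} ({link})')
    print("Held the readable mail:", plaintext_holders(trace_hops(SAMPLE)))
```

Received headers are written by the servers themselves, so entries added before the first server you trust can be forged by an earlier hop.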
So what can we do to reclaim privacy in our e-mails?
Sure, we can run our own mail server and make sure the potential recipients have mail accounts on our mail server. But this requires not only running a computer 24/7, but also a reachable address, like a fixed IP address or the use of a service like DynIP. As mail servers are popular targets for hackers, we need to harden the server against attacks. This requires at least some advanced technical knowledge that most people don’t have. In some cases, like for companies, this might be the solution of choice, but it’s not a choice for everyone.
The answer would be to use end-to-end encryption, as with our chat apps.
How does end-to-end encryption work?
It basically works with a key pair: a public key and a private key. As the names already indicate, the public key is public and thus accessible to everybody. The public key is usually also used to sign an e-mail and it is sent as an attachment. The e-mail is encrypted with the private key of the sender and the public key of the receiver, who is then able to decrypt the e-mail and read it.
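To make the roles of the keys concrete, here is an added Python sketch (not part of the original post) of the sign-then-encrypt flow that OpenPGP and S/MIME use: the sender signs with their own private key and locks a fresh session key with the recipient's public key; the recipient unlocks with their private key and checks the signature with the sender's public key. It assumes textbook RSA on small constructed primes and a hash-based toy stream cipher so that it runs on the standard library alone; all names are hypothetical and the construction only illustrates which key does what.

```python
import hashlib
import secrets

def make_keypair(p, q, e=65537):
    # Textbook RSA from two constructed (Mersenne) primes; far too small for real mail.
    n, phi = p * q, (p - 1) * (q - 1)
    return {"public": (e, n), "private": (pow(e, -1, phi), n)}

def stream_xor(key, data):
    # Toy stream cipher: XOR the data with SHA-256(key || offset) blocks.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def seal(body, sender_private, recipient_public):
    d, n_s = sender_private
    e, n_r = recipient_public
    session = secrets.randbelow(n_r - 2) + 2           # fresh key for this mail only
    return {
        "signature": pow(digest(body, n_s), d, n_s),   # made with the sender's PRIVATE key
        "wrapped_key": pow(session, e, n_r),           # locked with the recipient's PUBLIC key
        "ciphertext": stream_xor(session.to_bytes(64, "big"), body),
    }

def unseal(mail, recipient_private, sender_public):
    d, n_r = recipient_private
    e, n_s = sender_public
    session = pow(mail["wrapped_key"], d, n_r)         # only the recipient's PRIVATE key fits
    body = stream_xor(session.to_bytes(64, "big"), mail["ciphertext"])
    genuine = pow(mail["signature"], e, n_s) == digest(body, n_s)  # sender's PUBLIC key
    return body, genuine

# Constructed key pairs: sender, recipient, and a mail server on the route.
ALICE = make_keypair(2**127 - 1, 2**107 - 1)
BOB = make_keypair(2**89 - 1, 2**61 - 1)
MAILSERVER = make_keypair(2**107 - 1, 2**89 - 1)

if __name__ == "__main__":
    mail = seal(b"Lunch at noon?", ALICE["private"], BOB["public"])
    print("Bob reads:        ", unseal(mail, BOB["private"], ALICE["public"]))
    print("Mail server reads:", unseal(mail, MAILSERVER["private"], ALICE["public"]))
```

The mail server relays `mail` unchanged but, holding neither Bob's private key nor the session key, recovers only noise and a failed signature check.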
Today there are two methods around for signing and encrypting emails and they are not compatible.
S/MIME works with certificates, like the SSL encryption used to secure traffic between a computer and an internet server. The certificate can be bought from a certification authority, which guarantees the identity of the owner of the certificate. Some certification authorities issue free certificates; alternatively, one can also create so-called self-signed certificates. Most operating systems will only trust certificates for which you have to pay money. Thus S/MIME is often used by companies, as they can also distribute the public part of the certificates through an Active Directory Service. So if you ever receive an e-mail with an “smime.p7s” signature, then the sender is using S/MIME.
OpenPGP or PGP is the other method used for signing and encryption. This is the most common method, as it does not require any authority. The public keys are stored together with the e-mail address on key servers. PGP is a commercial product line offered by Symantec; OpenPGP is, as the name already implies, a free and open source solution for signing and encrypting e-mails and is the preferred solution to sign and encrypt mails. Mails with an attachment like “signature.asc” are signed with OpenPGP; the signature is also the public key of the sender, but you should verify it through a key server. Both solutions, the commercial one from Symantec and the open source one, are compatible.
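The attachment names mentioned above are the visible side of two sets of MIME types. As an added example (not from the original post), this Python function tells which of the two schemes protects a message by walking its MIME parts; it goes slightly beyond the text by also recognising encrypted mail. The sample messages are constructed and carry a placeholder instead of real signature data.

```python
from email import message_from_string

# MIME types that mark a detached signature or a protected body, per scheme.
MARKERS = {
    "application/pkcs7-signature": ("S/MIME", "signed"),
    "application/x-pkcs7-signature": ("S/MIME", "signed"),
    "application/pkcs7-mime": ("S/MIME", "encrypted or opaque-signed"),
    "application/pgp-signature": ("OpenPGP", "signed"),
    "application/pgp-encrypted": ("OpenPGP", "encrypted"),
}
# Attachment names as a fallback when a gateway rewrote the MIME type.
FILENAMES = {"smime.p7s": ("S/MIME", "signed"), "signature.asc": ("OpenPGP", "signed")}

def classify(raw):
    """Return (scheme, protection) for a raw message, or None if unprotected."""
    for part in message_from_string(raw).walk():
        hit = MARKERS.get(part.get_content_type())
        hit = hit or FILENAMES.get((part.get_filename() or "").lower())
        if hit:
            return hit
    return None

def signed_sample(sig_type, filename):
    # Constructed multipart/signed message; the signature body is a placeholder.
    return (
        "From: alice@sender.example\n"
        "To: bob@recipient.example\n"
        "Subject: hello\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/signed; protocol="{sig_type}"; boundary="b1"\n'
        "\n--b1\n"
        "Content-Type: text/plain\n\nHi Bob\n"
        "--b1\n"
        f'Content-Type: {sig_type}; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\nPLACEHOLDER\n"
        "--b1--\n"
    )

PLAIN = "From: a@sender.example\nTo: b@recipient.example\nSubject: hi\n\nHi\n"

if __name__ == "__main__":
    print(classify(signed_sample("application/pkcs7-signature", "smime.p7s")))
    print(classify(signed_sample("application/pgp-signature", "signature.asc")))
    print(classify(PLAIN))
```

The result only names the scheme a message claims to use; whether the signature is valid still has to be checked by the mail client or by GnuPG.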
In the next post, I will explain how to really encrypt and decrypt e-mails as comfortably as possible.
Tag: security
My data and PRISM
Every day we can read about PRISM in the big media. PRISM is data-mining software used by the NSA, the national secret service of the USA.
That something like this would happen in the future could have been expected. Until now we’ve seen technology like that only in sci-fi kind of action movies, like 24hours for example.
Many of us thought we were safe; our privacy was thought to be a far higher good than the information interests of security agencies. Everyone who said, hey guys, you’re wrong, was branded as neurotic, anxious, way too fearful of big brother government. Now, after parts of the truth have surfaced, people are upset.
The German government wants the US government to immediately release all information concerning data-mining of German citizens. Who do they believe they are? Are they serious that the NSA will give them any more information than what can be found in the media? If they really believe that, they are simply naive. Besides that, the German government just passed a law called „Gesetz zur Neuregelung der Bestandsdatenauskunft“, in English something like „act revising the inventory data information“. This law allows security agencies to break into the data privacy of a person, even if the person just got a parking ticket. It gives the authorities access to passwords, email accounts, chat protocols.
Everything that is considered private in non-digital life and is protected by special laws.
To listen to your phone conversation or to search your home, authorities need a warrant signed by a judge. In digital life, no warrant is needed; they just get the access. And the funny thing in Germany is, neither the Social Democrats nor the Greens opposed this law.
The EC is also pushing for a law on the retention of telecommunication data to be passed in every member state.
So why are they all so upset now about what the NSA is doing? Because the NSA is not storing the data by itself, and instead uses Apple, Google, Facebook etc. as free mass-storage places for people’s personal data? Or what?
We all should know by now that modern governments have no interest in protecting civil rights; their interest is to protect their own power and influence.
Just recently two young German students were denied entry to the US because the border authorities accused them of planning illegal actions in the US; as proof, the authorities showed the students private chats from Facebook.
Benjamin Franklin once wrote: „They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.“ He also said: „Freedom of speech is a principal pillar of a free government; when this support is taken away, the constitution of a free society is dissolved, and tyranny is erected on its ruins.“ This is the development we are seeing right now.
In Turkey the media didn’t report on the protests on Taksim Square in the beginning; later lawyers were arrested and Erdogan, the PM of Turkey, declared the protestors to be vandals etc. In Germany a demonstration against the power of banks was beaten down by police, and in the US the police had done nearly the same before in New York with the Occupy movement, which was internally marked as being terrorists by the FBI.
Our societies are losing their liberty, their freedom, for which so many people have fought and died in the past.
The sad thing is, most people are not interested. Panem et circenses, bread and games, already worked well at the time of the Roman Empire and it’s still functioning.
If you as a reader are interested in protecting your privacy at least a little bit, here are some tips:
First some big NOs, don’t do this, don’t…
- publish anything on social media, like Facebook or Twitter, you don’t want to read in the newspaper
- chat about personal things with people using Facebook Chat, AIM, Yahoo Chat, Skype or similar
- pass on personal information through email without encrypting it
- save or back up personal data on any cloud service; if a piece of software, like Things, doesn’t give you a choice, drop it
And some DOs:
- use encryption in e-mail, like PGP, GnuPG or OpenPGP
- use your personal hardware for backup or
- use point-to-point encryption on rented server space
- avoid or minimize the use of personal data
- treat unencrypted email like sending a postcard
- use Jabber, also called XMPP, for chatting, with a server you can trust, via SSL/TLS; additionally, end-to-end encryption can be used with OpenPGP. The encryption is integrated into some clients, like Adium for Mac
- use Tor for browsing if you want to stay anonymous
- use HTTPS whenever possible
Here are some links:
MacOS (for AppleMail): GnuPG
iOS (iPhone, iPad): oPenGP (not free)
Android: The Guardian Project
For Thunderbird: Enigmail
Windows: GPG4Win
Paid solution: from Symantec, for example
Point-to-point encryption:
Most OSes have that capability built in for the local hard drive, called full disk encryption. Check Point offers a more professional solution for the Mac. There are many solutions on the market, free open source solutions and paid services. The important point is that only you have the key and the control over the key, and not the hosting company.
The Cloud
Happy new year everybody 🙂
Today I kicked my getting things done app in the trash.
Getting Things Done is a book and method by David Allen. The method originally works with paper and boxes and helps you to get organized and to get things out of your mind, freeing the mind for being creative instead of storing stuff there and having to think about what’s still not yet done.
Naturally a lot of applications have grown around this idea. Quite some time ago I decided to use Things from Cultured Code. There is a desktop and an iPhone application, which synchronized over the local network. The user interface of the application is neat and clean and I liked it a lot. I was pretty happy with it.
So what made me trash it?
Cultured Code decided to update Things to Things 2.0, and with that update they introduced synchronization over their own cloud service and announced very proudly how many users already have an account there. There’s nothing wrong with that, but they also decided to drop local synchronization. So if I want to use the new version, I’d be forced to use their cloud service, a server I have no control of, and leave there all my to-do lists, including all the personal or business information which I might have noted in one or the other task of my to-do list.
I’m amazed, actually, how many people blindly trust a company and leave their personal data on the company’s server. Didn’t we all learn meanwhile that Google scans the mails of their Gmail service to place proper advertising to the user? So why should we trust a software company, especially when they just abandon the local service, so that if I want to continue using the software, I’m forced to use their cloud service?
It becomes even more interesting if one knows that Cultured Code is a German company and the German Ministry of the Interior is currently working on some laws to give security services access to data in the cloud, meaning forcing providers to open their servers for police or other security services to access these data, preferably without any consultation of a judge. The Patriot Act of the US does this already.
Oops, you didn’t know that? You synchronize your iPhone via Apple’s cloud service and store your documents on Amazon’s cloud service. You think it’s all well protected by your personal password and login data. If you run your own server, you know that you have access to everything and anything stored on that machine, and so does the industry.
Of course you can encrypt your data with point-to-point encryption, which will make it harder for anybody to look into it, and only government services or big companies will have the computing power to crack your encryption. Well, and what happens when government and industry work together? They already do, as I learnt recently from an article published by the Guardian. A peaceful protest movement against the power of the banks was marked as terrorist activity by the FBI.
You might think you don’t do anything illegal, so why should you care? We’ve seen over the past couple of years how quickly innocent people can get into the focus of law enforcement authorities or the industry. The result is often scary. And well, we all have something to protect, even if it is only our privacy.
Well, I didn’t give up organizing my to-dos and getting things done in an organized way; I’m just using different software from the Omni Group, a well-known Apple development company. OmniFocus offers different ways of synchronizing the desktop and iPhone app. One of them is via Bonjour and the local network; another one works via WebDAV or a file server.
These days I just learned you can set up your own cloud service with OwnCloud. OwnCloud is a software suite based on PHP and an SQL server, which can be set up on nearly any operating system; all you need is access to a server. This probably also works with dynamic IP addresses and a service like dynDNS. So now I’m thinking of setting this up on my server here.
So, you don’t believe me? Then check this out: http://www.zdnet.com/blog/igeneration/microsoft-admits-patriot-act-can-access-eu-based-cloud-data/11225