Slashdot Mirror


Ask Slashdot: What Country Has the Best Email Privacy Laws?

An anonymous reader writes "Given all that is going on with the ability of the government to go through my email if it is on a third-party server, I was wondering: what countries have the best privacy laws and what are some good hosts to use? I would rather pay a token fee to have secure private email than have members of the government able to read it as soon as it's 180 days old if I keep it at my email provider."

27 of 236 comments

  1. Most secure country: by ngc5194 · · Score: 2

    My-own-email-server-istan.

  2. privacy laws won't fix a broken privacy model by Junior J. Junior III · · Score: 5, Insightful

    Email is inherently insecure, since it is transmitted in clear text and stored in multiple hops between destination and recipient, where its contents may be intercepted, altered, copied, stored, etc. If you're relying on the law to keep your email private, you've already lost. Use digital signatures for authenticity and integrity, and strong encryption for confidentiality. At that point, you really don't need the law's help to keep your emails private.

    --
    You see? You see? Your stupid minds! Stupid! Stupid!
    1. Re:privacy laws won't fix a broken privacy model by Junior J. Junior III · · Score: 3, Informative

      I mean, do you even know what countries your emails might route through between sending and arriving at their destination? If you're going to go to a server in a different country to gain the benefit of their better privacy laws, you're likely going to need to transfer data over networks that geographically reside in other countries too. And your end points probably are still somewhere within your own country. What are the laws like there?

      --
      You see? You see? Your stupid minds! Stupid! Stupid!
    2. Re:privacy laws won't fix a broken privacy model by obarthelemy · · Score: 2

      you do still need laws to litigate if an angry ex, an employer ... find a way (keyloggers...) to get your keys.

      --
      The Cloud - because you don't care if your apps and data are up in the air.
    3. Re:privacy laws won't fix a broken privacy model by klapaucjusz · · Score: 3, Insightful

      Email is inherently insecure, since it is transmitted in clear text

      Most mail nowadays is transmitted over SSL. Yes, that's still vulnerable to MITM-ing, but it's no longer a simple matter of passive snooping.

      If you're relying on the law to keep your email private, you've already lost.

      Please. Strong privacy laws won't prevent ISPs from occasionally snooping on their users, granted. With no privacy laws, however, expect your ISP to routinely spy on you, and sell the data to advertising companies.

      -- jch

    4. Re:privacy laws won't fix a broken privacy model by klapaucjusz · · Score: 5, Informative

      STARTTLS is used between mail servers if:
      • both the sender and the receiver support the STARTTLS extension; and
      • the receiver has been configured with a certificate (even a self-signed one).

      All modern mail servers support STARTTLS, and most ISPs have configured a certificate in their MX. To see if yours has, do the following:

      $ host -t mx google.com
      google.com mail is handled by 50 alt4.aspmx.l.google.com.
      google.com mail is handled by 30 alt2.aspmx.l.google.com.
      google.com mail is handled by 40 alt3.aspmx.l.google.com.
      google.com mail is handled by 10 aspmx.l.google.com.
      google.com mail is handled by 20 alt1.aspmx.l.google.com.
      $ telnet aspmx.l.google.com smtp
      Trying...
      Connected to aspmx.l.google.com.
      Escape character is '^]'.
      220 mx.google.com ESMTP
      EHLO localhost
      250-mx.google.com at your service
      250-SIZE 35882577
      250-8BITMIME
      250-STARTTLS
      250 ENHANCEDSTATUSCODES
      QUIT

    5. Re:privacy laws won't fix a broken privacy model by Anonymous Coward · · Score: 2, Interesting

      Since requiring TLS on my laptop to server connection I have found it is very common for hotel and airport ISPs to hijack the connection and route mail through their own servers. How did I find out? They don't support TLS so the connection fails. Then if you use runtbird to start thunderbird you can find the evidence. In future I will be using runtbird anyway to check if they are hijacking the connection and supporting TLS.

      Example below from a Delta lounge in ATL:

      0[192c140]: SMTP Connecting to: mail.mycompany.com
      0[192c140]: SMTP entering state: 0
      0[192c140]: SMTP Response: 220 mail.tmail.com ESMTP Xxx, xx Mar 2011 14:43:21 -0400
      0[192c140]: SMTP entering state: 14
      0[192c140]: SMTP Send: EHLO [10.241.1.242]
      0[192c140]: SMTP entering state: 0
      0[192c140]: SMTP Response: 250-mail.tmail.com Hello 242.1.241.10.in-addr.arpa [10.241.1.242], pleased to meet you
      0[192c140]: SMTP entering state: 0
      0[192c140]: SMTP Response: 250-ENHANCEDSTATUSCODES
      0[192c140]: SMTP entering state: 0
      0[192c140]: SMTP Response: 250-PIPELINING
      0[192c140]: SMTP entering state: 0
      0[192c140]: SMTP Response: 250 8BITMIME
      0[192c140]: SMTP entering state: 4
      0[192c140]: SMTP entering state: 21
      0[192c140]: SMTP Send: QUIT
      0[192c140]: SMTP entering state: 0
      0[192c140]: SMTP entering state: 0
      0[192c140]: SMTP Response: 221 2.0.0 mail.tmail.com Closing connection
      0[192c140]: SMTP entering state: 11
      0[192c140]: SMTP entering state: 12
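
Added example (not part of either comment above): the manual check from comment 4 (look for `250-STARTTLS` in the EHLO reply) applied automatically to a client log like the one in comment 5. The function name and the finding labels are assumptions made for this sketch; the log lines are the ones quoted in the comment.

```python
import re

# Lines from the Thunderbird SMTP log quoted above, up to the end of the EHLO reply.
SAMPLE_LOG = """\
0[192c140]: SMTP Connecting to: mail.mycompany.com
0[192c140]: SMTP Response: 220 mail.tmail.com ESMTP Xxx, xx Mar 2011 14:43:21 -0400
0[192c140]: SMTP Send: EHLO [10.241.1.242]
0[192c140]: SMTP Response: 250-mail.tmail.com Hello 242.1.241.10.in-addr.arpa [10.241.1.242], pleased to meet you
0[192c140]: SMTP Response: 250-ENHANCEDSTATUSCODES
0[192c140]: SMTP Response: 250-PIPELINING
0[192c140]: SMTP Response: 250 8BITMIME
"""

LOG_LINE = re.compile(r"^\S+: SMTP (Connecting to|Response|Send): (.*)$")
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")  # code, continuation marker, text

def analyse_session(log_text):
    """Summarise one logged SMTP session: target, banner host, EHLO keywords."""
    target = banner = None
    keywords = set()
    in_ehlo = greeting_seen = False
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                      # e.g. "SMTP entering state" lines
        kind, rest = m.groups()
        if kind == "Connecting to":
            target = rest.strip().lower()
        elif kind == "Send":
            in_ehlo = rest.upper().startswith("EHLO")
            greeting_seen = False
        else:
            reply = REPLY.match(rest)
            if not reply:
                continue
            code, sep, text = reply.groups()
            if code == "220" and banner is None and text.strip():
                banner = text.split()[0].lower()
            elif code == "250" and in_ehlo:
                if greeting_seen and text.strip():
                    keywords.add(text.split()[0].upper())
                greeting_seen = True      # first 250 line is the greeting
                in_ehlo = sep == "-"      # "250 " (space) ends the reply
    findings = []
    if "STARTTLS" not in keywords:
        findings.append("no-starttls")      # TLS cannot be negotiated here
    if target and banner and banner != target:
        findings.append("banner-differs")   # weak hint on its own
    return {"target": target, "banner": banner, "keywords": keywords, "findings": findings}
```

A differing banner alone proves little: in the telnet session in comment 4, the host connected to is aspmx.l.google.com while the banner says mx.google.com. The stronger signal is a missing STARTTLS keyword from a server that is known to offer it.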

    6. Re:privacy laws won't fix a broken privacy model by cheater512 · · Score: 2

      Actually your packets will take an even shorter route - straight to Sydney.

      traceroute to gmail.com (66.102.11.83), 30 hops max, 60 byte packets
        1 192.168.0.1 (192.168.0.1) 0.628 ms 0.829 ms 1.026 ms
        2 * * *
        3 202.7.173.17 (202.7.173.17) 104.611 ms 104.799 ms 104.795 ms
        4 syd-sot-ken-crt1-ge-5-1-0.tpgi.com.au (202.7.162.173) 104.993 ms 105.193 ms 105.389 ms
        5 202.7.171.18 (202.7.171.18) 105.386 ms 105.583 ms 105.783 ms
        6 66.249.95.224 (66.249.95.224) 107.476 ms 72.409 ms 74.315 ms
        7 64.233.174.242 (64.233.174.242) 75.010 ms 75.208 ms 75.299 ms
        8 syd01s01-in-f83.1e100.net (66.102.11.83) 75.403 ms 76.471 ms 76.672 ms

    7. Re:privacy laws won't fix a broken privacy model by Jane Q. Public · · Score: 2

      But the law in the U.S. doesn't require you to give up your keys. It was ruled that was testifying against yourself. Trying to force you to give it up is a violation of the 5th Amendment.

      The only exception so far was a guy coming in to the United States, and because the computer was asleep (not off), the border search found child pornography that was normally encrypted, but the encryption engine was running. The man then turned off the computer.

      Since they ALREADY KNEW there was illegal material in the encrypted file, the court ruled that his encryption key could be demanded via subpoena.

      The upshot is that in the U.S., they can't demand your encryption keys unless they can already show that the encrypted material contains something known to be illegal.

    8. Re:privacy laws won't fix a broken privacy model by Jane Q. Public · · Score: 2

      "In addition to being entirely unnecessary for the vast majority of users who aren't living in a dictatorship, paranoid, criminal or all three.."

      And the "criminal" argument is simply bogus. In effect, it is the old argument that "if you have done nothing wrong, you have nothing to fear."

      Anybody who knows a little bit of history knows how ludicrous that concept is!

  3. Does it matter? by steevven1 · · Score: 2

    Even if you host your own email server or use a server in a country with great privacy laws, every email you send or receive is stored on two servers, each with your name (email address) attached to it. Unless everyone you email has the same security policy as you, your messages are little more secure than they would be if you used any other email server.

  4. Storing email? by krelvin · · Score: 3, Insightful

    If you are really worried about this... why are you storing any email on a 3rd party server? As new email arrives, save it to your local computer, removing it from the inbox. No email is then left to become 180 days old. Nothing to worry about. Actually that is not true since you most likely will be worrying about something else then too, but...

  5. What Country Has the Best Snail-Mail Privacy Laws? by lobiusmoop · · Score: 4, Insightful

    Given I can't be bothered to take the most basic steps to gain a little privacy for my letters, like using envelopes, writing everything on postcards that let everybody in the postal industry in contact with my mail read it, what are the best couriers for me to send my letters with?

    Honestly, I think some articles are just deliberate trolls for the computer-security folks on Slashdot.

    --
    "I bless every day that I continue to live, for every day is pure profit."
  6. Re:What Country Has the Best Snail-Mail Privacy La by sandytaru · · Score: 2

    Redact everything yourself. Problem solved. Stick it to those government snoops!

    --
    Occasionally living proof of the Ballmer peak.
  7. Re:Privacy laws by countertrolling · · Score: 2, Insightful

    (Score:-1)

    This is what I get for pointing out that our 'anonymous' submitter here is a company troll grasping for page hits.

    So one more time for posterity, privacy on the internet, and any expectation thereof is pure mental masturbation.

    This site is being compromised by too many sockpuppets and zombies. It used to be fun when it was a small group of friends, but not any more. Maybe it's best to just stay away from the front page.

    --
    For justice, we must go to Don Corleone
  8. nowhere really by t2t10 · · Score: 2

    Many European nations nominally have better privacy laws, but they have lots of exceptions for national security, police enforcement, and privacy law enforcement, as well as other loopholes.

    But you're likely also no better off storing it on your local disk; for your government or your ISP, accessing data on your disk is likely no more complicated than pushing a button.

    If you want your E-mail to be private, encrypt it, whether it's on a local disk or a server, and even then, there's a good chance others can intercept the key and read it anyway.

    1. Re:nowhere really by angel'o'sphere · · Score: 2

      Lol, you again bring complete false contextual answers. The question was never if a security agency like CIA or BND may in special circumstances read email without a court order, the question was whether the "government" or the "police" may do it.

      Did you ever read the laws you cite?
      And did you read the articles you link?

      Neither the law you linked nor any article says that THE POLICE or THE STATE does NOT NEED a court order. Of course they need one.

      The BND is an exception just like the CIA or NSA is ... so what is your fucking point? You start to annoy me. You don't want to admit that you are wrong.

      Do you really think a random police man or a random BND agent is "allowed" to read my email?

      Read the damn law you link.
      The question is not if the Verfassungsschutz is illegally doing it, the question is how to legally do it and to do it legally you need a court order. Or you need to announce it to the "Parlamentarische Kontrollgremium" which is an even higher instance than a court.

      § 1 Subject of the Act
      2. ...
      (2) Insofar as measures under paragraph 1 are carried out by federal authorities, they are subject to oversight by the Parlamentarische Kontrollgremium and by a special commission (G 10-Kommission).

      Learn to read, and stop claiming something and then linking a not appropriated source.

      http://www.welt.de/politik/article1589067/BND_darf_Telefonate_von_Verdaechtigen_abhoeren.html

      Read your link from top to bottom and get a damn clue.

      The BND *asked* their supervisors to do the surveillance!! The intelligence service had pointed to the international terror threat when it applied to the Federal Ministry of the Interior for the telephone surveillance on 14 September 2001.

      And again: you jumped the topic without noticing I assume. My claim is: E-mail is equivalent to postal mail. That's all! I never talked about security agencies ... you jumped the topic to them.

      angel'o'sphere

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  9. "...what countries have the best privacy laws..." by John Hasler · · Score: 3, Interesting

    Because we all know that all governments can be trusted to respect such laws when their own interests are at stake.

    If you have secrets that you must protect against governments why are you leaving them (unencrypted, evidently) on third party servers? And why are you discussing that fact on a public forum?

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  10. What about the people you communicate with? by timothyf · · Score: 2

    Are you sure you're always communicating with people that live in countries with privacy laws that are just as secure? Unless you're really good about keeping your contacts secure as well, all it means is that they have to issue more subpoenas.

  11. Re:RETARDED by SwedishPenguin · · Score: 2

    Except the data retention directive requires providers to store email for at least 6 months.. (minimum in directive, actual period can be longer in individual countries)

  12. Re:Best email security laws? by houstonbofh · · Score: 3, Interesting

    Havenco closed in 2008. No Sealand hosting now.

  13. For email apply the same laws as for paper mails by angel'o'sphere · · Score: 3, Interesting

    ... at least in Germany and most European countries.

    If you want to read them you need a search warrant.

    angel'o'sphere

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  14. Re:RETARDED by Jurily · · Score: 3, Insightful

    legally private, as opposed to "secure"

    I'm not sure this term has any meaning when applied to information that is instantly, cheaply and undetectably duplicated, especially if this duplication is the whole fucking point. How many servers did that mail pass through while it got to the recipient?

    What we really need is to define encryption as a basic human right.

  15. Re:other means of storage by symbolic · · Score: 2

    There are third party services (like messagelabs offered by Symantec) that provide email scanning and archival. This puts an interesting kink into the model, because now the path includes more than just other email hosts. These services can have their own retention and privacy policies, and you, as merely one endpoint in a communication process, may have no idea that such a third party is being used.

  16. IMMI - International Modern Media Initiative. by mordur · · Score: 3, Informative

    I don't know which country has the best protection for users of online services now, but Iceland most certainly will be a contender when the IMMI legislation has been passed as per the Parliamentary Resolution passed on June 16. last year. Check it out: http://immi.is/

  17. There's always a work-around! by Paracelcus · · Score: 2

    Run an SMTP/POP3 server in a VM that loads from an encrypted partition, use a dynamic DNS service so that you can be found. Or rent a COLO in a third world country, etc. And send everything/receive everything as an encrypted attachment. Use steganography to distribute embedded keys in mainstream porn images on annoying pop-up web-page ads.

    Live in a skid-row hotel room, move often, use prepaid cell phones, don't use snail-mail, if you have a beard, shave, if you don't grow one, large dark glasses, broad-brimmed hat (lined with tinfoil) look behind you, AAAHHH!!!

    --
    I killed da wabbit -Elmer Fudd
  18. China definitely by KostasPlenty · · Score: 2

    China has arguably the best privacy laws. In China the state really will go the extra mile to protect the privacy of all government agencies that have access to your emails.