Ask Slashdot: Recommendations For Non-US Based Email Providers?

First time accepted submitter jlnance writes "I don't particularly like the NSA looking over my shoulder. As the scope of its various data gathering programs comes to light, it is apparent to me that the only way to avoid being watched is to use servers based in countries which are unlikely to respond to US requests for information. I realize I am trading surveillance by the NSA for surveillance by the KGB or equivalent, but I'm less troubled by that. I searched briefly for services similar to ymail or gmail which are not hosted in the US. I didn't come up with much. Surely they exist? What are your experiences with this?"

Not sure I understand the question.

Actual communication security implies point-to-point security. In such a setting, a third-party service doesn't make any sense. Hence either what you're look for can't exist, or you won't know if it's secure.

Re:Not sure I understand the question.

[Eunuchswear]

+++ THIS.

Do it yourself.

Re:Not sure I understand the question.

[ImdatS]

Yes, correct.

In my experience, having a mail server provider in Europe (e.g.) and using PGP/GPG could help. The problem is of course that your recipient also needs PGP/GPG.

1&1 and Deutsche Telekom in Germany just announced that (paraphrasing it) they will take email security more seriously now. You might want t get an email account at GMX in Germany (product of 1&1) and then use PGP/GPG for fully confidential communication. I wouldn't use their webmail interface, rather suggest to use their IMAP/POP Interface using SSL/TLS.

Using PGP/GPG *and* a foreign email service provider helps in (a) encrypting your email (PGP/GPG), and (b) (if used with SSL/TLS) communication, also hiding the sender/recipient identification, including your email's subject.

On the other hand, I don't know if that would be really secure (for [b] at least), as the German secret service (BND) seems to forward communication information to the NSA (at least the meta-information)...

If you really want to communicate securely, I recommend a "dead mailbox"-principle electronically, but by using PGP/GPG to encrypt the file in question, maybe even hiding the content as a picture or video...

Re:Not sure I understand the question.

You would have to lease space in a datacenter, buy a domain, setup VPN, use securelinux (though probably not since it was written by the NSA) or solaris, run a VM inside that, always do a restore before accessing email and read through the tens of thousands of lines of code to delete out anything that MAY compromise your security (best use open source in this case). Also you will have to ensure that everyone you email is doing the same thing. So you may want to start mandating that everyone you email use your domain, but since it will b so expensie you should probably charge for it to at a minimum off set costs. Though you should probably charge enough to ensure that you can afford to quit your current job to do full time maintenance.

After all that, probably be best you find a neutral country that has no agreements with the US and will refuse to work with it.

But good luck!

Re:Not sure I understand the question.

[the_B0fh]

If you restore your VM (that hosts your email) before accessing your email, didn't that just wipe out your emails?

You need more paranoia please.

Re:Not sure I understand the question.

[Z00L00K]

Make sure that you use encrypted mails using self signed certificates or by someone you trust.

Re:Not sure I understand the question.

[methano]

What if you used a pigeon? A third-party pigeon, that is.

But like he said, you still can't be sure it's secure.

And, of course, you'd need to use a US-based pigeon.

Re:Not sure I understand the question.

[tqk]

You would have to lease space in a datacenter ...

Uh, no. Use Linux (or *BSD) and point your local SMTP at your ISP's Smarthost. Encrypt files locally with GnuPG and send them as attachments. The only difficult part is expecting the recipients to do the same in reverse and to treat your privacy as seriously as you do. There, you'll need to exercise judgment as to who to trust and with what (just like in every other area of life).

I really couldn't give a rat's ass how many cycles the NSA wastes on trying to crack my encrypted attachments. I consider myself fortunate in not having to support them financially (I'm non-US). I've toyed with the idea of making a cronjob blast out emails to random addresses simply to supply them with stuff to waste time and effort on, but I don't really care that much to bother.

If I ever manage to contact the Medellin or Cali or Zeta cartels' IT guys, I'll have a proposal for them, but so far no joy there. That would be great fun.

Re:Not sure I understand the question.

[Aighearach]

The problem with pigeons is that they're susceptible to man-in-the-middle attacks.

Re:Not sure I understand the question.

[BenEnglishAtHome]

I recommend a "dead mailbox"-principle electronically...

There are usenet newsgroups that seem to be entirely dedicated to encrypted dead drop communications. I wonder what's going on there?

Re:Not sure I understand the question.

[Lennie]

US transit providers in Germany will just forward traffic to the US-agency in Germany.

That has already been in the news.

Re:Not sure I understand the question.

[Kwpolska]

Let’s host in Antarctica instead!

Re:Not sure I understand the question.

[Gr8Apes]

You realize that Germany has cancelled their agreement, and the rest of the EU is considering similar actions currently. A few more leaks and segmentation of the internet will follow pretty quickly, and the idealistic neutral internet we thought we knew will be but a distant memory. OTOH, this will fix the "issues" with the .com domain, as only US companies will be on it.

Re:Not sure I understand the question.

[Aighearach]

Maybe you can find some colo space at McMurdo. Oh, wait...

Re:Not sure I understand the question.

[jader3rd]

The problem with pigeons is that they're susceptible to man-in-the-middle attacks.

I thought they were susceptible to cat-in-the-middle attacks.

Re:Not sure I understand the question.

[Aighearach]

You realize that the NSA facilities in Germany are still intact, right? What was canceled is the part where the US, UK, and France could request Germany to surveillance on their behalf. Whatever basis the data sharing was under is not known, and there is no reason to believe it has been canceled. Chancellor Merkel denied it was even happening until it got leaked. Now you believe her that they stopped, on account of canceling the most public related agreement? I guess the NSA employees on US bases in Germany just sit around and play cards all day now, right?

It has also been said publicly by German government officials that the old agreement was obsolete, and hadn't been actually used as the authority for anything since reunification! If you're going to fall for a bait-and-switch that is already reported on, how can you hope to avoid secret government surveillance?

Actually what you really do is reward companies in the countries that have the least transparency, where you know the least about what they do to spy on your, or help others spy on you. You're better off choosing companies that take the risk of publicly asking for more transparency, and employing your own security such as PGP/GPG

Re:Not sure I understand the question.

[Znork]

Of course, the part that the NSA et al seems most interested in is the source and destinations of your mails to map your associations. By sending via your ISP smarthost you're still handing them that info, so if you want to cut them out of the loop you need to vpn the mail relaying outside their grasp and ensure encrypted smtp/tls direct between endpoints.

Your random mail idea does screw with them in a nice way tho as it'd mess up their social graph and probably get yourself classified as an uninteresting spammer after which you can freely inform islamic insurgents how they can enlarge their manhood and obtain large fortunes from Africa by sending a small upfront payment.

But for actual secure comms it's probably better to use i2p or some other darknet. And traffic on that screws with the snoops as well.

Re:Not sure I understand the question.

[sumdumass]

Only if you restore it on the server side. I suspect what he meant was using a VM on the client accessing the server to ensure there are no bugs or trojans set to intercept or log the communications.

Re:Not sure I understand the question.

[ImdatS]

There were some interesting articles in German online media regarding this. The BND acknowledged that they were forwarding at least mobile communications data to the NSA and defended this as fight against terrorism.

Example source: http://www.zeit.de/politik/2013-08/bnd-gibt-daten-weiter (in German)

Re:Not sure I understand the question.

[mrbester]

If that man is Dick Dastardly I think we're OK...

Re:Not sure I understand the question.

[Gr8Apes]

If you're going to fall for a bait-and-switch that is already reported on, how can you hope to avoid secret government surveillance?

Who said anything about a bait and switch. My topic was something entirely different - the disintegration of what we know today as the internet. Whoosh.

Actually what you really do is reward companies in the countries that have the least transparency, where you know the least about what they do to spy on your, or help others spy on you. You're better off choosing companies that take the risk of publicly asking for more transparency, and employing your own security such as PGP/GPG

I'm not about rewarding anyone. I've always believed in owning my own email servers, but also realize that owning them myself is good only for communications between people on that server, or similar secure servers. If you're communicating with someone on yahoo or gmail or any of the other 3rd party servers, your email might as well be published on the front page of cnn or the like. The same is true for any other communications. Attempting to hide your identity on a site like /. is also pointless. However, this does not mean the government should be allowed to break the law and gather all this data and sift at will.

Re:Not sure I understand the question.

[godel_56]

You realize that Germany has cancelled their agreement, and the rest of the EU is considering similar actions currently. A few more leaks and segmentation of the internet will follow pretty quickly, and the idealistic neutral internet we thought we knew will be but a distant memory. OTOH, this will fix the "issues" with the .com domain, as only US companies will be on it.

How is failing to communicate information from your own citizens that was supposed to be private anyway, leading to the "segmentation" of the "idealistic neutral internet"?

And what's so "idealistic" about a 1984-style surveillance program of ordinary citizens anyway?

Re:Not sure I understand the question.

[mysidia]

Your random mail idea does screw with them in a nice way tho as it'd mess up their social graph and probably get yourself classified as an uninteresting spammer

But is he really an uninteresting spammer, or someone using spam as a ruse, and coupling some unknown advanced steganography to hide messages for insurgents in the spam?

Re:Not sure I understand the question.

[Gr8Apes]

Being able to communicate freely at will globally is pretty idealistic. That will now most likely be strongly gated at national cyber boundaries. No more direct connections. Many countries were already moving this way, now there's a reason to and the US, the strongest proponent of "freedom", no longer has any sway, since "freedom" apparently meant "freedom to spy on you". So watch things quickly segment, get firewalled, and countries that chafed the most at letting their citizens see outside information get walled off completely again.

Re:Not sure I understand the question.

[mysidia]

In my experience, having a mail server provider in Europe (e.g.) and using PGP/GPG could help. The problem is of course that your recipient also needs PGP/GPG.

Encrypting with GPG/PGP just hides the content of the message. If the recipient is in the US, the NSA will still get the log that shows the two of you communicated

Also, since the communication is now international --- it now falls under lawful interception; because the NSA is free and expected to snoop on international communications, this bit about using an overseas provider essentially in all likelihood guarantees the NSA will receive a copy of the metadata... whereas, otherwise, it would not be so certain

Re:Not sure I understand the question.

[rossdee]

you do know that other countries have bases in Antarctica , right?

NZ, OZ, UK, Russia, Norway..

Re:Not sure I understand the question.

[icebike]

The German BND does not forward domestic communication to the NSA. Doing so is prohibited by law (the G-10 law, specifically) and breaking the law in Germany is actually a bad idea, even for the government. So I'd say your email would be quite secure there.

Well I you might want to peek at this Ars article where multiple security experts are taking the German telecoms to task for their claims of increased security by merely turning on ssl for their web interface.
http://arstechnica.com/business/2013/08/crypto-experts-blast-german-e-mail-providers-secure-data-storage-claim/

Re:Not sure I understand the question.

[icebike]

People who don't even want governments to know who they communicate with are wise to choose this route.
The problem is you have to watch the entire group just to pick up the few messages destined for you, or which you can decrypt.

Most people who use encryption just use it to keep information out of the hands of others, with no real concern that others may know who they correspond with. After all, I have the right to buy stuff from companies and send my credit card info encrypted.

Hackers, child porn, identity thieves, smugglers etc all come to mind, but surely there must be legitimate reasons for using such plausibly deniable methods.

Re:Not sure I understand the question.

[im_thatoneguy]

ts. The only difficult part is expecting the recipients to do the same in reverse and to treat your privacy as seriously as you do. There, you'll need to exercise judgment as to who to trust and with what (just like in every other area of life).

That's the real problem. If you are a 'terrorist' and you attract the 'attention' of the 'NSA' then your email header data will be unencrypted (by necessity). Therefore instead of breaking your encryption they'll just go for the weak link and read the email of whoever you sent an email to.

The other problem is that if you are most likely an "American" then you presumably do have rights assuming they are following the law. In which case the best strategy isn't to obfuscate your activity but to at the very least try and enhance your "Americanness".

If you are sending encrypted files hither thither (enmasse) you're just going to become something very "interesting" and "worth investigation". If you however pretend to be a 14 year old girl in Kansas the NSA will probably leave all of your communication alone due to legal necessity.

So if you're in the Cali or Zeta cartels your best strategy is a fake Facebook profile for an "American" and a VPN to make the origin as American as possible.

Sure it's not as "theoretically" secure as a massive super encrypted communication network... but camouflage is usually more effective in nature than armor.

Re:Not sure I understand the question.

[Ungrounded+Lightning]

The problem with pigeons is that they're susceptible to man-in-the-middle attacks.

I thought they were susceptible to cat-in-the-middle attacks.

What's worse is that they are AND they aren't susceptible to Schrodinger's-cat-in-the-middle attacks.

Re:Not sure I understand the question.

[Zenin]

Why use "email" at all, why not Usenet or a web forum? Eliminate the entire point-to-point tracking problem.

Just throw your message (encrypted and signed of course) onto whatever forum you feel like, from whatever location, via whatever server (especially nice with Usenet). Only the receiver can tell if it's actually for them (their decrypt key works) and from you (signature matches). Use bots to mildly spam other nonsense messages encrypted and signed to add noise to the signal.

You could do something similar with torrents too, but for that both sides would need a steady supply of attractive content to act as the carrier. Game of Thrones episodes wouldn't get you very far. You'd need something like The Simpsons.

Re:Not sure I understand the question.

[Tadu]

1&1 and Deutsche Telekom in Germany just announced that (paraphrasing it) they will take email security more seriously now.

The announcement was from DT and United Internet (which has the sub companies 1&1.de, web.de, GMX.de), so you find the "eMail made in Germany" logo on all of them. These four plus GMail likely account for most email accounts in Germany. (And no, just because of having a subsidiary in the US doesn't make 1&1 an american company. It's not. Whether that helps the US employees against torture is another question, though.) Nevertheless, "more seriously" means enabling SSL encryption between servers, which technically is something that should have done a decade ago. So essentially it is nothing more than a marketing campain.

You might want t get an email account at GMX in Germany (product of 1&1)

You certainly don't want to. Fact is that the WW II hasn't ended in so far as there are still serious limitations on sovereignity on Germany from US side (the Russians gave up on them during German reunification). Essentially US authorities can order around German authorities, including in particular the order to not investigate US crimes on German soil. You also may want to look up the story of the guy who invited a few friends on fecesbook to take a walk to some spy facility to watch the endangered species of NSA agents from a distance (or some such). He had the modern equivalent of the Gestapo at his doorsteps a few days later and had to officially register this walk as a demonstration...

and then use PGP/GPG for fully

That for sure.

Re:Not sure I understand the question.

[dcollins117]

The other problem is that if you are most likely an "American" then you presumably do have rights assuming they are following the law. In which case the best strategy isn't to obfuscate your activity but to at the very least try and enhance your "Americanness".

That's got to be the most disturbing thing I've ever read on Slashdot. And that's saying something.

Oh, and just to be clear, I have never been a member of the communist party or affiliated with any fundamentalist religious group. In fact, I'm an atheist! I was born and raised in these beloved United States of America. I love my mom and apple pie. God bless America.

Re:Not sure I understand the question.

[NicBenjamin]

You certainly don't want to. Fact is that the WW II hasn't ended in so far as there are still serious limitations on sovereignity on Germany from US side (the Russians gave up on them during German reunification). Essentially US authorities can order around German authorities, including in particular the order to not investigate US crimes on German soil.

That's not really a relic of WW2. Any state allied to the US that wants US Troops based in it has to agree that all criminal cases involving said troops run through the US Military. We were supposed to have 10k or troops still in Iraq training their Army, but the Iraqis wouldn't extend their version of this deal. Obviously most of these agreements date to WW2 or it's immediate aftermath (Japan, Korea, etc.), but Afghanistan didn't have one until 2002.

From our point of view this is necessary because civilian courts suck art evaluating whether something was justified militarily. People who do not regularly fly a combat aircraft at 0.9 Mach and 150 ft simply are not capable of telling you who was at fault when one of those flights goes wrong.

Then there's the relative trustworthiness of court systems in various US Allies. Most of Europe is good, but there's a pretty big exception in Italy. The Italian Courts take forever to do anything even when they're working right, and it's not hard to find examples of them not working right. For example they just sentenced a CIA guy for an extraordinary rendition, but they happened to pick the one CIA guy who opposed the entire operation. Which is counter-productive, at best. Spanish Judges actually seem to like being called "Crusaders" in the media, and if I was a Spanish Judge I would be very tempted to play to Latin American Anti-American sentiment by insisting the US Troop who shorted his waitress 15 eurocents be sent to prison for theft.

And we don't just have European allies. How hard do you think it would be for the Taliban to find an innocent guy killed in the crossfire of a firefight, and get a couple Marines hanged for his murder? Hell, how hard do you think it would be for them to kill some innocent dude, and then bribe a couple local officials into convicting Americans of his murder. Heck if they were smart they'd use two judges. The one whose reluctant to kill innocent foreigners gets to be the dead dude.

It's a lot easier to get Afghanistan, the Spanish, the Italians, etc. to agree that US Military Courts will have sole jurisdiction in US Military cases if everybody else had to agree to that too.

You also may want to look up the story of the guy who invited a few friends on fecesbook to take a walk to some spy facility to watch the endangered species of NSA agents from a distance (or some such). He had the modern equivalent of the Gestapo at his doorsteps a few days later and had to officially register this walk as a demonstration..

So the US is evil because some guy wanted to demonstrate against us, and the German Government made him fill out paperwork calling it a demonstration?

I'm not familiar enough with German law to make any conclusive statements on it, but I do have to say that in most countries 10 demonstrators are enough to require a permit, and this guy ended up with 80. They weren't walking quietly, keeping to themselves, they were making a show of it. They used birdcalls to try to coax the "endangered species" out of it's underground facility, and they brought signs. That's a demonstration, and in every democracy in the entire fucking world 80 guys demonstrating at a government facility requires a permit. If you try to a start such a demonstration without a permit, the police make the assumption you have a reason to do so (for example, perhaps you intend to break into the facility in your search for NSA Agent when the birdcalls fail to work), therefore they have to talk to you to figure out the reason.

Hell, complaints of this kind are a major reason I trust the NSA. You can start a demonstration a

Re:Not sure I understand the question.

[NicBenjamin]

Those are the countries that claim a chunk of Antarctica plus Russia. Argentina and Chile are the Latin American territorial claimants. Unfortunately for those fleeing the US the only states on that list who aren't officially US Allies are Russia and Chile, the Russians record towards freedom of anything is extremely mixed, and the current Chilean government is probably more pro-US then most of our official allies.

Many other states have research stations on the continent. Nine of them are NATO (Belgium, Bulgaria, the Czech Republic, France, Germany, Italy, Poland, Romania, and Spain) and three more are other official (ie: Major Non-NATO) allies (Japan, South Korea, and Pakistan). Ukraine waffles between being Russia's ally and America's, and the Belarussians share their base with the Russians.

But Sweden, China, South Africa, Ecuador, India, Peru, Brazil, Uruguay, and Finland all have bases. It's theoretically possible the Uruguayans and Brazilians aren't tainted by pro-US policies and haven't done something that makes their claim to support the freedom of information a joke in the last decade, but you'd probably be better off setting up your servers in Brazil or Uruguay proper instead of Artigas and Commandante Ferraz.

Re: Not sure I understand the question.

[jd2112]

NSA analist: Interesting. A 14 year old girl and not one email about Justin Beiber. This warrants furthrt investigation.

Re:Not sure I understand the question.

[pepty]

The other problem is that if you are most likely an "American" then you presumably do have rights assuming they are following the law.

I really don't think that's a very safe assumption.

If you however pretend to be a 14 year old girl in Kansas the NSA will probably leave all of your communication alone due to legal necessity.

Then there's a chance that those email attachments are actually selfies, so they'll need to investigate in case of child pornography.

Re:Not sure I understand the question.

[fatwilbur]

I really couldn't give a rat's ass how many cycles the NSA wastes on trying to crack my encrypted attachments.

It has struck me as odd, that now we know how the NSA operates, no one has started using this against them. Why not have programs which send random, encrypted, suspicious content to other random points overseas?

I'm sure a few people working together could get enough servers in enough various countries and have them generate enough of what they would have found suspicious, to effectively drown out any useful data from their system?

Re:Not sure I understand the question.

[gl4ss]

it's not exactly the same.(to host in us friendly nations).

lavabit like situation wouldn't happen. you see, no such secret court system for handling such government interference. they would be free to bitch as much as they wanted publicly about whoever the fuck it was that came to their office with a warrant demanding them to install backdoors.

you see.. even in most US friendly nations they do expect ops to adhere to the law - something the US authorities ditched a long time ago...

Re:Not sure I understand the question.

[tlhIngan]

Also, since the communication is now international --- it now falls under lawful interception; because the NSA is free and expected to snoop on international communications, this bit about using an overseas provider essentially in all likelihood guarantees the NSA will receive a copy of the metadata... whereas, otherwise, it would not be so certain

I've wondered - why do people want to make their e-mail even more suspicious? The truth is, despite the saying, you're not all that special. The people you send email to aren't all that special either (for the most part - assuming most people don't correspond with "interesting people" with shipping orders on munitions or such).

By encrypting, using offshore services, etc, it puts your messages into the "interesting" category - something to examine in depth.

By doing what everyone else does you fall under the radar because you've become the background noise. It's not steganography because you're not trying to hide communications, you're just going about your day simply not caring and making your correspondence look just the same as everyone else's.

Or take it this way - do some people watching at a busy street and listen to other people's conversations. You'll find the vast majority are really quite dull and boring and you'll have to sift through days worth of phone calls before you can find the one nugget of interesting.

It's why metadata analysis is more interesting (and technically legal - a pen recorder in the old days could be had without a warrant, but actually recording phone calls required a warrant). Mapping a web of people and their interactions produces interesting behavior patterns. Even meta data analysis like whether it's encrypted can produce interesting results.

Re:Not sure I understand the question.

[kermidge]

I think you nailed it. Kinda like it's not what you know, it's who. These are the days of big data sifting and pattern analysis. Unless one is doing nefarious stuff in which case you'd be an idiot for doing so in a way that can be rendered open, it's background noise as you say. If one needs to deal with confidential business stuff there are plenty of ways to share sensitive docs.

Else, don't bother. Cousin Avery's gallbladder and Aunt Suzy's use of medical herb just aren't that important. The one possible catch is number of hops; if you talk with somebody who talks with someone who talks with someone else who talks with someone that's being looked at, you have to question whether you get looked at or not. Over time it's easier to sift data than put eyeballs on the street.

The latter is what's needed but it's very consuming of time and people and thus expensive, so the powers that be have simply re-written the laws to basically make anyone already guilty, so it's just a matter of if they want you or not - in which case no fancy security theater on your part will make a bloddy bit of difference.

Re:Not sure I understand the question.

[the_B0fh]

In that case, isn't it safer to keep it under lock and key? After all, if you keep restoring back to original, you are going to end up with an unpatched system, and that is just as dangerous.

Re:Not sure I understand the question.

[dizzy8578]

My mail server is in Germany. My communication is boring. Do you think I could get the NSA to replace those windows xp cd keys I accidentally deleted?

Runbox.com

[Gaygirlie]

I am using www.runbox.com myself: it's a service based in Norway, it's pretty cheap considering, they do not have any NSA-ties or the likes. I dunno what else to say about it, really, so I'll just copypaste this from their site:

Email Privacy in Norway

Some countries, especially in Europe, have a constitutional guarantee of secrecy of correspondence, wherein email is equated with letters and therefore protected from all types of screening and surveillance. In electronic communication, this principle protects not only the message contents but also the logs of when and from/to whom messages have been sent.

In Norway, freedom of expression and privacy of correspondence is governed by Article 100 and 102 of the Constitution and the implementation of the European Convention on Human Rights in the Norwegian Human Rights Act, especially Article 8: Right to respect for private and family life.

Additionally, the Personal Data Act as set forth by the Norwegian Data Inspectorate regulates collection, storage, and processing of personal data.

The Data Inspectorate was established January 1, 1980 and was among the first agencies in the world to facilitate the protection of individuals from violation of their right to privacy through processing of their personal data.

Central principles of the Norwegian data privacy regulations are:

        Personal data must only be collected by private entities when consent from the user has been obtained.
        Personal data must not be used for purposes inconsistent with the initial purpose of collection except with consent from the user.
        Personal data must not be stored longer than required by the purpose of collection.
        Personal data must be kept confidential unless required by law or court order.

Finally, the coming Data Retention Directive will soon be implemented in Norway but will only regulate electronic infrastructure providers, which Runbox is not.

Re:Runbox.com

Personal data must be kept confidential unless required by law or court order.

That's a hole you can drive a truck though. The NSA justifies everything on those grounds.

Re:Runbox.com

[MightyMartian]

Besides, the way I understand it, whatever privacy protections remain apply to US citizens on US soil. Use a foreign email serviced, and it sounds like all bets are off.

Re:Runbox.com

[msobkow]

The Norway data pipes probably run through the UK, as do most of the pipes in the EU. So rather than installing back doors on Norway's servers, the UK just sniffs the big data pipe traffic and captures that directly. And they give not one whit about your constitutional protections, any more than the US respects the Canadian constitution and Charter of Rights when they sniff our traffic while it passes through the big data pipes south of the border.

I don't think people are getting it yet.

Between Australia, the UK, and the US, something on the order of 90% of the global data traffic runs through the leeching backbone nodes that have sniffers attached to them. They don't need the cooperation of your local governments and ISPs to do their dirty work.

Re:Runbox.com

[spire3661]

The 4th amendment doesn't end at the border for a U.S. citizen.

Re:Runbox.com

Yeah, it ends 100 miles inside the border.

Re:Runbox.com

[ImdatS]

The problem is "... unless required by law", not the second part ("... or court order"). The NSA cannot request a court order in Norway.

But if Norway has a law that requires the email provider to provide information to the Norwegian secret service, which then forwards the information to the NSA, then yes, you can "can drive a truck through [that hole]".

Re:Runbox.com

[westlake]

it's pretty cheap considering, they do not have any NSA-ties or the likes.

You can't know that for certain. Redbox's internal and external auditors can't know that for certain.

Re:Runbox.com

[nebulus4]

The data pipes through Sweden and they do sniff the traffic. I wouldn't be surprised if they share the data with US and UK.

Re:Runbox.com

[amiga3D]

Those prices look damn good. You like the service.

Re:Runbox.com

[BUL2294]

But the on-site / server backdoors are necessary unless there's some unknown backdoor built into SSL that the NSA, MI6, IDF, etc. can utilize. By default, my GMail uses HTTPS, but the NSA's backdoor to Google servers negates that advantage.

So, unless there's an unknown backdoor built into SSL, as long as Runbox.com uses HTTPS, how should "Australia, the UK, the US", etc. know what was transmitted unless they use a brute-force attack?

Just yesterday, NPR indicated that US-based cloud platforms stand to lose between $21 billion and $35 billion over the next few years over the NSA scandal... http://www.npr.org/templates/story/story.php?storyId=210570888 . Lavamail and Silent Circle shut down unexpectedly & destroyed all data they had to not get caught up in the scandal...

Re:Runbox.com

[stenvar]

Some countries, especially in Europe, have a constitutional guarantee of secrecy of correspondence, wherein email is equated with letters and therefore protected from all types of screening and surveillance.

They also have numerous exceptions for national security, and fairly low thresholds for police and courts to actually get at the data.

Central principles of the Norwegian data privacy regulations are:

Notice how those principles only protect you from private entities (and are pretty vague too).

Re:Runbox.com

[msobkow]

HTTPS only encrypts the traffic between the server and your client.

Most email traffic is transmitted in plain text between the servers connected to the pipes, not over SSL.

The way it works is this:

• Set up the monitor/sniffer to watch the IPs that are running mail traffic. All you need is the IP address and the port number.
• When a request comes in to connect to the mail server, enable a responder watch to capture the port that is assigned by the server for the TCP stream. You don't even need to know what the client's port is going to be.
• Set up a stream sniffer to capture all traffic to/from the IP address and port that was assigned to the TCP stream.
• Analyze the header data for the email traffic pattern. If it's not email, stop sniffing the stream. Of course you could opt to monitor any kind of stream, not just email traffic.
• Tear down the contents of the uploaded stream being sent to the server, or downloaded from the server. As it's all based on open protocols, this is easy to do.
• In theory, only keep the email header data. Again, we only have the NSA's word that they're doing this. They've got the full message contents at their system's fingertips.
• Boom. Another "terrorist" email captured.

Re:Runbox.com

[msobkow]

The "back door" boxes that the NSA has installed on US services like GMail make it easier for them to collect the data, but they can do it regardless of whether a given ISP cooperates, as long as they know the IP and port of the email server the ISP is running.

What? You thought the NSA had their little black boxes installed here in Canada? Hell, no!

Re:Runbox.com

[nine-times]

Agreed. I don't think hosting your email in another country will do much to secure your email. If anything, it will make you a bigger target, since they've claimed their attention is pointed most directly in communications going in and out of the US.

Re:Runbox.com

[msobkow]

The other reason for the black boxes is to capture email between GMail users, for example. But as soon as you email someone with an address on a different email provider, your email contents are fired out plain text over the backbones between those servers, so they can capture it using the traffic sniffing approach.

The only way your email would be safe from the sniffers is if you only emailed people on the same out-of-country ISP you're proposing, and used SSL for all your email client's connections to/from that server.

But there is no way to secure your email from sniffing between the servers other than to encrypt the contents of your email yourself.

Re:Runbox.com

[msobkow]

By the way, the email headers are never encrypted. Only the body of the email is, so they can always get the "meta data" for your email message indicating who it's to/from and such, regardless of whether you encrypt your email or not.

Re:Runbox.com

[Rick+Zeman]

By the way, the email headers are never encrypted. Only the body of the email is, so they can always get the "meta data" for your email message indicating who it's to/from and such, regardless of whether you encrypt your email or not.

That's a point that can't be emphasized enough. TLS is good as far as it goes (and for who uses it), but it's only a partial solution.

Re:Runbox.com

[tiznom]

Here's the problem with Runbox: They email your username and password when you set up your account, plus they send your password to your recovery email address if you ever use the 'forgot password' function at login. Not a password reset link, or a temporary password to be reset. Your password, in plain text. Go on, try it yourself right now since you are using their service.

Re:Runbox.com

[msobkow]

Note: I'm talking about the traffic between email servers, not the communications between the email client and a given email server. They're different protocols, at least historically. So while they can't sniff your browser session's HTTPS connection to the email web server, they can and do sniff the traffic that leaves or enters the email server itself.

Re:Runbox.com

[msobkow]

i.e. I'm not talking about the POP3 and SMTP connections that your email client can run over SSH, but the inter-email-server messaging.

Re:Runbox.com

[Lawrence_Bird]

Often the domestic protections only apply to citizens of that country. In addition, Norway is a NATO member and as such subject to pressure from NSA to allow copying of all data in and out of the country by NSA similar to what is being done in the UK

Re:Runbox.com

[Gaygirlie]

Here's the problem with Runbox: They email your username and password when you set up your account

They didn't mail me that. I did get mail for the *support account* with the username and password, but not for the actual Runbox-account.

plus they send your password to your recovery email address if you ever use the 'forgot password' function at login. Not a password reset link, or a temporary password to be reset. Your password, in plain text. Go on, try it yourself right now since you are using their service.

Nope. I just tried it, it's a link to reset the password. At no point was my original password mentioned anywhere. I have no idea where you've gotten your misinformation from, but it's clearly incorrect.

Re:Runbox.com

[bruce_the_loon]

All current email server-to-server communication is SMTP or SMTP-TLS which is an encrypted channel. Except for internal site chatter on something like Exchange or Notes, SMTP is used globally, and even Exchange can be configured to use it for internal chatter.

You might be thinking of the old UUCP days, but those boxes are long dead for the vast majority.

Re:Runbox.com

[KarlIsNotMyName]

And Norway rushes to implement EU regulations before most of the countries in the EU gets around to considering them. Or even as other EU countries have lawsuits to shoot them down. I wouldn't trust my country on privacy at this time.

Re:Runbox.com

[aztracker1]

I've been thinking of a new way to do email.. thinking that a DHT posting would be really anonymous and less trackable, but would have no protection from spam.

Essentially, you have the original message (headers + body), that gets encrypted to a public key for the recipient... that is the MSG, for the transmission you have...

TO: CRC32(to-address)
FROM: CRC32(from-address)
DATE: ISO8601 (UTC date-time) MSG: ENC(data)
KEY: CRC32(msg)
CONF: CRC32(msg + to-address)

This could intentionally have conflicting TO hashes, (was thinking CRC16, but that would be difficult to have better distribution/routing)... so there's no guarantee the TO is your target... the recipient can simply request all mail bits (to/from/date/key/conf) for messages TO their CRC, they can then check against the KEY/CONF pair to determin if it is for them before downloading the body.

The hard part would be setting up a torrent-like system where several people have peer2peer emails so that it can be wholly decentralized. The other issues are dealing with SPAM, and finally would need to have a relatively short expiration.. ie: messages are deleted from the pool's nodes after a week, if you don't have a computer grabbing your mail when you go on vacation you could lose it. Also, announcing your email address/public-key, or announcing a new key could be problematic.

Re:Runbox.com

[KarlIsNotMyName]

Norway of course, isn't actually part of the EU, just has a shitty deal that wouldn't be so shitty, if we actually used our right to veto.

Re:Runbox.com

[KarlIsNotMyName]

Yes, Sweden spies on everything that goes through there. *waves to Swedish underlords"

Re:Runbox.com

[aztracker1]

If decentralization weren't an issue... an announce/pull email could make spam very easy to deal with...

Add a msg-id of (UUID):from-domain:to-domain to the above message example... have the sender's server contact the recipient's server, and announce the message.. the recipient's server looks up the MX for the sender's domain, and retrieves said message (no spoofing source domains), the recipient's server can then retrieve the message and store it however long it likes, until a user with NEWMAILPROT picks up their message (they could have a longer store time, like say 30 days).

I've actually given this all a lot of thought over the years... the issues surrounding security, which should now be sender to recipient, and spam, and decentralization as an ideal are very hard to overcome in a single solution.

Re:Runbox.com

[aztracker1]

I think that signed server-server TLS for SMTP would got a *LONG* way towards helping.. but if the sender's or receiver's hosts are complicit in surrendering data, the point is mute. The best bet would be a new protocol where end-to-end content is encrypted, and the to: is a hash loose enough for intentional collisions while being tight enough that some kind of routing system could work.

Re:Runbox.com

[mrbester]

Here's another problem with Runbox: the .com bit. According to various (retarded) rulings, all .com sites are essentially in US territory even if the servers aren't.

Re:Runbox.com

[darkonc]

If you live in the US, then the NSA can legally intercept anything that you send out of the US. Encrypting it makes it harder for them to read, but they've still intercepted the encrypted message. If they've got, or can extract the decoding private key, then they've also intercepted your cleartext message (effectively).

Re:Runbox.com

[darkonc]

The NSA doesn't need direct access to Google's servers to read your mail. All that they need is access to google's data pipes and a copy of their private key. There's probably a FISA order telling Google to give them access to Google's private keys -- and the person who received the order isn't allowed to talk about it.

Re:Runbox.com

[AmiMoJo]

Seems like it would be easy to circumvent. Encrypt the message subject and body with the recipient's private key. Then encrypt the recipient's address with a 3rd party forwarding server's address. Send to that server and have it forward the mail on to the recipient, after a short random delay and with some extra dummy data to prevent traffic analysis. You somewhat need to trust the server, but even it is compromised they only get the recipient's address, not the subject.

Re:Runbox.com

[AmiMoJo]

Using a foreign webmail service over HTTPS definitely will help. As long as the service itself can be trusted they can't see what details you used to log in, and therefore can't associate you with any particular account or email being sent/received. Maybe some kind of traffic analysis would be possible, but it could easily be thrawted by having a short random delay between the user clicking "send" and the email actually going out.

It's not perfect but keep in mind that most users of PRISM are not skilled or technically knowledgeable. All the tools are designed to make violating privacy easy for morons, with keyword access and a nice GUI for everything. If you make it harder for them to keep tabs on you then unless you are considered a major target no-one will bother circumventing your protective measures like this. Your name will simply not appear on the list when the unskilled snooper types in some half baked search term, and they won't get to jack off over your kid's photos on Faceboook.

Re:Runbox.com

[Pandur77]

The main data pipes from Norway go through Sweden for traffic to Europe and further east/south. But there's also several direct fiber connections across the Atlantic to North America.

Re:Runbox.com

[cavreader]

Yes the 4th amendment protections do end at the border. And I am still waiting to hear of someone being charged and prosecuted for a crime using the surveillance data collected by the NSA as evidence. The government surveillance methods cannot be declared illegal until they are vetted by the judiciary.

Re:Runbox.com

[ltwally]

Until two months ago, I was a Runbox subscriber for over 10 years. So I can offer a pretty good review of the standard account.

Pros:

1. Respectable mailbox size (10 gigs), more available for extra $$
2. Large attachments (100 megs), though very few other mailservers will be able to handle more than a third of that
3. Respectable feature set (filters, aliases, etc etc)
4. 1 gig FTP account
5. small HTTP account, with CPanel
6. Decent prices

Cons:

1. From anywhere in the continental United States: Slow. Slow SMTP, Slow POP3.

Perhaps it's because of the transatlantic nature of the connection. Perhaps they just have a slow service. But it's only gotten slower over the years. Eventually it became enough to drive me away.

Re:Runbox.com

[msobkow]

Times do indeed change.

But still, you have no guarantees that server to server communications are run over TLS.

Re:Runbox.com

[mysidia]

By the way, the email headers are never encrypted. Only the body of the email is

False. IPSec, SSL, TLS, or SMTP tunnneled over SSH, or other ad-hoc encapsulation protocols with encryption features can be used to secure the transport between cooperating mail servers.

Re:Runbox.com

[myowntrueself]

I worked in an Asian telco where a switch was being used for internal and external traffic, it wasn't partitioned into port based vlans. Amazingly it actually worked. Except that there was so much traffic through this switch that its tables were overflowing and it was functioning as a hub.

Consequently, sniffing from the mail server (which only had an external interface) one could see the unencrypted traffic between the servers that handle SMS messages. Ie you could read customers SMS messages.

(first thing I did was call one of the corporate lawyers over to have a look, explained it to him (to show I wasn't trying to hide anything), then wrote a report for my superiors complete with a (dead easy to implement plan) to fix this 'problem'. Next thing I know they have Huawei engineers crawling all over the place and I'm fired.

Also, this mail server had all the passwords in plain text and almost all of them (about 90%) were 123456. Including the CEO.

It doesn't require much sophistication to totally own an operation like that and monitor everyones SMS messages.

Re:Runbox.com

[msobkow]

Tunneling means the whole traffic stream is encrypted, not that the headers are encrypted.

Only the body of the email is encrypted if you use email encryption, not the headers.

Whether the whole traffic stream is encrypted is entirely up to the email provider and not under your control.

Re:Runbox.com

[msobkow]

Check the full headers on some emails you've received from outside your ISP's domain. You'll find that they're often routed through a handful of servers. As long as any one of those server-server communications are done without TLS, your headers are vulnerable to sniffing.

You can *not* assume that every ISP in the email route is competent, energetic, and cares about security. You have to assume that at least one of them is incompetent, lazy, and doesn't give a shit about your security. Which means you have to assume the email is routed in plain text. Any competent security professional will tell you the same thing.

Re:Runbox.com

[mysidia]

Whether the whole traffic stream is encrypted is entirely up to the email provider and not under your control.

That's just not true. I can configure my mail server to refuse to accept MAIL FROM, RCPT TO, or DATA from any domain's mail server that has not negotiated TLS with me.

I can configure my mail server to refuse to send mail to any server that will not accept my server's TLS negotiation.

The result will be, all messages are encrypted; headers, body, and all, in transit from my server to the domain's MX and from any domain's MX to my server.

Re:Runbox.com

[bruce_the_loon]

Given what I see in a sweep of the mail logs on the servers I manage, TLS is almost guaranteed to not be there.

Re:Runbox.com

[NicBenjamin]

Why would they do that?

Presumably if you're actually planning a terror attack you do all kinds of things that create evidence. You're buying things that go boom, talking to nasty people, etc. They'll have plenty of evidence that is NSA-free. They get your metadata with a FISA warrant, figure out you're talking to a terrorist, then get a non-FISA warrant so google will tell them the text of your emails, then use the text of said emails to find out more, etc. Why bother presenting the metadata in Court?

Investigations are really complex, and involve a lot of steps that may (but may not) depend on each-other. I have no doubt that this NSA stuff was at least present in the files of some recently convicted terrorists, but that it wasn't mentioned in Court because a) it might get thrown out, and b) they didn't need it for a conviction. If Obama ever starts taking this seriously (which would basically require a bunch of Senate Democrats to take this seriously, and/or Boehnor and the House GOP to stop bitching about taxes/spending long enough to talk about shit that matters) I have no doubt all those convictions will be brought out to the public.

I sincerely doubt any of it would actually means anything, because unless they tell us exactly what they did we can't tell whether this NSA stuff was just kinda there, or whether it blew open the case. And if they tell US exactly what they did they tell Al Qaeda exactly what they did. Which I really don't want. I honestly have no clue whether AQ could find a way top seriously hurt us with that info, because that kind of thing is simply unknowable until you actually try it, but really have a burning desire not to find that out. I wouldn't mind finding out more about the NSA sections of their files, but to actually figure out whether the NSA section is important they have to tell you everything else, and that strikes me as a bad idea.

What would be interesting to know is the number of drone attack victims who have an NSA section in their files. Guys who directly attack us tend to be in the US, talking to Americans, which means the NSA has to do it's best not to accidentally read their mail, and in turn means that if they got anything on the Fort Hood shooter it's like one email they forwarded to the FBI.

Re:Runbox.com

[NicBenjamin]

You do realize the legal theory pretty much all NSA interception is based on is that one of the people in a conversation is a foreigner? And if your email address is .co.no the NSA can make that assumption, and is legally entitled to all communications from a .com address to you? They don't need a warrant, they don't need a Court Order, they're 51% sure you're a foreigner therefore you have no rights, therefore until they stumble across an email from you that includes the phrase "I am a US Citizen," you have no rights. Even after they stumble across said email, the "good faith" exception means they don't have to delete any of their info on you, and all they have to do is turn your name over to the FBI for a serious investigation.

I sincerely doubt there's a way to avoid NSA snooping without opening yourself up to much worse snooping because all the democracies intelligence services and court systems work together, so if the NSA has enough probable cause for a US warrant the French are probably gonna bend over backwards to provide all the damn data. The non-democracies and shitty democracies are probably doing the same shit the NSA does, except instead of focusing on a tiny little ideology that would be lucky to get 1% support (there ain't many Islamists in the US) they're focused on the Chinese and Russian equivalent of Mitt Romney. Assange, for example, would probably be totally unacceptable to Ecuador if he had any interaction at all with Latin American NGOs because latin American NGOs are associated with the rich, which (to Correa at least) means the US.

Re:Runbox.com

[cavreader]

You are right when you say we will never really know where the intelligence comes from that causes the US to send up the drones. I suspect most of the actionable intelligence comes from human assets on the ground and not from some super secret technology used by the government. Technology can provide good survellience tools but you need to point it in the right direction to produce any worthwhile results. The current data collection programs do not provide the information to stop an attack unless the attack is in the planning stage for a long time. There is just too much data and not enough analysts to process that amount of information. Even the most advanced keyword analytics will still result in millions of hits a day that would require human intervention to determine the utility of the information. About the only thing they could do is analyze some of the metadata using targeted queries. One example would be detecting communication patterns to the middle east and other parts of the world where the US has security interests. In my first post I was trying to address the idea that the programs such as the Patriot Act or PRISM really violates somones 4th amendment rights. Until someone is charged with a crime and presents their defense in court the question of violating rights is still up in the air. The executive and legislative branches create and declare new laws and they tend to rely on in-house council to review the proposed law for obvious defects but that is still a long way from declaring the law legal. The law needs to be applied in such a manner that it can be specifically challenged. And the judiciary cannot perform this level of review until a case appears in front of them. The entire reason GITMO exists is to prevent prisoners from accessing the US legal system and risk having the Patriot Act and other laws ruled against. This has already happened to a professor who was charged and prosecuted under the Patriot Act and the court ruled against the Patriot Act articles involved in the case and dismissed all charges.

KGB better than NSA?

[tonytally]

You'd really rather have the KGB looking over your shoulder rather than NSA? Surely you are joking.

Re:KGB better than NSA?

[Opportunist]

As a US citizen, I sure as hell would prefer the KGB looking over my shoulder. the chance that it has any kind of impact on my life is far lower.

Re:KGB better than NSA?

[Xenx]

I would assume they meant they'd rather a foreign government that isn't likely to care about them as an individual, instead of the local government which may.

Re: KGB better than NSA?

If you're in the Soviet Union, the NSA is better, no joke. Think about why. Pop quiz later.

Re:KGB better than NSA?

ask Snowden :)

Re:KGB better than NSA?

[gmuslera]

The KGB still don't send drones to kill innocents to other countries, things that happen with the NSA if you are not in US, and maybe in a short time, even if you are.

Re:KGB better than NSA?

[DeathGrippe]

You don't know that for a fact. Russian intelligence is every bit as invasive as ours, and is subject to far fewer restrictions. Putin himself recently said that the US is only doing what the Russians have been doing all along. And, don't forget, Putin is the former head of the KGB.

Re:KGB better than NSA?

[PolygamousRanchKid+]

The FSB and SVR, the artists formally known as KGB, have limited resources. They are used to going after those that they evalutate as threats.

The NSA has unlimited resources. The NSA just goes after everybody. They can afford to skip the evaluation phase.

Re:KGB better than NSA?

[sshir]

Actually, it's a rather common practice. Assumption is that with the exception of rare cases (i.e. Chechens), KGB (a.k.a. FSB) does not talk to FBI. So they are played against each other: Don't want NSA reading your stuff - tunnel to mail.ru (or such), don't want FSB - tunnel to gmail. Don't like both reading the same message - try Asians (and btw, you have some serious problems my friend.) I would not go with Europeans though - there were some nasty scandals in the past (even with Swiss of all nations)

Re: KGB better than NSA?

[lxs]

Is it because the NSA is famously helpful to time travellers?

Re: KGB better than NSA?

[EvilSS]

If you're in the Soviet Union, the NSA is better, no joke. Think about why. Pop quiz later.

Because you're a time traveler?

Re:KGB better than NSA?

[lxs]

That's right. Although the KGB has long since passed the torch to the FSB, and the FSB still sends humans to do their dirty work.

Re:KGB better than NSA?

[Princeofcups]

As a US citizen, I sure as hell would prefer the KGB looking over my shoulder. the chance that it has any kind of impact on my life is far lower.

Considering it was disbanded in 1991, I wouldn't worry about them either. Americans really don't care about world history do they (we)?

Re:KGB better than NSA?

Apparently you've never been to Belarus. The KGB never did disband there (and yes it is still called the KGB and is as devious as ever).

Re:KGB better than NSA?

[0111+1110]

It is the NKVD or GPU that we should really be worried about.

Re:KGB better than NSA?

[0111+1110]

and is subject to far fewer restrictions.

Restrictions? What are these "restrictions" you speak of?

Re:KGB better than NSA?

[unixisc]

Glad you mentioned this - the KGB hasn't been around since 1991.

Re:KGB better than NSA?

[gmuslera]

So far the countries that i've seen to do indiscriminated killing in other, not in war, countries because "there are hidden terrorists" are US and Israel. Maybe they manage to kill the suspicious people (with no certain that they were guilty, but they redefine them as plain terrorist after all), but they kill also everyone around. US sent drones to schools, funerals, weddings, games and so on because "there are a suspicious meeting there". I don't know what Russia is or may be doing, but i know what US is doing, and is bad enough.

Re:KGB better than NSA?

[TheGratefulNet]

so, you're saying my video card is now bugging me, too??

I knew it. I just knew it! nvidia is not to be trusted either.

Re:KGB better than NSA?

The KGB (really NKVD or GPU) don't have SWAT teams ready for deployment in my home country that can break down my door because of some random erroneous keyword matchup with something supposedly terrorist-related. They aren't likely to deny me a job or put me on a list because of their errors, or if they do, the chances it will matter to me are slim.

Domestic surveillance is 10x worse than foreign because the former can easily act on it. For false positives/innocent people, that's something greater to worry about than what some foreign country will do with the same information (probably nothing).

It seems stupidly backwards at first glance, but for innocent people, what the "home office" will do with the information is always a greater concern.

Re:KGB better than NSA?

[similar_name]

You don't know that for a fact.

He could never know that for a fact. You are attempting to force him to prove a negative to make his point. If you think there are Russian drone attacks then you should provide evidence of it. He can not provide evidence that something didn't happen.

Russian intelligence is every bit as invasive as ours, and is subject to far fewer restrictions. Putin himself recently said that the US is only doing what the Russians have been doing all along. And, don't forget, Putin is the former head of the KGB.

Don't forget Bush Sr. was the director of the CIA. I'm sure Putin did say that but Russia also recently bought drones from the UAE. And if you search for russian drone attacks all you get is stuff about U.S. drones and a few consipiracy theories about Obama.

You're only speculating. I could say that Russia uses space based gamma ray lasers to keep alien invaders at bay. They nobly sacrificed their economy and communism to save the human race while the U.S. enjoyed prosperity and protection. Prove that didn't happen.

Re:KGB better than NSA?

[cervesaebraciator]

And, don't forget, Putin is the former head of the KGB.

FYI: Putin was not, as is commonly stated, head of the KGB. The highest rank he achieved before his resignation was Lt. Colonel. He was appointed head of the FSB in '98 by Yeltsin, however. FSB is one of the successor organizations of the KGB, covering similar ground to that of MI5 (particularly counter intelligence and domestic surveillance, all the fun of the FBI and NSA rolled into one).

It is interesting in this regard to note that George H.W. Bush was himself once Director of Central Intelligence (CIA head). One might almost get the impression that being privy to the secrets gathered by a state security apparatus has political advantages.

Re: KGB better than NSA?

[Aighearach]

ZOMG he totally forgot theirz no Soviet Union! lolcatz! How many phds do you need to understand his point?

At least 3... one to search for them in their known former terrain, another to dig for their bones, and another to search for linguistic clues.

If you can get the funding, another to use false-color satellite images to gain popular support for your search.

Re:KGB better than NSA?

[Aighearach]

The KGB still don't send drones to kill innocents to other countries, things that happen with the NSA if you are not in US, and maybe in a short time, even if you are.

Grandpa, that's because the FSB does that now. http://en.rian.ru/military_news/20130121/178915985.html
Now take your meds it is almost nap time.

Re:KGB better than NSA?

NKVD -- dissolved in 1954
GPU -- dissolved in 1923

Perhaps you think of the GRU? Or you're a time-traveller.

Re:KGB better than NSA?

[Lotana]

You may want to look up the time Russia spent in Afganistan and Chechnya.

Re:KGB better than NSA?

[utkonos]

Disbanded? Hardly. It's alive and well, it just changed its name to Federalnaya Sluzhba Bezopasnosti (FSB) from Komitet Gosudartvennoi Bezopastnosti (KGB). HQ is the exact same building (Lubyanka), which by the way is the tallest building in Moscow (because you can see Siberia from the basement). It has all the same people working for it that worked for the KGB.

However, they are probably not the group in the government that would be reading your email. That group is the Russian Federal Service for Mass Media, Telecommunications and the Protection of Cultural Heritage (Rosokhrankultura).

Re:KGB better than NSA?

[phayes]

Unlimited resources? Using such hyperbole only makes you look like a loon.

Re:KGB better than NSA?

[mysidia]

As a US citizen, I sure as hell would prefer the KGB looking over my shoulder. the chance that it has any kind of impact on my life is far lower.

That all depends on how much you're willing to pay the KGB agents blackmailing you.

If the amount is deemed insufficient, you may find the pertinent details mysteriously arriving in the hands of your friendly neighborhood field office, anyways.

Re:KGB better than NSA?

[lxs]

All you really need is a big hug, a walk in a sunny park and some perspective. So put down Jane's Fighting Ships for a bit and pick up some Jane Austen.

Re:KGB better than NSA?

[gdy]

Wrong. KGB have been split into three parts - foreign intelligence (SVR), border guards and internal security (FSB). Since then border guards have joined FSB but SVR remains a separate entity.

Re:KGB better than NSA?

[NicBenjamin]

Nope. Because Russia is too shitty at technology to build drones.

The Russians use Polonium.

Re:KGB better than NSA?

[NicBenjamin]

I don't like the Israelis very much, and I'm quite a bit more skeptical of the use of force then a lot of Americans, but methinks your problem is that you ignore anything that doesn't involve the US.

Russia is, at this very minute, supporting major secessionist movements in Abkhazia and Transdneipr. Neither is really big enough to be it's own independent state, both are trying to secede from countries roughly the size of Denmark; but the Russians don't care. They say the West supported an independent (roughly 1 million person) Kosovo, therefore these two tiny statelets with a combined population of 800k deserve troops from Mother Russia. OTOH if the same problem appears in Russia it's an internal Russian matter, and it's nobody's business what the Russian state does to preserve it's territory.

I don't know if anyone is actually dying as part of these conflicts, largely because people like you don't watch News shows that cover Russia bullying Georgia, but there was actually a war between Abkhazia and the Georgians. It was preceded in '93 by a minor incident where a quarter million ethnic Georgians were expelled from Abkhaz territory and 15,000 died. Yeah, technically it's genocide, and technically it's worse then the genocidal crap the Israelis do, but apparently it's only news when the US and it's allies do bad things.

BTW, you may note that I made a point of not mentioning either of the matters Lotana mentioned. When the US does evil we go after one guy, we try not to kill more then a handful of his associates, and everyone criticizes us for it. The Israelis are quite a bit less selective, in favor of a cause I don't have much sympathy for, but they too get raked over the coals for anything they do.

I get very annoyed when internet-savvy westerners rip the US to shreds for being un-Democratic and evil, and then imply the Russians are better because they milk Snowden for propaganda value. They aren't.

Re:KGB better than NSA?

[utkonos]

I don't see how what you said and what I said are different. I was disagreeing with what the parent said: that the organization was disbanded. It was not, it was reorganized and the name was changed. The main point I wanted to make is that its the same people. You can call it whatever you like, and you can divide it into as many "separate" departments as you like, but its still the same animal. When was the last time you lived in Russia?

Wrong question

Since the NSA programs are designed primarily to intercept communications between US and non-US folks, if you are in the US and store your mail somewhere else you are asking the NSA to collect all of it. Today, if you are in the US and have your hosting in the US the NSA only gets the parts that go between you and someone in another country (or where you said some "interesting" thing like "that new pressure cooker that fits in my backpack for camping is the bomb". If you move your mail to another country, the NSA will be collecting it all (assuming your communications end point is still in the US). Yes, encryption, VPN, yada, yada. You really don't gain much by moving it.

Re:Wrong question

Since the NSA programs are designed primarily to intercept communications between US and non-US folks,

You haven't been listening. They are designed to intercept everything. The queries are supposed to relate to outside communication and/or anything else of interest (by definition, if someone looks at it for some reason, that means it is of interest). But everything is intercepted.

Yes, encryption, VPN, yada, yada. You really don't gain much by moving it.

Except that decrypting stuff is expensive, so the average NSA snooper will incur traceable costs he might need to justify better than "oh, I just had a hunch I might be interested in my neighbors mail".

Re: Wrong question

It's much harder to dragnet SSL traffic from a foreign server. You gain plenty by moving abroad.

Re:Wrong question

[gl4ss]

eheh.
the whole debacle is about NSA applying such rules in quite loose form, they dont' care for shit.
Today if you're in the USA, NSA can get it all "by the book"(their book, not the lawbook) because you talked to some dude on a foreign forum - you did that by posting on slashdot. so you're screwed.
but true, it doesn't help much, only thing that would help would be to get people sending you mail to encrypt it before they send it to you.

however - hosting it outside of USA definitely does help against men in suits with secret court orders, because those only work in USA(and puppet states, in most puppet states too you'll need a local court order at least because the secret USA one isn't worth shit).

Re:Wrong question

[DNS-and-BIND]

The NSA was like that. Not any more. They're intercepting everything, international or no.

I always liked the NSA. They were the good guys as long as they were the ones giving us an advantage. Now they've followed the rest of the federal government into "we're just expanding our power because we can" mode. Sad, NSA did a lot of good back in the day.

Re:Wrong Question

[cartel1982]

Encrypt? Using RSA?

The NSA has an undisclosed black budget and has been pouring money into quantum computing for over a decade. They can read encrypted messages.

Re:Wrong Question

[anfi]

User2user encryption is important but it is not all. Some people may dislike idea NSA.gov(.us) registering even "communication patterns" (when, to whom, size). User2user encryption does not cover it.

"Communication patterns" with big supporting databases can "suggests" A LOT.

P.S. There would be no american revolution with NSA.gov.uk watching carefully ;-)

Re:Wrong Question

That is fucking bullshit. The NSA don't have a monopoly on scientists and practical quantum computing is decades off.

There's nothing the NSA would like people to believe more than that they can magically break modern encryption that would take 1000,000s of processor years to decrypt. The more people believe it, the less they will bother using encryption and the easier it is to keep tabs on the few that do.

Re:Wrong question

[Z00L00K]

Just figure out which countries that are a pain in the butt for the US when it comes to politics and host your mail there.

I just wonder if this is going to be a new market for states like Switzerland, Lichtenstein, Luxemburg and Jersey now that they have started to share some of the bank information.

But Germany is actually a good alternative these days.

Re:Wrong Question

[julesh]

Evidence suggests that scaling quantum computing to the large number of qubits required to decrypt 2kbit RSA would be extraordinarily expensive, if possible at all. The largest quantum computer[1] built so far outside of secret institutions has, I believe, 14 qubits (I may be a little out-of-date, but not by a long way). Scaling has occurred at a fairly constant linear rate of about 1 qubit per annum since the earliest machines were produced. There's no signs of an exponential take-off the way there was with conventional computing hardware, which suggests that the expense of scaling to larger and larger quantum computers doesn't get decrease the way it does with silicon.

Some data points:

1998: 3 qubits
2000: 5 qubits
2001: 7 qubits (largest achieved to date with single atom containing all qubits in different degrees of freedom)
2005: 8 qubits
2006: 12 qubits
2011: 14 qubits

This is the best private industry can do. I'd be surprised if the NSA were doing more than a factor of 10 better. To crack 2048-bit RSA, about 3000 qubits would be required[2], or about 20 times my best guess as the limit of what the NSA could have achieved. Besides, Shor's algorithm is not instant: even if it's faster than any classical algorithm, it's still third-order polynomial on the number of bits in the input, and quantum computers don't perform individual operations particularly quickly, so even if we assume the NSA has managed to make a quantum computer that's a thousand times faster per operation than existing private systems, to factor a 2048-bit RSA key on a 3,000 qubit computer would take about 8.6 billion operations running at about 10-100us each, which is to say approximately 1 to 10 days of time on the (enormously expensive) system (of which they almost certainly only have one, which will therefore have a very long prioritized queue of jobs waiting for it).

And upgrade to 4096 bits, and they'll need a quantum computer with 6,000 qubits, and the job will take somewhere between a week and three months to complete.

[1] I'm excluding so-called quantum annealing computers from this, e.g. various systems produced by D-Wave, because they cannot be used to run Shor's algorithm, so are not a threat to RSA. This is not so much an entry into the debate as to whether or not they should be classified as quantum computers, but a practical decision based on the subject under discussion.
[2] traditionally, this would be 4096 (twice the number of bits in the input), but this arxiv paper claims 1.5 x bits in input or fewer is achievable through a method I don't really understand

Re:Wrong question

[Aighearach]

"Germany sends 'massive amounts' of phone, email data to NSA" http://rt.com/news/germany-nsa-sharing-surveillance-179/

Re:Wrong Question

[Chemisor]

> How do I get everyone to sign and encrypt their emails as a matter of course?

Make it work transparently, that's how. Looking for people's keys is a hassle. Entering yet another password is a hassle. The solution should be obvious:

1. The mail client should generate a keypair for each profile, usable without a password.
2. Attach this public key to every outgoing email
3. All outgoing email should be encrypted if the recepient has a known public key and is known to be using a client that supports encryption.

This way, most email traffic will get encrypted by default without the user having to know anything about it. Without a password on the keypair you will still be vulnerable to local attacks, but anybody who wants to read your mail will now need to break into your computer instead of just being able to sniff traffic in bulk.

Re:Wrong Question

[fph+il+quozientatore]

Scaling has occurred at a fairly constant linear rate of about 1 qubit per annum since the earliest machines were produced. There's no signs of an exponential take-off the way there was with conventional computing hardware

Shouldn't 1 qubit/year already be considered an exponential growth? After all, if (say) RAM doubles its size every year, you are adding 1 bit per year to the available address space.

hushmail.com

it is in canada. the americans could still get to it, but at least they would need a proper canadian warrant, not just a nsa search button. i wouldn't suggest it if you plan to do crime, but if you just want basic civili liberties it is a worthwhile option.

Re: hushmail.com

Ironically, the services you'd most like are probably in China and Russia.

Re:hushmail.com

[gmuslera]

This Hushmail? They already gave customers emails to US authorities, and we are talking about 6 years ago. Not sure how or if things changed, but i would avoid them, or at the very least their web interface.

Re:hushmail.com

[julesh]

Yes, they surrendered data with a court order. Pretty-much any service provider in most countries will, and when there's actual evidence of serious crimes tied to your identity it's easy to get such a court order in most countries. These were targeted, court-approved disclosures, which is a very, very different thing from massive unwarranted trawling.

Also: if you avoid their javascript-based interface and use the java applet, they still *can't* disclose your emails, as they are never available unencrypted on their server.

Roll your own...

[flogger]

My email server is sitting in my laundry room. I also host some message forums and picture galleries for just my family and friends. It is how I communicate with them.

Only about 1/3 of my family and friends use my server for email.... So any over seas email service is going to have the same limitation as mine. If I email my sister from my server, that email goes to gmail. So now the NSA knows what I sent to my sister.

So unless everyone you communicate with is outside of the US or on a server outside of NSA's reach, it won;t do any good.

Sorry to break it to you, but in the war against terror, the American people have lost.

Re: Roll your own...

[MarioMax]

I agree completely, roll your own is the best method. The only issues with it is technical know-how, and ISP limitations (and cost). But if those are a non issue, there is no better solution.

Re:Roll your own...

[wezelboy]

Let's get hypothetical...

One of your nephews or cousins that uses your e-mail server decides to purchase a pressure cooker online. He also has some friends in Europe that he e-mails once in a while. What do you do when the NSA asks you for all the e-mails stored on your server?

Re: Roll your own...

[MarioMax]

Demand a search warrant issued by the local county or state judge, and have the county sheriff deliver it in person. No search warrant, no search.

Re:Roll your own...

What do you do when the NSA asks you for all the e-mails stored on your server?

Switch on the degausser which obliterates the data on the server,
then remove the hard drives and melt down the platters.

Re:Roll your own...

[ickleberry]

I run my own email server as well. Not hard to set up and maintain dovecot+postfix + roundcube (optional) at all but unfortunately a lot of people are a bit *too* addicted to convienience and have outsourced everything to the Big Bad GOOG

Re: Roll your own...

[wezelboy]

That might by you some time at best. You can wipe the server drives, but then you will be charged with contempt or worse obstruction of justice. The first you may hear of it is your front door smashed in and cops with guns (and a warrant) in your house.

Re:Roll your own...

[ImdatS]

A while ago I had a similar thought. My solution was quite easy:

Install an email system that does the the following: Normally, when "standard" email arrives, it is processed as usual.

When an email arrives from an authorized sender (such as you), in a very specially formatted way and with special content, the mail server immediately starts destroying all emails, all communication logs, and all attached backups. It literally not only unlinks the files, but also replaces all impacted file-contents with "0". You can even do it on block-level completely reformat (overwrite) the hard disc in a way that it looks crashed. It then initiates a clean re-install of a clean, unused, fresh out-of-the-box system.

The only that you have to do is to make sure none of the backups are available... Then again, I would probably NOT have historical backups of emails outside somewhere, but rather backups on devices that *are* connected to the server and erase those too...

End result: "Ooops, sorry, but it seems, my server has crashed..."

Re:Roll your own...

[ImdatS]

Alternatively, you could have everything on an encrypted hard disc and instead of deleting the files, you delete the key (overwrite it on a block-level). So could hand-over the hard disc but since the key is not retrievable anymore (and you could make it so that it looks like a hard disc failure), that's it...

Re:Roll your own...

[FridayBob]

Completely agree; I've been doing it like this for longer than services like Gmail and Hotmail have been around. However, with XS4ALL as my ISP here in the Netherlands, things have certainly been made easy for me. For example, my DSL connection has a fixed public IPv4 address and PPP makes it relatively easy for me to arrange for my public IPv4 address to be on my personal server. In turn, this not only allows me to run my own firewall and NAT, thus affording me far better security than I can expect from the firmware on a consumer-grade DSL modem/router, but it also allows me to support protocols like SIP, Kerberos and various tunneling solutions. It's even allowed me to set up an OpenAFS cell that spans multiple Internet connections.

But, how easy is it to do this in the United States these days? Do any ISPs in the US support fixed IPv4 address for their consumer subscribers? Are there any Slashdotters in the States who have managed to configure their public IPv4 address on their personal server without using a professional Internet subscription?

Re:Roll your own...

[Manfre]

Rolling your own server is great, but email's fundamental purpose to to send and receive. Unless you are certain both end points and all hops in between are secure, it's pointless.

Re:Roll your own...

[Aighearach]

Sorry to break it to you, but in the war against terror, the American people have lost.

Americans who are freaking out have lost. Americans who are all, like, "meh" have successfully defeated terrorism. ;)

Re:Roll your own...

[Aighearach]

Comcast generally gives you the same IP address for years, as long as you keep using it (eg, you don't turn your cable modem off).
Many smaller ISPs offer static IP service for a small fee. Comcast will only guarantee you keep the same IP for business customers.

However, it is a fake problem because if your IP isn't static, you can just use a dynamic DNS service, so you.somedyndnsservice.com will always point to you. And then you have a local client that updates the record whenever your IP changes.

Re:Roll your own...

[ImdatS]

I did check that and came back with

On the other hand, according to the 2006 NIST Special Publication 800-88 (p. 7): "Studies have shown that most of today’s media can be effectively cleared by one overwrite" and "for ATA disk drives manufactured after 2001 (over 15 GB) the terms clearing and purging have converged."[1] An analysis by Wright et al. of recovery techniques, including magnetic force microscopy, also concludes that a single wipe is all that is required for modern drives. They point out that the long time required for multiple wipes "has created a situation where many organisations ignore the issue all together – resulting in data leaks and loss.

Source: http://en.wikipedia.org/wiki/Data_remanence#Overwriting

My argument above is, it seems, correct: overwriting with "0" will solves this. Lookup the sentence above:

It literally not only unlinks the files, but also replaces all impacted file-contents with "0"

which quite actually says that one should overwrite it. Alternatively, I have recommended "encryption" in my posting below.

So, next time you tell someone he doesn't know what he's talking about, maybe it could be a good idea for you to re-read his/her statement and try to understand it before commenting.

Re: Roll your own...

[aztracker1]

One of my bigger issues is that I really want a solution that supports multiple domains, is open-source, has a decent webmail interface and doesn't suck... I've been using a now older version of Smartermail I bought several years ago that has worked pretty well.. but It's pretty much my last Windows VM, and it's fairly old now. I'm no longer hosting for anyone other than a few friends and family (that I don't charge for), so buying another product isn't an option.

Most of the solutions I've looked at (OpenXchange, etc) are either really complicated to setup the "free/open" version, or just plain suck. I'd actually been thinking of moving it all to domains.live.com, but even then getting away from a U.S. host would be nice, or rolling a non-windows VM solution.

Re:Roll your own...

[aztracker1]

For the most part a business account isn't much more than a personal one.. most cable providers block more inbound ports than DSL from what I've seen.. as far as the dynamic IP, there are plenty of dynamic dns options out there, where you can have your DNS entries updated when your IP changes.. most ISPs that I've seen in the US have their IPs set out for at least a week at a time (short of a router/MAC change for your public connection). YMMV

Re:Roll your own...

[FridayBob]

Comcast generally gives you the same IP address for years, as long as you keep using it (eg, you don't turn your cable modem off).

That's what I would call a typical dynamic IP address service. Apparently, supporting the administration necessary to maintain a fixed IP address for all of their subscribers -- whether they choose to keep their modems switched on all the time or not -- is not something that every ISP wants to do.

Many smaller ISPs offer static IP service for a small fee.

Okay, so the concept is definitely not out of reach to all Americans. That's good to hear.

Comcast will only guarantee you keep the same IP for business customers.

I suspect most ISPs around the world are like Comcast.

However, it is a fake problem because if your IP isn't static, you can just use a dynamic DNS service, so you.somedyndnsservice.com will always point to you. And then you have a local client that updates the record whenever your IP changes.

IMO, DDNS is only a solution for the simplest of home server configurations. Yes, it solves the forward-lookup DNS problem, but it prevents you from running your own DNS server. Also, having a dynamic IP address also means that you will never have a proper reverse-lookup for your server; an often overlooked aspect in configuring a trustworthy mail server. Moreover, maintaining a subscription with an Internet DDNS service means yet more costs, having to put your trust in yet another 3rd party, and always having to run some client software that they give you. I'd rather avoid all that.

Re:Roll your own...

[Aighearach]

Sorry, I meant, as long as you don't turn your cable modem off for over a day.

Re:Roll your own...

[dotancohen]

You are encouraged to post the qmail rules as AC.

Re: Roll your own...

[Reziac]

Cite U.S. Code Title 18, Sections 241-242. Call a federal marshal. This combination takes a dim view of ridiculous fishing expeditions and a lack of proper warrants.

Re:Roll your own...

[NicBenjamin]

Let's get hypothetical...

One of your nephews or cousins that uses your e-mail server decides to purchase a pressure cooker online. He also has some friends in Europe that he e-mails once in a while. What do you do when the NSA asks you for all the e-mails stored on your server?

So you still have an advantage because now you know that there's a warrant targeting you, personally.

There is no actual good solution to this problem. The government has infinite power, if it's actually abusing the law the way Snowden alleges (and it's clear he's simply wrong about several of his allegations), then going abroad only means they file for a foreign warrant before they screw you, or they get all your emails from the numerous people you know who haven't gone abroad.

More importantly if you're going to a place that hates the US Legal system so much they'll ignore a FISA warrant you're either a) going to a place where connectivity will be an issue (Africa is long-ass way from the US), b) going to a place where the local snoops have literally no restrictions (Russia), or c) both (Cuba makes a point of restricting the internet so your connection is bound to suck).

Re:Roll your own...

[NicBenjamin]

And now you've committed Contempt of Court and you're going to jail. Possibly Obstruction of Justice as well.

And jury's typically assume the dude who destroyed the evidence had a reason to destroy the evidence, so when your nephew fingers you as the source of all the weed he's been selling his High School you gonna be going away for a while.

Kremvax, of course!

http://en.wikipedia.org/wiki/Kremvax

Tuffmail

[sinkasapa]

Tuffmail was a service I chose because it was the best but it also happens to be a Canadian company.

http://www.tuffmail.com/

Use your own domain and host

[MarioMax]

Domain names are relatively cheap, and hosting is relatively cheap. I go that route myself. The only people that have access to my server is the hosting company (which is no worse than Google to be honest)

if you have the means, the very best solution is to run an email server out of your home or place of business.

Re:Use your own domain and host

[fustakrakich]

...if you have the means, the very best solution is to run an email server out of your home or place of business.

Only to have SWAT haul it all off under some asset forfeiture statute.. Your home and business are not safe, anywhere, well, maybe Iceland... up to a point

Re: Use your own domain and host

[MarioMax]

Perhaps, but nothing is stopping them from doing the same to your hosting provider either.

Re: Use your own domain and host

[fustakrakich]

Exactly, so, in essence it makes no difference. Your communications are not safe or secure.

Re:Use your own domain and host

[GrBear]

As one who's tried to setup a mail server under Ubuntu several times, there's alot of black magic and voodoo involved to get it to work right, including vacation messages.

We're still using antiquated software like sendmail and dovecot that requires a degree to understand the cryptic config files.

This is not for the faint of heart, and certainly not plausible for the average user. Until something more user friendly comes along, don't expect this to happen all that often.

Zimbra by VMWare seems to be making good headway in making it much simpler though.

Re: Use your own domain and host

[longk]

There is a difference. I can make sure my server is powered off and its RAM flushed when SWAT arrives, allowing a properly encrypted system to remain secure.

Re: Use your own domain and host

[fustakrakich]

And you will be sequestered until you cough up the key. Your stuff is not safe until you shred the entire machine, including the drive, USB sticks, and CDs. And make sure to burn all your paperwork. In fact, you probably should burn down the house... Campers creed: Leave no trace

Re:Use your own domain and host

[XcepticZP]

Maybe the real problem is that we're using email. That piece of technology is decades old, and from a time that was much different to the one we are in now.

We need an alternative that is as easily embraced by third parties as email.

Re:Use your own domain and host

Isn't this exactly what mailpile is trying to do? Make a email server get automagically set up on your home computer? I don't understand why there is not more excitement about this project; it seems like the only practical solution to keeping ones email secure.

Re:Use your own domain and host

[chihowa]

That takes resources, though, and is only likely to happen if you, personally, are under investigation. In that case, you also get the benefit of knowing that you are being investigated.

For routine, hoover-up-everything surveillance like PRISM, you remove one of the vulnerable endpoints and reduce the number of third parties you need to trust. It's the only scenario listed that does that much.

Re:Use your own domain and host

[fustakrakich]

Attempting to go 'off the grid' will automatically place you under suspicion and worth watching.

Re:Use your own domain and host

[Reziac]

I'm reminded of those tiny viruses that set up their own mail server on infected machines. Obviously they work without the user having a clue how to set them up. So -- why can't there be a legit app that does the same, suitable for the average user? "Install PrivateMail Server and it does the rest" much as the viruses do.

Wrong Question

[ocularsinister]

What you should be asking is "How do I get everyone to sign and encrypt their emails as a matter of course?"

KGB definitely preferable except for Russians

[Bruce66423]

Ultimately there are two reasons why - apart from the yuck factor, which is legitimate - why you don't want the NSA reading your email 1) If you say or do something which generates a shadow of suspicion, the probability that the Russians will act on it, to the extent of a SWAT team beating your door down and shooting your dog, is lower 2) If you are politically active, it's going to be less likely that the Russians will provide data to the FBI about your dubious activities Sure - avoiding either is a better ideal - but perversely I would prefer the KGB, unless I am resident in Russia, in which case they would be a very bad idea.

Makes no difference.

[dgatwood]

From all reports, most or all of the countries where spying occurs, despite their very vocal public outcry against what the U.S. is doing, are in fact sharing information with the U.S. government. And even if they don't, the U.S. can simply grab the data on its way out of the country to that server.

The only way to make email secure is to abandon email in favor of a protocol that supports end-to-end encryption, such as iMessage, XMPP, etc. and to tweak your centralized server and/or clients to require that end-to-end encryption be used. And even then, the metadata (who sent mail to whom) is at risk. The only way to prevent metadata from being trackable is to either develop a new system in which locating a user does not require credentials and use Tor to connect to the centralized server (e.g. use wide-area Bonjour to advertise your current IP address) or design a whole new messaging system built in a darknet.

Either way, email is and has always been just as secure as sending a postcard (which is to say, completely insecure), and cannot readily be improved upon significantly in this regard without starting over from scratch.

Re:Makes no difference.

[fustakrakich]

With DNS and TCP-IP there is no 'darknet'. The safest way is to splatter your signal all over the place and let the intended audience sort it out of the chaff, like all those secret messages in the classified ads sections of the newspaper.

Re:Makes no difference.

[dgatwood]

Darknets refer to connections made through large numbers of peers, such as Tor's onion routing, such that it is not practical to determine where a message came from or where it is going farther than one hop away, and such that it is infeasible to compromise enough nodes to compromise the entire chain of custody for that message. Darknets exist, with varying levels of actual security. They work best for non-interactive communication like email, where each node can hand off the entire message in a single chunk and randomly add multi-second latency to make it even more infeasible to correlate the timing of compromised nodes.

Re:Makes no difference.

[fustakrakich]

All your connections are through a single service provider. You claim that it's 'infeasible to compromise enough nodes'... That's because your budget is limited. Theirs is is not.

Re:Makes no difference.

[dgatwood]

You miss the point. All your connections are going through a node that has no relationship to the node that actually is going to receive the message. Instead of sending the email to google.com, you send the encrypted email to yahoo.com. It decrypts the outer wrapper and the message says simply, "Send this to microsoft.com". It decrypts the outer wrapper and gets the command "Send this to apple.com". It decrypts the outer wrapper and finds the instruction, "Send this to mail.ru". It decrypts the outer wrapper and sees the command, "Send this to google.com". Google then decrypts the outer wrapper and sees "Send this to user foo". User foo then decrypts the email message.

The above is a very simplified example, of course. In a real scheme, those nodes would be randomly chosen devices on the Internet owned by random users, not major email providers. They would be scattered around the world, and would be different for every request. They would randomly delay the message before delivering it. Because of the random delays, for a node delivering a nontrivial number of messages, it becomes absolutely impossible to say with certainty where a message received from any other node was subsequently sent. Therefore, the only way to definitively say where the message went is to actually take over that node used for delivery, or at least force it to log data against its owners' will.

Because the path of any given message is random, the only way to definitively determine the path of any significant number of messages is to control a substantial percentage of nodes in the graph. Because these are spread across multiple countries, and because the address blocks of any data centers would immediately get block-banned, there's no good way to compromise the network in that way.

So basically, short of managing to slip logging code and/or some severe crypto weakness into the software itself without anyone noticing, there's no way for any single entity (or even any multinational group of entities) to realistically thwart the end-to-end privacy.

use encryption

[stenvar]

Many E-mail providers overseas require you to give personal information to sign up, often due to legal requirements in those countries; sometimes they verify that with a credit card number or simply by comparing your address data with government databases. Many countries (including much of Europe) also have data retention requirements and give their own police and intelligence service nearly free reign, and they may well exchange data with the US anyway, so it's not clear you're better off. And some providers of anonymous services may simply be fronts for intelligence agencies. And, of course, if the other parties to your E-mail use a US provider, your data is already available to US intelligence agencies, and your foreign E-mail account will stick out.

As an American, if you want to communicate privately, you have to use encryption, and preferably steganography. Getting an E-mail account in another country really doesn't help very much.

Re:use encryption

[rajji]

I totally agree with encryption ... if you really want encryption, then the encryption should be in the client browser before it goes to network. I'm using http://fonet.mobi/ for email encryption with my own password and have to send my password key to recipient in order to decrypt the message.

It won't save you

[msobkow]

If you are emailing people who use GMail, Live, Yahoo, or a US ISP for their email provisioning, your emails to/from them are still tracked. So unless you're planning to drop all your US contacts as well, you're not helping yourself much.

Here in Canada we have a bigger issue -- all of our network pipes connect to the bigger pipes in the US. So even though we might be emailing a fellow Canadian from one Canadian ISP to another, the traffic still gets routed and sniffed through US servers.

The same is a problem for people in the EU -- the emails get routed through the pipes that are monitored by the UK's spy agency.

The NSA doesn't have to install backdoors on email servers to monitor you at all. And they *don't* typically make requests when they're spying on someone in particular -- they just sniff the traffic on the big data pipes directly.

And seeing as all those pipes run through the major partner countries like the UK, Australia, and the US itself, we're *all* fucked.

Re:It won't save you

[falstaff]

The "Here in Canada we have bigger issues..." comment is not true.While we do have some network failover routes that run through the US, most traffic can be and is routed exclusively inside Canada. Almost all government and public sector organizations have laws & policies in place prohibiting network traffic from passing through the United States since the Patriot Act was implemented. Frankly, that act has been great for our network and Data Centre industries.
Which is not to say that CSIS are not snooping just like the NSA.

Re:It won't save you

[msobkow]

Typical traffic routes from Ontario to Saskatchewan route through the US. Try doing a traceroute.

Re:It won't save you

[alihm]

Internet needs a new protocol for sending emails ASAP, And It's not really hard actually. Here is a simple example how it should have been: Say Server X wants to send an email to server Y 1- X initiates a connection to Y and asks for private key 2- X encrypts email(including meta data) using Y's private key 3- X sends the packet and closes the connection

NSA Avoidance List

[Leghkster]

Try https://prism-break.org/ for some recommendations of OS, email, IM and more.

Forget about it

[fustakrakich]

The NSA and all its foreign counterparts own the world, Okay, they work for the owners... But it should be clear that privacy is an illusion... Your service provider is taking up any remaining slack.

Do NOT forget the telco and the routing

[CaptainOfSpray]

NSA and GCHQ are also siphoning off data from the telcos (BT and others) at the telecoms servers, at which point who your email provider is becomes irrelevant. [You can assume that anything GCHQ knows, the NSA also knows]. It has also come out that BT has allowed GCHQ to tap the Transatlantic cables at the shore station in Bude, Cornwall without the knowledge or consent of several telcos that are not otherwise co-operating. So AFAIK you need either (1) a non-US non-UK telco and ISP with a routing that does not go through UK, or (2) encrypt everything.

NSA and foreign mail hosts

[Checkered+Daemon]

You should probably take into account that the few, and obviously mainly ignored, privacy protections you do have evaporate the nanosecond your communication leaves U.S. borders. Supposedly within the U.S. the NSA is limited to email metadata collection (look up the older term 'pen register' for the legal history of law enforcement access to this kind of information), but when you interact with a 'foreign agent' the sky's the limit. Ellison may have known more than we thought when he said, "You have no privacy. Get over it."

Re:NSA and foreign mail hosts

[Clsid]

I think there are ways around it, not a 100% perfect but at least make their job a lot harder. Services like lavabit were good and it goes to show that they needed to use some nasty legal tactics to make them open up. Those tactics are not available when you use providers in countries like Russia or China. Sure, they can tap the underwater fiber all they want, but I think it still is better than nothing.

Startmail

www.startmail.com -- currently in closed Beta -- and based in the Netherlands.

Re:Startmail

[guises]

If I had mod points I'd give them to you, just for being one of the very few people here who is actually making an attempt to answer the question.

Securing email is complicated

[FuzzNugget]

Securing your local data is easy, because you have end-to-end control. Securing email is complicated because you'll never be able to maintain complete control. It requires coordination and mutual understanding between you and everyone you email, and that's just not going to happen unless you're in a tightly-controlled organization and all of your communication is internal. I'm assuming you're an end-user at home, not an IT manager in a large corporate environment.

If your ISP allows it (and that's a big if in today's spam wars), you could run your own email server to host email service for yourself, your family and your friends and require SSL/TLS connections for all communication. Don't forget TrueCrypt or luks/dm-crypt for disk encryption on the server itself. But this only protects against eavesdropping and snooping for email users on your hosted service. There's basically nothing you can do about emails sent or received from outside of your own service. And then there's the assumption that email recipients inside of your hosted service will adequately secure their own devices (good luck getting grandma to use TrueCrypt).

If you can actually accomplish this, well, you have better powers of persuasion than I (my boss is a smart and tech savvy guy and I can't even convince him). Your best bet is: don't use email for anything you wouldn't want publicized.

Roll your own?

To all the people suggesting to host your own servers in the basement: do you have the resources to challenge a FISC order? Hardly!
The second your email recipients are not on the same network, i.e. work off the same router, your communication is accessible to the spying agencies. Sure you could use PGP to encrypt your mails, but the metadata is still available. TOR is not really an option anymore.
Hosting on some provider's infrastructure is just replacing google, yahoo, with that provider. Who do you trust, and how much?

The only real solution to the issue MUST be a political solution. But good luck on that one!

Where are you located?

If you are in the US I guess its tough luck, because if you have your email leave the US for foreign soil then it will be captured.
If you use encryption anywhere , it will be stored indefinitely until a time comes and there is sufficient computing horsepower to decode it.

I would suspect at this time that having your email sent anywhere outside your own country would trigger some scrutiny no matter where you live.
Its not always the ISP where the scavenging occurs (ie under sea cables) , satellite links.

I suppose we wont hear anymore of twitter empowering democracy articles. Nor the web as a great equalizer.

In the US this puts a whole new light on the ongoing effort to bring broadband to everyone. Not as a great educational or empowering tool for the rural on nontechnical population , but maybe more for the monitoring ability,

A coworker of mine who had terribly slow internet speeds was offered free 3 times the speed upgrade. I half joked with him that NSA techs were falling asleep monitoring him with his slow slow internet connection.

Years ago now... the first consumer device to not have an on/off switch was/is the household portable phone. That should have been a portent of things to come.

I do not feel that the this can be undone. Like Bears to honey , you cant just say stop. We sll become constant suspects of some future crime or some past minor crime that we didnt know we committed. We all become Russian in mindset where all electrical devices are suspect and monitoring is assumed the norm.

We did it to ourselves. Can you even expect the average congress critter to understand the technical aspects of the how modern communications work?
The term metadata is waved around as if it is something trivial. If you have my phone number you know who I am. If you have my MAC address you know what machine I am using and IP address. If you have my IME I number you know what cell phone I am using. This is all metadata.

Welcome my son to the machine...

Re:Where are you located?

[cykros]

If you use encryption anywhere , it will be stored indefinitely until a time comes and there is sufficient computing horsepower to decode it.

So, this is true, and is perhaps a major problem for some (though it's worth noting that most things the average person has that are sensitive enough to require strong encryption have a time period after which they're no longer that sensitive). The technically feasible, though slow, and perhaps difficult, solution is to use One Time Pad cryptography. When used correctly, it is mathematically unbreakable, as instead of using an algorithm at all, it uses an absolutely random one time use key. Brute forcing at that point becomes entirely impossible, as any message of a given length could be literally ANY other message of that length (or, if you're combining some other form of crypto or simply padding, even the length may be wrong). It's what sleeper cells have long used (if you're not familiar, do yourself a favor and google "number stations" for some interesting reading).

The big inconvenience with OTP crypto is that it is symmetric. You need to preshare the keys with anyone you're communicating with (and to boot, each key is only to be used for a single message, and then destroyed). So it's not really being posed as a general solution to the situation we find ourselves facing, but at the same time, seems like it may have SOME use, and is worth spreading awareness about. Just don't half-ass the key generation using rand() or anything equally foolish.

Here are some

[Clsid]

The best I have found so far are Yandex from Russia and Netease 163.com from China. 163 is extremely fast if you are in China, but it has some advertising and the interface is all Chinese, so I would suggest the English version of Yandex mail instead at mail.yandex.com.

I'm planning to get a dedicated server with the state telco in Venezuela for precisely this reason. That and also run a Tinyproxy/OpenVPN and figure out WebDAV to have my own Google Drive/SkyDrive, etc. If anybody is interested just write to aclsid at 163.com.

Re:Here are some

[Clsid]

Yandex is Google's Russia with all its faults. With Google you get to share your stuff with the US govt and with Yandex you do the same with the Russian government. If you read what the question is asking, Yandex is a very good solution. But if you want a better solution maybe that private e-mail project coming out from Iceland might do the trick, or Dotcom's idea. In any case, I'm all ears to hear about your solution. And no, I don't work for Yandex, as soon as I get my own server I'll dump them as well.

hushmail

[phantomfive]

Hushmail is one of the oldest 'secure' mail systems, and they moved out of the US specifically to avoid problems like the NSA. They're worth looking at, I guess.

Re:hushmail

[UnOrigMoniker]

Except HushMail won't hesitate to deliver a unique java client-side applet embedded with a keylogger to intercept the target recipient's passphrase. They are a Canadian company and we have a tighter working relationship with Canada than any other Country to the point that we used to send all Macs up to Canada and have the RCMP perform forensic analysis on them. We stopped doing that when we built-out our own facilities. Google the National Computer Forensics Institute in Hoover, AL. Now Canada sends their stuff to us.

Re: hushmail

[Manfre]

Nothing wrong with a company turning over information after receiving a warrant. The issue with the NSA is that they collect everything they can without a warrant, but (fingers crossed) promise not to look at it without one.

Re:hushmail

[longk]

They've given up content of e-mails to authorities a number of times.

Any solution which allows the provider to hold the keys if doomed to fail in protecting your privacy. We need zero-knowledge e-mail providers. Kind of what Wuala and SpiderOak do, but for e-mail instead of cloud storage.

Re: hushmail

[longk]

Supposedly there are warrants. Secret ones issues by a secret court. No thanks.

Re: hushmail

[guises]

The problem is that if Hushmail was actually secure they wouldn't have the ability to decrypt emails at all. They should not have the encryption key.

Re:hushmail

[chihowa]

SpiderOak is not as secure as they claim.

The encryption key that secures your data is directly derived from (only) the same password you use to login to their website. At the very least, they have a hashed copy of your password, which can be turned over and brute forced. They don't mention this fact anywhere on their site, and don't warn users or do password strength tests when you create your website password (not knowing that this is all that protects your data). For instance, if you create an account with them and use a password of '1', there will not be a single warning that the poor password you chose will be all that secures your data.

Be warned that all of your data with SpiderOak is protected entirely by the strength of your password and the very few bits of entropy that a password contains. Pseudosecurity.

Re:hushmail

[ygslash]

Except HushMail won't hesitate to deliver a unique java client-side applet embedded with a keylogger to intercept the target recipient's passphrase.

If you don't use their web interface at all - neither to generate your key nor to send and read mail - then that's not a problem.

Re: hushmail

[ygslash]

Their TOS explicitly states they can and will decrypt emails if asked to by law.

They can only do that if they have your key. If you use their web interface to generate your key, or to send and read email, then they can be forced to decrypt your email. But if you generate your key yourself and use it to encrypt and decrypt locally, your are fine.

They are not worth looking at

I think that's a little harsh. They're doing the best they can, and they are being very honest about the inherent limitations.

Is this not a paradox?

I understand the desire to your email off-shore, but since the NSA claims to be looking at all foreign traffic, doesn't this mean you will be placing yourself directly in their sights? As much as I hate it, the solution to this is going to have to be a political one rather than a technical one.

Re:Is this not a paradox?

[Clsid]

I agree with you it is a complex issue, but the truth is that you could have a community server or roll your own, so at least when they want to see what's going on they would have to ask you.

Has to do with Lavabit shutting down?

This Ask Slashdot probably has something to do with lavabit shutting down http://news.cnet.com/8301-1009_3-57597954-83/lavabit-chief-predicts-long-fight-with-feds-q-a/
And they can't even talk about what exactly happened. That is just evil.

Re:Norway has a 4th Amendment?

[spire3661]

Doesnt mean MY government is empowered legally to look at ANY of my correspondence ANYWHERE in the world, without a warrant. It is explicitly forbidden to do so by the absolute highest law in the land. Until such time as the 4th is repealed, i will continue to demand that it be enforced.

Re:Use PGP.

[lister+king+of+smeg]

I have tried to convince others that I regularly corespond with to use encryption but the reactioni get is either

1 I don't have anything to hide I m not interesting enough to bother. and encryption is hard

or

2 they have all of the encryption broken because I heard it from my brother who heard it from a reliable source and your explanation is to technical of why they haven't really broken it.

I have given up on trying so now I just cryptographicly sign my email so at the very least it can't be forged.

Open source? LOL

[unassimilatible]

You're really advocating open source software as a way to avoid the NSA? LOL.

Re:Open source? LOL

[Leghkster]

You say "open source" like it prevents source review while incorporating backdoors by command under gag orders.

I won't be revisiting this thread, so have fun.

Re:Norway has a 4th Amendment?

[MightyMartian]

I'm not attempting to argue with you. The point is not what the NSA should or should not be doing, but rather about the practical considerations. On US soil, the claim is all they can gather is metadata (the SMTP envelop). Start using a foreign mail service, and it's very likely that everything after the DATA command is being stored as well.

Host it in the Netherlands

[bazorg]

I haven't tried it myself, but the people who sell this are well-known old school Portuguese geeks: http://www.fullmailserver.com/

Re:Not really.

[gmuslera]

That targets 1 person assumed traitor, terrorist, criminal or whatever, they don't thow a nuke into a populated city to kill just one person, or very few ones. What about US policy, where 50 civilians are killed for every terrorist?

Going to non-US provider won't protect you.

[jcochran]

Actually, NSA by law is allowed to intercept communications outside the United States. In fact, that's its mandate. So they don't have to be sneaky and underhanded to try and sneak around the law like the bull shit currently going on with US providers. Now using a non-US provider does mean that the intercepts have to be "on the fly", but that isn't a major problem for the NSA given the number of intercept facilities they have. To be perfectly honest, given the current state of technology, the only real protection the common citizen has is the shear volume of data involved and the fact that most people are of no interest to the government.

Re:Going to non-US provider won't protect you.

[aztracker1]

That's how I felt a few years ago.. Since then, technology has advanced enough and along with horizontal scaling techniques no longer make this an unmanageable deluge of data. At this point, and over the next few years with new facilities it will be entirely practical for local law enforcement to potentially have access to, or receive "tips" from the feds for this kind of data. It's already happening with other federal agencies, it won't be long before more local agencies are much more involved. I really hope you haven't been talking to your friends about doing anything potentially illegal on facebook, twitter, email, or skype.

Right now, I would say that real-time text transcription is a bit of a ways off... for example it sometimes takes 3-4 minutes for a voicemail's text version to show up in google voice.. but another decade it wouldn't surprise me if all communication can be analyzed and processed in real time, including voice/video.

Before there was an Internet....

[couchslug]

....people didn't use the internet for secure communication because it didn't exist.

Now that the internet useless for secure communication, it would be wise to stop using it for anything other than a smokescreen.

OTOH, tiny storage is cheap and there are plenty of places one could conceal say a MicroSD card on the PC board of ordinary consumer products. You could tuck one under the heatsink of a notebook or other location where it would pass visual inspection.

Re:Before there was an Internet....

[Aighearach]

If you want a secure internet server, just unplug the power but leave the ethernet plugged in. Then you can bury it in your garden and keep your data safe. At least, as long as they don't exhume it. If you have a pond to throw it in, even better!

good one

[slashmydots]

Tormail! Oh wait...

Battlestar Galactica holds the truth:

[millertym]

The only completely secure network communication is no network communication.

That won't work: 1and1 has management in the US.

1and1.com is a US-based company, or has management staff in the United States, so that won't work.

This is what I understand:
1) The U.S. government can force any company to do anything it wants.
2) The U.S. government can demand that the company keep that secret.
3) The U.S. government can put a U.S. employee in prison if 1 and 2 are not followed.

Seems to me to be a vicious, anti-democratic government.

Re:Norway has a 4th Amendment?

[davester666]

Well, they also believe that they can process the content if they aren't sure either the sender or receiver is a US citizen, or if they aren't sure both parties are within the US. And if they have processed and stored the content, and then later find out they shouldn't have [because both the sender and receiver are US citizens, and were within the US at the time], they believe it's OK keep the content anyway under a "good faith" exception.

Thats all well and good in the short term

[maliqua]

But i think the only real solution is to boycott any information services from a company with an american presence. since it doesn't fucking matter what you do if you host something off shore, all the data crossing borders is monitored and exchange between smtp servers is unencrypted. Which means there is no possibility of privacy unless EVERYONE you communicate with has mail hosted outside the USA as well and the routes don't pass through either.

The actual problem is not a technical one, its a political one, and the only ways to force change are with your wallets or with weapons, personally i'll play either game agains the USA

Re:Norway has a 4th Amendment?

[Gr8Apes]

Which is all a violation of several of the Bill of Rights clauses. As data inspection and/or retention is not allowed by the federal government, that right is mine or my state's. (#9) BTW, that applies to mail address inspection as well.

MEGA mail - coming 2014

[PirateSmiley]

http://www.theinquirer.net/inquirer/news/2287932/kim-dotcom-s-prism-busting-encrypted-email-service-will-be-out-in-2014

Re:Norway has a 4th Amendment?

[sumdumass]

The US government stopped worrying about the Constitution a long time ago. Just recently, they decided they had the power to mandate that every single US citizen purchase a specific product or be fined (Obamacare). But more to illustrate this, look at how the administrative branch of the government is refusing to follow laws congress implemented and how they think they can just write a new law without congress at all.

And before anyone jumps in here to defend Obama as if their world would fall apart if his name was ever tarnished, this has happened by both parties in the past starting with the civil war and become widely done since the new deal where Roosevelt ended up having a stand off with the supreme court. Obama is used only because he is the most recent president to be doing it.

Pigeon Droppings

[Roger+W+Moore]

Not only that but you still need to secure your message otherwise you'll have a problem with pigeon droppings.

Re:Pigeon Droppings

[plover]

Not only that but you still need to secure your message otherwise you'll have a problem with pigeon droppings.

I'd like to see Snowden deal with those "leaks".

Re:Norway has a 4th Amendment?

[Mr.+Slippery]

The US government stopped worrying about the Constitution a long time ago.

True. That goes back to at least 1798.

Just recently, they decided they had the power to mandate that every single US citizen purchase a specific product or be fined (Obamacare).

Under the Constitution, the feds can tax you, or not tax you, pretty much any way they like. Paying a tax if you don't have health insurance is no more a violation of the Constitution than paying a tax if you don't have a mortgage. The ACA's mandate is bad policy, but is entirely Constitutional.

mailpile ?

[Squiggle]

I have only recently heard about this project and haven't investigated too closely yet, but they seem to be trying to solve similar issues, and have an indiegogo campaign active:

http://www.mailpile.is/

gmail is fine

[ScudBee]

Trust me, you don't want to have KGB looking over your shoulder.

Posteo.de

[echnaton192]

1. All the guys here are correct, you'll need to do it yourself to be absolutely shure.
2. Nevertheless, setting up a webmail- and IMAP-server might be a bit excessive just to be a bit more secure.

Look at posteo.de:

1GB for 1 EUR per month, up to 20 GB.
They claim that they can not relate your payment to the anonymously set up account. They are allowed to throw away any data not needed for doing the billing by German law, so they do that
Your ip in the emails is replaced by the generic ip of posteo, making it harder to trace you
They claim that they do not store any access-data
You could use calendar and contacts and opt in to encrypt that data on their server
The SSL-certificates are created via open source products and signed by a rather paranoid signing-center

As of now, they seem to be trustworthy and the situation in Germany is NOT yet as bad as it is in the US. Personally, I trust them.

As an off topic sidenote:
Disadvantage for you US guys: They are using only green energy, the bastards! Actually avoiding the good and beloved fossile and nuclear energy! Impossible! Germany is doomed, our economy is doomed, we are all going to die!

SCNR, but some comments on /. about alternative energies are... amusing, at least in my book as a German...

Re:Norway has a 4th Amendment?

[sumdumass]

True. That goes back to at least 1798

Yes, but did you know we can take it back even further? I believe it was the second session of the first congress that gave us warrantless border searches for vessels entering and exiting the national ports. But that might be stretching it a bit.

Under the Constitution, the feds can tax you, or not tax you, pretty much any way they like. Paying a tax if you don't have health insurance is no more a violation of the Constitution than paying a tax if you don't have a mortgage. The ACA's mandate is bad policy, but is entirely Constitutional.

If the tax followed the constitutional requirements for being created, I would agree with you. However, the so called tax was being called a penalty by all invested in seeing it pass supreme court muster because they know that the tax originated in the senate and the US constitution says it must originate in the house of representatives. There are limits to how the feds can tax you- or more precisely, limits to how the taxes are implemented.

http://www.yourhoustonnews.com/cypresscreek/blogs/the-supreme-court-may-yet-rule-obamacare-unconstitutional/article_9f10425c-a9dd-11e2-879c-0019bb2963f4.html

My understanding is that there is a lawsuit going forward on this attempting to make it hit as soon as the tax penalty is in force (standing). There has been talk about how the suspension of the penalty for businesses and organizations was to remove standing from the group suing but they modified their complaint to represent the people of the organization itself now.

Really think that will work ?

[Archfeld]

Do you think that by opening an account outside the US will stop the NSA ? If the traffic originates from the US the NSA will capture it. Very likely they are in cahoots with serveral other governments ensuring that international traffic is captured as well...*cough* Australia, *cough* GB

Re:Norway has a 4th Amendment?

[lgw]

Under the Constitution, the feds can tax you, or not tax you, pretty much any way they like. Paying a tax if you don't have health insurance is no more a violation of the Constitution than paying a tax if you don't have a mortgage. The ACA's mandate is bad policy, but is entirely Constitutional.

There an important difference between a tax and a fine. What you say applies only to a tax. The bill was very clear in multiple places that the penalty was a fine, not a tax. The bill did not originate in the House, and so could not constitutionally contain a tax in the first place.

Not that it matters - the Roberts caved to personal social pressure in blatant disregard for the truth. That's hardly a new thing for the SCOUTS, this was just a very obvious and high-profile example. These days, laws the majority like by personal preference are found constitutional, and laws the majority find icky are found unconstitutional. We left the rule of law behind long before presidents started granting arbitrary wavers to laws with no constitutional basis for doing any such thing.

There's No Privacy When You Publish on the Net

[reallocate]

Sure, you may run a mail server next to the dryer, but who knows where your mail is, or how it got there.

The internet is not about point-to-point communication. It's a *publishing* technology. The reason I can see this Slashdot page is because it was published on some servers, not sent over some secure wire to me. I click on a URL and somewhere a server sends the data comprising that page out into the net, broken up in itty-bit packets with my IP address embedded in them, and eventually they all get to me, where they are reconstructed and displayed in my browser.

Email is no different. Sure, you can use encryption. But, that's self-limiting unless the entire world knows everyone else's key, and then what good would encryption be?

Just as criminals rely on "social engineering" to get access to data, it's been used for centuries by governments and others to get access to data other people do not want them to see. No matter how anyone uses technology to secure their internet "privacy" (quotes because it's an oxymoron), you are really just depending that the folks who create the technology have not been "socially engineered".

So... if you don't want someone to find out something, don't publish it, on the net or elsewhere.

Re:Norway has a 4th Amendment?

[darkonc]

They capture everything anyways. They say that they only keep encrypted data -- but to decide if the data is encrypted, they have to intercept and process it. If, after examining your data, they decide that it's not 'interesting', then the "don't intercept it" (whatever that may mean, at this point).

In my world, at that point, it's just a bunch of useless wordplay..

Obligitory

[dosh8er]

I hear that http://www.goatse.cx/ is offering webmail now...

Re:Not sure you understand the rationale

[icebike]

Actual communication security implies point-to-point security. In such a setting, a third-party service doesn't make any sense. Hence either what you're look for can't exist, or you won't know if it's secure.

You are correct but ONLY if you are guarding nuclear secrets or something. For joe non-terrorist, that's not an issue.

Any off shore mail server that allows secure connections, either by ssl or tls, and which stores its mail
off shore falls out of reach of that nonsense in US law that allows the government to access any mail
on a server for more than 6 months, because its "abandoned"

Further, those operators are not likely to handle ssl keys over to NSA demands, as has happened already in the US.

So people may send me mail to some ISP in Mozambique or some place pretty much out of the NSA reach, and it it far more likely to be safe sitting there on their server and accessed over ssl than having it right down the street at Google.

You don't have to make everything out to be someone keeping major corporate secrets or moving tons of drug money.
Sometimes its just a desire to be anonymous to your government. Since you posted AC, I can't understand why that point is lost on you.

Ummm...

[multimediavt]

I don't know if anyone else in the thread has pointed this out yet, but if you're worried about the NSA, going outside the U.S. is NOT the answer. Their mission (before the Patriot Act anyway) was to monitor ALL foreign communications, not domestic ones.

Neomailbox

[Timosa]

Neomailbox.net is my favorite. It's located in Switzerland, that has very strict privacy laws. It was an interesting co-incidence, that Neomailbox had part of its accounts hosted in US earlier, but in March 2013 decided to move them to Europe, because of the bad privacy atmosphere in USA. http://www.neomailbox.net/

Re:Norway has a 4th Amendment?

[AlternativeIdeas]

Irrespective of what they *claim* they're entitled to do, in practice I'm sure they capture all the data that they can, all the time, and in all locations. Borders be damned.

Try mail.ru

[FilatovEV]

You could try mail.ru -- a good old Russian e-mail provider. POP3 / IMAP are supported:

help.mail.ru/mail-help/mailer/popsmtp

As long as you do not send or receive top secret U.S. documents, I do not see why you should bother.

Waste of time

[Ralph+Spoilsport]

I live in Canada. Believe it or not, it's a different country. ALL Canadian internet traffic is routed through one of three cities: NYC, CHI, or SEA. I'm in Toronto. If I email a friend in Alberta, it goes through Chicago. By going through Chicago, the NSA records it. If you live in the USA, the NSA is recording it. Period. The only thing that will prevent them from reading it is if it's encrypted, end to end. But if that's the case,

a. the fact that its encrypted flags it b. forget about searching your email for much of anything (they're working on that, but it's a hard problem...) c. you will only be able to communicate with people who can decrypt your messages

So. basically, there is little purpose in trying to go around the NSA on this. The only way to beat them is to wrangle them in legally with policy and legislation, or, (my preferred alternative) simply disband the NSA and abandon the Empire....

Re:Norway has a 4th Amendment?

[NicBenjamin]

Doesnt mean MY government is empowered legally to look at ANY of my correspondence ANYWHERE in the world, without a warrant. It is explicitly forbidden to do so by the absolute highest law in the land. Until such time as the 4th is repealed, i will continue to demand that it be enforced.

Unfortunately unless you're user-name is your social security number they have no way of knowing which Norwegian-stored emails they're allowed to read, which brings in the "good-faith exception." The "good faith exception" is that if a government agent comes upon something interesting, it's usable in a court of law; as long as the government employee was trying to comply with the Fourth Amendment.

For example, if a cop searches your wagon because he thinks he's got a warrant for an eight-horse-wagon, and finds six Salvadorean 12-year-olds tied up in the back, the courts are not gonna give your Salvadorean pre-teens back to you just because it turns out the actual warrant was for a wagon with six horses.

The disadvantage of depending on a late 18th century document to protect your privacy in the early 21st century is that it doesn't really cover anything vaguely like signals intelligence, so the Courts are forced to rely on ridiculous analogies. Your email was stored in Norway, therefore most of the email on the server was probably Norwegians emailing other Norwegians, therefore the cops can assume on Good Faith that ALL the email on the server is not subject to the fourth amendment, therefore they don't need a US Warrant to search those emails. They may need a Norwegian warrant before the Norwegians will turn over the emails, but they do not need an American one.

Re:non-usa e-mail/collaboration online services

[Clsid]

Germany did something to mess up with the data of German citizens as well. I'm not exactly sure what happened but my German friend says he doesn't trust them at all since he does not believe what Merkel said about not knowing anything. Something like a govt agency was colaborating, since Germany is part of NATO after all. I think as many people said here, either roll your own server or use an e-mail of a country that is the antagonist of the country you live in.

Re:Interception is the issue

[Clsid]

Plus even if it is encrypted they will always get who is sending the info and who is receiving it.

Re:Norway has a 4th Amendment?

[NicBenjamin]

The US Constitution includes an enumerated list of powers for both the Executive and the Legislative branches. This implies that no other powers are allowed the federal government. The Ninth (and Tenth as well), re-state that the Feds have no powers except those listed. Which means legally speaking the Ninth (and the Tenth) are only relevant if you can prove a given government action is not justified by some other clause of the Constitution. And if you can prove that the 9tth and 10th are unnecessary.

In other words the fact that you're quoting the Ninth at all is pretty clear evidence you have no clue what the Constitution actually means. In this case it's quite clear the government has the ability to retain data it got legally, because if it didn't it would be extremely tricky for them to run at all. For example, take the fact that Barrack Obama is President. That's data. If the feds have no power to retain legally obtained data it's illegal for them to remember that.

The problem for Fourth Amendment maximalists and email is that the Fourth Amendment predates email. This means that the only way the Courts can apply it to email is apply analogies from horse and buggy-level technology to your gmail account, and the Courts have historically not been very aggressive about 4th Amendment enforcement. For example, if a Federal official heard a wagon was smuggling fake banknotes, he had something on the order of a 99.99% chance of getting a warrant. If he "accidentally" searched the wrong wagon and found some other contraband (say some good imported without paying the proper duties) the courts would declare it was Good Faith and the poor wagon-owner would be found guilty.

Hell, today NYC's stop-and-frisk is much worse from a Fourth Amendment point-of-view, and yet it's virtually impossible to get white people to talk about it. Apparently searching black people without a warrant of any kind is perfectly fine, but reading a white guy's email with a warrant is EVIL.

Re:Norway has a 4th Amendment?

[NicBenjamin]

Please name a proposal that has been un-done due to the origination clause.

Senators change taxes all the time, and if the Senate can;t amend a House bill that includes taxes the Senate is useless.

More to the point the US House said it passed the Bill. Part of Separation of Powers is that the Courts don't get deep into the nitty-gritty of legislative details. For example, more then once they've allowed the House to pass a Bill without voting for it on the basis that the House "Deemed it passed."

It would be a pretty big deal for them to ban ObamaCare on the basis of the origination clause.

Re:Norway has a 4th Amendment?

[NicBenjamin]

Question:
When has the Court ever overturned a proposal on the basis of the origination clause?

Hell, why would the Court do that in this case? Several bills passed the House, including this one, all of which included the mandate. IIRC the House bill's mandate-clause was identical to the Senate bills, because the differences between the houses were largely in abortion funding and the various public option plans.

Re: Non-US based email providers

[TinyTiger8]

Ok, this may not be a comment that you will like, but from a different viewpoint, what you are asking could be interpreted as "How can I go infest and contaminate an erstwhile quiet place, bringing all my paranoia, war mentality and trash with me just do I don't have to live with the mess that me and my society created? I would hate to stay right where I am and peacefully, stubbornly work at changing things I don't like. That sounds like hard work." You think that the NSA doesn't have the capability to trace you to Mars if they wanted to? And the problem when they do that is that they will infiltrate and pollute yet another foreign site that could have done with that undue intrusion, thank you very much.

Re:Norway has a 4th Amendment?

[sumdumass]

Please name a proposal that has been un-done due to the origination clause.

Name me one that has happened in violation of the origination clause. That you will find has never happened that we know about until they attempted to snake the obamacar bills through.

Senators change taxes all the time, and if the Senate can;t amend a House bill that includes taxes the Senate is useless.

Stop being stupid. It does nothing to advance your cause. Of course the senate has the ability to purpose changes to bills sent over by the house even if they include taxes or changing the amount taxed. That is not what happened here.

It would be a pretty big deal for them to ban ObamaCare on the basis of the origination clause.

Actually, no it would not be a big deal. At least no bigger of a deal then declaring what was presented as a penalty and argued to be valid as a penalty was actually a tax and valid as a tax. It would be no bigger of a deal then the Supreme Court ruling that Obama's appointments to the National Labor Relations Board and the Consumer Financial Protection Board were unconstitutional and reversing every decision they had been a part of.

It would not be a big deal at all. It would actually restore some confidence in our system and likely strengthen the trust in government at the same time.

Re:Norway has a 4th Amendment?

[NicBenjamin]

Reread the origination clause. The senate "may propose or concur with Amendments as on other Bills".

That's exactly what happened. Both houses introduced the legislation at once (ie: they "proposed it" at the same time), both houses extensively amended it, and the house went with the Senate version. In legal terms that counts as the House "originating" the bill and then going along with the Senate Amendments.

Note that pretty much every revenue bill ever passed has gone through this exact process. Most of them don't end with the house agreeing to the entire Senate bill, but over the years the Senate bill has been the primary source of the final bill quite often.

Re:Norway has a 4th Amendment?

[sumdumass]

Reread the origination clause. The senate "may propose or concur with Amendments as on other Bills".

If that was what happened, then all is ok. But that is not what happened and the link showed it. However, you arguing whatever is pointless as I'm not the one taking it to court and you will not be sitting on the court deciding over the case.

hat's exactly what happened. Both houses introduced the legislation at once (ie: they "proposed it" at the same time), both houses extensively amended it, and the house went with the Senate version. In legal terms that counts as the House "originating" the bill and then going along with the Senate Amendments.

And constitutionally, that cannot happen because the senate is only allowed to amend or change the house version when it pertains to taxes then the house has to vote on it again to approve of those changes or reject it outright.

Note that pretty much every revenue bill ever passed has gone through this exact process. Most of them don't end with the house agreeing to the entire Senate bill, but over the years the Senate bill has been the primary source of the final bill quite often.

Nope, I can find no other bill that has done this when it comes to taxes being raised. The democrat leadership at the time knew the house wouldn't go along with this and they did a process called reconciliation in which house and senate bills are reconciled together to form a complete bill that has been agreed on. Except that the process violated the house's own rules because it wasn't able to do that according to the rules in place if it involved manipulating revenue. This rule is in place specifically because of the constitutionality of the process.

Re:Norway has a 4th Amendment?

[lgw]

The court would only care if we were a nation of laws. That was sort of my point. The SCOTUS these days seems to rule on the basis of "hey, I (dis)like the intent of this law, and that constitution thingy is just a technicality to be reasoned around". And since they're very smart guys, they can always reason around the "constitution" obstacle.

Re:Norway has a 4th Amendment?

[Gr8Apes]

The US Constitution includes an enumerated list of powers for both the Executive and the Legislative branches. This implies that no other powers are allowed the federal government. The Ninth (and Tenth as well), re-state that the Feds have no powers except those listed. Which means legally speaking the Ninth (and the Tenth) are only relevant if you can prove a given government action is not justified by some other clause of the Constitution.

Actually, I don't have to prove that the government is not justified. The government needs to prove that it is justified. A minor difference, but the onus is on the government.

And if you can prove that the 9tth and 10th are unnecessary.

The 9th and 10th (which some how I edited out of the original posting) were only needed because of the first 8 amendments. The founders wanted to be clear that enumerating rights for the people and the states in no way limited their rights to only those 8. Their primary focus was on limiting the power of the federal government itself.

In other words the fact that you're quoting the Ninth at all is pretty clear evidence you have no clue what the Constitution actually means. In this case it's quite clear the government has the ability to retain data it got legally, because if it didn't it would be extremely tricky for them to run at all.

It's quite clear you are attributing statements that I did not make, and your strawman doesn't make your case either. This is my data, or a company's data. It's not government data in any way, shape, or form. The government doesn't generate it, doesn't operate on it, doesn't require it. The only thing they do is tax revenue flows. They do not need access to lower level data, ever, for any of those reasons. For other reasons, there are warrants which can grant them access when there is a need, along with a paper trail documenting that need.

This means that the only way the Courts can apply it to email is apply analogies from horse and buggy-level technology to your gmail account, and the Courts have historically not been very aggressive about 4th Amendment enforcement.

If you'll note, the founders were careful in their phrasing precisely to not limit it to strawmen such as your horse and buggy example. "secure in their persons, houses, papers, and effects" except "Warrants" issued only "upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized" which is why evidence of a different crime found during a warrant cannot generally be used by the court. Nothing there about horses and buggies, nor mail nor email for that matter.

Hell, today NYC's stop-and-frisk is much worse from a Fourth Amendment point-of-view, and yet it's virtually impossible to get white people to talk about it. Apparently searching black people without a warrant of any kind is perfectly fine, but reading a white guy's email with a warrant is EVIL.

Now I'd agree that stop and frisk under your guise is a bad thing, but generally the officer has observed something to cause it, Or so goes the statements. The TSA, however, has no such thing, and their searches are patently a violation of the 4th, besides being relatively ineffective given what has passed through their sieve of a gauntlet.

Re:Norway has a 4th Amendment?

[NicBenjamin]

I'm beginning to think you're a troll, and your entire job is to prove ObamaCare is Constitutional, because you really suck at this. You just don't seem to be familiar with any actual facts.

Reconciliation happens with every bill that either House amends. It is the process by which the House approves Senate amendments, or vice versa. Reconciliation is not against the House rules, it is the House rules. It involves having both houses vote on the final, reconciled, proposal that their committee has come up with.

Reconciliation did not happen in this case because the vote on a reconciled bill can be filibustered, and between final passage of ObamaCare in the Senate and the start of the reconciliation process Scott Brown got himself elected. This cut the Democratic majority to 59 in the Senate, so no reconciled bill could pass, so they did an end run around the process.

The end run was they just had the House pass the Senate bill. The final vote was 219-212, and was very much in doubt because a group of pro-life Dems, led by Bart Stupak, wanted much stronger rules preventing tax money from funding abortions. Moreover Kucinich refused to support a bill that did not include a strong public option. Both Stupak and Kucinich ended up voting for the bill.

So the House proposed the mandate, it voted on it;s version of the mandate, and then it voted on the Senate version of the mandate. You ain't gonna convince a Court that ObamaCare is invalid because the House didn't vote on it.

Re:Norway has a 4th Amendment?

[NicBenjamin]

The US Constitution includes an enumerated list of powers for both the Executive and the Legislative branches. This implies that no other powers are allowed the federal government. The Ninth (and Tenth as well), re-state that the Feds have no powers except those listed. Which means legally speaking the Ninth (and the Tenth) are only relevant if you can prove a given government action is not justified by some other clause of the Constitution.

Actually, I don't have to prove that the government is not justified. The government needs to prove that it is justified. A minor difference, but the onus is on the government.

True, but given that it's a list of powers, there isn't much difference there.

Somebody's gonna have to go through the list, one by one, eliminating things.

And if you can prove that the 9tth and 10th are unnecessary.

The 9th and 10th (which some how I edited out of the original posting) were only needed because of the first 8 amendments. The founders wanted to be clear that enumerating rights for the people and the states in no way limited their rights to only those 8. Their primary focus was on limiting the power of the federal government itself.

I will admit the 9th isn't a total waste of space in theory. After all, theoretically somebody could think of a right that Englishman had that isn't on the list of the Bill of Rights. In practice it's been 224 years and nobody's thought of one. This argument (for example) is entirely based on the 4th Amendment, and the 9th has (to my knowledge) never been cited by any Court at any level for any reason.

The 10th is about as useful. So far it's been ruled a "truism" by the Supremes. It is cited in case law when the Feds try to force states to enforce Federal law, but that only happens once every 20-30 years.

In other words the fact that you're quoting the Ninth at all is pretty clear evidence you have no clue what the Constitution actually means. In this case it's quite clear the government has the ability to retain data it got legally, because if it didn't it would be extremely tricky for them to run at all.

It's quite clear you are attributing statements that I did not make, and your strawman doesn't make your case either. This is my data, or a company's data. It's not government data in any way, shape, or form. The government doesn't generate it, doesn't operate on it, doesn't require it. The only thing they do is tax revenue flows. They do not need access to lower level data, ever, for any of those reasons. For other reasons, there are warrants which can grant them access when there is a need, along with a paper trail documenting that need.

It's not my fault you weren't clear that you were talking about personal data. It's not like there's a specific Constitutional clause that the government is allowed to collect any data, that's an implicit power.

For what the NSA say they do, they have warrants or don't need warrants because they're 51% sure the target is not a US Citizen. I don't think it's a particularly good idea for the NSA to troll the internet for evil Canadians, but this discussion isn't about what the NSA has a moral right to do, it;s about what the NSA has a legal right to do. And the Courts have very consistently ruled that if an officer of the law is pretty sure he doesn't need a warrant, based on evidence that would convince a reasonable person he probably doesn't need a warrant, he doesn't need a warrant.

It's possible Snowden's right and they're lying. But most of Snowden's most outrageous accusations have already been shown to be false. He could not access data directly from google's servers, he could not read your email in real-time, etc. IMO it's 50-50 who is full of shit on this one.

This means that the only way the Courts can apply it to email is apply ana

Mail.Ru

[RockDoctor]

Knowing that it won't actually address the problem that the OP perceives, but I set up a mail account on www.mail.ru years ago, which I use for mailing lists etc, just to confuse people. Completely screws up advertising people when they really want a live email address.

It would help to speak, or at least read, Russian while signing up. I don't recall there having been an English-language option during the set up, though there may be this-decade.

Re:Norway has a 4th Amendment?

[sumdumass]

I'm beginning to think you're a troll, and your entire job is to prove ObamaCare is Constitutional, because you really suck at this. You just don't seem to be familiar with any actual facts.

Let's not get into delusional fantasies. I said no such thing, I said people are saying it and people are suing over it. But this brings up an interesting note. If what I said makes you think Obamacare is unconstitutional, then perhaps you should explore that Idea in and of itself as it is your idea.

Reconciliation happens with every bill that either House amends. It is the process by which the House approves Senate amendments, or vice versa. Reconciliation is not against the House rules, it is the House rules. It involves having both houses vote on the final, reconciled, proposal that their committee has come up with.

Reconciliation is a specific process- rule in the house pertaining to budgetary items. It involved removing amendments passed in one house that the other won't pass and pulls the bills together insomuch as they are the same as has been voted on. What you say is true in the generic sense of how legislation works, but has no meaning whatsoever at all when talking about this because the main difference is whether or not the two bills need to be voted on again after then have been reconciled. In the normal process, the new bill would need a vote. What happened here is the senate voted on one bill, the house voted on another, those separate and different bills passed, then the senate changed bills and instead of voting again, they removed the differences as if they had bother been passed. The house rules allow that to happen as long as it doesn't increase taxes or spending.

The rest of your comment is meaningless. It talks about before the bills currently called Obamacare was voted on, not what happened when the bills finally went to the president.

So the House proposed the mandate, it voted on it;s version of the mandate, and then it voted on the Senate version of the mandate. You ain't gonna convince a Court that ObamaCare is invalid because the House didn't vote on it.

read that link I posted.
http://www.washingtontimes.com/news/2013/mar/31/obamacare-lawsuit-over-health-care-tax-will-test-c/?page=all

Re:Norway has a 4th Amendment?

[NicBenjamin]

Re-read your source. They're not arguing the bill didn't start in the House. They're arguing it doesn't count as a "revenue bill Originating in the House" because the House bill it started as wasn't a Revenue Bill. They also aren't arguing that they'll win on the merits, they're arguing John Roberts will change his mind on the Constitutionality of the entire bill, and use this opportunity to knock it out.

There's a reason nobody made this argument, despite the fact that the Mandate-Tax was not the only tax in the bill. There's the Cadillac Tax, investment income tax hikes, Medicare payroll tax hikes, etc.

They're quite open that this isn;t a serious legal argument, it's a political effort to get Roberts to change his mind.

Re:Norway has a 4th Amendment?

[sumdumass]

There's a reason nobody made this argument, despite the fact that the Mandate-Tax was not the only tax in the bill. There's the Cadillac Tax, investment income tax hikes, Medicare payroll tax hikes, etc.

Yes, that reason is because you cannot argue standing against a tax that you are not yet subject to. You have to show injury in fact in your standing and until the tax impacts you, that has not happened.

They're quite open that this isn;t a serious legal argument, it's a political effort to get Roberts to change his mind.

Roberts will not change his mind if there is no legal backing for it. None of the judges will support the concept if it isn't legally sound. You seem to be reading too much into what was said. Roberts said the penalties were taxes because they were essentially taxes laid in a reverse order. Once those taxes have an impact on someone, standing to sue over the process they became law becomes possible.

  Anyways, it isn't my argument, it is an argument being made and it will end up at the supreme court unless they refuse to hear it.

Re:Norway has a 4th Amendment?

[NicBenjamin]

The indoor tanning tax was implemented pretty much the day the law was signed (mid-2010). Final regulations on it took awhile (they were just issued this month), but everyone whose paid to use a tanning bed since 2010 has been required to pay the tax.

Lawyers are very good at thinking of credible-sounding BS. Many, man law school classes include a section where the prof presents a case, asks everyone to argue about it, and then makes the winner of the debate take the opposite side. This case is a bunch of very smart conservative lawyers grasping at straws to kill ObamaCare.

The started as a House Bill, HB 3590. Since origination is never defined in the Constitution these conservatives made up a definition that doesn't include it. Unfortunately for them nobody outside of their tiny anti-ObamaCare circle is gonna take their definition of "Origination" very seriously because it's just that: their definition. The people who actually matter in these things are the US House, which did not object to the Senate bill. Seperation of Powers means the Courts only intervene in the other branches interpretation of their particular Constitutional clauses in cases where those branches are seriously violating somebody's rights.

That's why nobody who paid the Tanning Tax sued on the basis ObamaCare was Senate-originated and therefore not allowed to have taxes in it. What's gonna happen is the District Court will refuse to rule, probably on the basis that the origination clause is only the Judicial branch's business if it's being abused to oppress religious minorities (First Amendment) or racial minorities (14th and 15th Amendments); they'll appeal to the Appeals Court, which will refuse to ruls on the basis of "Fuck you asshole," and then the Supremes will ignore them.

Re:Norway has a 4th Amendment?

[sumdumass]

The indoor tanning tax was implemented pretty much the day the law was signed (mid-2010). Final regulations on it took awhile (they were just issued this month), but everyone whose paid to use a tanning bed since 2010 has been required to pay the tax.

Ok, who was subject to the tax that wanted to end obamacare but did not attempt it? Just because someone was taxes doesn't mean the person wanting to challenge the tax was the one taxed.

The started as a House Bill, HB 3590. Since origination is never defined in the Constitution these conservatives made up a definition that doesn't include it. Unfortunately for them nobody outside of their tiny anti-ObamaCare circle is gonna take their definition of "Origination" very seriously because it's just that: their definition. The people who actually matter in these things are the US House, which did not object to the Senate bill. Seperation of Powers means the Courts only intervene in the other branches interpretation of their particular Constitutional clauses in cases where those branches are seriously violating somebody's rights.

Then put all your mental might into a legal brief and submit it to the courts hearing this. As I said, it's being challenged and you not liking it doesn't change that fact. I am quite positive that if there was no merit, it would have been dismissed or will be before it gets any steam. The fact that it hasn't lends me to believe you are wrong.

That's why nobody who paid the Tanning Tax sued on the basis ObamaCare was Senate-originated and therefore not allowed to have taxes in it. What's gonna happen is the District Court will refuse to rule, probably on the basis that the origination clause is only the Judicial branch's business if it's being abused to oppress religious minorities (First Amendment) or racial minorities (14th and 15th Amendments); they'll appeal to the Appeals Court, which will refuse to ruls on the basis of "Fuck you asshole," and then the Supremes will ignore them.

Remember, people have paid taxes without objection even when later those taxes have been rescinded because of constitutionality. Just because no one has argued about a certain tax because a legal theory fites does not mean the theory is defective, it means no one has argued it. And as I said before, it's up to the courts, I think it has more merit then you do but we will have to wait and see.