Slashdot Mirror


A Year After Snowden's Disclosures, EFF, FSF Want You To Fight Surveillance

Today, as the EFF notes, marks one year from Edward Snowden's first document leaks, and the group is using that as a good spur to install free software intended to make it harder for anyone (the NSA is certainly not the first, and arguably far from the worst) to spy on your electronic communications. Nowadays, that means nearly everything besides face-to-face communication, or paper shipped through the world's postal systems. Reader gnujoshua (540710) highlights one of the options: 'The FSF has published a (rather beautiful) infographic and guide to encrypting your email using GnuPG. In their blog post announcing the guide they write: "One year ago today, an NSA contractor named Edward Snowden went public with his history-changing revelations about the NSA's massive system of indiscriminate surveillance. Today the FSF is releasing Email Self-Defense, a guide to personal email encryption to help everyone, including beginners, make the NSA's job a little harder."' Serendipitous timing: a year and a day ago, we mentioned a UN report that made explicit the seemingly obvious truth that undue government surveillance, besides being an affront in itself, chills free speech. (Edward Snowden agrees.)


  1. Today's Vancouver Sun says Canada spying on them by WillAffleckUW · · Score: 2

    So, it's not just the US spying on Americans in America, it's apparently Canadians spying on Canadians in Canada.

    --
    -- Tigger warning: This post may contain tiggers! --
  2. No point encrypting if you're the only one... by nine-times · · Score: 5, Insightful

    There's no point in encrypting your email with something like GPG if you're the only one using it, and most people aren't going to use it until it's easy.

    I know, you'll tell me it's easy. Just download this software, install it, and it'll work for your email client, assuming you're still using an email client and there's a plugin available for it, which there might not be. Otherwise you need to copy and paste and stuff, and... oh right, then there's also the whole issue of managing keys and keeping a backup copy safe. Most people don't back anything up.

    You have to make it easy. Someone will get angry because I appear to be praising Apple, but take iMessage's encryption for example. Do people using it know that their messages are encrypted? Probably not. Are they given a choice? No. Do they know that they're generating encryption keys? Probably not. Are they asked to manage their own encryption keys? No.

    That's easy. GPG isn't. Email encryption needs to be that easy, or people won't use it.

    1. Re:No point encrypting if you're the only one... by PRMan · · Score: 4, Informative

      Gmail is working on it. And they're trying to get other e-mail providers onboard.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    2. Re:No point encrypting if you're the only one... by mcelrath · · Score: 2

      I've been using GPG for more than a decade, but in recent years I've stopped signing my messages because it often trips up poorly-configured spam filters. That, combined with the fact that you can't be certain that the recipient has received or read a message makes using GPG (and potentially losing your email) risky.

      While "read receipts" exist in many proprietary formats, we need it to be standardized and deployed globally. Hey, let's use our GPG keys to do it?

      --
      1^2=1; (-1)^2=1; 1^2=(-1)^2; 1=-1; 1=0.
    3. Re:No point encrypting if you're the only one... by McDutchie · · Score: 2

      This argument hasn't changed in twenty years, in spite of massive improvements in ease of use. Apparently, it's impossible to make it "easy enough" for the average user. I think this means ease of use actually has very little to do with the problem. The problem is with the average user's priorities. People value convenience more highly than privacy, and as long as people don't change those values, encryption will never take on. Typically people will only change their priorities under threat of dire and immediate consequences for them personally. Everyone will lock their door so they don't get burglarised. But email privacy is too abstract and invisible still. It's going to take some huge cases of identity theft, with real monetary loss, to get people to change - and then people will probably sooner abandon email than use email encryption. Finally, the kind of convenience that you propose necessarily will render the whole thing insecure. Letting strangers (like Google) manage your private keys defeats the whole purpose.

    4. Re:No point encrypting if you're the only one... by NotInHere · · Score: 2

      The W3C should standardize the way 'End-to-End' communicates with the website. It has a huge potential, not just for mail but also for chat or with WebRTC.

    5. Re:No point encrypting if you're the only one... by Capslock118 · · Score: 4, Insightful

      I agree 100%. I'd say 50% of my communication is with my family, and there is not a single person in that group that would be able to handle GPG. And anyway, we are at the point of "every message on every device", and again most of my family communicates on their smartphones, not on a desktop or laptop. Even if they did use a desktop/laptop the message would still have to be easily read on all of their devices (including default apps). There is just no point in wasting my time with email encryption since I am not any kind of political advocate and no one I communicate with would be able to use encryption. Heck, I have S/MIME on all of my devices for email and that works great and it's automatic......but I am the only person in my circle who uses that even though it's arguably easier to use than GPG (because it's supported by most of the default email applications out there). Why even bother with trying to ram encryption into email when there are other secure communication protocols out there?

    6. Re:No point encrypting if you're the only one... by Anonymous Coward · · Score: 2, Informative

      > Do people using it know that their messages are encrypted? Probably not.

      Are their messages encrypted? Probably not.

      Easy enough your grandma can't do it.

    7. Re:No point encrypting if you're the only one... by mlts · · Score: 2

      Maybe this is pure Ludditism, but the best security is gotten by having a MUA that is separate from the e-mail provider, and the MUA handles PGP/gpg or S/MIME keys.

      There is something nice and convenient about Web based E-mail, but it is at a cost of end to end security.

      It isn't as good as end to end, but with Exchange, one can do encrypted TLS connectors with other Exchange sites that one does a lot of E-mail or other messaging with. This will secure the E-mail as it goes from site "A" to site "B". However, if site "C" still uses unencrypted SMTP, then anything going there isn't really secured.

    8. Re:No point encrypting if you're the only one... by TheGratefulNet · · Score: 2

      gmail will NEVER have encrypted mail, end to end.

      why?

      think about it. their whole business model is about looking at your stuff. if you encrypt it, they can't see it.

      also, the other main reason is that you can't do searches if your on-disk data is encrypted.

      so, a web company will NEVER give true end to end (including on-disk) encryption. it's against their whole business model for many reasons.

      --
      "It is now safe to switch off your computer."
    9. Re:No point encrypting if you're the only one... by nine-times · · Score: 2

      > Does trusting Apple to write your encryption software, manage your encryption keys for you, and handle your actual communications make any sense in the least?

      It makes more sense than not encrypting your messages at all. Actually it's dramatically changing the sort of problem that you're dealing with. If you really just don't trust Apple at all, then I get it. Don't use their products at all, because they could have put in NSA backdoors to everything, so use FOSS.

      But my point wasn't that we should trust Apple. My point was that Apple managed to create an encryption scheme for messaging that results in every message being encrypted, without the user being expected to do special configuration and key management, and it's baked into their software by default. If Apple can do it, why can't someone else?

      For starters, if we want GPG to be the default for encryption, why can't we have thunderbolt built in such a way that it includes GPG, Enigmail, and everything else? Why not have the default setup prompt to set up encryption, generating keys or restoring them if they don't already exist? And what's your plan for standardizing backup/recovery of keys?

      Fine, don't trust Apple, but then build your own system that's at least as good.

      > That's like trusting a burglar to set up your home security system

      Only if you assume that Apple is a burglar, in which case, don't trust them with anything. But in reality, it's just too much of a big deal to not trust anyone with anything. I put my money in a bank, even knowing it's possible for them to make unethical use of my banking records. I store my email on Gmail. I store my website with my web host. I accept SSL certificates from certificate authorities. I buy my phone from Apple and my laptop from Lenovo. There could be hardware chips built in by the manufacturers that are logging my keys. Realistically what am I going to do if I don't trust anyone? Even when I use Linux, I'm still trusting people. I didn't do a code audit myself.

    10. Re:No point encrypting if you're the only one... by nine-times · · Score: 2

      > Did you read their instructions?

      Yes. And I'm an IT guy, and I'll tell you that an awful lot of people would have trouble with those directions even if they wanted to follow them. For your average person, they'd have to install Thunderbird, GPG, and Enigmail-- and with that, you've already lost 90% of users. You haven't even gotten to dealing with the encryption keys, but give those instructions to most people and they'll say, "But can't I just use the Internet?" by which they mean, they would rather use webmail than install 3 applications. They won't even understand what those 3 applications are. You can forget about Linux.

      Plus, let's say they follow those directions and encrypt all of their email in Thunderbird. Now they're traveling and they want to read their email in webmail. Uh oh. It looks all weird. No problem, they'll just access it on their iPhone-- but it looks like gibberish there too!

      Sorry, it's not going to work like this. It needs to be much much easier than this.

  3. Misuse by Impy+the+Impiuos+Imp · · Score: 2

    > the seemingly obvious truth that undue
    > government surveillance, besides being
    > an affront in itself, chills free speech.

    When I first read this, I was completely shocked that, because the NSA monitors this, anyone would ever think they are anything but a bunch of swell guys.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  4. Fixing a social problem with technical means? by cpghost · · Score: 5, Insightful

    Basically, we're making it WAY too easy for the NSA to spy on us. But, even if we all switched to encrypted mail, that's not enough: with their metadata collection, they can still infer a lot of things from our communications patterns. So technically, we need I2P, Freenet or similar anonymizing technology to hide in the crowd. However, to REALLY fix the problem once and for all, we need to take it to the political arena, and fight for majorities to get Congress to rein in NSA in earnest, no matter what "Yes We Scan" Obama wants. If we don't, Orwell's 1984 will remain in effect, no matter how much we use OSS, encryption and so on.

    --
    cpghost at Cordula's Web.
    1. Re:Fixing a social problem with technical means? by mooingyak · · Score: 2

      > Historically, technical means are a valid way to help fix social problems. Would we have ended slavery as quickly without the cotton gin?

      Isn't that backwards?

      quoting from first link from "cotton gin effect on slavery"

      The cotton gin freed slaves from the arthritic labor of separating seeds from the lint by hand. At the same time, the dramatically lowered cost of producing cotton fiber, the corresponding increase in the amount of cotton fabric demanded by textile mills, and the increasing prevalence of large-scale plantation agriculture resulted in a dramatic increase in the demand for more slaves to work those plantations. Overall, the slave population in the South grew from 700,000 before Whitney’s patent to more than three million in 1850—striking evidence of the changing Southern economy and its growing dependence on the slave system to keep the economy running.

      --
      William of Ockham had no beard. The most likely explanation is that it was chewed off by squirrels every morning.
    2. Re:Fixing a social problem with technical means? by Shatrat · · Score: 2

      Well shit, I guess maybe we shouldn't encrypt our emails after all.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  5. Encryption isn't privacy by bigpat · · Score: 5, Interesting

    Encryption misses the point. Encryption isn't privacy. The major threat to privacy from the US government is not from the content of your communications being read without a warrant it is that your communications are going to be monitored without a warrant so they will be able to monitor all your associations, purchases, communications and movement and locations. Basically it is like having a tail on 24x7 with someone looking over your shoulder... they don't need to know what you are saying until they want to and if they want to then you are past the point where encryption will mean much since they can put a keylogger on your system or maybe even break your 256 bit encryption.

    The only protection from the surveillance state is either to eliminate communications technology altogether or to return to the rule of law.

    1. Re:Encryption isn't privacy by bigpat · · Score: 2

      I don't disagree with the idea that some of these things might be worth doing, especially if you have intellectual property or activities that are worth protecting. Just disagree with the notion that it would be easier to get a few billion people talking with encryption than it would be to just get some politicians elected who might actually put some constitutional restraints back on the NSA and other US government agencies. Encryption is better than not having encryption, but relying on encryption when you don't have well managed keys or security in other parts of your system is what I think can lead to a screen door on a submarine mentality where you think you have a door.

  6. pointless by Charliemopps · · Score: 4, Insightful

    This is pointless. The 5 people that do this will be protected when they communicate with one another. That's it.

    Let's be clear. I don't care if Google or Facebook are spying on me (well, I do, but that's an entirely different topic.) The NSA is definitely the "worst" despite what this says. I'm even less concerned about foreign governments or criminals spying on me. The real danger is to our entire way of life. What the NSA is doing could be used to turn us into a true totalitarian state... very easily. What China, or some script kiddy, or even what Google can do with this information pales in comparison to the atrocities the federal government could commit with this power. The only thing restraining them at this time is their own will not to do so. That is NOT acceptable in my opinion. How long before we elect the next Nixon? or Stalin? It will happen, it always does. What will they do with this power?

    1. Re:pointless by timrod · · Score: 2

      It's also pointless because the NSA doesn't care about reading emails - they have no need to. Even with encryption, they can read the headers on the email and the sender/receiver email addresses and link those with real people. They can see who you're communicating with and how often you do so. If they really want to know what you're saying, they have a myriad of options at their disposal:

      - Call the FBI (or other nationwide law enforcement agency for those not in the US) and have them raid you and everyone you talk to, either allowing them to obtain the private keys off your PC or by jailing you indefinitely for contempt of court for refusing to hand the keys over.

      - Send out NSLs and obtain pen register orders against everyone you talk to, allowing them to read the already-decrypted messages.

      - Use any one of their stash of zero-days and backdoors to install a pen register on your computer.

      No amount of encryption is going to stop an agency that can send a small army of thugs to your door for any reason or no reason at all.

  7. Agreed by Anonymous Coward · · Score: 2, Insightful

    The essence of this demand is "You have a responsibility to smarten-up."

    That has never, and will never, work. Humans simply do not work that way.

    My optimistic side says the major players will make it easy, like your example from Apple, and then all will be good.

    My cynical side says the government will simply slap some gag orders on the industry players, and impose backdoors, and roll merrily along with the surveillance.

    The *only* people who can be protected from this are those smart enough, and motivated enough, to do something that is not easy.

  8. Great article wrong on paper mail being safe by sasparillascott · · Score: 4, Informative

    Great article but this part isn't correct:

    "Nowadays, that means nearly everything besides face-to-face communication, or paper shipped through the world's postal systems."

    As shown here - every single piece of 1st class mail in the U.S. is photographed (and probably handed over to the FBI or NSA or whomever started this stupid program up in the first place to get the Post Office to do that):

    http://www.nytimes.com/2013/07...

    Short of radical political reform, which seems a long shot in the U.S. in the near term - technical solutions coming from open software will be the few ways we can restore some privacy to communications.