There Is No Such Thing As NSA-Proof Email

Just ask ultrasecure email providers.

<a href="http://www.shutterstock.com/pic-142624894/stock-vector-open-letter-at-symbol-seen-with-magnifying-glass-on-bright-striped-background-degraded.html?src=_YlftXWQ7KoRjMArAaEKKA-1-19">Paula A Gomez Granada</a>Shutterstock

Fight disinformation: Sign up for the free Mother Jones Daily newsletter and follow the news that matters.


Since last June, when Edward Snowden tore the veil off the National Security Agency’s vast data dragnet, Americans have been flocking to ultrasecure email services in the hopes of keeping the government out of their private business. Use of the most popular email encryption software, PGP, tripled between June and July, while revenue for the data-encryption company Silent Circle has shot up 400 percent.

But even these services may not be able to protect your email from government prying. That fact came into stark relief last Thursday, when Lavabit, the secure email service used by Snowden, abruptly shut down. Lavabit’s 32-year-old founder, Ladar Levison, issued a statement saying he pulled the plug because he didn’t want to be “complicit in crimes against the American people.” He has since given up using email entirely, and he urges others to consider doing the same. “I would strongly recommend against entrusting your privacy to a company with physical ties to the United States,” he told Mother Jones. “I honestly don’t think it’s possible to provide a secure service in this country.”

Levison, who is reportedly under federal gag order, declined to elaborate (though he opined, based on his experience, that we’re a “whisper’s breath away” from becoming a society where all electronic communications are recorded and scrutinized by the government). But according to other industry insiders and cybersecurity experts, there’s good reason to be wary of transmitting sensitive information via email—even if your provider claims to have iron-clad safeguards.

Tech giants, such as the Microsoft subsidiary Hotmail, regularly hand over data to the government. In fact, in the last eight months of 2012 (the most recent period for which data is available), Hotmail, Google, Facebook, and Twitter provided law enforcement authorities with information on more than 64,000 users. And that doesn’t include responses to secret national security letters ordered by the Foreign Intelligence Surveillance Act Court, or FISA.

Secure emails services, such as Lavabit, are supposed to guard against this kind of snooping (as well as hackers and phishers) by encrypting email messages—turning them into gibberish that can only be read by people who have a password, or “key.” Theoretically, in most cases, the email provider can’t even decipher the contents, much less government agencies. But even the most secure email systems don’t completely encrypt “metadata,” the bits of identifying information that accompany messages, such as the sender’s name and IP address; the subject line; and the date and time the message was sent. Matthew Green, an encryption expert at Johns Hopkins University, says the government can tell a lot about a person from these details. “If you can map out who someone has talked to, that’s almost as useful as knowing what they were talking about,” he explained, “especially if you’re trying to map out a criminal conspiracy or find out who leaked information from reporters.”

What’s more, encrypted emails may actually attract NSA scrutiny. Under most circumstances, the NSA is supposed to destroy intercepted email data from US citizens. But, according to an internal NSA document that was leaked to the Guardian in June, this rule doesn’t apply to “enciphered” communications—meaning the NSA can stockpile data from encrypted accounts and comb through it at will.

The federal government also has been known to press tech companies to put “back doors” in their software so it can monitor users’ activity and, in some cases, read encrypted messages. According to Green, this is easy to do, technologically. “The company simply puts out a software update. You download it. Suddenly, what you thought was a secure end-to-end email system is now being read by the government.”

Under the black letter of the law, tech companies aren’t required to comply with such requests (although the FBI is pushing to change that by amending the Communications Assistance for Law Enforcement Act to allow the government to monitor internet communications in the same way it taps phone calls). But several software firms—including the Microsoft subsidiary Skype—have done so. And NSA may be able to demand backdoor access to users’ data through the FISA court, which has its own secret body of law.

While Levison of Lavabit could not discuss the specifics of his case, he suggested that the government was trying to compel him to give access to vast quantities of user data. He explained that he was not opposed to fulfilling law enforcement requests that were “specific in nature” and “approved by a judge after showing probable cause,” and noted that he had responded to some two dozen subpoenas during his decade in business. “What I’m against, at least on a philosophical level,” he added, “is the bulk collection of information, or the violation of the privacy of an entire user base just to conduct the investigation into a handful of individuals.”

Other tech companies seem to share Levison’s concerns about mass surveillance. On Friday, the data-encryption firm Silent Circle followed Lavabit’s lead and shuttered its secure email service. Silent Circle cofounder Philip Zimmermann—who also developed PGP encryption software—told Mother Jones that he believes all “highly principled” secure email services will do the same. The secure-networking company Cryptocloud struck a similar note in a missive posted to its website on Friday, which urged tech companies to take a “seppuku,” or ritual-suicide, pledge. “In the context of privacy issues, ‘corporate seppuku’ means shutting down a company rather than agreeing to become an extension of the massive, ever-expanding, secretive global surveillance network organized by the U.S. National Security Agency,” the message read. “You can’t force a company to do something if there’s no company there to do it.” Several companies have since joined Cryptocloud in signing onto the pledge.

Levison applauds these efforts. But he notes that not every tech company is in a position to be so uncompromising. “Can you imagine what would happen if Google shut down their email service? Or Hotmail? Or Yahoo?” he said. “If all three of those shut down, the economy would stop. They don’t have the luxury of being able to take a moral stand.”

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

WE'LL BE BLUNT

It is astonishingly hard keeping a newsroom afloat these days, and we need to raise $253,000 in online donations quickly, by October 7.

The short of it: Last year, we had to cut $1 million from our budget so we could have any chance of breaking even by the time our fiscal year ended in June. And despite a huge rally from so many of you leading up to the deadline, we still came up a bit short on the whole. We can’t let that happen again. We have no wiggle room to begin with, and now we have a hole to dig out of.

Readers also told us to just give it to you straight when we need to ask for your support, and seeing how matter-of-factly explaining our inner workings, our challenges and finances, can bring more of you in has been a real silver lining. So our online membership lead, Brian, lays it all out for you in his personal, insider account (that literally puts his skin in the game!) of how urgent things are right now.

The upshot: Being able to rally $253,000 in donations over these next few weeks is vitally important simply because it is the number that keeps us right on track, helping make sure we don't end up with a bigger gap than can be filled again, helping us avoid any significant (and knowable) cash-flow crunches for now. We used to be more nonchalant about coming up short this time of year, thinking we can make it by the time June rolls around. Not anymore.

Because the in-depth journalism on underreported beats and unique perspectives on the daily news you turn to Mother Jones for is only possible because readers fund us. Corporations and powerful people with deep pockets will never sustain the type of journalism we exist to do. The only investors who won’t let independent, investigative journalism down are the people who actually care about its future—you.

And we need readers to show up for us big time—again.

Getting just 10 percent of the people who care enough about our work to be reading this blurb to part with a few bucks would be utterly transformative for us, and that's very much what we need to keep charging hard in this financially uncertain, high-stakes year.

If you can right now, please support the journalism you get from Mother Jones with a donation at whatever amount works for you. And please do it now, before you move on to whatever you're about to do next and think maybe you'll get to it later, because every gift matters and we really need to see a strong response if we're going to raise the $253,000 we need in less than three weeks.

payment methods

We Recommend

Latest

Sign up for our free newsletter

Subscribe to the Mother Jones Daily to have our top stories delivered directly to your inbox.

Get our award-winning magazine

Save big on a full year of investigations, ideas, and insights.

Subscribe

Support our journalism

Help Mother Jones' reporters dig deep with a tax-deductible donation.

Donate