Regarding the current scandal involving former CIA director, General David
Petraeus, did we learn anything new about email security or the lack thereof?
Were you surprised at what the FBI was able to find out about the parties to
this scandal before the FBI even obtained a court order or a warrant or
subpoena?
In this excerpt from Answercast #74, I look at how email can be accessed
easily by the authorities if it is available in an online service.
Hiding emails online
Was I surprised? Absolutely not.
Did we learn anything? Well, I think a lot of people learned something. But
it’s not something that wasn’t already out there to be learned.
The fact is when you store email on a service provider like Gmail or Hotmail
or whatever, the email in many cases is legally accessible to law enforcement
if they have a good reason.
Online email can be accessed
Now, I don’t want to get into the legalities and picking apart the law. For
one thing I’m not a lawyer. For another thing the law keeps changing. But as I
kind of sort of understand it, if you leave email on your email server for long
enough, the email is (currently under the law, I think) deemed as being
abandoned, or available, or whatever. What that means is that if you are
honestly, truly concerned about the government accessing your email, don’t
leave it on a common server like Gmail – or your ISP, or wherever.
That’s an important lesson to be learned.
Hiding messages in drafts
The other lesson to be learned, by the way, is about this technique they
were using: where they didn’t actually send mail. They were sharing
access to a single account and leaving each other messages in the Drafts
folder.
In other words – they would type up a message, but leave it in “Drafts” and
never hit send.
That didn’t help them. The fact is that the email account is available.
These folders are available to law enforcement.
Apparently this is a technique that’s been used by others before. I think
you can see that it is not something that is particularly secure, and is not
something that adds a real layer of security to what you’re doing.
Email servers are vulnerable
The important things to take away from this are:
- Mail on a server is vulnerable to inspection by the authorities. If that’s
  a problem then you want to take steps to make sure that’s not your situation.
- Your email then needs to be on your PC where it’s in your control; or it
  needs to be encrypted in some way that cannot be decrypted, just by nature of
  its storage on the service.
(Transcript lightly edited for readability.)
So instead of sharing an email account, if I give remote access, through let us say LogMeIn, to my partner and we leave messages there on the PC, would you say our communication is secure enough from prying eyes?
01-Dec-2012
The true message is, don’t come back for second helpings…
Jp
Anybody who expects unencrypted email to be private is seriously fooling themselves. If you don’t do it, it can’t come back and bite you.
What I found shocking and had me ROTFL, is the fact that the CIA director would use such an ineffective way of hiding his tracks as that. I mean, if he’s that sloppy, how could he have been trusted to oversee the whole country’s security???
This sort of touches on a previous question in this newsletter re: how much more capable are men at technology than ‘older’ women. Yep, no question about it. We rock!
It is all not as clear cut as some might think.
Informative discussion: http://www.schneier.com/blog/archives/2012/11/webmail_as_dead.html
Even encryption may not save you. Either “they” can decrypt it or you can be compelled in a legal case to decrypt it.
Bottom line, the only secure communication is to talk to yourself… and don’t do it out loud. :-)
Good News……
It’s called Wickr
Its app works like this: You create a text — picture, voice or video — and you set a time for how long you want that message to live. Then you send it to the other person. The timer starts the second they open the message.
When the timer hits zero the message self-destructs. All digital traces of that communication are gone. The app is free. Wickr plans eventually to make money by charging for a version with a few more features, but the basic security will always be the same.
Dec. 4th release -NPR
http://www.npr.org/2012/12/04/166464858/online-privacy-fix
Cell phone app only for now, but they’re working to expand….but I believe this addresses the primary phone email concern.