Tuesday, July 3, 2012

Your Email Privacy Is Under Increasing Threat

Over the last few days, two stories about emails have hit the headlines, and it leads to questions over the future security of email as a communications medium. What has been considered a fairly private method of communication is now under increasing threat from both government and corporate scrutiny.

Our email accounts carry more than just messages, they are the primary way we sign up for accounts, and verify our identity online. With our email accounts being made insecure, our whole online identity becomes compromised. Everything we do online, comes down to our email addresses. It could be said that they are our online identities. That's why the threat to the privacy of them is one that should not be taken lightly.

By far the more well-known of the stories was about Facebook, and their decision to change the displayed email of every user on the social network to one @facebook.com. The insidious nature of this change - made without notice let alone fanfare - meant that from the time of the change, which happened sometime Friday, until it gained widespread notice on Monday, people who believed they were emailing a friend were actually sending their email into the internal Facebook message system.

Had they enabled the addresses, and sent out a notice, there wouldn’t have been much of a problem. That they decided to REMOVE any visible email address, and display this Facebook one publicly instead is the problem. All of a sudden there’s one approved email contact published and it happens to be one where the information goes to Facebook’s servers.

An email intended for a private email box, sent by someone unaware of the swap or the nature of the email address could send information to it, unaware that it is feeding the Facebook advertising machine. The message enters Facebook’s systems, if the sender’s email address is associated with an account, it’s shown as being from that account (and is virtually indistinguishable from an internal Facebook message)

In a quick test I ran, I sent my Facebook email a message from another email address. One not associated with a Facebook account. Within a minute, the message was sitting in Facebook’s message centre, but hidden in ‘other’ messages. I got no notification of it, no number in the message icon, no email notice. When an email is sent from an address with an associated account, it looks almost indistinguishable from a regular chat message, and again, no email notice, although this time the site does alert you to a message.

this is what an email from an address without a Facebook account looks like 
So either way, unless you log in to Facebook, you won’t know you have been sent an email. Unless you check a folder most aren’t aware of, you won’t know of messages from non-Facebook associated email addresses. Meanwhile, Facebook has access to contact information and message contents, because of how they’ve changed your displayed information. This could in fact be described as a Man-in-the-Middle attack, for email.

For a company that’s in hot water already over the way its IPO was handled (again, an issue of information disclosure) this was not a smart move.

Meanwhile, on the other side of the world, border officials in Israel have a different opinion on email privacy. If they want to read your private emails at will, you will give them access or forget about entering the country.

Think about that for a moment. This goes beyond the US border searches (where you can at least exert some control over what you have on you) which were already excessively intrusive. In one case, reported on by the Times of Israel, a suspected Palestinian supporter and activist was placed before a computer screen at Israel’s International Airport.

The traveller, 42-year-old American citizen Sandra Tamari, was then told to log into her personal Gmail account, so that a security agent could search it for incriminating evidence. Tamari declined the request and was denied entry into the country. Nor is she alone in this – at least three other American women have been expelled from Israel for similar reasons. The email search was not premeditated, or backed by any sort of court; the agent only became aware of the address during a physical search of Tamari’s belongings.

It’s not just confined to emails either. There are reports that other people have been asked to log into Facebook or other services so that Israeli officials can determine if someone is Palestinian supporter.

Israeli officials portray these data-mining fishing trips as normal security practice, for a country constantly under threat. Yet it is Israel that is clearly the rogue state here, rather than one who should be applauded or seen a security visionary. While Iraq was invaded by the US for possibly being in violation of UNSC Resolution 1441, (which turned out to not be the case) Israel has violated over 20 UN Resolutions, and has been called on to respect the 4th Geneva Convention.

Clearly not a country whose actions we should be following, but yet is anyone in any doubt that this idea will spread? It remains to be seen just how much longer email, for a long time considered to be private as far as online communications go, will keep that status. Of course, technology can help mitigate things somewhat, as public/private key encryption remains a possibility. Yet don’t expect them to let you in if you don’t decrypt emails for them as well.

I use Enigmail for Thunderbird for my emails. My public key ID is 0xD6DD7E47

The end of the day it’s a no-win scenario for free speech activists. They are, after all, the easiest to go after and make headlines about, giving the impression to the masses of security without actually making anything secure. In fact, since such measures only foster ill-feeling, such policies only make things LESS secure… but that’s acceptable to those behind it, because there has to be a reason to implement even more intrusive policies at a later date. That is the real (and only) effect of such policies after all.

Meanwhile, your email security is under increasing threat, from companies wanting to monetize it, or Governments wanting to monitor it.

This piece was first published at Falkvinge on InfoPolicy on 29 June 2012. It is under a CC0 license.

No comments:

Post a Comment