Email security: we’re on our own

Governments want to do blanket email monitoring simply because they can. The temptation to sift through all that data looking for anything of "interest" is enormous and "national security" is a wonderful excuse for doing so.

Terrorist One sends an email message to Terrorist Two, saying “We’re going to kill the President of the USA on Monday at 6:15pm”.

In a darkened basement in Washington a machine notices and red lights begin flashing on a supervisor’s desk. Within 15 minutes, a SEAL team has “neutralised” the startled terrorists and democracy has once again been protected.

Variations on this charming little fiction are the tired rationale used by various security services to justify the interception of email — something they have without doubt been doing covertly for a number of years already. The problem is that it’s a scenario so specious that it’s laughable: any terrorist who sends a plain text message like this is worse than stupid, and the SEAL team is probably doing humanity a Darwinesque service by removing his kind from the gene pool.

Terrorists and criminals have had access to strong encryption for just as long as the security services have, and it’s hard to imagine they don’t use it rigorously. What anti-terrorist benefit, then, does any security service gain by blanket interception of email?

If you stop and think about it for more than a few nanoseconds, it’s clear governments want to do blanket email monitoring simply because they can. The temptation to sift through all that data looking for anything of “interest” is enormous and “national security” is a wonderful excuse for doing so, because it requires absolutely no justification or oversight. The argument seems reasonable — the government, through its intelligence services, has a perfectly clear and reasonable obligation to protect the interests of society.

Unfortunately, previous governments here have shown no compunction about using the SIS to “monitor activities” of people who have perfectly legal views that might conflict with the government line. Add to this the significant number of cases of abuse of such systems (like IRD staff and police officers selling information, or the Courts Department using LTSA driver licence information to locate people with outstanding fines) and it’s clear there are real risks associated with putting such enormous power in the hands of mere mortals, especially when many of them are unanswerable to the public they allegedly serve.

The editor of Computerworld calls my attitude to privacy “paranoid”; by contrast, my position is that only the naive are surprised when their supposedly tame Rottweiler guard dog turns and savages them. Trust can be dangerous. The problem with all these “national security” matters is that they are administered by people, and people are inherently unpredictable and corruptible. Nothing will make me trust anyone with this level of power, especially when they are faceless and almost exempt from public responsibility for their actions. Even if only 1% of these people are bad, that’s still too many to be going through my personal correspondence.

In the end, the government and its related intelligence services are not interested in “privacy”: this notion, which most citizens take for granted, is at worst an inconvenience to those in power, and does not actively enter into their thinking. For this reason, no amount of lobbying by the public will moderate the use of systems like Echelon or Carnivore, and the astounding powers promised to the security services under the Crimes Amendment Bill (Number 6) are already a fait accompli. I can’t work out whether Paul Swain is ignorant, naive, a pawn, or whether he is a villain, but his repeated assertions along the lines of “the honest have nothing to fear” ring so false that not even the very stupid could accept them.

When it comes to our email, then, we are on our own.

Fortunately, the tools criminals and security services use to protect their communication from prying eyes are increasingly available to us as well. Encryption is now so widely available and well understood that no government can seriously hope to prevent or curtail its use. As a result, I believe encryption of email has to become mainstream — whether information is sensitive or not. The encryption doesn’t have to be especially strong — only secure enough to make the process of breaking it more costly than the value of the information it protects. Email encryption is one way in which we, “the honest”, can claim back a little of the privacy we feel is our right, and as an email developer, it’s an area I’m actively pursuing as a priority.

Harris is the Dunedin-based developer of internet mail software Pegasus Mail. Send email to David Harris.
