Pretty Good Protection
This article, which was linked on Slashdot this morning, is a nice kick in the pants to me to start encrypting my email again(?). Some time ago, one of my professors started insisting on this - but while it's nice for Mac, which he used, it's kind of a pain for Linux.
But "kind of a pain" is still a good tradeoff if it means giving the government goons grief and forcing them to get a public warrant if they want to read my email. Not that anyone probably wants to read MY email (well, not YET anyway - mwahhaha), but it's the principle of the thing.
The case in question is United States v. Warshak, and the issue is that the government subpoenaed an ISP to require it to turn over user account information, including the contents of emails stored on the server. The ISP was also barred from informing its customers. So Warshak, one of the targets of the investigation, sued once he found out.
The decision reached was that whether or not ISP customers have a "reasonable expectation of privacy" under the terms of the Fourth Amendment depends on the agreements they sign when they accept service. And since most ISPs include provisions in their contracts which allow them to datamine your mail to a certain degree, it's likely that a "reasonable expectation of privacy" doesn't exist for most ISP customers. Moral of the story: DOWNLOAD YOUR EMAIL!!!
Linux users hardly need to be told - but the Best Email Client in the World ™ is Mutt, and it prompts you to download your mails every time you log out. Very convenient. As a result, I've long (well, OK, 4 months...) been in the habit of keeping my school mail account clean. Not much I can do about Yahoo! without paying their fee, and Gmail is a lost cause, of course - so I try not to have anything terribly important sent there.
Or is there?
Well, in fact there is - at least as far as Gmail is concerned. You can encrypt your mail, and insist that people send encrypted mails to you.
Thanks to folk hero Philip Zimmermann, encryption is freely available to all - despite the best efforts of the US government to jail him for teaching the world how to do it in the early 1990s. It's called "PGP," for "pretty good privacy." As the name implies - it's hardly perfect. But it's close enough to perfect for most ordinary users. Unless you're the head of a shadowy organization, you're probably not worth the time and resources it would take the government to crack your encryption code, so you can feel 99% safe with PGP. Even if they do randomly decide you're worth it, it's a giant pain for them. It would be easier for them just to subpoena your home machine and get the private key themselves.
The way it works is simple. You download a program that encrypts stuff. This program encrypts it in such a clever way that you need two encryption keys to deal with it: a public key and a private key. As the name suggests, the public key is something that you make available on your website (or, erm, more accurately, you publish it on a website whose raison d'etre is publishing such things) - and when people want to send you encrypted mail, they encrypt their mail with this key. The private key is for DEcrypting the mail - and only you have that. The beauty of PGP is that the private key can't be deduced from the public key. That's why it works: because you can safely publish the public key - the one used to encrypt the stuff sent to you - without fear that someone could use it to crack the code to decrypting your mail. That's why there's the "G" in "PGP."
Using PGP, the only thing that ever shows up on the server is a bunch of gibberish. And ALL mail goes through a server eventually.
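To make the two-key idea concrete, here is an added example (not part of the original post) using GnuPG, the free PGP implementation that ships with most Linux distributions. It assumes GnuPG 2.1 or later; the address me@example.org, the message and the two throwaway keyrings standing in for "me" and "my friend" are all made up for the demo.

```shell
#!/bin/sh
# Added demo; address and message are constructed. Requires GnuPG 2.1 or later.
# Two throwaway keyrings stand in for two people: ME (recipient), FRIEND (sender).

pgp_roundtrip() {
    ME=$(mktemp -d) && FRIEND=$(mktemp -d) || return 1
    chmod 700 "$ME" "$FRIEND"
    me()     { gpg --homedir "$ME" --batch --quiet \
                   --pinentry-mode loopback --passphrase '' "$@"; }
    friend() { gpg --homedir "$FRIEND" --batch --quiet "$@"; }
    status=1

    # 1. I generate a key pair. The empty passphrase is for this demo only.
    me --quick-generate-key 'me@example.org' default default never 2>/dev/null &&
    # 2. I publish only the public half; my friend imports it.
    me --armor --export 'me@example.org' > "$FRIEND/me.pub" &&
    friend --import "$FRIEND/me.pub" 2>/dev/null &&
    # 3. My friend encrypts to my public key. This file is all a server sees.
    printf 'meet at noon\n' |
        friend --trust-model always --armor --recipient 'me@example.org' \
               --encrypt > "$FRIEND/msg.asc" &&
    # 4. The ciphertext does not contain the plaintext...
    ! grep -q 'meet at noon' "$FRIEND/msg.asc" &&
    # 5. ...and the public key alone cannot decrypt it, even for the sender.
    ! friend --decrypt "$FRIEND/msg.asc" >/dev/null 2>&1 &&
    # 6. Only the keyring holding the private key recovers the message (stdout).
    me --decrypt "$FRIEND/msg.asc" 2>/dev/null &&
    status=0

    # Stop the per-keyring agents and remove the throwaway keys.
    for d in "$ME" "$FRIEND"; do
        gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null
        rm -rf "$d"
    done
    return $status
}
```

Calling pgp_roundtrip prints the recovered message and returns 0 only if every step held, including the sender's failed attempt to decrypt. For a real key, set a passphrase rather than leaving it empty.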
My thoughts on the actual court case. Personally, it doesn't bother me that much that there's no "reasonable expectation of privacy" for mails stored on a public server. In fact, I think that's the right interpretation. The right to privacy is largely invented in the first place. It's not specifically enumerated in the Constitution - we just sort of assume that the Founders intended for there to be such a thing but didn't go to too much trouble to write it out because - well, in the 1790s spying technology wasn't what it is today. So we have to be careful reading too much privacy protection into the Constitution - because reading things in that aren't specifically written, no matter how good your intentions, sets a precedent for reading other nasty things into it. So I'm reasonably comfortable with the onus being on me to take steps to keep my information private. I just need to know that, having taken the steps, the government is required to respect my limits - and this case doesn't seem to threaten that in any way.
Servers are someone else's property - and I either use their service for free (Yahoo! and Gmail) or I pay them for it (IUmail). In either case, it's obvious that I use their service on their terms. If they're mining my mail, I'm not happy about it, but as long as they told me, I can take my own independent steps to protect my information. And that's all this case says: ISPs have to specify how private your personal mail really is, and you have to abide by their terms when using their server. Fair enough.
As for the "reasonable expectation of privacy," I think about all that needs to be said about that is that wherever you're storing your mail - if not on your home computer, I mean - there's some slob administrator in his pyjamas who can read it whenever he likes. Of course, it's sort of unethical for him to do it - but c'mon! That doesn't mean the geeks that maintain Yahoo! don't occasionally sneak a peek at what you're writing just for laughs. THAT's about as safe as your mail is. Not to mention - ANY hacker worth his salt can intercept mail in transmission. So the word to the wise is DO NOT count on the fact that no one is reading your email! Probably no one is (just think of the sheer volume of all the mail in the world - then ponder your own insignificance in the scheme of things: you're no James Bond) - but you can't COUNT on that fact. So best not to email your pals the finer details of your plans to murder your wife. And best not to assume the government can't get at your email - because really, it can.
Unless you're using PGP.