20130818

the last wheeze of an unreasonable expectation of privacy dying

Some time ago I mused at length concerning how, to me, it was not obvious, as Jonathan Landay had said to Amy Goodman, what one can do to try to protect oneself from communications interception. (I have spent much of the intervening time wondering how "obvious" a secure encryption setup and TOR deployment are, and suspect the technical proficiency required to implement either weighs against obviousness.)

The New York Times this week ran the harrowing and exhilarating story of how documentarian Laura Poitras, journalist Glenn Greenwald and whistleblower Edward Snowden all got together. Among its notable points is the description of Ms. Poitras' acumen with communications security -- developed over her many years of harassment and scrutiny at border crossings -- which, while sufficiently advanced to receive and authenticate encrypted communications, wasn't entirely to the would-be leaker's satisfaction when he approached her.
She . . . sent her public key. . . . The stranger responded with instructions for creating an even more secure system to protect their exchanges [instructing her] to select long pass phrases that could withstand a brute-force attack by networked computers [by an] "adversary . . . capable of a trillion guesses a second." . . . Seconds after she decrypted and read the e-mail, Poitras disconnected from the Internet and removed the message from her computer.
It is worth reading, because, prior to contact with Snowden, by necessity, Poitras already operated at a pretty extreme level of communications and information security: minimizing cell phone use, masking her browsing activity, learning to use encryption, leaving copies of film in safety deposit boxes in her many terminus cities -- a level of precautionary effort that almost any reasonable American would view as extraordinary, and as requiring an extraordinary level of proficiency with computers and networks. This heightened level of operational security, and the proficiency it implies, are what first enabled Snowden to reach out. And when he did, his first communications were instructions to implement even greater security.

It is also worth reading for other aspects of the, as I said, exhilarating narrative. In an additional wrinkle, you may have seen the coverage of Greenwald's partner's detention, while changing planes at Heathrow, for the maximum time permitted under the UK antiterror laws nominally permitting such detentions for our safety.

The Freedom of the Press Foundation, apparently agreeing that encryption and TOR might not be obvious to the socially networked masses of credulous WYSIWYG clickers, has published "Encryption Works: How to Protect Your Privacy in the Age of NSA Surveillance," a primer on available tools to that end.

I read it it. It was good. It was informative. It had useful links to the described tools and their support communities. Although I'm skeptical about the absolute security of this machine, I have nevertheless downloaded and begun trying to understand how to use the GPG software. It, and its documentation, do, however, assume that I understand things that I do not understand. I do not have anyone in particular with whom to correspond encryptedly anyway: When our freedom of expression was chilled we stopped writing email; or was it when we opened social networking sites, or grew old?

Anyway, it basically says use encryption and TOR on Linux. Each has its technical hurdles, and TOR has some inherent latency issues so long as it is not widely adopted, some developing liability issues for certain configurations in certain jurisdictions, and has recently had some security issues as well.

Gawker also published a guide, "How to Leak to Gawker Without (Hopefully) Getting Caught," which has some good tips for information security conscientiousness while on the Internet, contemplating or cultivating anonymity.

In other news, the Guardian reported that Google filings, in a pending suit over Google's practice of scanning the content of email sent to Gmail users from other domains, assert that Gmail users have no "reasonable expectation" of privacy in their Gmail traffic. This is true. It pretty much always has been for networked activities. Although, to be fair, the case, reportedly brought by parties who corresponded with Gmail users, not by Gmail users themselves, is interesting, and the Google spokespersons' glib, fallacious similitudes maybe don't help the corporation look too good here.

That outraged shriek is a bunch of privacy advocates' unreasonable expectation of privacy dying.

As one's "reasonable expectation of privacy" is the basis for the standard judicial inquiry into privacy issues, it is important to understand this. You can have a reasonable expectation of privacy in Gmail (I learn from the above-linked FPF encryption primer) only if you use an email client to draft and encrypt your message, and only then transmit it through the Gmail service (and your implementation and your correspondents' implementations are secure).

Except: Do you have a reasonable expectation of privacy in encrypted transmissions when now-publicly-disclosed documents clearly indicate that procedures, adopted to minimize storage of data concerning US Persons "inadvertently acquired," expressly direct that those enciphered be retained for cryptanalysis?

Isn't committing a communication to encryption then ensuring that the best cryptanalysts available to the U.S. Government will have a go at it, if only for practice, or training purposes?

The reasonableness of an expectation of privacy in such circumstances then would tend to decrease over time by some function of the complexity of the particular cipher, the processing power available for the brute force attack, and a sense of the throughput and the volume in the queue.

So, encrypting securely per the best advice of the Freedom of the Press Foundation, and assuming that all transmissions are, in fact, collected, and that all those encrypted are retained for analysis, and are so analyzed, maybe our best bet is to create such a volume of inane and harmless -- but securely encrypted -- traffic that the queue will be prohibitively long for available resources.

All of this is far beyond obvious, and calls for some serious grounding in a variety of fields. As she worked with Greenwald on Snowden's material, Poitras emerged as an operational security mastermind: "In addition to encrypting any sensitive e-mails, she began using different computers for editing film, for communicating and for reading sensitive documents (the one for sensitive documents is air-gapped, meaning it has never been connected to the Internet)."

Finally, whereas Google may have the power to send you advertising based on the content of your correspondence on the fly, and the NSA may have filled the wastes of the West with banks and banks of processors crunching away at my encrypted love poems to Jonathan Landay and Amy Goodman, U.S. District Judge Reggie B. Walton, the chief judge of the Foreign Intelligence Surveillance Court, told the Washington Post this week that the court lacks the capacity to verify information it is provided or enforce compliance with its rulings. But Mr. Obama knows better.