The Privacy Issue
Email Encryption Privacy Begins at Home
Several things thumped
into Dynamoo's Inbox this month on the thorny issue of Internet privacy.
Privacy is distinct from many other security issues because
your privacy can be compromised quite legally by government agencies as well
as illegally by hackers and the like.
Echelon is the great-granddaddy
of monitoring systems. Founded in the 1970s and updated continually, it
is a joint program of the US, UK, Australia, Canada and New Zealand. Simply
put, Echelon has the potential to intercept all electronic communications
coming in or out of these countries, from email and web connections through
to phone calls and fax transmissions. In addition, the US operates Echelon
eavesdropping facilities in a number of allied countries.
How does it work? Well,
not even Echelon can read everything, but it uses an intelligent filtering
system to try to get at potentially "interesting" communications.
Sounds like paranoia?
Well, not really - there are arguably good grounds for having this capability,
certainly in the eyes of governments. Except that the available evidence
tends to show that it is being used against private citizens and, increasingly,
for economic advantage (at least according to a report of the European
>>> Echelon links
In the UK the Regulation
of Investigatory Powers Act (RIP Act or RIPA) enables UK intelligence
authorities to eavesdrop on all domestic Internet traffic in an Act which
(bizarrely) was meant to protect privacy. The Act allows security
services to install equipment at ISPs' locations and monitor traffic without
a warrant. It also allows the government to compel people to hand over passwords
and keys, and in effect removes any shred of privacy or legal redress.
Again, this is not paranoia.
The Act actually allows for these things - but it is hard to tell if they
are being put in place because the Act also makes it illegal for private
individuals to reveal that these actions are taking place. There are tribunal
and check systems in place, but the cloak of secrecy may make them less than
>>> RIPA Links
One common way to try
to get around this monitoring is to use an anonymous proxy service to surf the web. One
of the best known is Anonymizer
- but there are many others, and Dynamoo's favorite at the moment is the
excellent (and free)
Megaproxy. These enable you to access sites which are either barred,
logged or otherwise inaccessible.
Encryption is one of
the best ways of keeping email private, and one of the best known ways of
doing this is to use PGP. PGP has a long history behind it - I would
recommend Simon Singh's
The Code Book as an excellent primer in all aspects of cryptography.
International PGP Home Page has various free versions of PGP for personal
There are two main drawbacks
with sending encrypted email:
Begins at Home (or Work)
- Firstly, they can draw attention
to you (i.e. why are you sending encrypted email?). Even if security
agencies can't crack your encryption, they can use traffic analysis
to see who is sending messages to whom, even if the content is unknown.
- Secondly, encrypted emails
are a nightmare for corporate administrators because they render Anti-Virus
products useless. There is no way an AV product can scan a PGP encrypted
email for incoming viruses, and this increases the risk of virus infection
on a corporate network.
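Both drawbacks are visible at a mail gateway. The sketch below is an added example, not part of the original article: it flags PGP-encrypted messages that an Anti-Virus scanner cannot inspect, and lists the headers that stay readable for traffic analysis even when the body is encrypted. The sample messages, the addresses and the triage function name are constructed for illustration.

```python
from email import message_from_string
from email.message import Message

ARMOR = "-----BEGIN PGP MESSAGE-----"

def _is_pgp_mime(msg: Message) -> bool:
    # RFC 3156 wraps ciphertext in multipart/encrypted with this protocol.
    proto = (msg.get_param("protocol") or "").lower()
    return (msg.get_content_type() == "multipart/encrypted"
            and proto == "application/pgp-encrypted")

def _has_inline_armor(msg: Message) -> bool:
    # Older clients paste ASCII-armored ciphertext into a text part.
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            if ARMOR.encode() in (part.get_payload(decode=True) or b""):
                return True
    return False

def triage(raw: str) -> dict:
    """Say whether a gateway scanner can see the body, and what stays visible."""
    msg = message_from_string(raw)
    if _is_pgp_mime(msg):
        verdict = "opaque: PGP/MIME"
    elif _has_inline_armor(msg):
        verdict = "opaque: inline PGP"
    else:
        verdict = "scannable"
    # Encryption covers the body only; routing headers remain in clear text.
    visible = {h: msg.get(h) for h in ("From", "To", "Date")}
    return {"verdict": verdict, "visible_headers": visible}

# Constructed sample messages (placeholder ciphertext, example.org addresses).
HDRS = ("From: alice@example.org\nTo: bob@example.net\n"
        "Date: Mon, 01 Jan 2001 10:00:00 +0000\n")
SAMPLES = {
    "pgp_mime": HDRS + 'Content-Type: multipart/encrypted; '
                'protocol="application/pgp-encrypted"; boundary="b1"\n\n'
                "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
                "--b1\nContent-Type: application/octet-stream\n\n"
                + ARMOR + "\n(placeholder)\n--b1--\n",
    "inline": HDRS + "Content-Type: text/plain\n\n" + ARMOR + "\n(placeholder)\n",
    "plain": HDRS + "Content-Type: text/plain\n\nSee you at noon.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

Messages flagged as opaque can only be virus-scanned after decryption, which in practice means on the recipient's own machine.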
Everywhere you visit
on the Web leaves a trail of History files, Cookies, Temporary files and
other traces. These contain information about your surfing habits, personal
details and other things you might not want people to know about.
2004) How vulnerable
you are depends on the skill of the person looking for traces
of sites you've visited. Deleting Cookies and Temporary Internet
files (in Internet Explorer this is under Tools.. Internet Options..)
will only stop nontechnical users. In a work environment, you might
have staff with good computer forensic skills, in which case consider
looking at the products listed at the Open
BBC News article on Echelon, May 2001
European Parliament: Draft report on Echelon [pdf]
FAS: Echelon - an excellent site from the
Federation of American Scientists
RIP Act links:
UK Home Office: Regulation of Investigatory Powers Act 2000
Regulation of Investigatory Powers Act (2000) - Commentary at
Orgasm's quick guide to the RIP bill at