Note: The date this was published may be wrong - I lost all the date information when my old blog went down, so have guesstimated (the posts' chronological order is correct though!)
Why encrypting your email may not be the smartest way to ensure privacy
There are various posts appearing online, suggesting that given the NSA may have direct (I refuse to treat an SFTP server, or basically anything where people aren’t involved, as not direct) access to email content, you should encrypt that content and take your privacy back.
I’m not sure this is the best approach. The volume of data the NSA may or may not have access to every day, if they are able to access email, phone records etc., would be astronomical. We (the technological and scientific community) often find it hard to extract meaning from massive, well-structured datasets. How is the NSA expected to systematically derive relevant information from data as fragmented, diverse and unstructured as personal communications? If I worked for the NSA, I’d select a number of robust digital targets or flags to look for inside this information. One of those targets would almost certainly be encrypted emails. You can use fairly simple machine learning techniques (Bayesian filters come to mind) to pick key-encrypted text out from normal human-readable text.
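To show how little machinery that takes, here is a character-level naive Bayes filter. It is an added example, not code from the original post. The training sentences, the `fake_armored` helper (base64 of pseudo-random bytes standing in for armored ciphertext) and all other names are constructed for illustration.

```python
import base64, hashlib, math
from collections import Counter

def fake_armored(seed, nbytes=96):
    """Constructed stand-in for armored ciphertext: base64 of pseudo-random bytes."""
    raw = b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(nbytes // 32 + 1))
    return base64.b64encode(raw[:nbytes]).decode()

# Constructed training samples (assumptions for this example, not real mail).
PLAIN = [
    "Thanks for sending the report, I will read it over the weekend.",
    "Can we move the meeting to Thursday afternoon instead of Friday?",
    "The train was late again so I missed the start of the lecture.",
    "Please remember to bring your laptop and the signed forms with you.",
]
ENCRYPTED = [fake_armored(f"train-{i}") for i in range(4)]

class CharNaiveBayes:
    """Multinomial naive Bayes over single characters with Laplace smoothing."""
    def __init__(self, alpha=1.0):
        self.alpha, self.counts, self.docs, self.vocab = alpha, {}, Counter(), set()

    def train(self, label, text):
        self.counts.setdefault(label, Counter()).update(text)
        self.docs[label] += 1
        self.vocab.update(text)

    def log_score(self, label, text):
        c = self.counts[label]
        denom = sum(c.values()) + self.alpha * (len(self.vocab) + 1)  # +1 slot for unseen chars
        prior = math.log(self.docs[label] / sum(self.docs.values()))
        return prior + sum(math.log((c[ch] + self.alpha) / denom) for ch in text)

    def classify(self, text):
        return max(self.counts, key=lambda label: self.log_score(label, text))

def build_filter():
    nb = CharNaiveBayes()
    for s in PLAIN:
        nb.train("plain", s)
    for s in ENCRYPTED:
        nb.train("encrypted", s)
    return nb

def label_lines(nb, body):
    """Classify each non-empty line of a message body."""
    return [nb.classify(line) for line in body.splitlines() if line.strip()]

if __name__ == "__main__":
    blob = fake_armored("unseen")
    body = "Hi Sam, the notes from Tuesday are pasted below for you.\n" + blob[:64] + "\n" + blob[64:]
    print(label_lines(build_filter(), body))
```

A filter like this keys on the character distribution of base64 text, so a base64-encoded attachment looks the same to it as armored ciphertext. It needs the MIME parts separated before its labels mean anything.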
If a nefarious individual were planning something criminal and using email at all, I would expect them to encrypt or disguise the content in some way. Such an individual would have to assume all communications were compromised – just because we, the public, have not thought this until now does not mean that any organization participating in illegal activities does not already make this assumption. It’s probably also fair to say that, until last week, very few people encrypted the contents of their emails.
Considering this, if I worked for the NSA, I would probably think, “Well – this is one easy way to drastically reduce the set of data we have to examine” and essentially treat encrypted emails as a flag. If programs like PRISM are as far reaching as they’re claimed to be, then email is one dimension of a network of data which can be built around a potential target. Encrypting your email may essentially attract the very attention it’s trying to avoid.
One solution to this is to use old-school codes and cyphers. Like Enid Blyton’s youthful heroes and heroines, or every spy kit given to every budding childhood spy, secret messages encoded within apparently benign or routine notes may be a far less conspicuous way to sneak secrets through the tubes. Of course, encrypted or coded messages are largely uninformative without other pointers. I suspect this is the precise reason why PRISM is reported to be so massively encroaching – simply put, using just email or cellular metadata alone does not provide even close to the granularity or certainty needed to make informed analyses of potential terror threats. That being said, how the NSA would deal with such a vast, massively complex, semi-overlapping, semi-complementary data set is, theoretically at least, an incredibly interesting problem.