[tor-talk] Email provider for privacy-minded folk
Joe Btfsplk
joebtfsplk at gmx.com
Thu Feb 14 17:26:33 UTC 2013
On 2/14/2013 4:42 AM, adrelanos wrote:
> Moritz Bartl:
>> On 13.02.2013 22:47, Joe Btfsplk wrote:
>>> I suppose even providers offering encryption of files while on their
>>> server (like Lavabit), could read the mail just before it was encrypted
>>> / decrypted, since they are doing the encrypting.
>> Even if they encrypt maildirs on their servers and unlock only while you
>> are logged in, they can sniff your login/encryption password and poof.
>> That's what Hushmail was forced to do on request by law enforcement.
> What if Hushmail (or any other mail provider) had recommended the user
> to install a browser add-on to do encryption locally?
>
> Could they get forced to convince the user to install a malicious
> browser add on, on request by law enforcement?
>
That concept of "feds" forcing Hushmail to send targeted users a modified
Java applet (that does the encrypting on client side), so their pass
phrase could be captured, is discussed here:
http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/
> But can the feds force Hushmail to modify the Java applet sent to a
> particular user,
I don't know if Hushmail still offers a method to encrypt email locally,
before it is sent to Hushmail servers. But for any that do offer such a
feature, it's possible w/ a court order, or something such as a National
Security Letter - NSL
https://en.wikipedia.org/wiki/National_security_letter - they could be
forced / coerced into doing something like that. That wouldn't affect
the majority of users, who aren't direct targets of investigation.

That said, BEFORE the Patriot Act in U.S. (& now similar acts / laws in
other countries), no one would've dreamed it would be so easy for LEAs
to get "private" email - even encrypted ones. So what's next?

Interesting fact: I've read documented correspondence (issued by an
ISP) that ISPs & probably email providers, get paid QUITE a bit, to
gather & turn over data requested in NSLs & maybe ? for other LEA
requests. We're not just talking chump change. Big providers get LOTS
of requests to turn over data each yr.