Why security mattersEvery email takes a perilous journey. A typical email might travel across twenty networks and be stored on five computers from the time it is composed to the time it is read. At every step of the way, the contents of the email might be monitored, archived, cataloged, and indexed. However, it is not the content of your email which is most interesting: typically, a spying organization is more concerned by whom you communicate with.
There are many ways in which this kind of mapping of people's associations and habits is far worse than traditional eavesdropping. By cataloging our associations, a spying organization has an intimate picture of how our social movements are organized--a more detailed picture than even the social movements themselves are aware of. This is bad. Really bad. The US government, among others, has a long track record of doing whatever it can to subvert, imprison, kill, or squash social movements which it sees as a threat (black power, anti-war, civil rights, anti-slavery, native rights, organized labor, and so on). And now they have all the tools they need to do this with blinding precision.
We believe that communication free of eavesdropping and association mapping is necessary for a democratic society (should one ever happen to take root in the US). We must defend the right to free speech, but it is just as necessary to defend the right to private speech. Unfortunately, private communication is not possible if only a few people practice it: they will stand out and open themselves up to greater scrutiny. Therefore, we believe it is important for everyone to incorporate as many security measures in your email life as you are able.
Email is not secureYou should think of normal email as a postcard: anyone can read it, your letter carrier, your nosy neighbor, your house mates. All email, unless encrypted, is completely insecure. Email is actually much less secure than a postcard, because at least with a postcard you have a chance of recognizing the sender's handwriting. With email, anyone can pretend to be anyone else. There is another way in which email is even less private than a postcard: the government does not have enough labor to read everyone's postscards, but they probably have the capacity and ability to scan most email. Based on current research in datamining, it is likely that the government does not search email for particular words but rather looks for patterns of association and activity.
In the three cases below, evidence is well established that the US government conducts widespread and sweeping electronic survillence.
According to a former Justice Department attorney, it is common practice for the FBI to practice "full-pipe monitoring". The process involves vacuuming up all traffic of an ISP and then later mining that data for whatever the FBI might find interesting. The story was first reported on January 30, 2007 by Declan McCullagh of CNET News.com.
The Electronic Frontier Foundation (EFF) filed a class-action lawsuit against AT&T on January 31, 2006, accusing the telecom giant of violating the law and the privacy of its customers by collaborating with the National Security Agency (NSA) in its massive and illegal program to wiretap and data-mine Americans' communications.
Because AT&T is one of the few providers of the internet backbone (a so called Tier 1 provider), even if you are not an AT&T customer is is likely that AT&T is the carrier for much of your interent traffic. It is very likely that other large internet and email providers have also worked out deals with the government. We only know about this one because of an internal whistleblower.
For legal domestic wiretaps, the U.S. government runs a program called Carnivore (also called DCS1000).
Carnivore is a 'black box' which some ISPs are required to install which allows law enforcement to do 'legal' wiretaps. However, no one knows how they work, they effectively give the government total control over monitoring anything on the ISP's network, and there is much evidence that the government uses carnivore to gather more information than is legal.
As of January 2005, the FBI announced they are no longer using Carnivore/DCS1000 and are replacing it with a product developed by a third party. The purpose of the new system is exactly the same.
ECHELON is a spy program operated cooperatively with the governments of the United States, Canada, United Kingdom, Australia, and New Zealand. The goal is to monitor and analyze internet traffic on a wide scale. The EU Parliament has accused the U.S. of using Echelon for industrial espionage.
On May 10, USAToday broke the story that the NSA has a database designed to track every phone call ever made in the US. Although this applies to phone conversations, the fact that the government believes that this is legal means that they almost certainly think it is legal to track all the email communication within the US as well. And we know from the AT&T case that they have the capability to do so.
You can do something about it!What a gloomy picture! Happily, there are many things you can do. These security pages will help outline some of the simple and not-so-simple changes you can make to your email behavior.
What a gloomy picture! Happily, there are many things you can do. These security pages will help outline some of the simple and not-so-simple changes you can make to your email behavior.
* Secure Connections: by using secure connections, you protect your login information and your data while is in transport to riseup.net.
* Secure Providers: when you send mail to and from secure email providers, you can protect the content of your communication and also the pattern of your associations.
* Public Key Encryption: although it is a little more work, public key encryption is the best way to keep the content of your communication private.
See the next page, Security Measures, for tips on these and other steps you can take. Remember: even if you don't personally need privacy, practicing secure communication will ensure that others have the ability to freely organize and agitate.