Someone may be reading all your e-mail. At both security agencies and cybercrime enterprises, thousands of geeks are busily sifting through e-mails that they have intercepted. This is happening every second of every day, around the world.
Of course it’s highly unlikely that anyone at America’s National Security Agency (NSA) or the UK’s Government Communications Headquarters actually cares about you. Unless you’re suspected of aiding terrorists, you’re not going to be worth surveilling.
The same applies to criminal gangs. Unless you’re spectacularly careless or very rich, you’re generally not going to attract their attention. So why is Google working a tool that will make reading intercepted e-mail virtually impossible?
The tool, named End-to-End, is a solution to the inherently insecure nature of most e-mail communication. Normally an e-mail travels across the Internet in a format very close to text. No special tools are required to read a message. And, just like a physical letter, it can be intercepted and read while en-route to its intended recipient.
So, while you may see the comforting green padlock when you access your Gmail or Yahoo inbox, that only means your own connection to those services is secure. Once an e-mail is sent out into the wild there are no guarantees it won’t be intercepted.
End-to-End intends to make encrypting e-mail easy for people without the technical skills normally required to do so. Once encrypted, these e-mails will only be readable to their intended recipients. Anyone else trying to read them would find only scrambled nonsense.
But why not simply secure the routes between mailboxes, just as the world’s postal services have long secured their own routes? While that logic is sound, it is at odds with the fundamental nature of the Internet.
A global network of networks, the Internet is designed to allow information to flow freely between nodes. Some of these nodes are very secure, and some are not secure at all. You cannot predict, with any level of certainty, that your e-mail will not pass through a less secure node. So, while Google’s own network is very secure, your Internet service provider may not be.
By encrypting an e-mail, you put it beyond the grasp of even the most powerful governments. Without the key that unscrambles (decrypts) a message, it would take literally millions (if not billions) of years to “guess” it. It is equivalent to writing a letter in a private language known only to your recipient. The postman might steam open the letter, but he will not be able to understand it.
This is not a new technology. E-mail encryption has existed for the better part of two decades. End-to-End uses a popular standard called OpenPGP that is already used by millions of people. But encryption is a complex process with many steps. By simplifying and automating the process, Google intends to make it more accessible to ordinary users.
End-to-End is not yet ready for public consumption. Google has shared an early version with the global developer community and asked for comments and critiques. It will probably be a few more months before ordinary users will be able to install it. Even then, the product will only work with Web-based e-mail systems such as Gmail and Yahoo.
Of course, End-to-End is just one of many initiatives designed to thwart mass surveillance. The Dark Mail Alliance is developing an entirely new e-mail protocol with encryption baked into it. A slew of new mail services such as ProtonMail and RiseUp offer built-in encryption of e-mail. But Google is the first major e-mail provider to explore end-to-end encryption.
But why should we bother? Most of us mere mortals are not interesting enough to surveil, and this sounds too much like hard work. Yet that attitude is what makes it so easy for governments and criminals to invade our privacy.
At the moment, mass surveillance is relatively easy. If you have direct access to the pipelines through which the data moves — as the NSA does — you can simply scoop it all up and process it at leisure
But if most of that data were encrypted, it would be essentially useless. Without the requisite keys, it would impossible to tell if an e-mail read, “Happy birthday!” or “The bomb is ready”. The point is to make mass surveillance so difficult and costly that it becomes practically unfeasible.
Does that mean I’m in favour of terrorists running amok, unhindered? Of course not. I’m just in favour of security agencies getting back to what they did for decades before the Internet arrived: targeted surveillance. They caught terrorists before the Internet existed, after all. It just required more physical effort and less keyboard surfing.
The security agencies will rail against any such ideas. To them, national security is paramount and mass surveillance is a vital weapon in their arsenal. But the need for safety must always be weighed against the right to privacy. Over the last decade, the balance has tipped dangerously towards safety at all costs. It’s time we leashed our guard dogs. — (c) 2014 Mail & Guardian
- Alistair Fairweather is chief technology officer at the Mail & Guardian
- Visit the Mail & Guardian Online, the smart news source