
Re: [tor-talk] Email provider for privacy-minded folk



On 2/14/2013 4:42 AM, adrelanos wrote:
> Moritz Bartl:
>> On 13.02.2013 22:47, Joe Btfsplk wrote:
>>> I suppose even providers offering encryption of files while on their
>>> server (like Lavabit), could read the mail just before it was encrypted
>>> / decrypted, since they are doing the encrypting.
>> Even if they encrypt maildirs on their servers and unlock only while you
>> are logged in, they can sniff your login/encryption password and poof.
>> That's what Hushmail was forced to do on request by law enforcement.
> What if Hushmail (or any other mail provider) had recommended the user
> to install a browser add-on to do encryption locally?
>
> Could they get forced to convince the user to install a malicious
> browser add on, on request by law enforcement?

That concept of "feds" forcing Hushmail to send targeted users a modified Java applet (that does the encrypting on client side), so their pass phrase could be captured, is discussed here:
http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/
But can the feds force Hushmail to modify the Java applet sent to a particular user,
I don't know if Hushmail still offers a method to encrypt email locally, before it is sent to Hushmail servers. But for any that do offer such a feature, it's possible w/ a court order, or something such as a National Security Letter - NSL https://en.wikipedia.org/wiki/National_security_letter - they could be forced / coerced into doing something like that. That wouldn't affect the majority of users, who aren't direct targets of investigation.

That said, BEFORE the Patriot Act in the U.S. (& now similar acts / laws in other countries), no one would've dreamed it would be so easy for LEAs to get "private" email - even encrypted ones. So what's next? Interesting fact: I've read documented correspondence (issued by an ISP) that ISPs & probably email providers get paid QUITE a bit to gather & turn over data requested in NSLs & maybe ? for other LEA requests. We're not just talking chump change. Big providers get LOTS of requests to turn over data each yr.