Email
-
Do not use your work email address, e.g. @homeoffice.gsi.gov.uk, to pass on whistleblower material to
politicians, journalists or bloggers.
The Home Office (or other Government
Department), as your employer, is perfectly within its rights to
analyse the log files of its own email systems. They do not need to wait
for a "serious criminal investigation" which would require a
Regulation of Investigatory Powers Act 2000 warrant signed by, wait
for it, the Home Secretary, or, as recently delegated under the Terrorism
Act 2006, by any nameless official to whom the Home Secretary delegates the
renewal of long running intelligence agency or electronic interception
warrants, which almost certainly include the "protection" of the Home
Office IT systems themselves.
-
If you are very IT literate, you may be able to master how to send an email through
a
Mixmaster Anonymous Remailer chain, but we suspect that the number
of people currently working at the Home Office who are confident enough to do this
and who might become whistleblowers is very small.
-
Similarly, a whistleblower could use
Pretty Good Privacy public key encryption, but again, this requires some
effort to install the PGP software on your own PC (not on your Home
Office workstation!)
-
PGP encryption could
protect the content of your correspondence with whoever you
are whistleblowing to, but not the fact that you are in
communication with, say, David Davis, or the Sun newspaper, or
even a political blog.
-
GPG -
Gnu Privacy Guard is an open source version of PGP, compatible with
most PGP keys (and vice versa), except for some of the old keys which
used the RSA public key and IDEA symmetric key algorithms, which the open
source purists did not want to use, due to their patent status, despite
"free for non-commercial use" licences.
-
Unfortunately it is only Spy Blog and
a few other technical security and privacy related blogs which publish a
PGP Public Encryption Key, something which we encourage other bloggers,
journalists and Members of Parliament to do as well.
-
Spy Blog PGP public encryption key
Hushmail
A good compromise for the non-technical
civil servant who wants to be a whistleblower could be a
Hushmail account.
This has the advantage of being based in
Canada, Ireland and the tax haven of Anguilla, and is a web based email
system which uses the same SSL/TLS encryption used to protect credit card and
internet banking transactions from snoopers.
You may have to install the
Sun version of the Java Runtime Environment if you have a recent
version of Windows XP, which no longer comes with Java installed by
default.
-
Hushmail, as of mid-October 2006, now
has a "No Java" or "Turn Java Off" option in its web page client. The
encryption then gets done at the server. The web browser to web server SSL/TLS
https session remains, but the messages are therefore at risk of a
man-in-the-middle attack, whilst being immune from casual monitoring.
You can sign up for a free, anonymous
Hushmail account (with 2Mb of storage space) which needs to be accessed
at least every 3 weeks to keep it active. You can pay about US $35 a year
for a full account, which gives you a Gigabyte of email and document
storage, and the very useful ability to create email aliases e.g. ht4w@nym.hush.com
(but obviously this will leave a credit card trail with your name and
address, unless you use the hard to trust e-gold payment system).
Hushmail to Hushmail traffic is strongly
encrypted, but using Hushmail to, say, email your
Member of Parliament
will be plaintext like other emails.
Hushmail do have a "pre-shared secret"
challenge/response email system called Hushmail Express which can be
useful for non-Hushmail replies, but it is quite a bit less secure,
although still a lot more secure than unencrypted email.
Whether or not it is safe for a
whistleblower to use a Hushmail account from within their workplace,
depends on the situation. Ideally this should be done from home or even a
public cyber café etc. (unless the whistleblower feels that they are under
directed surveillance i.e. being followed or observed).
Hushmail obviously complies with Canadian law
Hushmail have handed over emails
probably stored in the online mailbox, and IP address logs as a result of
a Canadian Court Order, at the request of the US authorities who were
investigating a relatively minor anabolic steroid drug dealer.
Deleting your stored emails after you
have read them, and always using the Java applet, still makes Hushmail
more secure against electronic interception, than the more common web
based email services.
See Wired magazine's
investigation:
Encrypted E-Mail Company Hushmail Spills to Feds
See also the April 2010 Wired
article about the case of a senior US National Security Agency official accused of
leaking information to a Baltimore Sun newspaper reporter:
NSA Official Faces Prison for Leaking to Newspaper
[...]
Thomas Andrews Drake, 52, was a
high-ranking NSA employee with access to signals intelligence documents
when he repeatedly leaked classified information to the unnamed
reporter, who ran stories based on the leaks between February 2006 and
November 2007, the indictment alleges.
Fox News is reporting that the
journalist was Siobhan Gorman, who worked at the time for the
Baltimore Sun and is now a reporter with The Wall Street
Journal, which is published by Fox parent corporation News Corp.
According to the indictment, Drake
exchanged hundreds of e-mails with the reporter, and the two met in the
Washington, D.C., area half a dozen times. Drake also researched stories
for the journalist, sending e-mail to other NSA employees asking
questions, and accessing classified documents to obtain information.
Drake even "reviewed, commented on,
and edited drafts, near final and final drafts" of the reporter's
articles, according to the government.
[...]
Drake opened a Hushmail e-mail account
to contact Gorman, and volunteered to provide information about the NSA.
Drake instructed the reporter to open her own Hushmail account so they
could communicate covertly.
Hushmail is a Canada-based encrypted
e-mail service that allows account holders to communicate securely with
a client-side Java encryption applet. But Threat Level previously
reported that the company has
subverted its own encryption to help U.S. and Canadian authorities
gain access to customer e-mail, in response to court orders. It's
unclear if the FBI used that capability in investigating Drake.
Gorman agreed that information
gathered from Drake would be attributed in articles to a "senior
intelligence official" and that Drake would never be her only source for
information.
[...]
The fact that a senior NSA official
chose to trust Hushmail for his whistleblowing activities is some sort of
endorsement.
The proviso that he should not
be the only source for any newspaper articles is a wise one for
whistleblowers dealing with the mainstream media.
However, perhaps "hundreds of emails"
exchanged over more than a year was rather too much use of that particular
channel of communications?
Presumably the FBI were snooping on all
of the Baltimore Sun journalists, in order to try to track down
the source of the NSA internal leaks?
Hushmail and PGP
If you encrypt, or sign and encrypt, a
message using your own PGP or GPG software, and then also use Hushmail to
encrypt and/or digitally sign your PGP message block inline in the body of
the email, rather than as an attachment, this seems to cause problems for
some versions of GPG software, due to an extra "-" and an extra " " space
at the start of the encrypted block (the dash-escaping which a cleartext
signature applies to every line beginning with "-"). Windows PGP software
handles this OK, but various Linux open source and Apple versions of GPG do not. Either
dispense with using Hushmail's digital signing, if you are already
encrypting and signing with your local PGP key, or put any such messages
or files into attachments rather than the inline body of the email
message.
Please note: Hush mail only recognizes
digital signatures on text messages that are signed using the Clear text
Signature Framework as described in
RFC2440 section 7. Thus when sending to a Hush mail account you must
sign the message first, generating a cleartext signed message, and then
encrypt the result. If you encrypt and sign a message in a single step
(the default for many PGP applications), the signature will not be
recognized.
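To show where the extra "-" and " " described above come from, here is the RFC 2440 section 7.1 dash-escaping rule applied to an already-armored PGP MESSAGE block that is then cleartext-signed inline. This is an added example, not code from the original post, Hushmail or GnuPG; the ciphertext and signature strings are constructed placeholders.

```python
"""Dash-escaping in OpenPGP cleartext signatures (RFC 2440 section 7.1).
Added example, not code from the original post, Hushmail or GnuPG. Every
line of the signed text that starts with '-' is prefixed with "- ", so an
already-armored PGP MESSAGE block signed inline gets its own armor lines
rewritten as "- -----BEGIN PGP MESSAGE-----" and is no longer recognised
by a reader that does not un-escape the text first."""
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def dash_escape(text):
    """RFC 2440 7.1: prefix every line beginning with '-' by "- "."""
    return "\n".join(("- " + ln) if ln.startswith("-") else ln
                     for ln in text.split("\n"))

def dash_unescape(text):
    """Undo dash-escaping: drop the leading "- " from any line carrying it."""
    return "\n".join(ln[2:] if ln.startswith("- ") else ln
                     for ln in text.split("\n"))

def wrap_cleartext_signed(body, signature_b64):
    """Lay out a cleartext-signed message around `body`; the signature is a
    placeholder string here, real signing would be done by GnuPG."""
    return "\n".join([BEGIN_SIGNED, "Hash: SHA1", "", dash_escape(body),
                      BEGIN_SIG, "", signature_b64, END_SIG, ""])

def extract_signed_text(message):
    """Recover the original text from a cleartext-signed message."""
    lines = message.split("\n")
    if not lines or lines[0] != BEGIN_SIGNED:
        raise ValueError("not a cleartext-signed message")
    i = 1                      # skip the "Hash: ..." armor headers
    while i < len(lines) and lines[i] != "":
        i += 1
    body = []
    for ln in lines[i + 1:]:
        if ln == BEGIN_SIG:
            return dash_unescape("\n".join(body))
        body.append(ln)
    raise ValueError("signature block not found")

# Constructed stand-in for an armored message produced by local GnuPG.
INNER = "\n".join(["-----BEGIN PGP MESSAGE-----", "",
                   "hQEMA0ConstructedCiphertext==", "=AbCd",
                   "-----END PGP MESSAGE-----"])

def demo():
    """Return (naive reader finds the armor header?, un-escaping recovers
    the inner block?, the escaped first line of the wrapped body)."""
    wrapped = wrap_cleartext_signed(INNER, "iQEcBAEBAgAGConstructedSig==")
    naive_hit = "\n-----BEGIN PGP MESSAGE-----" in wrapped
    return naive_hit, extract_signed_text(wrapped) == INNER, wrapped.split("\n")[3]
```

A reader that un-escapes first sees the inner block unchanged; one that searches the raw text for the armor header never finds it, which is the failure the post describes. Sending the block as an attachment avoids the wrapping altogether.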
Gmail sessions are now encrypted by default
In response to the Chinese government
hacking attacks on the Gmail accounts of human rights activists, the
search engine giant has now (January 2010) switched on https://
SSL / TLS encryption by default.
See The Register article
Google flips default switch for always-on Gmail crypto
Google mail also understands STARTTLS
encryption between mail servers, so, for example, a Gmail to Hushmail
message will be encrypted all the way through, making interception by
anyone other than the US or Canadian authorities unlikely.
Note that your Gmail Inbox and Sent
folder will still be unencrypted, and will be keyword
searched by Google's search engine software for advertising keyword (or
Government watchlist) purposes.
Encryption does not mean Anonymity
Sending an email message which has been
encrypted with PGP, or through a fully encrypted email service like
Hushmail, or a (now) mostly encrypted one like Gmail, should preserve the
privacy of what is being sent, but it does not
necessarily protect the anonymity of the whistleblower,
i.e. when and to whom it was sent.
Neither Gmail to Hushmail, nor any other
email system, is immune from Communications Traffic Data
retention, snooping and analysis, i.e. which email account communicated
with which other account, at what date and time, and how big a message was
sent (which may be indicative of attached whistleblower documents etc.).
Obviously if you pay for an email
service, especially through a Credit Card, then there will be a financial
audit trail leading back to you.
Luckily, many "free" email accounts are
available (with obviously limited functionality compared with the paid
ones).
It is possible to set up a free Hushmail
or Gmail or Hotmail or Yahoo mail etc. account, even through anonymising
proxy services or Tor.
Such accounts are based outside of the
United Kingdom, and so make it more of an effort for the UK authorities
to snoop on such email systems legally, especially during a whistleblower
leak investigation which does not qualify as being serious enough to
invoke the national security or serious organised crime proportionality
test under the
Regulation of Investigatory Powers Act 2000 section 81
General interpretation:
(3) Those tests are--
(a) that the offence or one of the
offences that is or would be constituted by the conduct is an offence
for which a person who has attained the age of twenty-one and has no
previous convictions could reasonably be expected to be sentenced to
imprisonment for a term of three years or more;
(b) that the conduct involves the use
of violence, results in substantial financial gain or is conduct by a
large number of persons in pursuit of a common purpose.
STARTTLS
Wikipedia article on
STARTTLS
STARTTLS is an extension to plain text
communication protocols. It offers a way to upgrade a plain text
connection to an encrypted (TLS or SSL) connection instead of using a
separate port for encrypted communication.
STARTTLS for IMAP and POP3 is defined
in RFC 2595, for SMTP in RFC 2487, and in RFC 4642 for NNTP.
A typical email header between two email
servers which are using STARTTLS encryption would include lines such as:
(using TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
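One way to check, from a received message, which server-to-server hops actually recorded STARTTLS, as an added example (not code from the original post). The Received: headers are constructed, and the patterns only cover the Postfix wording quoted above and the Gmail wording, not every mail server's format.

```python
"""Which server-to-server hops in a message's Received: headers used
STARTTLS? Added example, not from the original post; the headers are
constructed and the regexes cover only Postfix and Gmail wording."""
import re

# Postfix: (using TLSv1 with cipher X (256/256 bits))   Gmail: (version=TLS1_2 cipher=X bits=128/128)
TLS_PATTERNS = [
    re.compile(r"\(using (?P<ver>TLSv[\d.]+|SSLv\d) with cipher (?P<cipher>[\w-]+)"),
    re.compile(r"\(version=(?P<ver>TLS[\w.]+) cipher=(?P<cipher>[\w-]+)"),
]
FROM_BY = re.compile(r"^from\s+(?P<from>\S+).*?\sby\s+(?P<by>\S+)", re.S)

def unfold_headers(raw):
    """Join RFC 822 continuation lines; return (lower-case name, value) pairs."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

def tls_hops(raw):
    """One (from_host, by_host, 'version/cipher' or None) per Received: header,
    in header order, i.e. the most recent hop first."""
    hops = []
    for name, value in unfold_headers(raw):
        if name != "received":
            continue
        m = FROM_BY.match(value)
        src, dst = (m.group("from"), m.group("by")) if m else ("?", "?")
        hits = [p.search(value) for p in TLS_PATTERNS]
        t = next((h for h in hits if h), None)
        hops.append((src, dst, f"{t.group('ver')}/{t.group('cipher')}" if t else None))
    return hops

def all_hops_encrypted(raw):
    """True only if every hop recorded TLS. Each Received: line is written by
    the receiving server, so only hops through servers you trust are really
    verifiable; an upstream relay can write whatever it likes."""
    hops = tls_hops(raw)
    return bool(hops) and all(tls is not None for _, _, tls in hops)

# Constructed sample: two STARTTLS hops, then a plaintext submission hop.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mx.example.net (Postfix) with ESMTPS id abc123; Mon, 4 Jan 2010 10:00:00 +0000
Received: from mail-out.example.com (mail-out.example.com [198.51.100.5])
    by mail.example.org with ESMTPS id xyz789
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128)
Received: from [203.0.113.7] by mail-out.example.com with SMTP id q1
Subject: Attachment1.doc
"""
```

The last hop in the sample carries no TLS clause, so the message was not encrypted "all the way through" even though the two server-to-server hops were.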
EnigmaMail and OpenPGP
There is an easy to install
plugin for the Mozilla Thunderbird email client called
EnigmaMail, which is, as it describes itself, quite a "simple interface
for OpenPGP email security".
This needs a copy of the Open Source version of the PGP
software, available as a free
download from the Gnu Privacy Guard website. Obviously there is
source code for you to compile your own binary executable programs, and
cryptographic checksums to show if the software has been tampered with
etc.
However, for most of the people who are
reading this article, there is
GnuPG 1.4.10b compiled for Microsoft Windows, which is also easy to
install.
The EnigmaMail setup wizard allows you
to quickly generate reasonable settings for generating your email
encryption and signing key, and the software works well to import the PGP
public keys of your correspondents, or to look them up on public PGP
keyservers.
If you have difficulty in accessing the
official websites for this software, then copies of the EnigmaMail plugin
for Thunderbird 3.0 and the GnuPG software for Windows are
available for download here.
General tips about encrypted email
-
Remember that the Subject line of your
email or the original filename of any attachment may not be
encrypted, and may betray clues to a whistleblower leak
investigation. Use something neutral for both of these, e.g. Attachment1.doc,
Attachment2.doc etc.
-
Do not leave the
Subject line Blank. Do not use anything that looks like
spam e.g. "Viagra" or "Designer Watches" or "Poker" or "Important -
Please read immediately" etc. as it might well be filtered out before it
gets to your intended recipient.
-
For extra security, do not
store or write down your Email password or Encryption / Decryption
passphrase, but memorise it.
-
Choose a
Strong Password or passphrase.
-
As with many other web based services,
if your Web Email service offers a "Forgotten Password"
or Password Recovery or Reset option, then make sure that the answers to the
Challenge / Response questions are at least as strong as your actual
password, e.g. if the question is "What is your mother's maiden name?",
you usually do not have to reply
truthfully, and you should not reply with a very short, easily guessed or easily
cracked answer. US Vice-Presidential candidate Sarah
Palin's Yahoo email accounts were illegally accessed in this way in
2008.
Stored Email inbox and outbox
The laws in the UK and the USA and other
countries which protect against unwarranted interception of email communications
are very specific, and really only apply to the actual email message in
transit.
If your email is stored as a draft
awaiting to be sent, or copies are left undeleted in your
inbox or outbox, either on your personal computer or on, for example, a web
based email service like Hotmail, then the Police and Intelligence
agencies do not usually need to get an
Interception warrant, especially if they physically "seize"
copies of the personal computer or email server hard disk storage systems
for analysis.
Paradoxically, as was shown in the
recent, entirely proper and legal, Operation Algebra investigation into child rape
criminals in Scotland, the UK authorities do not
actually need to apply for any Court Order or get a warrant signed by the
Home Secretary in order to get access to foreign based
email systems, e.g. Microsoft's Hotmail, based in California, USA.
See Spy Blog
Operation Algebra child rape convictions in Scotland: open Wi-Fi tracking,
digital camera image forensics
Rennie's identity was revealed only
after DI Hood's team had invoked the International Mutual Assistance
Treaty, which enabled Scottish investigators to request assistance from
their American counterparts. An intervention by the FBI enabled the
Edinburgh detectives to place a "preservation order" effectively
freezing all the contacts, chatlogs and emails recorded on kplover's
email account at the Microsoft offices in San Jose
i.e. although a Court Order in
California was involved, this was entirely handled by the US authorities
after the self-authorised Mutual Legal Assistance Treaty request
by the Lothian & Borders Police, in secret, with no independent judicial
oversight in the UK.
Obviously this is not much of an issue
when dealing with serious criminals, but exactly the same mechanisms, and
lack of privacy safeguards, would come into play if a "whistleblower leak"
inquiry was being handled by the UK Police or other Government agencies.
It would be wise for any whistleblower
to make sure that they do not store copies of emails
which they send or receive, to or from, journalists or bloggers or
politicians or external ombudsmen or regulators etc. within their normal
email or web mail systems.
Any copies which whistleblowers need to
keep, should be in separate, strongly encrypted storage.
There is a technique, which might be
effective if a particular email system is not under active surveillance at
the time, which has been used since the very start of web based email
systems, and which has been used (sometimes unsuccessfully) by terrorist
suspects.
This involves composing an email message and storing it as a Draft on the
remote webmail server, but not actually sending it. You
then alert your recipient through some other means, e.g. a seemingly
innocuous email message using a different account, an SMS text message,
or some other sort of "Dead Letter Drop" signal (see
Covert Channel Signals for Meetings or Dead Letter Drops).
The intended recipient then logs into
the same email account (you will have had to share the username and
password credentials beforehand) in order to read and/or copy the
information in the Draft. They then delete the Draft email when they
have finished with it.
Ideally both the whistleblower and the
recipient will have taken steps to hide their true IP addresses as they
access the web email site (see
Tor - The Onion Router cloud of proxy servers,
Open Proxy Servers,
Virtual Private Networks etc.)
This technique can be used with many
other systems, not just web email, e.g. photo sharing or MP3 music sharing,
and blogging websites etc.
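To make the "not under active surveillance" caveat above concrete, here is the kind of check a webmail operator could run over its own audit log to spot a shared-draft drop: one session saves a draft that is never sent, and a different session later opens and deletes it. This is an added example, not from the original post; the log format and every line in it are constructed.

```python
"""Why the shared-draft 'dead letter drop' only works while nobody is
watching the mail server: the provider's own audit log shows one login
saving a draft that is never sent and a different session reading and
deleting it. Added example, not from the original post; the log format
and lines are constructed for illustration."""
from collections import defaultdict

# Constructed audit lines: "<time> <account> <client-ip> <action> <draft-id>"
AUDIT_LOG = """\
2010-01-04T09:00:12 nym1@example.net 192.0.2.10 draft_save d1
2010-01-04T09:01:30 nym1@example.net 192.0.2.10 logout -
2010-01-04T10:15:00 alice@example.net 203.0.113.5 draft_save d7
2010-01-04T10:16:10 alice@example.net 203.0.113.5 send d7
2010-01-04T13:22:05 nym1@example.net 198.51.100.7 draft_open d1
2010-01-04T13:25:41 nym1@example.net 198.51.100.7 draft_delete d1
2010-01-05T08:00:00 bob@example.net 203.0.113.9 draft_save d9
2010-01-05T08:30:00 bob@example.net 203.0.113.9 draft_delete d9
"""

def parse_audit(log):
    """Split the constructed log into dicts, ordered by timestamp."""
    events = []
    for line in log.splitlines():
        ts, account, ip, action, draft = line.split()
        events.append({"ts": ts, "account": account, "ip": ip,
                       "action": action, "draft": draft})
    return sorted(events, key=lambda e: e["ts"])

def find_dead_drops(log):
    """Map account -> draft ids saved from one client IP, never sent, and then
    opened or deleted from another IP (one mailbox, two people)."""
    saver_ip = {}                     # (account, draft) -> IP that saved it
    sent = set()
    flagged = defaultdict(list)
    for e in parse_audit(log):
        key = (e["account"], e["draft"])
        if e["action"] == "draft_save":
            saver_ip[key] = e["ip"]
        elif e["action"] == "send":
            sent.add(key)
        elif e["action"] in ("draft_open", "draft_delete"):
            if key in saver_ip and key not in sent and saver_ip[key] != e["ip"]:
                if e["draft"] not in flagged[e["account"]]:
                    flagged[e["account"]].append(e["draft"])
    return dict(flagged)
```

Hiding both parties' IP addresses with Tor changes the addresses but not the pattern (an unsent draft touched from two different sessions), so the technique relies entirely on the provider not looking, not on encryption.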
RIPA and your Cryptographic De-cryption
Keys
In the United Kingdom, the
Regulation of Investigatory Powers Act 2000 Part III - Investigation of
electronic data protected by encryption etc. has not
been used against terrorists or drug smugglers etc., but it has been used
against animal rights extremist activists and against mentally vulnerable
people who stand up for their human right to privacy.
Any Police constable can issue you with
a RIPA section 49 notice, demanding either the plaintext of your encrypted
files or messages, or the decryption key(s) so that they can decrypt your
intercepted emails or encrypted computer files, which they have somehow
got into their possession (either legally or illegally).
The legislation threatens you with up to
2 years in prison (and /or an unlimited fine) for not complying with such
a section 49 notice, or up to 5 years in prison (and/or an unlimited
fine), if the magic words "national security" are somehow weaseled into
the investigation.
They can also impose secrecy over the
fact or substance of a section 49 notice - a "tipping off" offence with a
penalty of up to 5 years and/or an unlimited fine.
This is all very deliberately vague and
catch-all.
It is a defence to claim that you have
genuinely forgotten the PGP pass phrase, especially to an
old Cryptographic key pair.
Appallingly for justice, the
burden of proof falls on the accused, who has to prove his or her
innocence, rather than being assumed innocent, with the prosecution
having to prove guilt beyond reasonable doubt.
However, if you can show that you, as a
human, rather than a machine, have never known the secret decryption key,
e.g. for your SSL / TLS encrypted web browsing session, or the transient
encrypted OpenPGP links between Tor server nodes, or the STARTTLS encryption
between two email servers for which you are not the systems administrator,
or any other ephemeral encryption, then you have a reasonable
chance of defending yourself in Court.
Of course, your life will have been
ruined by arrest / DNA sampling / Fingerprinting and criminal intelligence
database records which are retained for ever, even if you are found not
guilty in Court.