Thursday, May 14, 2009

How not to be email snooped?

Remember how the Government dropped the idea of a central database which would store all our email/traffic data, and instead said they would seek to have all the information stored by the ISP instead?

Remember also how it then transpired that this was really just an EU Directive and was introduced as a statutory instrument called the "The Data Retention (EC Directive) Regulations 2009"?

Well, Chris Huhne has received an interesting answer from Nick Harvey about whether the service prodivder for Parliament is subject to the data retention under these rules. A reasonable questin I imagine as some MPs might be concerned about confidentaility and/or whistleblower protection if they get leaked something electornically. Apparently,
The internet service provider for Parliament is Colt. The provisions of the UK Data Retention (EC Directive) Regulations 2009 apply to all public communications providers to whom a written notice has been given by the Secretary of State. I understand that Colt have not received such a notice.
Lesson learned? If you don't want the Government to snoop your email then get a service from Colt?

15 comments:

Half The Story said...

Dizzy, I think Colt provide the network, not the email service. Isn't it the email service provider that has to store data.

So, say AOL, does both for home users, so would. But if you then use a webmail account, how would they track that?

dizzy said...

What does the email travel over? SMTP, across the network. Open packets with TO:, FROM:, RCPT: BODY: fields. The network provider can store the information based on standard protocol filtering.

dizzy said...

Of course, the webmail point stands, and I;m yet to establish how they could store anything other "user X visisted gmail.com"

Alastair said...

Or what if you run your own mail servers and don't use the ISP ones? Not too difficult to set up, and I doubt they'd send a letter asking you to snoop on your own email traffic!

dizzy said...

As already started, you will still be sending mail via outbound SMTP ports ergo the network provider can caputre those packet and inspect and store them.

wonderfulforhisage said...

Comments to date (5) look as if they are very interesting and important. Trouble is I'm not a techie and don't understand them. Any chance of a synopsis which would point us non techies in the direction of snoop free emails. For instance - use a combination of ISP and email provider selected from a list.

Henry Crun said...

Or you could do what Derek Draper does and take your PC walkies. Oh hang on, I'm confusing snooping with "hacking", aren't I?

dizzy said...

@wonderfulforhisage - basically, use a webmail product hosted in the US. Then the most they could know is where you browsed.

Giolla said...

Dizzy,

Running your own mail server does solve much of the problem, as even if the ISP is snooping all your traffic which would breach RIPA (I think) you can always enable TLS so that your mail is encrypted. At present they should just be recording what passes through their mail servers which you won't be using. Private mail servers being exempt from the regulations, I've discussed this in a bit more depth here:
http://www.anonymong.org/2009/04/06/data-retention-starts-today/

Giolla said...

@dizzy @wonderfulforhisage - only if that webmail provider does everything over HTTPS after all if we should worry that they'll snoop port 25 to check our email why not port 80? Given what's happen with phorm and the like, I'd be much more concerned about snooping web traffic than smtp traffic. (plus of course you can always encrypt the message in your email client before it leaves your PC).

dizzy said...

Err my point was that they would be able to snoop your 80 traffic still.

Giolla said...

if it's not HTPS traffic then:

"basically, use a webmail product hosted in the US. Then the most they could know is where you browsed."

isn't true, they can snoop all of the message including to/from etc same as with SMTP traffic.

dizzy said...

Not if the interface doesn't do a POST in the way Hotmail does.

dizzy said...

Of course, we;re going slightly of topic here. The post was originally about Parliament currently being free of data retention regulations.

dizzy said...

As I;ve said before though, the best is using something liek Tor. Although IP over DNS might be an interesting one to try. Hidden by obscuirty as it were.