Ask Slashdot: Recommendations For Non-US Based Email Providers?

timothy posted about a year ago | from the lesser-of-evils dept.

Communications 410

First time accepted submitter jlnance writes "I don't particularly like the NSA looking over my shoulder. As the scope of its various data gathering programs comes to light, it is apparent to me that the only way to avoid being watched is to use servers based in countries which are unlikely to respond to US requests for information. I realize I am trading surveillance by the NSA for surveillance by the KGB or equivalent, but I'm less troubled by that. I searched briefly for services similar to ymail or gmail which are not hosted in the US. I didn't come up with much. Surely they exist? What are your experiences with this?"

410 comments

Not sure I understand the question. (5, Insightful)

Anonymous Coward | about a year ago | (#44531021)

Actual communication security implies point-to-point security. In such a setting, a third-party service doesn't make any sense. Hence either what you're looking for can't exist, or you won't know if it's secure.

Re:Not sure I understand the question. (2)

Eunuchswear (210685) | about a year ago | (#44531153)

+++ THIS.

Do it yourself.

Re:Not sure I understand the question. (5, Insightful)

Anonymous Coward | about a year ago | (#44531427)

You would have to lease space in a datacenter, buy a domain, set up VPN, use securelinux (though probably not since it was written by the NSA) or solaris, run a VM inside that, always do a restore before accessing email and read through the tens of thousands of lines of code to delete out anything that MAY compromise your security (best use open source in this case). Also you will have to ensure that everyone you email is doing the same thing. So you may want to start mandating that everyone you email use your domain, but since it will be so expensive you should probably charge for it to at a minimum offset costs. Though you should probably charge enough to ensure that you can afford to quit your current job to do full time maintenance.

After all that, probably be best you find a neutral country that has no agreements with the US and will refuse to work with it.

But good luck!

Re:Not sure I understand the question. (4, Funny)

the_B0fh (208483) | about a year ago | (#44531487)

If you restore your VM (that hosts your email) before accessing your email, didn't that just wipe out your emails?

You need more paranoia please.

Re:Not sure I understand the question. (5, Interesting)

ImdatS (958642) | about a year ago | (#44531375)

Yes, correct.

In my experience, having a mail server provider in Europe (e.g.) and using PGP/GPG could help. The problem is of course that your recipient also needs PGP/GPG.

1&1 and Deutsche Telekom in Germany just announced that (paraphrasing it) they will take email security more seriously now. You might want to get an email account at GMX in Germany (product of 1&1) and then use PGP/GPG for fully confidential communication. I wouldn't use their webmail interface, rather suggest to use their IMAP/POP Interface using SSL/TLS.

Using PGP/GPG *and* a foreign email service provider helps in (a) encrypting your email (PGP/GPG), and (b) (if used with SSL/TLS) communication, also hiding the sender/recipient identification, including your email's subject.

On the other hand, I don't know if that would be really secure (for [b] at least), as the German secret service (BND) seems to forward communication information to the NSA (at least the meta-information)...

If you really want to communicate securely, I recommend a "dead mailbox"-principle electronically, but by using PGP/GPG to encrypt the file in question, maybe even hiding the content as a picture or video...

Re:Not sure I understand the question. (1)

Z00L00K (682162) | about a year ago | (#44531535)

Make sure that you use encrypted mails using self signed certificates or by someone you trust.

Runbox.com (5, Informative)

Gaygirlie (1657131) | about a year ago | (#44531025)

I am using www.runbox.com myself: it's a service based in Norway, it's pretty cheap considering, they do not have any NSA-ties or the likes. I dunno what else to say about it, really, so I'll just copypaste this from their site:

Email Privacy in Norway

Some countries, especially in Europe, have a constitutional guarantee of secrecy of correspondence, wherein email is equated with letters and therefore protected from all types of screening and surveillance. In electronic communication, this principle protects not only the message contents but also the logs of when and from/to whom messages have been sent.

In Norway, freedom of expression and privacy of correspondence is governed by Article 100 and 102 of the Constitution and the implementation of the European Convention on Human Rights in the Norwegian Human Rights Act, especially Article 8: Right to respect for private and family life.

Additionally, the Personal Data Act as set forth by the Norwegian Data Inspectorate regulates collection, storage, and processing of personal data.

The Data Inspectorate was established January 1, 1980 and was among the first agencies in the world to facilitate the protection of individuals from violation of their right to privacy through processing of their personal data.

Central principles of the Norwegian data privacy regulations are:

        Personal data must only be collected by private entities when consent from the user has been obtained.
        Personal data must not be used for purposes inconsistent with the initial purpose of collection except with consent from the user.
        Personal data must not be stored longer than required by the purpose of collection.
        Personal data must be kept confidential unless required by law or court order.

Finally, the coming Data Retention Directive will soon be implemented in Norway but will only regulate electronic infrastructure providers, which Runbox is not.

Re:Runbox.com (4, Insightful)

Anonymous Coward | about a year ago | (#44531123)

Personal data must be kept confidential unless required by law or court order.

That's a hole you can drive a truck through. The NSA justifies everything on those grounds.

Re:Runbox.com (3, Interesting)

MightyMartian (840721) | about a year ago | (#44531163)

Besides, the way I understand it, whatever privacy protections remain apply to US citizens on US soil. Use a foreign email service, and it sounds like all bets are off.

Re:Runbox.com (1)

spire3661 (1038968) | about a year ago | (#44531273)

The 4th amendment doesn't end at the border for a U.S. citizen.

Re:Runbox.com (5, Informative)

Anonymous Coward | about a year ago | (#44531363)

Yeah, it ends 100 miles inside [slashdot.org] the border.

Norway has a 4th Amendment? (0)

Anonymous Coward | about a year ago | (#44531405)

There is likely no expectation of privacy in foreign e-mail networks, so no 4th Amendment protections...

Re:Norway has a 4th Amendment? (1)

spire3661 (1038968) | about a year ago | (#44531465)

Doesn't mean MY government is empowered legally to look at ANY of my correspondence ANYWHERE in the world, without a warrant. It is explicitly forbidden to do so by the absolute highest law in the land. Until such time as the 4th is repealed, I will continue to demand that it be enforced.

Re:Norway has a 4th Amendment? (3, Insightful)

MightyMartian (840721) | about a year ago | (#44531501)

I'm not attempting to argue with you. The point is not what the NSA should or should not be doing, but rather about the practical considerations. On US soil, the claim is all they can gather is metadata (the SMTP envelope). Start using a foreign mail service, and it's very likely that everything after the DATA command is being stored as well.
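
The split MightyMartian describes, between the SMTP envelope and everything after the DATA command, as an added example that is not part of the original thread: a small parser over a constructed session, plus a one-hop model of who can read each part when the body is PGP-armoured and the client-to-server link is or is not under TLS. The sample session, the addresses and the `exposure` model are assumptions made for illustration.

```python
import re
from email.parser import HeaderParser

# Constructed sample: client-side lines of one SMTP session (RFC 5321).
# All addresses and host names are invented for this example.
SESSION = [
    "EHLO laptop.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.net>",
    "RCPT TO:<carol@example.com>",
    "DATA",
    "From: Alice <alice@example.org>",
    "To: Bob <bob@example.net>",
    "Subject: camping trip",
    "Date: Sat, 10 Aug 2013 09:00:00 +0000",
    "",
    "-----BEGIN PGP MESSAGE-----",
    "",
    "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=",  # placeholder, not real ciphertext
    "-----END PGP MESSAGE-----",
    ".",
    "QUIT",
]

ADDR = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def split_session(lines):
    """Split client-side SMTP lines into (envelope, headers, body)."""
    envelope = {"helo": None, "mail_from": None, "rcpt_to": []}
    data_lines, in_data = [], False
    for line in lines:
        if in_data:
            if line == ".":  # a lone dot ends the DATA section
                in_data = False
            else:
                # RFC 5321 4.5.2: drop the extra leading dot the sender added
                data_lines.append(line[1:] if line.startswith(".") else line)
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            envelope["helo"] = line.partition(" ")[2].strip()
        elif verb == "DATA":
            in_data = True
        else:
            m = ADDR.match(line)
            if m and m.group(1).upper() == "MAIL FROM":
                envelope["mail_from"] = m.group(2)
            elif m:
                envelope["rcpt_to"].append(m.group(2))
    # Inside DATA, the message headers end at the first blank line.
    head, _, body = "\n".join(data_lines).partition("\n\n")
    headers = dict(HeaderParser().parsestr(head).items())
    return envelope, headers, body


def exposure(envelope, headers, body, transport_tls):
    """One-hop model of who can read each part of the message.

    'provider' is the mail service that terminates the session; 'wire' is a
    passive tap between client and server. Even under TLS the tap still sees
    IP addresses, timing and sizes, and later relay hops are not modelled.
    """
    body_encrypted = "-----BEGIN PGP MESSAGE-----" in body
    view = {}
    for part in ("envelope", "headers", "body"):
        readers = ["provider"] if transport_tls else ["provider", "wire"]
        if part == "body" and body_encrypted:
            readers = []  # only the holder of the PGP private key
        view[part] = readers
    return view


if __name__ == "__main__":
    env, hdr, body = split_session(SESSION)
    print("envelope:", env)
    print("headers :", hdr)
    for tls in (False, True):
        print("TLS" if tls else "plaintext", exposure(env, hdr, body, tls))
```

PGP takes only the body out of reach; the envelope and the headers, Subject included, stay readable by the provider in either case, and by a tap on the wire when the session is not under TLS.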

Re:Runbox.com (2)

ImdatS (958642) | about a year ago | (#44531391)

The problem is "... unless required by law", not the second part ("... or court order"). The NSA cannot request a court order in Norway.

But if Norway has a law that requires the email provider to provide information to the Norwegian secret service, which then forwards the information to the NSA, then yes, you "can drive a truck through [that hole]".

Re:Runbox.com (5, Interesting)

msobkow (48369) | about a year ago | (#44531255)

The Norway data pipes probably run through the UK, as do most of the pipes in the EU. So rather than installing back doors on Norway's servers, the UK just sniffs the big data pipe traffic and captures that directly. And they give not one whit about your constitutional protections, any more than the US respects the Canadian constitution and Charter of Rights when they sniff our traffic while it passes through the big data pipes south of the border.

I don't think people are getting it yet.

Between Australia, the UK, and the US, something on the order of 90% of the global data traffic runs through the leeching backbone nodes that have sniffers attached to them. They don't need the cooperation of your local governments and ISPs to do their dirty work.

Re:Runbox.com (2)

nebulus4 (799015) | about a year ago | (#44531517)

The data pipes run through Sweden and they do sniff the traffic. I wouldn't be surprised if they share the data with US and UK.

Re:Runbox.com (0)

Anonymous Coward | about a year ago | (#44531441)

Those rules do not seem to apply to government collection of data, only to private/corporate collection and utilization of data. And even if they did apply, do you really think that Norwegian intelligence would follow those rules after the 2011 attacks in Oslo and Utøya?

Re:Runbox.com (1)

westlake (615356) | about a year ago | (#44531513)

it's pretty cheap considering, they do not have any NSA-ties or the likes.

You can't know that for certain. Redbox's internal and external auditors can't know that for certain.

first (-1)

Anonymous Coward | about a year ago | (#44531031)

+1

KGB better than NSA? (4, Insightful)

tonytally (2856861) | about a year ago | (#44531037)

You'd really rather have the KGB looking over your shoulder rather than NSA? Surely you are joking.

Re:KGB better than NSA? (5, Insightful)

Opportunist (166417) | about a year ago | (#44531089)

As a US citizen, I sure as hell would prefer the KGB looking over my shoulder. The chance that it has any kind of impact on my life is far lower.

Re:KGB better than NSA? (0)

Anonymous Coward | about a year ago | (#44531371)

Don't you mean 'As a US citizen living in the US'?

Re:KGB better than NSA? (1)

Xenx (2211586) | about a year ago | (#44531093)

I would assume they meant they'd rather a foreign government that isn't likely to care about them as an individual, instead of the local government which may.

KGB definitely preferable except for Russians (3, Interesting)

Bruce66423 (1678196) | about a year ago | (#44531109)

Ultimately there are two reasons - apart from the yuck factor, which is legitimate - why you don't want the NSA reading your email:

1) If you say or do something which generates a shadow of suspicion, the probability that the Russians will act on it, to the extent of a SWAT team beating your door down and shooting your dog, is lower.

2) If you are politically active, it's going to be less likely that the Russians will provide data to the FBI about your dubious activities.

Sure - avoiding either is a better ideal - but perversely I would prefer the KGB, unless I am resident in Russia, in which case they would be a very bad idea.

Re: KGB better than NSA? (1)

Anonymous Coward | about a year ago | (#44531119)

If you're in the Soviet Union, the NSA is better, no joke. Think about why. Pop quiz later.

Re: KGB better than NSA? (1)

lxs (131946) | about a year ago | (#44531399)

Is it because the NSA is famously helpful to time travellers?

Re: KGB better than NSA? (1)

EvilSS (557649) | about a year ago | (#44531409)

If you're in the Soviet Union, the NSA is better, no joke. Think about why. Pop quiz later.

Because you're a time traveler?

Re:KGB better than NSA? (0)

Anonymous Coward | about a year ago | (#44531139)

You'd really rather have the KGB looking over your shoulder rather than NSA? Surely you are joking.

There may not be much to see when looking over his shoulder from a distance of a few thousand miles.

If you don't want random "parallel constructions" of "crimes" from your private life to be made by some U.S. law officers or prosecutors in order to blackmail you?

Sure. If you have mostly small stuff "to hide", you could not care less what some guy in Russia knows about you, but you would not want to spread knowledge in your own back yard. In particular if that NSA guy over there is interested in buying your house, preferably for less than you'd want to. Or is pissed at your dog.

Re:KGB better than NSA? (1)

Anonymous Coward | about a year ago | (#44531211)

ask Snowden :)

Re:KGB better than NSA? (3, Interesting)

gmuslera (3436) | about a year ago | (#44531251)

The KGB still don't send drones to kill innocents to other countries, things that happen with the NSA if you are not in US, and maybe in a short time, even if you are.

Re:KGB better than NSA? (1)

DeathGrippe (2906227) | about a year ago | (#44531317)

You don't know that for a fact. Russian intelligence is every bit as invasive as ours, and is subject to far fewer restrictions. Putin himself recently said that the US is only doing what the Russians have been doing all along. And, don't forget, Putin is the former head of the KGB.

Not really. (0)

Anonymous Coward | about a year ago | (#44531325)

They just send teams to democratic countries like the UK to hunt down traitors to Putin and use radiation to take them out. Much preferable to the drones the US uses which are utilized only in war zones.

Re:KGB better than NSA? (3, Informative)

PolygamousRanchKid (1290638) | about a year ago | (#44531329)

The FSB and SVR, the artists formerly known as KGB, have limited resources. They are used to going after those that they evaluate as threats.

The NSA has unlimited resources. The NSA just goes after everybody. They can afford to skip the evaluation phase.

Re:KGB better than NSA? (2)

sshir (623215) | about a year ago | (#44531357)

Actually, it's a rather common practice. Assumption is that with the exception of rare cases (i.e. Chechens), KGB (a.k.a. FSB) does not talk to FBI. So they are played against each other: Don't want NSA reading your stuff - tunnel to mail.ru (or such), don't want FSB - tunnel to gmail. Don't like both reading the same message - try Asians (and btw, you have some serious problems my friend.) I would not go with Europeans though - there were some nasty scandals in the past (even with Swiss of all nations)

Wrong question (3, Insightful)

Anonymous Coward | about a year ago | (#44531039)

Since the NSA programs are designed primarily to intercept communications between US and non-US folks, if you are in the US and store your mail somewhere else you are asking the NSA to collect all of it. Today, if you are in the US and have your hosting in the US the NSA only gets the parts that go between you and someone in another country (or where you said some "interesting" thing like "that new pressure cooker that fits in my backpack for camping is the bomb"). If you move your mail to another country, the NSA will be collecting it all (assuming your communications end point is still in the US). Yes, encryption, VPN, yada, yada. You really don't gain much by moving it.

Re:Wrong question (2, Interesting)

Anonymous Coward | about a year ago | (#44531195)

Since the NSA programs are designed primarily to intercept communications between US and non-US folks,

You haven't been listening. They are designed to intercept everything. The queries are supposed to relate to outside communication and/or anything else of interest (by definition, if someone looks at it for some reason, that means it is of interest). But everything is intercepted.

Yes, encryption, VPN, yada, yada. You really don't gain much by moving it.

Except that decrypting stuff is expensive, so the average NSA snooper will incur traceable costs he might need to justify better than "oh, I just had a hunch I might be interested in my neighbor's mail".

Re: Wrong question (1)

Anonymous Coward | about a year ago | (#44531221)

It's much harder to dragnet SSL traffic from a foreign server. You gain plenty by moving abroad.

Re:Wrong question (0)

mcgrew (92797) | about a year ago | (#44531223)

Excellent comment, too bad you can't log in so your score would be above zero. I hope moderators will mod him insightful and this (my) comment offtopic.

Re:Wrong question (2)

gl4ss (559668) | about a year ago | (#44531377)

eheh.
the whole debacle is about NSA applying such rules in quite loose form, they don't care for shit.
Today if you're in the USA, NSA can get it all "by the book"(their book, not the lawbook) because you talked to some dude on a foreign forum - you did that by posting on slashdot. so you're screwed.
but true, it doesn't help much, only thing that would help would be to get people sending you mail to encrypt it before they send it to you.


however - hosting it outside of USA definitely does help against men in suits with secret court orders,
because those only work in USA(and puppet states, in most puppet states too you'll need a local court order at least because the secret USA one isn't worth shit).

Re:Wrong question (1)

DNS-and-BIND (461968) | about a year ago | (#44531393)

The NSA was like that. Not any more. They're intercepting everything, international or no.

I always liked the NSA. They were the good guys as long as they were the ones giving us an advantage. Now they've followed the rest of the federal government into "we're just expanding our power because we can" mode. Sad, NSA did a lot of good back in the day.

Use PGP. (-1)

Anonymous Coward | about a year ago | (#44531041)

Use PGP.

Re:Use PGP. (1)

lister king of smeg (2481612) | about a year ago | (#44531475)

I have tried to convince others that I regularly correspond with to use encryption but the reaction I get is either

1 I don't have anything to hide I'm not interesting enough to bother. and encryption is hard

or

2 they have all of the encryption broken because I heard it from my brother who heard it from a reliable source and your explanation is too technical of why they haven't really broken it.

I have given up on trying so now I just cryptographically sign my email so at the very least it can't be forged.

hushmail.com (1, Informative)

Anonymous Coward | about a year ago | (#44531047)

it is in canada. the americans could still get to it, but at least they would need a proper canadian warrant, not just a nsa search button. i wouldn't suggest it if you plan to do crime, but if you just want basic civil liberties it is a worthwhile option.

Re: hushmail.com (1)

Anonymous Coward | about a year ago | (#44531137)

Ironically, the services you'd most like are probably in China and Russia.

Re:hushmail.com (1)

gmuslera (3436) | about a year ago | (#44531289)

This Hushmail [wired.com] ? They already gave customers' emails to US authorities, and we are talking about 6 years ago. Not sure how or if things changed, but I would avoid them, or at the very least their web interface.

Re:hushmail.com (1)

julesh (229690) | about a year ago | (#44531545)

Yes, they surrendered data with a court order. Pretty-much any service provider in most countries will, and when there's actual evidence of serious crimes tied to your identity it's easy to get such a court order in most countries. These were targeted, court-approved disclosures, which is a very, very different thing from massive unwarranted trawling.

Also: if you avoid their javascript-based interface and use the java applet, they still *can't* disclose your emails, as they are never available unencrypted on their server.

Roll your own... (5, Insightful)

flogger (524072) | about a year ago | (#44531049)

My email server is sitting in my laundry room. I also host some message forums and picture galleries for just my family and friends. It is how I communicate with them.

Only about 1/3 of my family and friends use my server for email.... So any overseas email service is going to have the same limitation as mine. If I email my sister from my server, that email goes to gmail. So now the NSA knows what I sent to my sister.

So unless everyone you communicate with is outside of the US or on a server outside of NSA's reach, it won't do any good.

Sorry to break it to you, but in the war against terror, the American people have lost.

Re: Roll your own... (1)

MarioMax (907837) | about a year ago | (#44531113)

I agree completely, roll your own is the best method. The only issues with it are technical know-how, and ISP limitations (and cost). But if those are a non issue, there is no better solution.

Re:Roll your own... (3, Insightful)

wezelboy (521844) | about a year ago | (#44531283)

Let's get hypothetical...

One of your nephews or cousins that uses your e-mail server decides to purchase a pressure cooker online. He also has some friends in Europe that he e-mails once in a while. What do you do when the NSA asks you for all the e-mails stored on your server?

Re: Roll your own... (2)

MarioMax (907837) | about a year ago | (#44531347)

Demand a search warrant issued by the local county or state judge, and have the county sheriff deliver it in person. No search warrant, no search.

Re: Roll your own... (2)

wezelboy (521844) | about a year ago | (#44531417)

That might buy you some time at best. You can wipe the server drives, but then you will be charged with contempt or worse obstruction of justice. The first you may hear of it is your front door smashed in and cops with guns (and a warrant) in your house.

Re:Roll your own... (1)

Anonymous Coward | about a year ago | (#44531349)

What do you do when the NSA asks you for all the e-mails stored on your server?

Switch on the degausser which obliterates the data on the server,
then remove the hard drives and melt down the platters.

Re:Roll your own... (4, Interesting)

ImdatS (958642) | about a year ago | (#44531443)

A while ago I had a similar thought. My solution was quite easy:

Install an email system that does the following: Normally, when "standard" email arrives, it is processed as usual.

When an email arrives from an authorized sender (such as you), in a very specially formatted way and with special content, the mail server immediately starts destroying all emails, all communication logs, and all attached backups. It literally not only unlinks the files, but also replaces all impacted file-contents with "0". You can even do it on block-level completely reformat (overwrite) the hard disc in a way that it looks crashed. It then initiates a clean re-install of a clean, unused, fresh out-of-the-box system.

The only thing that you have to do is to make sure none of the backups are available... Then again, I would probably NOT have historical backups of emails outside somewhere, but rather backups on devices that *are* connected to the server and erase those too...

End result: "Ooops, sorry, but it seems, my server has crashed..."

Re:Roll your own... (1)

ImdatS (958642) | about a year ago | (#44531453)

Alternatively, you could have everything on an encrypted hard disc and instead of deleting the files, you delete the key (overwrite it on a block-level). So you could hand over the hard disc but since the key is not retrievable anymore (and you could make it so that it looks like a hard disc failure), that's it...

Re:Roll your own... (0)

Anonymous Coward | about a year ago | (#44531359)

thanks for letting us know where your communications are being done.

Re:Roll your own... (1)

ickleberry (864871) | about a year ago | (#44531387)

I run my own email server as well. Not hard to set up and maintain dovecot+postfix + roundcube (optional) at all but unfortunately a lot of people are a bit *too* addicted to convenience and have outsourced everything to the Big Bad GOOG

Kremvax, of course! (1)

Anonymous Coward | about a year ago | (#44531055)

Tuffmail (1)

sinkasapa (2587241) | about a year ago | (#44531059)

Tuffmail was a service I chose because it was the best but it also happens to be a Canadian company.

http://www.tuffmail.com/ [tuffmail.com]

Open Source Email server (0)

Anonymous Coward | about a year ago | (#44531069)

I believe the best solution would be a home email server with features such as calendar, IMAP access and maybe a dedicated mobile app

Use your own domain and host (3, Informative)

MarioMax (907837) | about a year ago | (#44531071)

Domain names are relatively cheap, and hosting is relatively cheap. I go that route myself. The only people that have access to my server is the hosting company (which is no worse than Google to be honest)

if you have the means, the very best solution is to run an email server out of your home or place of business.

Re:Use your own domain and host (1)

fustakrakich (1673220) | about a year ago | (#44531257)

...if you have the means, the very best solution is to run an email server out of your home or place of business.

Only to have SWAT haul it all off under some asset forfeiture statute.. Your home and business are not safe, anywhere, well, maybe Iceland... up to a point

Re: Use your own domain and host (1)

MarioMax (907837) | about a year ago | (#44531365)

Perhaps, but nothing is stopping them from doing the same to your hosting provider either.

Re: Use your own domain and host (1)

fustakrakich (1673220) | about a year ago | (#44531439)

Exactly, so, in essence it makes no difference. Your communications are not safe or secure.

Re:Use your own domain and host (1)

GrBear (63712) | about a year ago | (#44531463)

As one who's tried to set up a mail server under Ubuntu several times, there's a lot of black magic and voodoo involved to get it to work right, including vacation messages.

We're still using antiquated software like sendmail and dovecot that requires a degree to understand the cryptic config files.

This is not for the faint of heart, and certainly not plausible for the average user. Until something more user friendly comes along, don't expect this to happen all that often.

Zimbra by VMWare seems to be making good headway in making it much simpler though.

Doesn't matter (0)

Anonymous Coward | about a year ago | (#44531073)

If you use a non USA one then they most likely monitor it even more than they do USA hosted ones. If you use a foreign host expect them to get all your shit not just the metadata.

Too little too late (0)

Anonymous Coward | about a year ago | (#44531075)

Who cares? The NSA killed email. What good is it if you are secure but none of the recipients are? What we really need is end to end encryption. It probably won't happen.

Does the submitter realize (0)

Anonymous Coward | about a year ago | (#44531081)

that if s/he lives in the US then their net traffic will be routed via a US ISP, which presumably is within the reach of US law enforcement?

Apologies if this is "well, duh, thanks for nothing". But TFS forgot to mention some pertinent details.

Re: Does the submitter realize (0)

Anonymous Coward | about a year ago | (#44531183)

If OP connects to a VPN overseas then that problem doesn't exist, assuming he isn't using PPTP.

really? (0)

Anonymous Coward | about a year ago | (#44531101)

By posting this as a slashdot front page submission, you've basically told them that you have something to hide.

Hope you enjoy the investigation of your wrongdoing.

rediffmail? (0)

Anonymous Coward | about a year ago | (#44531105)

Indian privacy laws are something I know nothing about, but if the kgb wouldn't bother you I doubt you would do worse in India.

Wrong Question (5, Insightful)

ocularsinister (774024) | about a year ago | (#44531107)

What you should be asking is "How do I get everyone to sign and encrypt their emails as a matter of course?"

Re:Wrong Question (0)

Anonymous Coward | about a year ago | (#44531191)

Never going to happen, get over yourself.

Re:Wrong Question (0)

Anonymous Coward | about a year ago | (#44531343)

Blacklist people who refuse to use encryption, and live with the fact that you have a lot less friends/customers.

Re:Wrong Question (1)

cartel1982 (2955737) | about a year ago | (#44531411)

Encrypt? Using RSA?

The NSA has an undisclosed black budget and has been pouring money into quantum computing for over a decade. They can read encrypted messages.

Re:Wrong Question (2, Insightful)

Anonymous Coward | about a year ago | (#44531493)

That is fucking bullshit. The NSA don't have a monopoly on scientists and practical quantum computing is decades off.

There's nothing the NSA would like people to believe more than that they can magically break modern encryption that would take 1000,000s of processor years to decrypt. The more people believe it, the less they will bother using encryption and the easier it is to keep tabs on the few that do.

Re:Wrong Question (1)

anfi (707720) | about a year ago | (#44531467)

User2user encryption is important but it is not all. Some people may dislike the idea of NSA.gov(.us) registering even "communication patterns" (when, to whom, size). User2user encryption does not cover it.

"Communication patterns" with big supporting databases can "suggest" A LOT.

P.S. There would be no American revolution with NSA.gov.uk watching carefully ;-)

Makes no difference. (4, Insightful)

dgatwood (11270) | about a year ago | (#44531141)

From all reports, most or all of the countries where spying occurs, despite their very vocal public outcry against what the U.S. is doing, are in fact sharing information with the U.S. government. And even if they don't, the U.S. can simply grab the data on its way out of the country to that server.

The only way to make email secure is to abandon email in favor of a protocol that supports end-to-end encryption, such as iMessage, XMPP, etc. and to tweak your centralized server and/or clients to require that end-to-end encryption be used. And even then, the metadata (who sent mail to whom) is at risk. The only way to prevent metadata from being trackable is to either develop a new system in which locating a user does not require credentials and use Tor to connect to the centralized server (e.g. use wide-area Bonjour to advertise your current IP address) or design a whole new messaging system built in a darknet.

Either way, email is and has always been just as secure as sending a postcard (which is to say, completely insecure), and cannot readily be improved upon significantly in this regard without starting over from scratch.

Re:Makes no difference. (1)

fustakrakich (1673220) | about a year ago | (#44531239)

With DNS and TCP-IP there is no 'darknet'. The safest way is to splatter your signal all over the place and let the intended audience sort it out of the chaff, like all those secret messages in the classified ads sections of the newspaper.

use encryption (4, Insightful)

stenvar (2789879) | about a year ago | (#44531147)

Many E-mail providers overseas require you to give personal information to sign up, often due to legal requirements in those countries; sometimes they verify that with a credit card number or simply by comparing your address data with government databases. Many countries (including much of Europe) also have data retention requirements and give their own police and intelligence service nearly free rein, and they may well exchange data with the US anyway, so it's not clear you're better off. And some providers of anonymous services may simply be fronts for intelligence agencies. And, of course, if the other parties to your E-mail use a US provider, your data is already available to US intelligence agencies, and your foreign E-mail account will stick out.

As an American, if you want to communicate privately, you have to use encryption, and preferably steganography. Getting an E-mail account in another country really doesn't help very much.

It won't save you (2)

msobkow (48369) | about a year ago | (#44531193)

If you are emailing people who use GMail, Live, Yahoo, or a US ISP for their email provisioning, your emails to/from them are still tracked. So unless you're planning to drop all your US contacts as well, you're not helping yourself much.

Here in Canada we have a bigger issue -- all of our network pipes connect to the bigger pipes in the US. So even though we might be emailing a fellow Canadian from one Canadian ISP to another, the traffic still gets routed and sniffed through US servers.

The same is a problem for people in the EU -- the emails get routed through the pipes that are monitored by the UK's spy agency.

The NSA doesn't have to install backdoors on email servers to monitor you at all. And they *don't* typically make requests when they're spying on someone in particular -- they just sniff the traffic on the big data pipes directly.

And seeing as all those pipes run through the major partner countries like the UK, Australia, and the US itself, we're *all* fucked.

NSA Avoidance List (2)

Leghkster (603558) | about a year ago | (#44531201)

Try https://prism-break.org/ for some recommendations of OS, email, IM and more.

Open source? LOL (1)

unassimilatible (225662) | about a year ago | (#44531485)

You're really advocating open source software as a way to avoid the NSA? LOL.

Forget about it (1)

fustakrakich (1673220) | about a year ago | (#44531203)

The NSA and all its foreign counterparts own the world. Okay, they work for the owners... But it should be clear that privacy is an illusion... Your service provider is taking up any remaining slack.

Try Eclipso (0)

Anonymous Coward | about a year ago | (#44531231)

http://www.eclipso.eu

It supports encryption as well.

Do NOT forget the telco and the routing (1)

CaptainOfSpray (1229754) | about a year ago | (#44531233)

NSA and GCHQ are also siphoning off data from the telcos (BT and others) at the telecoms servers, at which point who your email provider is becomes irrelevant. [You can assume that anything GCHQ knows, the NSA also knows]. It has also come out that BT has allowed GCHQ to tap the Transatlantic cables at the shore station in Bude, Cornwall without the knowledge or consent of several telcos that are not otherwise co-operating. So AFAIK you need either (1) a non-US non-UK telco and ISP with a routing that does not go through UK, or (2) encrypt everything.

NSA and foreign mail hosts (1)

Checkered Daemon (20214) | about a year ago | (#44531241)

You should probably take into account that the few, and obviously mainly ignored, privacy protections you do have evaporate the nanosecond your communication leaves U.S. borders. Supposedly within the U.S. the NSA is limited to email metadata collection (look up the older term 'pen register' for the legal history of law enforcement access to this kind of information), but when you interact with a 'foreign agent' the sky's the limit. Ellison may have known more than we thought when he said, "You have no privacy. Get over it."

Re:NSA and foreign mail hosts (3, Interesting)

Clsid (564627) | about a year ago | (#44531369)

I think there are ways around it, not 100% perfect, but they at least make their job a lot harder. Services like Lavabit were good and it goes to show that they needed to use some nasty legal tactics to make them open up. Those tactics are not available when you use providers in countries like Russia or China. Sure, they can tap the underwater fiber all they want, but I think it still is better than nothing.

Startmail (2, Informative)

Anonymous Coward | about a year ago | (#44531263)

www.startmail.com -- currently in closed Beta -- and based in the Netherlands.

Securing email is complicated (3, Informative)

FuzzNugget (2840687) | about a year ago | (#44531269)

Securing your local data is easy, because you have end-to-end control. Securing email is complicated because you'll never be able to maintain complete control. It requires coordination and mutual understanding between you and everyone you email, and that's just not going to happen unless you're in a tightly-controlled organization and all of your communication is internal. I'm assuming you're an end-user at home, not an IT manager in a large corporate environment.

If your ISP allows it (and that's a big if in today's spam wars), you could run your own email server to host email service for yourself, your family and your friends and require SSL/TLS connections for all communication. Don't forget TrueCrypt or luks/dm-crypt for disk encryption on the server itself. But this only protects against eavesdropping and snooping for email users on your hosted service. There's basically nothing you can do about emails sent or received from outside of your own service. And then there's the assumption that email recipients inside of your hosted service will adequately secure their own devices (good luck getting grandma to use TrueCrypt).

If you can actually accomplish this, well, you have better powers of persuasion than I (my boss is a smart and tech savvy guy and I can't even convince him). Your best bet is: don't use email for anything you wouldn't want publicized.

Roll your own? (1)

Anonymous Coward | about a year ago | (#44531275)

To all the people suggesting to host your own servers in the basement: do you have the resources to challenge a FISC order? Hardly!
The second your email recipients are not on the same network, i.e. work off the same router, your communication is accessible to the spying agencies. Sure you could use PGP to encrypt your mails, but the metadata is still available. TOR is not really an option anymore.
Hosting on some provider's infrastructure is just replacing google, yahoo, with that provider. Who do you trust, and how much?

The only real solution to the issue MUST be a political solution. But good luck on that one!
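Several comments above note that PGP protects the body of a message while the metadata stays readable. The following added example (not part of any comment in this thread) parses a constructed PGP/MIME message and separates what a relay or wire tap can read from what is actually ciphertext; all addresses, hosts and the armored payload are placeholders.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: an RFC 3156 PGP/MIME message as it would cross the wire.
# Addresses, hosts and the armored payload are placeholders.
RAW = """\
Received: from mail.example.org ([192.0.2.10])
\tby mx.example.net with ESMTPS; Sat, 10 Aug 2013 14:02:11 +0000
Received: from laptop.home ([198.51.100.7])
\tby mail.example.org with ESMTPSA; Sat, 10 Aug 2013 14:02:09 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: meeting place
Date: Sat, 10 Aug 2013 14:02:08 +0000
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

def observer_view(raw):
    """Return (is_pgp_mime, readable metadata, size of the opaque part)."""
    msg = message_from_string(raw)
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 and msg.get_param("protocol") == "application/pgp-encrypted")
    people = getaddresses(msg.get_all("From", []) + msg.get_all("To", []))
    hops = [" ".join(h.split()).split(";")[0] for h in msg.get_all("Received", [])]
    visible = {"correspondents": sorted(a for _, a in people),
               "subject": msg["Subject"], "date": msg["Date"], "relay_hops": hops}
    # Only the second MIME part is ciphertext; everything above stays readable.
    hidden_bytes = len(msg.get_payload(1).get_payload()) if encrypted else 0
    return encrypted, visible, hidden_bytes

if __name__ == "__main__":
    print(observer_view(RAW))
```

Even with the body encrypted, the sender, recipient, subject line, timestamp and the originating client address in the Received chain are all recovered without any key.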

Where are you located? (1)

Anonymous Coward | about a year ago | (#44531301)

If you are in the US I guess it's tough luck, because if you have your email leave the US for foreign soil then it will be captured.
If you use encryption anywhere, it will be stored indefinitely until a time comes and there is sufficient computing horsepower to decode it.

I would suspect at this time that having your email sent anywhere outside your own country would trigger some scrutiny no matter where you live.
It's not always the ISP where the scavenging occurs (i.e. undersea cables), satellite links.

I suppose we won't hear any more of Twitter empowering democracy articles. Nor the web as a great equalizer.

In the US this puts a whole new light on the ongoing effort to bring broadband to everyone. Not as a great educational or empowering tool for the rural or nontechnical population, but maybe more for the monitoring ability.

A coworker of mine who had terribly slow internet speeds was offered free 3 times the speed upgrade. I half joked with him that NSA techs were falling asleep monitoring him with his slow slow internet connection.

Years ago now... the first consumer device to not have an on/off switch was/is the household portable phone. That should have been a portent of things to come.

I do not feel that this can be undone. Like bears to honey, you can't just say stop. We all become constant suspects of some future crime or some past minor crime that we didn't know we committed. We all become Russian in mindset where all electrical devices are suspect and monitoring is assumed the norm.

We did it to ourselves. Can you even expect the average congress critter to understand the technical aspects of how modern communications work?
The term metadata is waved around as if it is something trivial. If you have my phone number you know who I am. If you have my MAC address you know what machine I am using and IP address. If you have my IMEI number you know what cell phone I am using. This is all metadata.

Welcome my son to the machine...

Here are some (1)

Clsid (564627) | about a year ago | (#44531331)

The best I have found so far are Yandex from Russia and Netease 163.com from China. 163 is extremely fast if you are in China, but it has some advertising and the interface is all Chinese, so I would suggest the English version of Yandex mail instead at mail.yandex.com.

I'm planning to get a dedicated server with the state telco in Venezuela for precisely this reason. That and also run a Tinyproxy/OpenVPN and figure out WebDAV to have my own Google Drive/SkyDrive, etc. If anybody is interested just write to aclsid at 163.com.

hushmail (2)

phantomfive (622387) | about a year ago | (#44531379)

Hushmail is one of the oldest 'secure' mail systems, and they moved out of the US specifically to avoid problems like the NSA. They're worth looking at, I guess.

Re:hushmail (2)

☛ (3015109) | about a year ago | (#44531525)

Except HushMail won't hesitate to deliver a unique Java client-side applet embedded with a keylogger to intercept the target recipient's passphrase. They are a Canadian company and we have a tighter working relationship with Canada than any other country, to the point that we used to send all Macs up to Canada and have the RCMP perform forensic analysis on them. We stopped doing that when we built out our own facilities. Google the National Computer Forensics Institute in Hoover, AL. Now Canada sends their stuff to us.

Re: hushmail (0)

Anonymous Coward | about a year ago | (#44531539)

Their TOS explicitly states they can and will decrypt emails if asked to by law. They are not worth looking at.

Is this not a paradox? (1)

Anonymous Coward | about a year ago | (#44531401)

I understand the desire to move your email off-shore, but since the NSA claims to be looking at all foreign traffic, doesn't this mean you will be placing yourself directly in their sights? As much as I hate it, the solution to this is going to have to be a political one rather than a technical one.

Has to do with Lavabit shutting down? (1)

Anonymous Coward | about a year ago | (#44531413)

This Ask Slashdot probably has something to do with lavabit shutting down http://news.cnet.com/8301-1009_3-57597954-83/lavabit-chief-predicts-long-fight-with-feds-q-a/
And they can't even talk about what exactly happened. That is just evil.

Hosting is the issue. (0)

Anonymous Coward | about a year ago | (#44531511)

The only way is to host your own email server, and use strong encryption on all of your data.
