So: you think your email is private? Think again…

I used to bang on about the emails-are-postcards thing that Andy Yen talks about here. But I gave up, because nobody seemed interested. Back when the email client Turnpike natively allowed PGP (Before Someone Stepped In And Stopped It) I was becoming used to using PGP-signed emails, and, when appropriate, encrypted ones too.

I signed up for a free protonmail account some time ago. If you believe in the concept of privacy, I urge you to do so, too. We need to make emails-in-envelopes commonplace, before Those Who Would Read Everything We’d Like To Keep Private In The Name Of Anti-Terrism* lock the door and throw away the keys.

* … all but Those Of You Who Have Nothing To Hide (in your dreams).


10 Responses to So: you think your email is private? Think again…

  1. colinc says:

    OK, so I’ve finally(!!) taken the time to watch most of the video and peruse some of the ProtonMail site that you linked. As an aside, I’m [a little] surprised that this will be the first comment to this article 10 days after its posting. Things that make me go “Hmmm!”

    Pushing on, there are more than a few “problems” I’ve found with this. Andy Yen discredits himself to some degree with his opening comments. For example, the WWW was NOT “created by scientists at CERN 25 years ago.” It actually originated (yes, it was NOT “world wide” THEN) by DARPA linking a few of their EARLY computers (room-sized or larger) to those sitting at several colleges, institutes and universities (of similar size) in the late-1960s and early-’70s, which then expanded over time. A few moments later, Yen claims that our/your “data will last forever.” Forever is an unimaginably long period of time and there is ZERO technology today that will preserve anything that long! (I know, these are mere quibbles to the wibble!:)

    However, what he then elaborates on as the “workings” of ProtonMail only describes a SLIGHT, minor even, re-working of the original PGP. (Note, I attempted to use PGP more than 20 years ago and, while _I_ had virtually NO “trouble,” I found too few others willing to learn or use it.) Lastly, what he describes not only will NOT work (…it’s too many stupid people) but SOME governments [probably?!] already have software (recall StuxNet?) that will obviate its intended function. Arguably, it MAY function “well” in some respect but, always remember, if someone is motivated enough to get into your car/home/storage/life there are NO locks, window-bars, or other mechanisms that will prevent it. In other words, locks and alarms ONLY keep out the people too lazy or stupid or, indeed, “honest” enough to bother bypassing one’s defenses. There are, of course, a few more quibbles I could raise, but I’ll leave those as an exercise for other readers.

    • pendantry says:

      I do hear what you’re saying, but (having used PGP myself as well as protonmail) I can vouch for the fact that protonmail hides all of the complexity. It’s as simple to use as any other email system.

      And yes, you’re right: no lock is uncrackable. However, the real point is: you wouldn’t send a postcard to anyone that had, say, your bank details, or maybe a love poem on it, would you? You’d put it in an envelope so that the contents were hidden from those who happened to be involved in passing the message along. An envelope is even easier to open than an encrypted email, but custom goes a long way towards protecting our privacy. The point is: we currently lack that custom.

      • colinc says:

        Yes, I concur completely that “we[sic] currently lack that custom.” However, as I alluded earlier, PGP was not much, if any, more “difficult” than what is being offered by ProtonMail!!! So, do we not have to ask [ourselves] WHY did PGP not become the custom? For example, YOU are using ProtonMail, presumably (with some, tho’ I’ve not seen it), but how many of the people with whom you communicate via that service are ALSO using ProtonMail? How many people with whom you communicate via email do you suppose will EVER use ProtonMail? What effect could it possibly have on your blog-posts, or those of others, or the related comments? What, specifically, do you suppose will cause it to become the “custom” more readily than PGP? IF, and that’s a BIG “if,” ProtonMail actually succeeds in what it is purporting to do, how long do you suppose it will be before TPTB proclaim it, too, to be “illegal” and “target” any-/every-one who uses it? What, if any, evidence do you have that indicates that ProtonMail is NOT a direct routing of email to the NSA or some other “spy” agency? Just because their servers are in Switzerland (known as one of the biggest tax-dodge enabling countries on the planet)? Are you just accepting Andy Yen’s word (which he didn’t offer) that ProtonMail is “fool-proof” or “hack-proof” just because he was granted the spotlight in a TED talk? What, if any, remuneration or accommodation are YOU being granted for your, ahem, “support” and attempted propagation of ProtonMail? I look forward to your response(s).

        • pendantry says:

          Some paranoia is healthy: too much is not a good thing.

          • colinc says:

            Are you implying that I am “paranoid?” How/why is what I’ve written any different from your advocation of using encrypted email? Why not just rely on “snail-mail” for “confidential” communications? After all, paper, CDs and DVDs are pretty cheap, as are flash drives, and won’t cost much to send. Perhaps we would all be better served by questioning why governments/politicians and their secret-seeking agencies seem to be rabidly paranoid. Exhibit A might be…

            Crypto-Wars Escalate: Congress Plans Bill To Force Companies To Comply With Decryption Orders

            … but I’m sure there is a plethora of similar “legislation” being considered, if not already enacted, around the world. I won’t question why that was the only aspect of my comments you addressed.

          • pendantry says:

            Reason for my previous brief response to your overlong message: life is too short :/ Sorry if you were offended by it. PS We each can only do what we can.

          • colinc says:

            No offense taken and none intended, I was merely asking questions, and I apologize for, perhaps, “poor wording” if either of the former was inferred. I had not realized that my earlier comment was “overlong” as it was shorter than some previous ones. Perhaps you should recommend/enforce a comment-length policy. 🙂

            I concur completely that “life is too short!” Which is also one of the “lessons” from Lazarus Long in R. A. Heinlein’s “Time Enough for Love,” so “take big bites!” 🙂

        • pendantry says:

          Ok, to be fair, I am going to try to address some of your points (although I have to admit that I think a fair number of them are totally irrelevant).

          1. On ‘who created the WWW’: irrelevant. Counter-proposal: Who invented the digital computer? If you think you know the answer, go look up Konrad Zuse, and if you’ve never heard of him, ask yourself the question ‘why is that?’.

          2. On ‘data lasting forever’. I’ve been a firm advocate of the belief that it doesn’t; the main reason being that systems change too frequently. I’ve written several fiction pieces on computer systems that have been lost forever because I made the mistake of writing them on an Amstrad PCW. However, potentially, data can last forever, if we ever learn to quit reinventing the wheel. I admit that this is unlikely.

          3. On the assertion that ‘using PGP is not difficult’: this was not my experience. However, PGP, when I used it, was usable via numerous methods. One of these was using DOS commands, and I would have trouble believing anyone who tried to claim that such an environment was ‘easy to use’. The email client Turnpike (version 5 — PGP was removed from version 6!) made it much easier to use — but I would argue that, at the time, the additional complexity was too much for the average computer user of the time to cope with (they were still struggling with “what the heck does ‘.com’ mean?”). It’s easy to forget how far we’ve come in a short time span (especially if you’re young and you’ve grown up with this stuff). You say you “found too few others willing to learn or use it”. I think you need to ask yourself why that was.

          4. On ‘why did PGP not become the custom’: this one is easy. Microsoft (who originally claimed that the Internet was a flash in the pan, a fad, but who later changed their mind and decided they were going to own it) never implemented PGP in their email client. Do I really need to go into their Grand Vision of ‘a PC on every desktop’, which involved ‘gifting’ (sic) ‘free’ (sic) copies of their proprietary operating system to gullible education establishments? (Hey, kids: the first hit’s free!).

          5. On using protonmail: yes, I agree, as things stand it’s unlikely that protonmail will make much of an impact except upon those who already understand the issues. Microsoft already has too great a stranglehold on the market. But one has to try to educate. This is what free market ‘choice’ (sic) is (in theory) all about. My experiences trying to educate folks about the Dvorak keyboard have taught me that. I do have a protonmail account. I don’t use it much because nobody with whom I communicate uses it much. Catch-22. Do you have a protonmail account? (and if you don’t: how can you opine on its ease-of-use in comparison to PGP?).

          6. Q: “What, specifically, do you suppose will cause it to become the “custom” more readily than PGP?” A: greater awareness. (Though I hold out little hope of such awareness ever arising — see ‘Dvorak’).

          7. Q: “IF, and that’s a BIG “if,” ProtonMail actually succeeds in what it is purporting to do, how long do you suppose it will be before TPTB proclaim it, too, to be “illegal” and “target” any-/every-one who uses it?” A: not long. One only needs to look at the recent fiasco with the FBI trying to strong-arm Apple into compromising its security systems to realise this. But again, this is down to public awareness; and most of the public have absolutely no understanding of the technical implications of the technology. I’m not saying ‘people are stupid’; I’m saying they possess cluelessness of the worst sort (they don’t even have the first inkling of what it is they’re unaware of).

          8. Q: “What, if any, evidence do you have that indicates that ProtonMail is NOT a direct routing of email to the NSA or some other “spy” agency?” A: none whatsoever. (Hence my throwaway ‘paranoia’ comment above, for which I apologise: it was cheap.) However, one has to decide to trust some people, or one becomes totally paralysed. I personally do not believe that the folks behind protonmail are trying to pull the wool over my eyes. I do, however, acknowledge that I could easily be mistaken about this.

          9. Q: “What, if any, remuneration or accommodation are YOU being granted for your, ahem, “support” and attempted propagation of ProtonMail?” A: absolutely none whatsoever. I am, and have been for decades, a firm believer in (a) the individual’s right to privacy and (b) the belief that this is in serious danger of being eroded by default.

          I hope that answers all of the points that you’ve raised: if not, please don’t hesitate to interrogate me some more. (I do, however, reserve the right to delay responding, while hoping that someone other than me will jump in*).

          * maybe I’m out of touch, but I’m of the opinion that blogs should be conversation starters. I don’t own the questions I raise, and keep hoping that they’ll spark interesting dialogues (as they have sometimes done). Others seem to be of the opinion that a blog owner has an obligation to respond to each and every commentator individually: I have to admit that when I see a blogger responding to every. single. comment. I think to myself (a) where do they find the time? and (b) I am in awe of their ability to come up with responses that don’t sound trite.

          Apologies for any typos or inconsistencies in the above, but it’s been a long day, I’m tired 😛

  2. colinc says:

    To be more fairer :), it would seem that I indicated that some of my initial sentences were “mere quibbles to the wibble,” aka “irrelevant.” I’ll strive to eliminate such trivialities from future comments. Otherwise, thanks for the reference to Zuse, I had not heard of him. Interesting, makes one wonder why the Nazis weren’t more successful.

    I’ll concur that it’s theoretically possible for “data [to] last forever,” at least as long as one doesn’t subscribe to the “Big Bang Theory” and subsequent “collapse” of the entire Universe back into “nothingness.” (For the record, I perceive the “BBT” as just another spin on the creation myth and, as such, use it as “evidence” that there is no shortage of dogmatic belief in science, which convinces me that “our” species has only lasted as long as it has via sheer and utter “dumb luck.”) Also, one would have to have some way to obviate certain other “laws” of Physics.

    When I wrote “while _I_ had virtually NO trouble” [using PGP] I wasn’t even implying that it was “easy.” There was a learning curve to scale but, after that, as with anything given diligent practice, it didn’t present major “problems”… TO ME!! In contrast, I tried to encourage more than a few people to use PGP and it proved to be beyond their capacities. Of course, that was a huge impediment to it “becoming the custom.” Interestingly, perhaps, this instigated me to do a little research on PGP, which I’d used in conjunction with the “Pegasus” email-client many moons ago. I was somewhat surprised to find that PGP is, in fact, still in existence and being used (by some people). Moreover, the “inventor” of PGP, Phil Zimmermann, is also alive and was involved in the creation of the “Hushmail” service, which is probably a better comparison for ProtonMail than PGP since it, too, attempts to keep the end-user from having to deal with the “complexity” of private and public keys, even though they still exist “in the background.”

    Of ultimate(?) importance, you are absolutely correct about “the public” having little to no understanding or awareness of ANY of the implications (technical or otherwise) of ANY technology. I think it was A.C. Clarke that pronounced that “Any sufficiently advanced technology [relative to a less ‘advanced’ species] will appear indistinguishable from magic.” Lo and behold, this would seem to be the situation today, at least for a large percentage of the population. In the old days, whenever I finished building or repairing a PC with the owner/user standing beside me, I’d ask, “Ready for the smoke-test?” If they asked what the “smoke-test” was, I’d explain that it was different kinds of smoke inside the chips that made the computer work and turning the power on (booting the PC) would indicate if there were any leaks! 🙂

    In conclusion, I also concur with your concern to “the individual’s right to privacy” and that it “is in serious danger of being eroded.” Of course, that “erosion” has been ongoing for at least a couple of decades, now, and looks to continue at an accelerating rate into the foreseeable future. Finally, I also concur that “blogs should be conversation starters” and that the blogger is NOT obligated in any way to respond to ANY comment, let alone ALL of them, and ALWAYS in a time and manner solely at the discretion of the blogger. Otherwise, I think “this parrot is no more, it has ceased to be” and I hope you have no troubles through the week. Oh, and my apology for another “too long” post. 😉

    • pendantry says:

      Ah. You’ve clarified one point that I had misunderstood: you imply that PGP is too complex for most to handle. It’s clearly no surprise that it hasn’t made more headway; and this is why I find protonmail to be worthy of promotion (since it hides the complexity).

      I’ve not heard of ‘hushmail’, thanks for the heads-up. Wikipedia suggests it requires PGP keys; I’d be inclined to think that this is one of the additional complexities that would tip it over the edge for popular usage. By comparison, the only difference of note between protonmail and, say, hotmail, or gmail, is that protonmail requires two passwords: one to log on, and another to access your secured data.

      Concerning Clarke’s Third Law, I’ve since reformulated that as “Any sufficiently different technology is indistinguishable from magic.” (I have no illusions that my words will be remembered, though).

