By now, many of you will have already seen this (statement by Deutsche Telekom in English). I really don’t like it when businesses play with people’s emotions like that, trying to get their share of the FUD stirred by recent events. I am aware that I am kind of contradicting myself by writing this very post, but I think the initiative has gone a little too far.

I understand that businesses are businesses and they have to earn their money somehow, that’s why I usually don’t care. A lot of crypto and privacy products have surfaced lately, and I can see how anyone developing or otherwise invested in such products must have embraced the recent events, thinking “Now or never!”. And this is perfectly normal, that’s how good advertising/marketing usually works, in order to be successful you have to somehow tap into people’s emotions to make them buy your product. Let’s not judge that further, this is how it works, and we’re pretty much used to it already.

Being a German myself, I am really pleased that Germany does have some very strict data protection laws, and in general there is a feeling that data protection and privacy in general are values that are not violated easily. Given the recent revelations, it was all too natural that there was public discontent with the situation. It was easy to point our fingers westwards, claiming it’s all the NSA’s fault, that such behavior cannot be tolerated among partners and the usual “ZOMG what a scandal we never knew”.

But what I find offending is…

It’s funny that the “E-Mail made in Germany” initiative now tries to advertise the apparently good reputation of data protection laws in Germany - because a couple of weeks later, there are strong indicators that a) the German government knew about the eavesdropping the whole time and b) there are again strong indicators that the BND (the German equivalent of the NSA) apparently does the same thing. I’m pretty sure there was a lot of ‘I’ll show you mine if you show me yours’ going on the whole time. It was even outright hilarious when I heard on the news that the BND now claims that with recent events, they need to extend and strengthen their existing practices even further - of course, all in the name of protecting German citizens. You gotta love politics - different day, same bullshit. Instead of turning this into a Germany or Europe vs. the NSA thing, we should consider that it doesn’t really matter where we live, the interest in our data is global, there’s no single “bad guy” to point our fingers at.

This is why I had this feeling of “You gotta be kidding me” when I read about “E-Mail made in Germany”. One of the key selling points is praising those same data protection laws that we all know might apply for companies but maybe not so much for the BND. What’s an outright impudence though is the fact that all they seem to do is turning on SMTPS. Well thank you, but other providers have had that for years. I’m not going into the details, others have done a much better job (English translation) than I could.

Sorry, but I’ll stay with my old provider

Let’s summarize: we are now supposed to leave our current email providers and join the German-only email elite. In return we get SMTPS (which our current provider probably already uses) and the assurance that our mails will never leave the country and will only be stored on German servers. In plain text, of course, so that we can be sure that the BND can access them before any other agency can! Sorry friends from Europe or (OMG) outside Europe, you may still send emails to me but your mails will never be marked with that German seal of excellence… I doubt that yet another icon marking things as secure will help - it’s not like the existing ones did a very good job at improving the situation.

Instead of promoting a solution that would really improve our privacy, I think it’s safe to say that at this point, the whole initiative is nothing more than a marketing gag that is supposed to convince some users of GMail, Yahoo Mail and friends to make the switch to good old German providers. Unfortunately, there is nothing that leaves any impression of improvement. Politicians are as clueless as ever, praising the initiative as a success and an important step given recent events and the resulting raised public interest in privacy and secure communication. Let’s pat each other on the back a little and indulge ourselves in being the great minds that we are. No comment.

So… what can we do?

Many advice has been given, for example using end-to-end encryption with PGP or S/MIME. While I share the opinion that these are pretty good standards that have been battle-tested for quite some time, they bring inherent complexity to the table. Everyone else you intend to communicate with will have to support these technologies, too. This is easy if you’re a technical person, but… not everyone is. This is why I’m a little concerned about what might happen in the immediate future: Right now, the whole issue is big news. There is public rage and discontent, but people will also quickly realize that there is not much to mitigate the situation right now. A few people will make the switch to email encryption, but for the majority, after the waves have settled, life will go on as usual.

Those few that actually switched will then face another problem. It has been rumoured that emails with encrypted contents could be flagged by agencies scanning them. Now imagine you have one hundred suspects and only one of them sends encrypted emails back and forth - who would you concentrate your efforts on?

Let’s face it, if you are a political activist really in need of secure and private communication, then you probably shouldn’t turn your computer on. Ever. Nor should you carry an iPhone. It’s like in the Sopranos where Tony says he would never ever buy a cellphone or in The Wire where the people selling drugs use throw-away cells. Your whole life should only consist of ephemeral data with nothing attached to you that would ever allow to pinpoint you or any of your actions. It’s hard to imagine that in a country where the government is known to mess with DNS you would ever use GMail or Facebook to communicate information that might endanger your life. And yet it happens. Besides privacy, an even more important goal would obviously be to not raise any suspicion with any of the communication happening. The tool to use in this situation is steganography, which is the art and science of hiding information in a way that only the intended recipients can retrieve it while any outsiders won’t even notice the presence of a hidden channel. This is a good introduction for anyone interested in the details.

I believe we should be careful about giving “advice”. We should consider the fact that there are people out there whose life depends on maintaining their privacy. This is different from the average citizens that just don’t want their privacy to be violated. In both cases, I’m sure it’s good advice to do your own research, not to trust some random guy like me on a blog, and certainly not to trust any marketing campaigns.

Am I suggesting now that

If you have nothing to hide, you have nothing to fear?

Quite the opposite. I hate that argument and consider it to be one of the biggest lies ever. Here is a great article analyzing why privacy matters and you can also find some good information in Ross Anderson’s Security Engineering. In Germany, we should actually know better. We have a history of government surveillance with the Stasi in the German Democratic Republic and the Nazis before that. They all claimed surveillance was for the safety of the citizens and for the greater good. Let me tell you a secret - nobody felt any safer, everybody lived in constant fear of “doing something wrong”. And now, just roughly 20 years later, it should suddenly be a good thing?

Major adoption of technologies like GPG or S/MIME would certainly help improving the situation. In any case, I think it’s safe to say that currently the only reliable way of securing your privacy is to do the encryption on the client, locally on your machine. As soon as the data leaves your machine in plain text there are numerous ways to intercept it. If you have the time and the chops, the best solution might be operating your own (physical!) mail server.

The number one problem with server-side cryptography/security right now is that even if some company treats your data perfectly secure on the transport level, somebody might eventually knock on their doors forcing them to reveal any data they store on their servers in plain text. This is why I believe that if application providers are really concerned about our privacy, now is the time to design systems that render coercion or collaboration of individuals useless. I’d be happy to trust an application provider with handling my data if I knew that they couldn’t be forced into leaking it to third parties. End-to-end encrypted data is counterproductive to the business of most companies (think Google ads) - the challenge for companies and academia alike will be to design robust schemes where accessing the data is still possible while forcing them to access the data without user consent is not. There are interesting research projects going in this direction, let’s hope we will have something ready for mass adoption rather sooner than later.

github repos

@emboss on GitHub