Thursday, May 18, 2023

Yet again, we are reminded that NOTHING IS PRIVATE ON THE INTERNET


I've lost count of the number of times I've been told that software such as ProtonMail, or Signal, or Telegram, are protected from "snooping", and that anything posted there is private and won't be revealed to anyone, even law enforcement.

Oh, yeah?

On May 10, Stephan Walder, a public prosecutor and head of the Cybercrime Competence Center in Switzerland’s Canton of Zurich, had a presentation on cybercrime at an event. Martin Steiger, a Swiss lawyer who had been live-tweeting from the event, claims Walder incidentally mentioned ProtonMail as a service provider that voluntarily offers assistance to law enforcement for real-time surveillance, without requiring an order from a federal court.

Steiger has published a blog post on ProtonMail’s alleged practices — the blog post is available in both German and English — and summarized the obligations of such service providers for cooperating with authorities under Swiss laws.

While ProtonMail provides end-to-end encryption, which prevents the company from reading the actual content of emails, it does have access to metadata. Citing the U.S. National Security Agency (NSA), Steiger pointed out that metadata can be highly valuable to law enforcement and intelligence agencies.

Steiger has highlighted that while ProtonMail uses the fact that it’s based in Switzerland as a marketing advantage, citing strict Swiss privacy laws, the company is actually subject to local surveillance laws, and while it’s not subject to more extensive surveillance obligations, it does voluntarily help law enforcement surveillance operations, based on what Walder allegedly said.

Steiger has pointed to ProtonMail’s transparency report, where the company mentions one case where it conducted real-time surveillance of a user at the request of authorities.

“Every user of ProtonMail (or ProtonVPN) must decide for himself whether the email service is trustworthy,” Steiger said. “The difference between advertising and reality at least speaks against too much trust for ProtonMail.”

There's more at the link.

ProtonMail has (of course) denied the allegations.  (What else would one expect?)  However, I believe them.  I don't think the Swiss authorities would allow ProtonMail to continue operating unless it cooperated with their security needs and concerns.  I don't think any national government would do so.  They're too paranoid, too obsessed with being able to gain access to whatever information they decide they need - and to hell with individual privacy, legislated or otherwise.  While ProtonMail may claim that they have no access to the contents of our e-mails, I'm willing to bet a large sum of money that more than one government has figured out back-door ways to examine those contents anytime they wish.  That's the way they operate.

The same goes double for US government security agencies, of course.  They're not just paranoid, they're manic.  As Sundance has pointed out several times, the "national security state" (what he calls the Fourth Branch of Government) is the true "Deep State", and they won't tolerate anything that impedes their snooping.

Former Obama era intelligence officials, those who helped construct, organize and assemble the public-private partnership between intelligence data networks and supported social media companies, have written a letter to congress warning that any effort to break up Big Tech (Twitter, Facebook, Instagram, Google, Microsoft, etc.) would be catastrophic for the national security system they have created.

Citing the information control mechanisms they assembled, vis-a-vis the ability of social media networks to control and approve what is available for the public to read and review, the intelligence officials declare that any effort to break up the private side of the intel/tech partnership will only result in less ability of the intelligence apparatus to control public opinion.

They willfully admit that open and uncensored information is adverse to the interests of the intelligence state and therefore too dangerous to permit.   They specifically argue, if the modern system created by the partnership between the U.S. government and Big Tech is not retained, the national security of the United States is compromised.

. . .

Twitter, Facebook, Instagram, YouTube and even Google itself, are financially and operationally dependent on the scale of the data processing system that is run by the U.S. government.  The capacity of each of the big social media companies to exist, operate and be financially viable, is dependent on the backbone of interconnected data networking, and massive data processing.

The scale of simultaneous user data-processing is not financially viable without the U.S government subsidizing it.  That’s the free coffee that cannot be duplicated in the private sector by any competing social media company.  That’s the cost and scale system behind the partnership that permits Big Tech to operate.   Ultimately, this is what the intelligence apparatus needs to keep hidden from the American (and global) public.

. . .

Essentially, the U.S. government is in control of our social media networking.

Again, more at the link.

There is no privacy on the Internet.  Period.  That's the way it is.  Big Brother is watching us, and won't permit or tolerate any attempt by anybody to get around that.  If you don't believe that, try encoding or encrypting the text in a normal e-mail sent via any service you wish, and see whether it gets through or not.  I've heard more than a few reports, from people who've tried it, that the recipients didn't receive it, or it arrived "garbled" and unreadable, or that a critical attachment was missing.  Same goes for images you send.  Steganography is well-known, and there are filters that specifically examine images to see whether anything about them suggests that it's being used.  If those filters are tripped, you can bet your bottom dollar that your image will be copied and sent to people and agencies with no sense of humor at all, and you'll come under some pretty intensive scrutiny.

Every single electron or pixel that goes from our computers to others, or arrives on our computers, has been and is being scanned multiple times as it passes through various intermediate servers.  We have no electronic privacy whatsoever, whether we like it or not.  If you want to keep something private, talk about it or communicate through non-electronic media:  and even then, unless your communication is hand-carried from source to destination, don't assume it'll remain private.  Why else do you think the US Postal Service copies the address of every single item of post it handles, and keeps that information on hand?  There's no good operational reason to do so, except to snoop on what people are sending to whom.

Our government and its security services operate in a permanent persecution complex fueled by distrust and paranoia.  Any attempt to avoid or evade their scrutiny is, from their perspective, anomalous and therefore suspicious conduct.  That's the bottom line.  The only solution I can see comes, again, from Sundance:

The United States federal police force, the FBI, is politically weaponized against American citizens.

The United States intelligence community is politically weaponized against American citizens.

The United States justice department, the DOJ, is politically weaponized against American citizens.

We need to take down the four pillars that support the Fourth Branch of Government.  The Office of the Director of National Intelligence (DNI), the Dept of Homeland Security (DHS), the Dept of Justice National Security Division (DOJ-NSD), and the Foreign Intelligence Surveillance Court (FISC), all need to be dissolved.

After those four pillars are removed, the Patriot Act needs to be abolished and the FBI placed under the jurisdiction of the U.S. Marshals service.




Michael said...

Casablanca quote:


Cybersecurity is a matter of computer power. Let alone simple "Legal backdoors".

Who OWNS the Supercomputers? or at least allied associates.

Supercomputers vs some servers and your laptop.

Details at 11.

Divemedic said...

That's the reason why those who conspired on the Russian collusion operation were communicating via 2 meter HAM radio. By its very nature, HAM radio in that band is hard to monitor.

Francis Turner said...

For readers who skim read, it is worth noting that the Proton article dates from several years ago. That's not to say it is wrong but it is worth bearing in mind. I know quite a few people in the security space who use ProtonMail (I do myself as well). It's not perfectly secure but if you exchange email with other ProtonMail users those emails are likely to be not visible to governments at all, though the Swiss government can probably figure out who you are emailing with.

Given that email headers are in the clear for mail servers and have to be so that an email can be correctly routed, metadata about who sends email to whom can never be hidden (if you send emails to people on other servers). The only way to limit that is to communicate exclusively between mail servers that are under control of individuals you trust and which are hosted in places you trust. But even then anyone who is listening on the path between will know that you are communicating even if they can't know precisely what you said or who you said it to. Given that most people have outsourced their email to Google, Microsoft and so on it is almost impossible to do business with most people this way but if you want to have a private email list server or similar for you and people you trust this is the only way. In such a case you would be advised to maintain multiple email accounts, one for the insecure email accounts you need to communicate with and the second for the secure ones. This is a lot of work for limited extra gain.

Aesop said...

And while you're up, I'd like world peace, the winning Powerball ticket, and Anna Kendrick's private cell phone number.

TechieDude said...

Proton mail encrypts the data in transit and in storage on its servers.

First you have to get to the data, then you have to unencrypt it. I don't see how they do that at scale, or if it would be worth the money. I think they do a best effort job of securing your data. Besides, in Switzerland, they'd be under GDPR rules. I think the only way they break that is to get a mole or traitor at protonmail. Then again, any decent IT operation would be monitoring traffic and intrusion detection.

That said - once that email leaves your encrypted client and heads to gmail or yahoo mail, it ain't encrypted and like you said, they are compromised.

Far easier to get it from your windows desktop or mobile if they are looking at you.

Anonymous said...

I have heard that Microsoft had put in a backdoor to the RSA encryption/decryption routines for government agencies to access. Supposedly, the government agencies play a big role (unofficially) in deciding what new levels of encryption get adopted. That way they ensure that only the ones they can break are in public use.
Lastly, one of the methods that has been employed in the past, is to hijack the DNS of certain sites, and re-route the traffic through a government agency server to capture all data to/from the owner of the DNS entry.
Basically, assume all common methods of communications are being monitored. Even the USPS scans every piece of mail it handles.

Anonymous said...

RE: Former DOJ official Bruce Ohr's (MI6 agent Steele's "handler", imo) wife Nellie (Russian SME) who coincidentally worked for Fusion GPS.
Nellie, in her mid forties undertakes to get ham radio permit.
Imagine that...middle aged woman with ZERO tech history decides during "spooling up" of Deep State conspiracy against DJT to learn about HAM and get a permit..

Unseen said...

The Italian student who threatened an American HS in CA with a bomb attack while using Tor found out about muh anonymous as he was apprehended and extradited.
That story is memory holed but it happened during Year Zero reign of Chimpy the Kenyan.
Gov has spyware that all scanners agreed to ignore.

Will said...

I think a valid concern would be patent privacy for inventors. What keeps your early design data confidential? You can't mention anything if random .gov agents have access to your communications. What is to keep one of them from taking your ideas or data and giving or selling it to someone else for compensation, or just to cause you financial harm?
I suspect that this sort of problem has a chilling effect on new ideas. Supposedly, China searches emails for this sort of info, but if even encryption doesn't protect you, then what?

Anonymous said...

As a licensed, general class, amateur radio operator, I can assure you that the 2M Ham band is exceptionally easy to monitor. Also, with a very simple and cheap setup, I can do radio direction finding, and triangulate to find the location of a transmitter, provided it stays active long enough, or frequently enough. We hams actually do this sort of thing for sport.

Also, FWIW, a Technician class amateur radio license is pretty easy to get, so "zero tech history" isn't much of a barrier.

Anonymous said...

Sigh... watch how many people call me a liar (I lost thousands of dollars in the stock market over this, not lying):
Tor browsers and the whole network is owned by the fbi/cia/fedgov.
Elliptical curve cryptology is broken, has been known for over 20 years. A Canadian company had the patent, was unbreakable, I owned a lot of shares. Then a white paper leaked showing the cia had it bagged from the get go, and the company tanked.
Nothing on the internet is secure.

Anonymous said...

re: Anonymous @RSA.

No, Microsoft didn't put a backdoor in RSA encryption. RSA put a backdoor in RSA encryption by recommending an encryption method that was easily decrypted by the NSA (and everyone else who knew about the flaw.)

As far as 'Protonmail helps police', NO, the 'metadata' that they're referring to is the data necessary for the successful delivery of the email. It includes the sender email address, recipient email address, and the IP addresses of every relay through which the message passes on its route from sender to recipient. It would be like trying to hide the sender and recipient of a postcard mailed from your own mailbox--not possible.
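
An added example, not part of any comment or of the original post, illustrating the point made in the comments above about mail headers and delivery metadata: this Python script parses a message whose body is PGP-encrypted and lists what any server handling it can still read. The message, addresses, hostnames and IPs are constructed sample values, and `visible_metadata` is a name chosen for this illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: reserved example domains and documentation IP ranges.
# The body stands in for OpenPGP ciphertext; the headers are ordinary plaintext.
SAMPLE = """\
Received: from out.sender.example (out.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS; Thu, 18 May 2023 10:00:03 +0000
Received: from [192.0.2.44] (client.sender.example [192.0.2.44])
\tby out.sender.example with ESMTPSA; Thu, 18 May 2023 10:00:01 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Subject: meeting notes
Date: Thu, 18 May 2023 10:00:00 +0000
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def visible_metadata(raw):
    """Return what a relay can read without decrypting anything."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own Received line, so reverse the list
    # to get origin-first order.
    for received in reversed(msg.get_all("Received", [])):
        ips = BRACKETED_IPV4.findall(received)
        hops.append(ips[0] if ips else None)
    rcpt_headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {
        "sender": parseaddr(msg.get("From", ""))[1],
        "recipients": [addr for _, addr in getaddresses(rcpt_headers)],
        "subject": msg.get("Subject"),
        "date": msg.get("Date"),
        "relay_ips": hops,
        "body_is_pgp": "BEGIN PGP MESSAGE" in msg.get_payload(),
    }


if __name__ == "__main__":
    for field, value in visible_metadata(SAMPLE).items():
        print(f"{field}: {value}")
```

Everything in the returned dictionary is readable even though the body is never decrypted, which is the distinction between content and metadata that the comments describe.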

froginblender said...

@Francis Turner Good info, thanks.