olivergajek

When we first heard of Edward Snowden in June 2013, we heard of the collection of metadata at Verizon. It took us a while to figure out if that was troubling.
Now we know that it is. Who calls whom at what time and how often reveals many things that we may want to keep private. How often I call my doctor, priest, psychiatrist, or astrological hotline is my business and none of yours.

The same goes for Email where people now are asking for privacy solutions, as they have understood how personal and private this information is and that they can’t trust the promises of technology and service providers. People naturally have turned to PGP for email encryption as the widely accepted standard for protecting their private messages.

But, guess what, PGP only encrypts the body of your message. Subject line, sender, recipient, time, IP address, and a host of other technical details are transmitted in the clear.

Trouble is that they have to be in order to make their way to the intended recipient across public networks. Much like a letter that you post will have a recipient address and a return address and a post office stamp that your postman and your neighbor can inspect. So while the content of your letter will be private while sender and recipient will not be anonymous.

So the big question becomes if this is a problem or not. Three things to consider:

It’s a problem depending on what you’re afraid of. Me, I’m afraid of somebody breaking into my Gmail account and posting 10-year old messages on the web for everybody to see. Every now and then I stumble across some old message and am embarrassed by what I wrote. Nothing more, nothing less. Thankfully not in the league of Colin Powell and Corina Cretu, but still. Wouldn’t want to see the old stuff in public. And this is just embarrassment in retrospect. I don’t even know what might be embarrassing or problematic in the future. Think of being denied entry into some country where you criticized an emerging party in an email ten years ago. And now that party is in power and they have read that email. That’s the kind of stuff that worries me. Turns out that PGP encryption of my message text takes care of this very nicely. So I’ll have some of that PGP encryption and pronto.

Of course I’m interested in exposing even less for embarrassment or misuse. So an email provider that is very specific on metadata retention is certainly interesting. They really have no need to keep a complete record of who I communicated with and about what once the messages have been delivered. So transparency about data retention, ideally audited by independent and trustworthy experts, and completely open communication on attempted breakins and governmental requests for data access would absolutely win my business. Full disclosure: We’re working on that…

Since this is such a big issue we can reasonably expect for the technology industry to address the issue of encrypting metadata for email. The so-called Darkmail alliance has gotten quite a bit of press last year and may come up with an exciting technology change. We haven’t heard much from them recently so it’s a bit hard to say more. And of course it will be useful only if it turns out to be a genuine standard adopted by multiple technology and service providers.

In the meantime it’s probably best to apply the old 80/20 rule. If I can encrypt 80 percent of my email content with 20 percent of the effort then that’s good enough for me. That is why PGP wins for the foreseeable future.

A lot of talk these days about “Digital Sovereignty”. Whereby well-meaning people like to think that they can keep control of their data by ensuring that the data are kept in a certain legal or geographical area and somehow never leave.

But that is probably fundamentally flawed. Among other things one should consider:

• Internet pipes do not stop at geographical boundaries. Stuff flows everywhere and you cannot stop it. Which is what makes the Internet so useful and so cheap. Recent discussions in Switzerland for constructing a multi-billion dollar “special” Internet for the military (and banks no less) seem highly problematic.
• The stuff that runs the Internet probably does not come from your country. For years we have been told to avoid Chinese telecoms equipment. And now we find Cisco and others complaining that their equipment is tampered with systematically. 

For any threat I might want to avoid by domiciling data in my geography, I can imagine a straightforward attack that keeps that threat very much alive even if we close the pipes at the borders. The bribed or disgruntled data center or telco employee always has been and always will be attack vector #1. 

Much better to think about proper, meaning end-to-end, encryption applied within my personal jurisdiction. If only I have the keys then I can use public servers and services across the globe and I get all the benefits and none of the risks.

If you’re still skeptical take a look at this recent announcement about Visa and Mastercard moving their servers into Russia. Digital sovereignty indeed!

In a nutshell: Too much James Bond thanks to the reissued box sets with all the wonderful actors reading the sometimes less than wonderful works of Ian Fleming. And a major discovery, Karl-Ove Knausgard. Who you may or may not like, no guarantees.