I haven’t written a lot yet about Mr. Edward Snowden and the NSA PRISM program. I will in time, but want to be careful not to be spreading misinformation, and not to merely be repeating what everyone else says.
There’s been no shortage of advice on encrypting your own data, but there is one pitfall to that.
The NSA claims that communications from U.S. citizens are dropped once they are discovered. That would be the correct thing to do from a legal standpoint. What I want, more than anything, is assurance from the POTUS that the NSA is, in fact, doing exactly that.
I haven’t started signing my e-mail messages with “Sent by a U.S. citizen from an IP address owned by AT&T in the United States of America,” but it’s very tempting. My IP address is in the mail header, so the only question is my citizenship. If the NSA kept a database of U.S. e-mail addresses, that would be the fastest way to resolve that. Resolving an IP address to the country it belongs to is trivial. For that matter, resolving my IP address to the part of St. Louis I’m in is rather easy. That’s why, for example, when you’re visiting a web site for a newspaper in a different city, you still see ads relevant to the city you live in. I get St. Louis sales pitches when I’m checking up on the Kansas City Royals.
The problem when you encrypt is that it suddenly becomes nontrivial–if not downright impossible–to sift U.S. communication from non-U.S. communication. So intercepted communications are kept indefinitely.
This is a bit of a cop-out, since the mail headers are unencrypted–only the attachment is encrypted. But that’s not something everyone knows.
So my snarky side wants to create a script that encrypts worthless pictures of cats and e-mails them to random people continuously. That would be a good way to protest–it violates no laws and harms no one. Deliberately encrypting the pictures with a weak password and a weak encryption algorithm increases the chances that they’ll decode the pictures and know that they’re intercepting garbage.
If you have a Mac or Linux box, you could use OpenSSL to encrypt the data using RC2 encryption, which is easy to break. That might be the only practical use for RC2, come to think of it. Windows users will need to install command-line OpenSSL, then they can do the same thing. The command would look something like this:
openssl rc2 -in cat.jpg -out secretsquirrel.jpg
When prompted for a password, keep it simple. Something like “cat” or “ged” or “nsa” seems appropriate.
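As an added example (not from the original post), here is what a passive observer still learns from a message like the one described above, where only the attachment is encrypted: the sender, the recipient, every IP in the Received chain, and the fact that the attachment is OpenSSL password-based output (openssl enc writes a "Salted__" magic followed by an 8-byte salt). The message, its addresses and IPs, and the attachment bytes are all constructed for this example.

```python
import base64
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: addresses, IPs and the attachment are made up. The
# attachment mimics only the "Salted__" + 8-byte-salt prefix that
# `openssl enc` writes for password-based encryption; the rest is filler,
# not real RC2 ciphertext.
FAKE_BLOB = b"Salted__" + bytes(range(8)) + b"\x00" * 16
RAW_MESSAGE = (
    b"Received: from mail.example.net (mail.example.net [203.0.113.7])\r\n"
    b"\tby mx.example.org with ESMTP; Sat, 15 Jun 2013 10:00:00 -0500\r\n"
    b"Received: from [198.51.100.23] by mail.example.net;"
    b" Sat, 15 Jun 2013 09:59:58 -0500\r\n"
    b"From: alice@example.net\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: cat\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n--b1\r\n"
    b"Content-Type: text/plain\r\n\r\nsee attached\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="secretsquirrel.jpg"\r\n'
    b'Content-Disposition: attachment; filename="secretsquirrel.jpg"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(FAKE_BLOB) + b"\r\n--b1--\r\n"
)

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def visible_metadata(raw: bytes) -> dict:
    """Everything readable without a key: envelope addresses, the IPs in the
    Received chain (the last Received header is the hop nearest the sender),
    and whether each attachment carries the OpenSSL 'Salted__' magic."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = [ip for h in msg.get_all("Received", []) for ip in IPV4.findall(h)]
    attachments = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments[part.get_filename()] = data.startswith(b"Salted__")
    return {"from": str(msg["From"]), "to": str(msg["To"]), "hops": hops,
            "origin_ip": hops[-1] if hops else None,
            "openssl_salted_attachments": attachments}


if __name__ == "__main__":
    print(visible_metadata(RAW_MESSAGE))
```

The encrypted payload hides the picture, but not who sent it, where from, or that it was encrypted with a password-based OpenSSL command.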
Do I believe the NSA is telling the whole truth? Absolutely not. But I am inclined to believe some of what they’re saying. And as someone who worked seven years as a government contractor and was better qualified for Edward Snowden’s job than he was, I know he was exaggerating about some things. Some of his exaggeration was clearly deliberate, and some was likely accidental. I’ll get into that at a later date.
I’m pretty sure that the knee-jerk reaction to start encrypting all e-mail messages, regardless of how mundane, is overreacting. At the very least, it causes undue attention to be called to you.