The scandal isn’t Swedish

June 19, 2008

So Sweden just passed “lex Orwell” allowing their Gestapo^H^H^H^H^H^H^Hsecret service to put all electronic traffic coming in or going out of the country under surveillance (fellow Zopista and Swede Lennart Regebro has written about this as well). This is, by far, the most drastic law in this respect and I’m literally speechless. Fortunately, something like this would be quite unconstitutional in this country (but then again IANAL, so what do I know). Mind you, this hasn’t stopped the German coalition of the willing from passing a law on data retention whereby all telecommunication providers in Germany must store telecom data for 6 months and provide them to the authorities when necessary. And if you live in any other European country, chances are good your government has also passed similar laws as there’s an EU guideline that inspired the German law.

Anyway, all of this really isn’t a scandal. It’s sad, wrong, and many other things. The real scandal, however, is that nobody is using email encryption. If we all wrote encrypted emails, good luck to any government agent trying to make out what we’re writing each other. We use encryption when buying junk off the internet, when doing online banking, even when checking in code into a version control repository. Why aren’t we doing email encryption?

Yes, I’m aware email encryption is out there and actively used, for instance by enterprises and corporations to prevent industry espionage (when I worked for Siemens, Infineon, etc., confidential emails to out-of-office addresses always had to be encrypted). When I say “nobody is using it,” I mean my mom and dad, my best friends, my fellow students at university, heck, even I. Where’s the built-in encryption functionality for Apple Mail? For Thunderbird? For Outlook? For Gmail? Who needs Exchange for the rest of us when there isn’t even email encryption for the rest of us?

12 Responses to “The scandal isn’t Swedish”


  1. Yup. You can integrate GPG with some email clients though. Not webmails, sadly. There you need to cut and paste. :-/

    Also, you need to encrypt the communication with the mail server. That’s easier, especially if you use webmail. 🙂 And the communication between the servers needs to be encrypted, and I’m guessing it typically isn’t, even if ESMTP allows it, I think.

  2. philikon Says:

    I know that you and I can *add* encryption functionality to email clients, but surely I can’t possibly explain this to my mom or dad. Why isn’t it just built-in? Why don’t you automatically get encryption keys when you sign up for an email account? Why doesn’t it Just Work(tm)?


  3. Yeah, beats me. It’s not that it’s complicated to do. At least not in the open source world, where exporting these technologies is less of an issue.

  4. encolpe Says:

    > nyy ryrpgebavp genssvp pbzvat va be tbvat bhg bs gur pbhagel haqre fheirvyynapr

    Pna jr frevbhfyl vagrtengr bar clguba tct zbqhyr vagb bhe nccyvpngvbaf gb pelcg nyy qngn fgberq naq hfr bayvar qrpelcgvba sbe hfref ?

  5. Fernando Correa Says:

    I agree it should be built-in. It should be built-in for every networked app (!).
    Thunderbird would be an excellent candidate to have this defaulting to all email accounts and if you wanted, and *only* if you wanted, you would be able to disable encryption.
    In fact, it should be pretty hard to disable this feature to enforce security.

    I hope Brazil’s government never starts doing such things. I’d move to pirate bay’s island if they start it.
    Mmmm…..they might have started already.

  6. Tres Seaver Says:

    The whole issue is the trust mechanism for *other* people’s keys. Making that Just
    Work for folks who can’t be bothered means giving Big Brother another way to snoop.
    Qui custodiet custodiens?

  7. philikon Says:

    Tres: All you really need is a central, trusted site to manage other people’s public keys. We already have such trusted sites when it comes to SSL certificates, why can’t the same work for public keys that are used in emails? Knowing that such services already do exist, I can’t help but wonder why they aren’t hooked up to the email programs.

  8. Erik Says:

    Even if the data is encrypted the mere fact that communication has occurred is sometimes enough. What you would need is that the entire message, including header, is encrypted and tunneled in and out of Sweden. GPG + Tor might cut it, as long as the Swedish gestapo don’t set up their own Tor node and you happen to get that node as entry/exit point.


  9. Sorry, I think it is still a scandal 😉

    Nevertheless email encryption could be used more. But then it also needs to be simpler to use and in fact it isn’t. Maybe this move gives this a push though.

    And email btw. is only one thing, a whole traffic analysis is a different thing.

    And what is a central, trusted site? That’s the next thing which will be legislated away.

  10. Doug Napoleone Says:

    Here is a good screencast on using Firefox+FireGPG+Gmail to encrypt your gmail. Of course this assumes that the person you are sending to also is using a client which supports PGP (or is doing a similar hack on top of GMail).

    http://www.irongeek.com/i.php?page=videos/using-GPG-PGP-FireGPG-to-encrypt-and-sign-email-from-gmail


  11. […] follow, instructions for encrypting your own hard drive and network sessions. Philipp has also already wondered why more people don’t actually use email encryption. For me the answer is […]


  12. […] Philipp von Weihausen comments on something interesting. “Anyway, all of this really isn’t a scandal. It’s sad, wrong, and many other things. The real scandal, however, is that nobody is using email encryption. If we all wrote encrypted emails, good luck to any government agent trying to make out what we’re writing each other. We use encryption when buying junk off the internet, when doing online banking, even when checking in code into a version control repository. Why aren’t we doing email encryption?” […]

