Protecting Email Communication: Is it Possible?
In the two years since former government contractor Edward Snowden released information about the extent to which the United States government was surveilling its citizens, the push to be able to protect private information has gotten much stronger. Protected email accounts and versions of the web existed well before Snowden’s leaks; however, discussions over how to truly protect online communication have proliferated since. One important aspect of these conversations is whether it’s appropriate to continue to allow the government to have access to citizens’ communications, but there’s simply no easy answer to these questions.
It’s within this wholly uncertain context that lawyers and law schools are beginning to address these questions. Southwestern Law School, a leading voice in media law located in Los Angeles, California, is one of the institutions tackling these issues head on. Recently, Southwestern Law’s Donald E. Biederman Entertainment and Media Law Institute hosted its annual online privacy conference, featuring a panel entitled “Government Access to Data: Surveillance, Privacy and Security After Snowden.” The panel featured leading voices in the field of online privacy: Jon Callas, a cofounder of both Blackphone and Silent Circle, and Timothy Edgar, a professor at Georgetown University Law Center and a visiting fellow at Brown University’s Watson Institute for International Studies. It was moderated by Lee Tien, Senior Staff Attorney at the Electronic Frontier Foundation. Read on to learn about the panel’s discussions on the topic of private email and its role in the legal field.
Protecting Online Communication: A History
In order to explore the discussion about online privacy that the Southwestern Law panel undertook, it’s important to understand the context of protected communication. Even before Snowden’s leak, no one liked to imagine that their private communications were easily readable. More importantly, so many of us now store our most important information online–whether that is bank accounts, identification information, or medical records. Pieces of our personal information that used to be kept under lock and key in paper form are now stored in electronic, intangible ways. So it makes sense that ever since this kind of online storage has existed, some have sought to protect their information from prying eyes.
But after Snowden’s leak the urge to protect information became particularly focused on one set of prying eyes: the U.S. government. During the Southwestern Law panel, Tien introduced the complicated conversation about protected communication as follows:
That issue has come back in the post-Snowden world. Because one of the things that became really, really clear from his revelations is that the government spends a lot of time and energy thinking about how it can subvert and undermine the technology we use to protect our privacy.
This brings us to the concept of encrypted email–one of the most basic building blocks of protected communication. There are multiple ways to encrypt email, but at its most simplistic form, encryption means that a message cannot be read by anyone who is not authorized to do so–whether it’s a government agency, employer, or a hacker looking for vulnerable personal information to exploit.
Encrypted email usually involves public and private “keys.” As the names indicate, public keys are available to the public–essentially anyone with whom you want to trade emails–and private keys are kept by the owner of the email account. Imagine Person A wants to exchange emails with Person B. Person A gives Person B her public key, and Person B writes an email, then uses the public key to encrypt it. When Person A receives the email, she needs to use her private key to unlock the email that has been encrypted with the public key–and because she’s the only one who has the private key, she’s the only one who is able to do so.
Of course, that is just encryption at a very basic level and it can be significantly more nuanced than that. The encryption described above requires some people to have keys–usually an account provider such as Gmail, for example. The next level of encryption that is said to be on the horizon will place the encryption process on the computer rather than on servers, so even the company providing the service won’t have the key. But that’s also where the legal concerns the Southwestern Law panel discussed start to come into play.
The Legality of Encrypted Email
There’s nothing inherently illegal about encrypting emails, but that hasn’t stopped those who create the programs and services from running into legal trouble here and there, particularly with the United States government. One case discussed by the Southwestern Law panel surrounded an email service called Lavabit, founded by entrepreneur Ledar Levison. Snowden used Lavabit, and when he fled the country after revealing information about the NSA’s surveillance program, the FBI wanted to access his account. However, the government requested the private encryption key for Lavabit generally in its attempt to access Snowden’s key. Lavabit provides encrypted email to nearly half a million people. Levison at first was unwilling to give that information, and chose to shut down the company after a very long legal back and forth in which he was served multiple times. The dominant narrative about what happened to Lavabit focuses on the complicated nature of what the FBI was asking for. During the panel, Tien explained the sheer difficulty of what the government was asking Levison to do:
After Lavabit shut down, some similar companies followed in its wake. SilentCircle, also offering encrypted email services, shut down in anticipation of similar issues with the government at some point in the future. Callas, a co-founder of SilentCircle, explained the decision to shut down while at the Southwestern panel, citing fear of a reputation hit, and saying that “when the house next door gets raided, you wonder if you’re next, and that’s when you make sure that your shredder is working.”
Despite Lavabit’s abrupt closure, companies haven’t stopped their quests to create truly private, encrypted email–they’ve just had to become more careful. One of the new companies that sprung up in the wake of the Snowden revelations and the subsequent focus on encrypted email is called ProtonMail. It promises that new frontier of encryption: a company that doesn’t have the keys to encrypted email. If a company doesn’t have the keys itself–the way Lavabit did–it can’t provide them when the government comes to call. Andy Yen, one of the founders of Proton Mail, explained:
We encrypt the data on the browser before it comes to the server. By the time the data comes to the server it’s already encrypted, so if someone comes to us and says we’d like to read the emails of this person, all we can say is we have the encrypted data but we’re sorry we don’t have the encryption key and we can’t give you the encryption key.
ProtonMail isn’t the only new service that’s attempting to make encrypted email even more private. Levison, along with a number of like-minded partners, created the Dark Mail Project, which is working on a new set of email protocols called Dime. Dime is specifically focused on metadata in addition to the actual messages being sent. Metadata includes things like location and time when a message was sent. That kind of information has also been highly coveted by the government. Again, like with ProtonMail, the logic is that if the provider doesn’t have the information the government is looking for, the government can’t go after the company.
Whether or not that’s strictly legal, however, does appear to be a gray area. Since some of these features are so cutting edge, it’s hard for American law to keep up with it. As Dailydot explains it:
As the law currently stands, people aren’t required to build online services that are accessible by a government request; but, if your service is in any way penetrable, the operators of those services can be compelled to turn over what information the government could theoretically access.
This lack of clear guidelines has sparked frustration from both email encryption companies and the government, which has led to the government asking for something called a “backdoor.”
A backdoor to encrypted email is pretty much exactly what it sounds like: a special entrance for the U.S. government–normally the FBI–to use in order to access data in case it needs to do so. But whether or not they should be instituted is a contentious point of debate. While the Southwestern Law panelists tended to argue against backdoors, in order to understand their points, it’s important to acknowledge the arguments for backdoors purported mainly by the government.
Arguments in Favor of Backdoors
The FBI’s argument for a backdoor is multi-faceted, but it all essentially boils down to a single idea: national security and safety. The most compelling argument is that if these types of software are used to arrange terror plots or other nefarious acts, the FBI, or any other relevant agency, needs to be able to gain access to that information. As President Barack Obama put it in January 2015: “If we find evidence of a terrorist plot…and despite having a phone number, despite having a social media address or email address, we can’t penetrate that, that’s a problem.”
Those who espouse the necessity of backdoors also point out that it has nearly always been possible for the government–particularly the American government–to listen in on or read private correspondence between citizens if there is a national security issue at risk. While there are rules about reading citizens’ mail or wiretapping conversations, those options have almost always been open to government officials if the proper channels and rules were followed. The idea that a type of communication could be created in which the government simply could not access the messages is not consistent with American security practices to date.
Arguments Against Backdoors
One of the strongest arguments on this side is that creating a backdoor for the government weakens the system as a whole. There’s really no way to create a backdoor that only the U.S. government can use–it creates vulnerabilities that enterprising hackers, terrorist groups, or foreign governments can also exploit, albeit with a bit more difficulty. So, allowing the government to have access to encrypted emails in order to fight terrorism could backfire and weaken national security.
There’s also a counter-argument to the idea that the U.S. government has traditionally had access to our private communication. This argument posits that the government’s ability to search private citizens doesn’t entitle it to whatever it wants, but rather gives it permission to try to gain access. As Edgar put it during the Southwestern Law panel:
The FBI director has been making the government’s traditional argument, which is the government has a right to monitor communications as long as they get a lawful order for it, under whatever that legal standard is. And I’ve always thought, even since law school, that just gets it completely backwards. The government’s warrant isn’t a right, it’s a permission. It’s a judge saying you are permitted under the law to do something that if you were a private citizen would be illegal because we think it’s important for law enforcement or national security.
There’s also the concern that the U.S. government would use backdoors to continue one-size-fits-all surveillance on American citizens. According to a poll conducted by the Pew Research Center, 73 percent of Americans think it is acceptable for the U.S. government to monitor suspected terrorists, yet only 37 percent of Americans think it’s acceptable for the government to spy on American citizens. Given the significant evidence that that type of monitoring was exactly what was happening, it makes sense that many would be hesitant to allow the American government in to monitor “terrorists” if that means giving it access to non-suspects as well.
So is it actually possible to have entirely private email?
It’s not an easy question to answer. Instead, it’s a matter of weighing priorities and sacrifices, and those aren’t consistent from person to person, let alone the American government as a whole. Southwestern Law, as well as other legal and academic institutions, is working to answer these questions, but it’s important to keep in mind that there may never be a cut-and-dry answer.
In order for communication to be completely and fully protected, we have to realize that we may get to the point where companies and developers are building systems so protected that no one can break them, not even their creators. That is viewed by some as deeply problematic, because there really will be no ability for surveillance or access for the government at that point.
While we aren’t yet at that point, it’s indubitable that Snowden changed the way that we look at privacy, national security, and communication, and his releases sparked a larger national debate about how to protect email. But the reality is that there may never really be an answer to the question of how to protect our online communications.