I heard on AmericasDebateRadio that there was a discussion in the chat room of whether Americans should have a reasonable expectation of privacy in e-mail. I couldn't find an existing topic on this exact issue. In general, I am wondering whether the existence of free technology to make e-mail almost perfectly private should figure into whether there is a Constitutionally "reasonable expectation of privacy" with regular e-mail. (Those already familiar with e-mail and PGP should feel free to skip to the questions for debate).

The way e-mail works, messages are normally sent to many machines on the Internet in clear text between sender and recipient. Anyone with a cable modem can run a simple program called a "packet sniffer" on their home router to read their neighbor's e-mail, as well as see the Web pages they are looking at. The traditional way to protect your online privacy is through encryption software.

There is a pretty good way to get all the privacy you want for your e-mail, and it has historically been called "Pretty Good Privacy" (PGP). The most common free version of the software is now GNU Privacy Guard (GPG), but all compatible solutions in the category are still informally called PGP. The easiest way I know to use PGP is to install Mozilla's Enigmail with Thunderbird on any major OS, but more and more e-mail software is shipping with built-in PGP support.

Top cryptologists and mathemeticians assure us that PGP is an incredibly tough nut to crack. It was so feared by the U.S. government that its creator, Phil Zimmerman, was jailed for a while, but the charges were eventually dropped. If you want to know the gory details of how PGP works and why it works so well, I'd suggest listening to the first few episodes of Steve Gibson's Security Now podcast. Most of us may not care why it works, so long as it works.

The problem with PGP is that it can still be a pain to set up and use. Both the sender and receiver of the e-mail have to run PGP in order for the system to work. They have to go through a process of generating, publishing, and signing the digital keys that are used to lock and unlock the e-mail messages. They may also want to run The Onion Router for even more privacy. Privacy technology is getting easier and more pervasive, but because it's not fully automatic yet, it's not as widely used as I believe it should be.

Another method of encryption, used by G-Mail and others, can secure your connection between your machine and your service provider though an "SSL" connection, using the "https" prefix, so that your neighbors can't spy on your e-mail over their cable modem. This is the same way banks keep Web transactions private. However, unless the e-mail recipient is using the same e-mail provider, your e-mail over SSL gets transferred in the clear as soon as it gets passed along by the service provider. For that matter, it can also be seen in the clear by your service provider. With PGP, only you and the recipient can read the message; everyone in the middle sees only random-looking gibberish. For many reasons, SSL is not (yet) as secure as PGP.

Courts have consistently ruled that e-mail sent from the office has no reasonable expectation of privacy. The EFF, a digital rights advocacy group, strongly disagrees. Home e-mail might get a different ruling.

Considering that an extremely effective e-mail privacy solution is freely available to anyone who cares to learn about it and install it; and any expectation of privacy for cleartext e-mail would be relatively unenforceable, I am mulling over the following...

Questions for Debate:

1. Should all e-mail sent from your own computer have a reasonable expectation of privacy as a matter of principle, or should any reasonable expectation of e-mail privacy be limited to those who take the initiative to encrypt their messages? Does the fact that privacy software is free make any difference?

2. Do you use PGP or any other e-mail privacy technologies? If so, what insight can you offer others? If not, would you bother to install and use PGP if the Supreme Court were to rule that your only reasonable expectation of e-mail privacy would be when using strong encryption?

In today's day, Email is becoming more and more of a substitute for snail mail. The truth is that if I dig through my neighbor's mailbox and read his mail, it's a federal offense. There's no law that says he should have to put 3" of tape on all his letters to keep me out, or a lock on the box. Why is email different? If I'm paying bills, making purchases, or just sending a note to the wife, why should someone legally be able to intercept these messages? Why should I have to encrypt it?

I think it should be a criminal offense, if not federal for someone to intentionally intercept my email.

Real mail and email are not the same thing. Not even remotely. Just because they share 4 letters (mail) you should never confuse the two. The delivery methods are completely different - yadda yadda.

Technology in regards to mail has failed and frankly hasn't changed much in 30~40 years. There was never an expectation that SMTP was going to be secured and subsequently it hasn't been.

You have no right to privacy at school, at work, OR at home. The paths your email travels are NOT yours. You don't own them. If you want to own them you'll need to make major investments in infrastructure. Hey BA I run my OWN email server! That's great who owns the edge router? Who own the pipe? The answer is not you.

However, if you want to have a reasonable shot at privacy other than through obsfucation you can encrypt your network data.

As a general rule I don't. I also don't send ANYTHING important through email.

I'm much more worried the Supreme Court will rule that Personal Encryption requires you to leave the encryption keys with the Government.

Some might say that the technology is fundamentally different, but I'll go with the mail analogy. Regular e-mail is like a postcard, and encryption is like an envelope. If a postcard gets misdirected to your house, it's not a federal offense to read it. Where the analogy breaks down is the delivery system. Whereas only your own postal mail is usually hand-delivered to your box, e-mail works more like a community drop, where there's an unlocked box at the end of the road and everyone's postcards are easily visible to anyone else sending or receiving a postcard from the same community drop.

I'm starting to feel like Sen. Ted "Tubes" Stevens.

It is very rare these days for anyone to pay bills or make purchases online without SSL encryption (a digital envelope?). The difference between paying bills and sending a note to your wife is that encryption is relatively effortless when paying bills (just look for the "lock" icon in your browser), while putting an envelope on a postcard to your wife takes a some initial effort installing PGP.

If e-mail automatically worked in a way to make privacy a reasonable expectation, I'd agree. Unfortunately, the e-mail system is a complete mess. If I need to troubleshoot my Skype connection with a packet sniffer, there's my neighbor's spam right in the open for everyone to see. Right alongside his botnet trying to hack my router, probably from a virus he picked up over e-mail. E-mail is hopelessly broken and begging to be replaced with something more reliable and secure. The next "version" of the Internet, IPv6, shows some promise with a dedicated security layer that could encourage more widespread e-mail encryption-- we'll see.

Until then, maybe we should know better than to expect any privacy in any form of mail that doesn't at least use an envelope. For e-mail, that's PGP. I haven't really made up my mind about how the law should handle e-mail privacy, though.

1.)I agree with Aevans176 on this. It is mail, albeit in a different form. While the equipment to ship the e-mail may not be mine, it should be expected that the message is and thus, is not fair game for any and all to view it. Just because they can view it, doesn't mean that they have the right to. If we follow that analogy, then your mail can be opened at a whim as you don't pay the mailman, his truck to operate, or anything else related to the delivery process. To me, that is a red herring as "personal effects" in a constitutional sense does not depend on any way, on ownership. So if the government wants to read e-mails without a warrant, they shouldn't be allowed to do so. If my ISP wants to turn over e-mails to the government, ditto.

2.)I do not, but I will seriously be looking into that option. I order books and cigars off of the internet and they have so-called "secure lines" or whatever that means. I remember that hotmail had an encryption box that you could check when you wanted to send an e-mail to someone. I could be wrong, but I don't think that option is there any more.

I have used PGP for many years to encrypt files on my computer that I would not like to be opened if the PC was stolen. It is easy and effective if used with a decent length password. The problem with email as you have said is both user and sender usually need to have a public key – few do.



Yes!
One way to send a secure message with PGP even to a person who does not have it is to use the SDA (secure digital archive) option. This creates a file, from say a Word document, that can be opened with a password – which you can send separately or give the person on the phone. Problem is the file ends in .exe and Outlook screens it out – so you need to ZIP it up.

That does it! Pain but it works. More folks should get PGP which can integrate with Outlook.






Actually you do pay with the stamp and it is against federal law to open first class mail and read it. Not so with email

Questions for Debate:

1. Should all e-mail sent from your own computer have a reasonable expectation of privacy as a matter of principle, or should any reasonable expectation of e-mail privacy be limited to those who take the initiative to encrypt their messages? Does the fact that privacy software is free make any difference?
No, yes, sortof.... Email sent from your computer should have the same expectation fo privacy as physical messages. The problems are threefold here, based on the ruling you link.

A physical message transmitted solely through private entities currently has no greater legal expectation of privacy than a piece of paper blowing down the street. The arrangement to transmit the message may include privacy expectations, but such are matters of contract, not, to my knowledge, statutory law.

A physical message transmitted through the US mails does have certain expectations of privacy, but those expectations are bound by the relationships between the sender, the receiver, and proximate second parties. Personal mail received at the office has reduced privacy standing.

The transmission chain of physical messages is relatively simple, and generally consists of a few clearly identified carriers, both private and public. In most cases, a single carrier will handle the entire transmission. As a result, insuring privacy is, from a legal standpoint, a fairly simple matter. Such, however, is not the case with e-mail, plus "steaming open one's mail and then resealing it" is a much simpler matter with email than it is with physical messages. For this reason, I think that the Wiretapping law is the correct realm, rather than Postal law. With physical messages, you generally have to get physical possession to snoop, not so with electronic.

From my perspective, the problem encountered with the Interloc ruling, which I believe was correct, is that the company was perusing messages that it was handling for the receiver, and nothing within their contractual arrangement prevented such behavior. Essentially, this particular instance would be no different from McDonald's assigning someone to listen in on conversations within their restaraunt between MickeyD's customers and solicitors from Burger King. Email sent from the office is clearly done utilizing company resources, so an employer definitely has a right to snoop on those, just as an employer has the right to listen in on phone calls made on the employer's phones. (Whether or not the employer can listen to the other end of the conversation is a whole 'nudder ball of wax.)

That's my understanding of the current law. Should some things be changed? Yes, I think they should, primarily because the transmission chain for electronic messages is far less amenable to a simple contract approach. Everybody except the sender, the sender's immediate agent, the receiver, and the receiver's immediate agent should be prohibited from digi-snooping. The relationships between the messagers and their immediate transmitters should be a matter of contract, with a default position established by law. Exactly what that default should be, I'm not sure, but one shouldn't be too challenging to create.

2. Do you use PGP or any other e-mail privacy technologies? If so, what insight can you offer others? If not, would you bother to install and use PGP if the Supreme Court were to rule that your only reasonable expectation of e-mail privacy would be when using strong encryption?
I don't use it or any other such technologies, thus I can't at this time provide any insights. If the Supreme Court were to so rule, I would hope to see legislation that corrects the matter. If I felt the need for email privacy, then I would investigate strong encryption, but feel no such need at this time. All communications between me and my henchmen are handled telepathically, so I'm not concerned about anybody getting wind of my plans to take over the world.

bwa haha
bwahahahahahaa

nuts! Did I just say that outloud?


Because you are not authorizing the government to act on your behalf in transmitting the message. Interfering with the US mail is interfering with the government itself. Reading over somebody's shoulder as they carry JoeBob's lunch order (i.e. physically transmitting a message) isn't illegal. Rude, yes, but not illegal.


Agreed, although I think its unlikely.