Email monitoring in the U.S. possible or likely?

[rickfarang]

I have question about email question that I hope can be answered by someone with some in-depth understanding of how email and the internet work.

 

Here's the background: A friend of mine is politically active in a city and county of in the United States. Lately, he has been sending complaints to a Grand Jury, getting into some pretty serious stuff. A nearby university is one of his targets, and people of high influence at the universtity are also involved with some of the political groups he is calling attention to the actions of. He is concerned that someone at university might be monitoring his email so as to obtain some advance warning of his next move.

 

Here is the question: His internet connection is via ADSL to a large commercial ISP. Can anyone imagine a way that someone at the university could be monitoring his email, short of corrupting someone or some system at the ISP?

 

He is starting to correspond via encrypted files, and he wonders whether he is overly paranoid.

 

Thank you in advance for any insight.

[keekwai]

Sending very sensitive information on the Internet without encrypting it may not be too different than sending the information through the post office on a post card. Maybe even worse because emails are so easily copied and stored for years. It doesn't hurt for your friend to be paranoid and send encrypted email. If I could get all my emails contacts to use PGP I'd send only encrypted emails even if I just wanted to bs about the weather.

 

Getting a large ISP to cough up someone's email doesn't seem likely but there are other methods. Just to give an example a program like this can be used to record email and other activities then email the results to whoever the snoop is:

 

http://www.spectorsoft.com/products/eBlaster_Windows/index.html

 

Email Recording

eBlaster records incoming and outgoing emails, including Hotmail, Yahoo mail, AOL email, Outlook, Outlook Express, and Microsoft Exchange email.

 

Optional Remote Install

If it is not feasible for you to physically go to the PC on which you wish to install eBlaster, SpectorSoft offers a Remote Install Add-On

[Neo]

PGP encryption is pretty solid advice. However, sending encrypted messages might bring attention to yourself. They might not be able to read it, but they will know it is encrypted and can determine the source and destination.

[rickfarang]

I have passed your comments along to my friend. Thank you both for your comments.

[SiamIAm]

Also it would be fairly easy to monitor his un-encrypted email if they were logged on to or listening to his pop 110 port or stmp port 25 via a telnet (internet) connection. All they would need is his IP address. A firewall would help prevent this exploit but they are notoriously easy to get around or spoof. As someone already said, encryption is the way to go. Unless it's a government agency involved they will have a very hard time un-encrypting it (*unless the password is weak). Email is VERY easy to intercept and monitor...

[krml]

On the issue of encryption. Having dealt with people who work for NSA here in America, most of the encryption cipher codes that exist were created by the intelligence community or in conjunction with them.

 

They are easily able to decipher these codes because they have the back door to them.

 

PGP was one of the only ones that was developed by a private organization. This of course caused the intelligence community some moments of worry.

 

Now in order to get PGP you need to register to use it. This of course allows the government if need be to have access to your cipher code by contacting PGP and telling them they want the code for so and so. PGP would have to comply. Of course the gov would have to get subpeonas and so forth...but you get the idea.

 

If they want to see what you are doing they will whether it is encrypted or not.

[Neo]

PGP uses public keys. What this means is you generate 2 keys, not 1. There is one key called the public key to encode messages that you give freely to everyone without caring who gets it. This key allows anyone to make an encrypted message, but this key cannot be used to decrypt. There is a different key called the private key you keep to yourself that allows decrypting. Generating keys can be done with software running on your own machine. Registering the public key may be needed for some usages in order to make royalty payments as PGP uses patented algorithms or it may be done to make it easier for people to find how to send encrypted messages to you. Even if you do register your public key, I do not see a security issue in doing so.

[keekwai]

krml said: "Having dealt with people who work for NSA here in America, most of the encryption cipher codes that exist were created by the intelligence community or in conjunction with them.

They are easily able to decipher these codes because they have the back door to them."

 

Did the people who work for the NSA provide this misinformation to you?

 

Good chiphers are public, open to scrutiny and unlikely to have 'backdoors'. By backdoors you may mean ones built into the software used to do the encryption. A backdoor that would allow the key to be made available to a government agency for example.

[SiamIAm]

It's my understanding that in the 90's there was a bill that was enacted that forced all public encryption programs to allow governmental interdiction, and had to be built into the program...

[BaronTT]

That was a while ago so I don't remember all of the details.

 

I am sure that the US government wanted to have a key or other way of getting in. They made a big fuss about it.

 

And that's why a lot of programs using the same algorithyms but without the facility for the US government became very popular. Israeli firms were well-known for making a lot of the good quality programs. Some of the best.

 

For a while you couldn't 'legally' export certain encryption programs made in the US because the cyphers were too strong. But overseas firms, such as the good ones in Israel, provided the strong cypher software to overseas markets.

 

So the powerful programs were easily available overseas, and people were buying those. The US SW companies lobbied and complained heavily.

 

I THINK that the regulations were changed so that even the US SW doesn't have the limitations any more.

 

I don't remember the exact history. Faulty memory from old age.