I’m not often a fan of conspiracy theories, except for entertainment value. This one is interesting because it combines international intrigue, the elections, and our world of notoriously poor email security.
The conspiracy arises from foreigners trying to influence the United States election. They spy on unprotected emails and leak the contents to influence US public opinion. This isn’t limited to attacks on the Democratic candidate Hillary Clinton. Some suggest that Fox News and the Trump campaign have also been attacked this way.
We could be blocking this threat, except that pressure groups within the government want to leave as much information unprotected as possible, notably law enforcement and intelligence agencies. I think we face a greater threat from foreign exploitation of our unprotected emails than we face from impeded investigations or even a few terrorist bombs.
Speaking on the cryptography mailing list, Phillip Hallam-Baker outlined a series of “remarkable and quite unexpected developments” during the campaign season in both the Republican and Democratic camps. While several are tied directly to leaked emails, others may have arisen from intercepted emails. As Hallam-Baker says,
If you have someone’s entire email history, manipulating them into taking actions you want them to take becomes quite easy.
A lot of countries and other entities (ISIS for example) would benefit from chaos in the United States. A fouled-up election would yield plenty of chaos even if there isn’t gunfire in small towns.
Russia is a common thread in several election-season surprises, and not just as the prime suspect for hacking the DNC’s email. Donald Trump is astonishingly pro-Russian and pro-Putin, especially for a Cold War-era Republican.
Email Protection Today
In ancient times (20 years or more) email was never encrypted. It moved from user to user and site to site as raw, easy-to-read text. The 1980s saw “privacy enhanced mail” developed to encrypt email messages, but it was too complex for widespread use. As spam became a problem, email services added encryption to recognize trustworthy servers that didn’t tend to distribute spam.
The chosen encryption only protected email during transmission. Attackers and investigators couldn’t eavesdrop on email messages, except at relay points and when they resided in mail boxes. Further protections weren’t widely available. Thus, email contents could be easily retrieved by the email server’s administrators, or by law enforcement. Outside spy agencies needed to hack into the email server to read such emails, but most agencies knew how to do this.
Some “free email” providers took advantage of this lack of protection. They could analyze customer email texts for market research or to target advertising.
Protecting Email Effectively
Here’s the solution:
Email messages should be encrypted at all times except when created or read.
The author should encrypt the email so that only the recipients can read it. Privacy enhanced mail pioneered this technology. A few messaging and email systems work like this today, including Apple’s iMessage.
Why Email Isn’t Often Encrypted
The reason is simple: government agencies have pressured technology vendors, including Apple, to discourage people from using encryption. This may sound like another hare-brained conspiracy theory to people not in the cybersecurity business, but it’s true.
In February 2016 the FBI acquired a court order to demand Apple help decrypt an iPhone used by the now-dead suspect in a domestic terrorist attack. While this didn’t involve iMessage encryption specifically, it illustrates the problem. The suspect’s iPhone had been locked, and the locking process encrypts everything on the phone. The court order assumed that Apple could use some technical magic to retrieve the suspect’s unlock code and decrypt the phone’s contents. Apple fought the court order and the FBI eventually found its own team of cybersecurity experts (in an overseas company) to decrypt the phone.
While the Apple case was recent and widely reported, similar cases abound. During its investigation of Edward Snowden, government agencies compelled Snowden’s encrypted email service, Lavabit, to help retrieve and decrypt Snowden’s emails.
Why Crypto is Important
The government claims that crypto makes criminal and terrorism investigations more difficult, thus putting America at risk. These claims can get extreme at times, too. But these investigations rarely prevent bad events, and encryption rarely halts an investigation. Instead, our unprotected computing systems put us all at risk, all the time.