Industry Observations

Government Surveillance: Why it doesn’t matter if you delete your email

Every three months I have a task alert reminding me to “delete cloud data.” This kicks off an hour or two spent clicking checkboxes and trashcan icons, getting rid of as much data as I can that is stored on someone else’s servers (Gmail, other Webmail, Twitter Direct Messages, LinkedIn messages, Facebook messages, and so on). The reason I do this is simple: to protect against the eventuality that someone will hijack one of my online accounts.

Even as a security pro, I’m not so arrogant as to think that I can’t be hacked, and my online accounts are especially vulnerable since I am not in total control of them. I figure that getting hacked is only a matter of time, either through a social engineering trick or exploitation of a website vulnerability. We’ve seen a number of celebrities and security pros alike suffer this already. For me, when the day comes, I want to limit the data loss exposure to no more than three months. It’s not that any of my data kept in “the cloud” is super sensitive, but I still don’t want it dumped on Pastebin.

While this ritual has served me well, there’s one glaring problem: the National Security Agency (NSA). Well, specifically PRISM and any other surveillance programs that they and other governments have. According to published reports, government agencies have what can only be described as wholesale access to end-user data located at Google, Facebook, and many other companies storing email and other interpersonal communication. Through various “transparency” reports released, we’re talking tens of thousands of requests without much, if any, governmental oversight or people having the power to legally object. Protecting my data against this sort of compromise is very different and renders my aforementioned data deletion useless. I’ll explain why.

Let’s say you use Gmail, or any Webmail provider for that matter. Using a browser, you craft an email, send it to another Gmail user, then subsequently delete that message from your Sent folder. Let’s say that recipient then responds to your email. You read it, and then promptly delete it. From your perspective, in your account the data is gone and anyone directly hijacking your account can’t see that anything was ever sent or received. This is exactly the outcome we were looking for. BUT, this is not necessarily true from the service provider’s perspective, or for government surveillance.

You see, the Gmail user you’ve been emailing still has a perfect transactional record of all of your sent/received email, which is sitting somewhere in their account, probably in their Inbox or Sent folders. Now, scale this out to all the email you send to any Webmail provider, and you start to get the idea. You might have deleted your email in your account, but no one else has deleted your email in their account. When Google (et al) receives a governmental order to hand over all email to/from “@gmail.com”, they can do the search system-wide. To be fair, I have no idea if they actually perform the search this way, but the fact is that they technically can.

At this point it’s also important to appreciate that when you delete email on a Webmail service, there is zero guarantee that your email has in fact been deleted. At least, nothing like the assurance you get with your own system(s).

When explaining this situation, a common reaction is suggesting Google should simply encrypt your email/data, so that not even they can read it. Before getting to that, let’s understand why Google, Yahoo, Facebook, and hundreds of companies offer you free online services. They do so because in exchange they get access to your data – however sensitive – and personal interests, no matter how private. They sell aggregated access to this data to advertisers who wish to promote their brand or influence your buying habits. That’s essentially how they make their tens of billions of dollars annually.

This relationship is not necessarily a bad deal and so far, it isn’t even controversial. What’s controversial is that Google, or any other “free” Webmail provider that needs to read your data to make money, obviously they can’t encrypt it from themselves to protect against government surveillance. It would be contrary to their business model. On this point even Vint Cerf, one of the fathers of the Internet and Google’s Chief Internet Evangelist, agrees. In the wake of the PRISM headlines, a main concern of theirs is that users will freak out and withdraw their data, decrease use of the service out of fear, and they then lose money. I think their concerns are well-founded.

That’s why, in response, companies like Google, Yahoo, Twitter, Facebook and others are eager to reassure their users and consumers that they are going to resist surveillance to the extent they legally can do so and continue to be “transparent” with them by disclosing the number of times that government has made data requests. They’ll even go so far as to challenge a government gag order to make sure they can disclose to users with as much details as possible. The truth of the matter is, “transparency” is probably the best these companies can do, but it’s just not good enough – nor will it ever be unless these companies change their business models, which they can’t, so they won’t, so we’re stuck.

What’s the answer then? On any individual user level, my quick advice has always been: if it’s something that you can’t afford to lose, or something that is truly personal to you, don’t put it on the Internet. In the same vein, if you’re going to be browsing NSFW sites while at work then do so using a search engine that does not track your data. DuckDuckGo and a few other sites like it can be a good option for this. And then, of course, you could use PGP or other tools to encrypt your email content before pasting it to Gmail. Unfortunately, personal email encryption software hasn’t proven itself very easy or attractive enough for mainstream use. And admittedly, PGP itself does not completely safeguard your email from the government or other prying eyes: the email envelope itself, which includes valuable info such as sender, recipient, subject, time sent, mail servers, etc., is still visible.

For companies like Google, Yahoo, and Facebook, the only real solution they can offer to their users is to redesign their business models so that they are not reliant on the ability to store and read user data to succeed. Yes, far easier said than done, but let’s just consider that for a moment.

If, for example, Facebook charged it’s more than one billion users just $5.00 USD for an entire year’s worth of the service, it would more than make up for the 2012 revenue it receives from advertisers. Without complete reliance upon advertisers for revenue, Facebook would no longer have any real reason to keep your data or reason not to encrypt it. A similar model could be applied to Webmail as well. In fact, Google offer paid-for corporate email hosting already via Google Apps. So why isn’t the email encrypted from themselves? (Or maybe it is?)

For Google, Yahoo and Microsoft, advertising based on search terms just does not need to be targeted at the individual – this eliminates the need to retain search analytics information. It doesn’t eliminate advertising completely, it just makes advertising tied to individual search queries no longer tied to your personal information – which means they don’t have to store the data, or if they do, leave it in such a way that they can read it.

Perhaps in all of this I’m just being naive, even a little bit idealistic. The more likely reality is there is simply too many business conflicts of interest for these companies right now under their current models to charge for their services directly and encrypt the data, so the only thing they can do is offer “transparency.” For me, that’s just not good enough.