January 4th, 2007
There was a bit of a flap about privacy today, though I’m not sure how many people noticed it: according to some newspaper and television reports, a signing statement attached to a Postal Reform bill signed by President Bush in late December may have created a mechanism allowing the government to open first-class mail without a warrant. See “Bush Signing May Change Mail Laws” in the January 4th New York Times and “Opening and Tracking the Mail, a New Old Story” in the January 4th issue of Wired Blogs for two examples of the coverage; there’s probably much more out there, if you do a Google search.
After the initial reaction — how dare they? how many more surprises are waiting for us in “presidential signing statements”? — I calmed down and thought about it for a few minutes. First question: how much snail-mail do I get, and what are the consequences if someone opens it? Most of it is unsolicited junk mail; I wish that someone would please open it, and then throw it away. Then there are the magazines; I don’t subscribe to any underground terrorist magazines, and if they really want to open my issue of IEEE Software, they’re welcome to. And then there are bills — lots and lots and lots of bills. I suppose that it would bother me if I found out that the Homeland Security Department was opening my phone bill and my credit-card bill; but I have a feeling that they’re getting all of that information directly, in computerized form, from the telcos and the banks already.
So am I getting any “real” mail, the old-fashioned kind where someone hand-wrote a long, rambling missive about what the relatives are doing in Oshkosh? Well, I’ve gotten a flood of Christmas cards, and some of those had long, rambling notes about a full year’s worth of trivia from the Smiths and the Johnsons; and while some of it was interesting, I really wouldn’t care if I was tenth in line to read it. As for real letters … I don’t think I get any of those any more. If so, I don’t remember them.
What I do get, of course, is email messages — about 300 a day, after the spam has been filtered out. According to some statistics cited in an MIT report on spam mail
“US consumers received more than 140 billion spam messages in 2001, according to a report last week by Jupiter Research. Spam accounted for 46 percent of the 261 billion e-mail messages sent last year. An estimated 645 billion spam e-mail messages will be delivered by 2007, Jupiter said in its report.”
I suspect email is where you’ll find the vast majority of noteworthy messages being exchanged by terrorists, drug smugglers, insurgents, assassins, thieves, Mafia dons, and various other nasty people. And that’s probably where the government should be focusing its resources … indeed, I suspect that’s where the National Security Agency is using a lot of its vast supply of CPU cycles.
But wait: shouldn’t email be considered as sacrosanct as first-class snail-mail is (or was)? Well, not so: remember the Patriot Act? According to a February 28, 2006 article in the New York Sun (see “Patriot Act E-mail Searches Apply to Non-Terrorists, Judges Say,”),
“Two federal judges in Florida have upheld the authority of individual courts to use the Patriot Act to order searches anywhere in the country for e-mails and computer data in all types of criminal investigations, overruling a magistrate who found that Congress limited such expanded jurisdiction to cases involving terrorism.”
Note the emphasis on “all types of criminal investigations,” not just terrorism or perceived threats to national security. Again, a bit of Google searching will reveal several more interesting tidbits, if you’re curious: for example, Google tells me that a government document entitled “Field Guidance on New Authorities That Relate to Computer Crime and Electronic Evidence Enacted in the USA Patriot Act of 2001” defines e-mail as not only the text of the message itself, but also any attachments “consisting of any type of data, including voice recordings.” So the digitized voice-mail that gets stored at home, in the office, or on some telco computer can be searched; so can the Excel spreadsheets and the slightly risque JPEG images of last month’s office Christmas party.
But leaving aside the issue of attachments (which, if necessary, can be translated in a brute-force fashion into a textual representation, and then “de-translated” at the other end), there’s one major difference between e-mail and snail-mail: email can be encrypted. If I assume, as I do assume, that any number of federal, state, municipal, and foreign governments may have the desire and the legal wherewithal to intercept (i.e., “open”) my email messages, and I really do want those messages to remain private, then I can encrypt them using readily available packages like PGP. The encryption software can be integrated, in a seamless way, with most popular email programs; and I can use the same packages to encrypt JPG’s, files, documents, spreadsheets, and other stuff that I might want to attach to a message.
Whether the NSA or Homeland Security Department can overwhelm the efforts of a well-chosen, carefully implemented citizen-level encryption effort is something I’m not really competent to discuss — and besides, I don’t want scary people from mysterious agencies knocking on my door and giving me stern lectures about such stuff. My hunch is that if I was careful enough, and if I tried hard enough, I could encrypt my email sufficiently well that it would take a long, long time (e.g., millions of years) for government agencies to crack it. Of course, they could simply hang me by my thumbs and play Brittany Spears albums until I screamed for mercy — which would take about 5 minutes — but we all agree that that’s not playing fair.
Of far more importance is the fact that, with few exceptions, almost nobody bothers encrypting their email. In the 10-15 years since encryption packages like PGP have been available, I’ve been in a few situations where encryption would have been appropriate for communications about sensitive corporate R&D projects, details of legal proceedings, and other perfectly legitimate things. But I’ve never … well, almost never, perhaps once or twice — been able to find anyone interested, and willing to invest the small amount of time and effort required to install and use the encryption packages.
Thus, I think that for most people, the news that government authorities might start opening our first-class mail is just another example of Scott McNealy‘s famous 1999 quote, “You have zero privacy anyway. Get over it.” If it really matters, eliminate your snail mail, send the information by email, and encrypt it with a carefully chosen key. Otherwise, stop whining.