Jan 19, 2008

Chasing email tails

In the news, the Irish Justice Department is going to implement an EU Directive for storing and saving email transaction information (not the emails themselves, just things like to/from/when, etc). Many people argue against this based on privacy issues. And that's a very valid issue. However there's another flaw that rarely gets covered: it won't work. I'd argue it's actually damaging to real security. I'm an Irish resident but I suspect very few of my online communications are logged under this directive. Some of my email is handled by a server in the States (and accessed via an encrypted channel) and I communicate with many friends via IRC frequently via an encrypted channel (and only one server is based in Ireland). With very little effort I could ensure that all of my online communications would be done via encrypted channels, outside of Ireland and in a way that can't be traced. In addition I could do it in a way that wouldn't arouse suspicion - using protocols that any computer professional might use in the course of their job. If I can think of that then surely anyone having discussions they wouldn't want the government to know would take advantage of these methods and more. So the vast majority of this information being stored is of people the government has no interest in. Like 99.999999% of it will be useless information that will need to be stored and sifted through to find anything of interest. And what will be found - the fact that Alice mailed Bob on Tuesday? And it's email so you can't even really prove that it was Alice who sent the mail. That's a lot of effort for the tiniest of facts. Worse still, far too many people will think this issue is solved. There are times when the government has a valid reason to gather information on suspects. Expending all this effort to gather useless information (and to ensure compliance) means we won't be expanding as much effort trying to find important information (and to find out how criminals are really communicating).