Are The Feds Sniffing Your Remail?
Foreign and domestic intelligence agencies are actively monitoring worldwide Internet traffic and are allegedly running "anonymous remailer" services designed to protect the privacy of electronic mail users.

The startling claim that government snoops may be surreptitiously operating computer privacy protection systems used by private citizens was made earlier this year at a Harvard University Law School Symposium on the Global Information Infrastructure. The source was not some crazed computer hacker paranoid about government eavesdropping. Rather, the information was presented by two defense experts, Former Assistant Secretary of Defense Paul Strassmann, now a professor at West Point and the National Defense University in Washington, D.C., along with William Marlow, a top official at Science Applications International Corp., a leading security contractor.

Anonymous remailer services are pretty much what the name implies. By stripping identifying source information from email messages, they allow people to post electronic messages without traceable return address information.

But Strassmann and Marlow said that the anonymous remailers, if used properly -- and in tandem with encryption software -- pose an unprecedented national security threat from "information terrorists." Intelligence services have set up their own remailers in order to collect data on potential spies, criminals, and terrorists, they said. Following their Harvard talk, Strassmann and Marlow "explicitly acknowledged that a number of anonymous remailers in the US are run by government agencies scanning traffic," said Viktor Mayer-Schoenberger, a lawyer from Austria who attended the conference.
"Marlow said that the [US] government runs at least a dozen remailers and that the most popular remailers in France and Germany are run by respective agencies in those countries."

Mayer-Schoenberger was shocked by the defense experts' statement and tried to spread the news by sending an email message to Hotwired, the online version of Wired magazine. Although the story did not make headlines, his note quickly became the email message relayed 'round the world, triggering over 300 messages to Strassmann and Marlow. It was followed by the electronic version of spin control.

Strassmann quickly posted a denial. In an interview, he said the Austrian completely misunderstood what he and Marlow had said. "That was false," Strassmann said of Mayer-Schoenberger's message. "That was the person's interpretation of what we said. ... We did not specifically mention any government. What we said was that governments are so heavily involved in this [Internet issues] that it seems plausible that governments would use it in many ways." (Marlow did not return a call for comment.)

But Harvard Law School Professor Charles Nesson, who heard the original exchange at the Harvard conference, recalls the conversation as Mayer-Schoenberger described it. Mayer-Schoenberger also stands by his story. "I remember the conversation perfectly well," he emailed from Vienna. "They said a couple of additional things I'm sure they don't want people to remember. But the statement about the remailers is the one most people heard and I think is quite explosive news, isn't it?" "Marlow said that actually a fair percentage of remailers around the world are operated by intelligence services," Mayer-Schoenberger recalled in a subsequent interview. "Someone asked him: 'What about the US, is the same true here as well?' Marlow said: 'you bet.'"

The notes for the Harvard symposium, posted on the World Wide Web, also lend credence to Mayer-Schoenberger's account.
"The CIA already has anonymous remailers -- but to effectively control [the Internet] would require 7,000 to 10,000 around the world," the notes quote Marlow as saying.

@EASE WITH EAVESDROPPING

Prying into email is probably as old as email itself. The Internet is notoriously insecure; messages are kept on computers for months or years. If they aren't stored safely, they can be viewed by anyone who rummages through electronic archives -- by searching through the hard drive, by using sophisticated eavesdropping techniques, or by hacking in via modem from a remote location. Once email is obtained, legally or not, it can be enormously valuable. Lawyers are increasingly using archived email as evidence in civil litigation. And it was Oliver North's email (which he thought was deleted) that showed the depths of the Reagan administration's involvement in the Iran-Contra affair.

Moreover, it's easier to tap email messages than voice telephone traffic, according to the paper written by Strassmann and Marlow. "As email traffic takes over an ever-increasing share of personal communications, inspection of email traffic can yield more comprehensive evidence than just about any wire-tapping efforts," they wrote. "Email tapping is less expensive, more thorough and less forgiving than any other means for monitoring personal communications."

@ RISK

Two kinds of anonymous remailers have evolved to protect the privacy of users. The first, and the less secure, are "two-way database remailers," which maintain a log linking anonymous identities to real user names. These services are more accurately called "pseudonymous" remailers since they assign a new name and address to the sender (usually a series of numbers or characters) and are the most vulnerable to security breaches, since the logs can be subpoenaed or stolen.
The most popular "pseudonymous" remailer is a Finnish service "at anon.penet.fi".

"I believe that if you want protection against a governmental body, you would be foolish to use anon.penet.fi," said Jeffrey Schiller, manager of the Massachusetts Institute of Technology computer network and an expert on email and network security. Last year, in fact, authorities raided anon.penet.fi to look for the identity of a Church of Scientology dissident who had posted secret church papers on the Internet using the supposedly private service. The second kind of remailers are "cypherpunk" services run by computer-savvy privacy advocates. Someone desiring anonymity detours the message through the remailer; a remailer program removes information identifying the "return address," and sends it on its way. Schiller says that a cypherpunk remailer in its simplest form is a program run on incoming email that looks for messages containing a "request-remailing-to" header line. When the program sees such a line, it removes the information identifying the sender and "remails" the message. Some remailers replace the return address with something like "email@example.com."

Further protection can be obtained by using free, publicly available encryption programs such as Pretty Good Privacy and by chaining messages and remailers together. Sending the message from remailer to remailer -- using encryption at each hop -- builds up an onion skin arrangement of encrypted messages inside encrypted messages. Some remailers will vary the timing of the outgoing mail, sending the messages out in random sequence in order to thwart attempts to trace mail back by linking it to when it was sent.

@ISSUE: THE RIGHT TO PRIVACY

Linking encrypted messages together can be tricky and time-consuming. So who would bother? A.
Michael Froomkin, an assistant professor of law at the University of Miami and an expert on Internet legal issues, says anonymity allows people to practice political free speech without fear of retribution. Whistleblowers can identify corporate or government abuse while reducing their risk of detection. People with health problems that are embarrassing or might threaten their ability to get insurance can seek advice without concern that their names would be blasted electronically around the world. A battered woman can use remailers to communicate with friends without her spouse finding her.

The Amnesty International human rights group has used anonymous remailers to protect information supplied by political dissidents, said Wayne Madsen, a computer security expert and co-author of a new edition of The Puzzle Palace, a book on the National Security Agency. "Amnesty International has people who use remailers because if an intelligence service in Turkey tracks down [political opponents] ... they take them out and shoot them," he said. "I would rather err on the side of those people. I would rather give the benefit of the doubt to human rights." Strassmann and Marlow, on the other hand, see the threat to national security as an overriding concern. Their paper, "Risk-Free Access into the Global Information Infrastructure via Anonymous Remailers," presented at the Harvard conference, is a call to electronic arms. In it, they warn that remailers will be employed in financial fraud and used by "information terrorists" to spread stolen government secrets or to disrupt telecommunication, finance and power generation systems. Internet anonymity has rewritten the rules of modern warfare by making retaliation impossible, since the identity of the assailant is unknown, they said. "Since biblical times, crimes have been deterred by the prospects of punishment. For that, the criminal had to be apprehended.
Yet information crimes have the unique characteristic that apprehension is impossible. ... Information crimes can be committed easily without leaving any telltale evidence such as fingerprints, traces of poison or bullets," they wrote. As an example, they cite the Finnish remailer (anon.penet.fi), claiming that it is frequently used by the ex-KGB Russian criminal element. Asked for proof or further detail, Strassmann said: "That [paper] is as far in the public domain as you're going to get." At the Harvard symposium, the pair provided additional allegations that anonymous remailers are used to commit crimes. "There was a crisis not too long ago with a large international bank. At the heart of the problem turned out to be anonymous remailers. There was a massive exchange around the world of the vulnerabilities of this bank's network," Marlow said. But David Banisar, an analyst with the Washington, D.C.-based Electronic Privacy Information Center (EPIC), downplayed this kind of anecdote, saying that such allegations are always used by governments when they want to breach the privacy rights of citizens. "I think this information warfare stuff seems to be a way for the military trying to find new reasons for existence and for various opportunistic companies looking for ways to cash in. I'm really skeptical about a lot of it. The problem is nine-tenths hype and eight-tenths bad security practices," he said. Already existing Internet security systems "like encryption and firewalls could take care of the problem."

The public should not have to justify why it needs privacy, he said. "Why do you need window blinds? Privacy is one of those fundamental human rights that ties into other human rights such as freedom of expression, the right to associate with who you want, the right to speak your mind as you feel like it. ... The question shouldn't be what do you have to fear, it should be 'Why are they listening in?'
With a democratic government with constitutional limits to democratic power, they have to make the argument they need to listen in, not the other way around." Froomkin, from the University of Miami, also questioned Strassmann and Mayer's conclusions. "First of all, the statistics about where the remailers are and who runs them are inaccurate. I can't find anybody to confirm them," he said. "I completely disagree with their assessment of facts and the conclusions they draw from them. ... Having said that, there's no question there are bad things you can do with anonymous remailers. There is potential for criminal behavior." Banisar doubts that intelligence agencies are actually running remailers. "It would entail a fairly high profile that they tend to shy away from," he said. However, it is likely that agencies are "sniffing" -- monitoring -- traffic going to and from these sites, he said.

@ WORK SNIFFING THE NET

Not in doubt, however, is that the government is using the Internet to gather intelligence and is exploring the net's potential usefulness for covert operations. Charles Swett, a Department of Defense policy assistant for special operations and low-intensity conflict, produced a report last summer saying that by scanning computer message traffic, the government might see "early warnings of impending significant developments." Swett added that the "Internet could also be used offensively as an additional medium in psychological operations campaigns and to help achieve unconventional warfare objectives." The unclassified Swett paper was itself posted on the Internet by Steven Aftergood of the Federation of American Scientists.

The document focuses in part on Internet use by leftist political activists and devotes substantial space to the San Francisco-based Institute for Global Communications (IGC), which operates Peacenet and other networks used by activists.
IGC shows, Swett writes, "the breadth of DoD-relevant information available on the Internet."

The National Security Agency is also actively "sniffing" key Internet sites that route electronic mail traffic, according to Puzzle Palace co-author Wayne Madsen. In an article in the British newsletter Computer Fraud and Security Bulletin, Madsen reported that sources within the government and private industry told him that the NSA is monitoring two key Internet routers -- which direct electronic mail traffic -- in Maryland and California. In an interview, Madsen said he was told that the NSA was "sniffing" for the address of origin and the "address of destination" of electronic mail.

The NSA is also allegedly monitoring traffic passing through large Internet gateways by scanning "network access points" operated by regional and long-distance service providers. Madsen writes that the network access points allegedly under surveillance are at gateway sites in Pennsauken, N.J. (operated by Sprint), Chicago (operated by Ameritech and Bell Communications Research) and San Francisco (operated by Pacific Bell). Madsen believes that NSA monitoring doesn't always stop at the US border, and if this is true, NSA is violating its charter, which limits the agency's spying to international activities. "People familiar with the monitoring claim that the program is one of the NSA's 'black projects,' but that it is pretty much an 'open secret' in the communications industry," he wrote.

Electronic communications open up opportunities to broaden democratic access to information and organizing. They also provide a means and an opportunity for governments to pry. But just as people have a right to send a letter through the post office without a return address, or even to drop it in a mail box in another city, so too, electronic rights advocates argue, they have the right to send an anonymous, untraceable electronic communication.
And just as the post office can be used maliciously, or to commit or hide a crime, remailers can be used by cruel or criminal people to send hate mail or engage in "flame wars." And like the post office, the highways, and the telephone, the Internet could be used by spies or terrorists. Those abuses, however, do not justify curtailing the rights of the vast number of people who use privacy in perfectly legal ways.

Robert Ellis Smith, editor of the Privacy Journal newsletter, said government agencies seem obsessed with anonymous remailers. "They were set up by people with a very legitimate privacy issue," he said. "Law enforcement has to keep up with the pace of technology as opposed to trying to infiltrate technology. Law enforcement seems to want to shut down or retard technology, and that's not realistic. Anonymous remailers are not a threat to national security."
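
Added example, not part of the original article or any remailer's actual code: a minimal Python sketch of the cypherpunk remailer step Schiller describes (act only on a "request-remailing-to" header, discard sender-identifying headers, substitute a return address) together with the random-order release the article mentions. The placeholder address, the kept-header list, the pool size and the sample message are assumptions constructed for illustration, and only plain-text messages are handled.

```python
import random
from email import message_from_string
from email.message import EmailMessage

REMAIL_HEADER = "Request-Remailing-To"   # header name as quoted in the article
KEEP = ("Subject",)                      # assumption: only these headers pass through
PLACEHOLDER_FROM = "nobody@remailer.invalid"  # constructed replacement address

# Constructed sample of what arrives at the remailer.
SAMPLE = """\
Received: from dialup-17.isp.example by remailer.example; Mon, 1 Jan 1996 10:00:00 +0000
From: Alice <alice@isp.example>
Message-ID: <123@isp.example>
Request-Remailing-To: list@news.example
Subject: test

body text
"""

def flat(value):
    return " ".join(value.split())       # collapse folded header whitespace

def remail(raw):
    """Return (destination, stripped message), or None if no remailing request."""
    msg = message_from_string(raw)
    dest = msg.get(REMAIL_HEADER)
    if not dest or not flat(dest):
        return None                      # ordinary mail is left alone
    # Here the operator sees both real sender and destination: who runs it matters.
    out = EmailMessage()                 # fresh message: nothing is copied by default
    out["From"] = PLACEHOLDER_FROM
    out["To"] = flat(dest)
    for name in KEEP:
        if msg[name]:
            out[name] = flat(msg[name])
    out.set_content(msg.get_payload())
    return flat(dest), out

class ReorderPool:
    """Hold messages until `size` are queued, then release them shuffled."""
    def __init__(self, size, rng=None):
        self.size, self.queue = size, []
        self.rng = rng or random.SystemRandom()
    def add(self, item):
        self.queue.append(item)
        if len(self.queue) < self.size:
            return []                    # keep holding; nothing leaves yet
        batch, self.queue = self.queue, []
        self.rng.shuffle(batch)          # output order no longer matches arrival order
        return batch
```

Nothing in this step hides the message from the remailer itself, which is why the article's question of who operates the service, and the chaining with encryption at each hop, carry the weight they do.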