
A market for a paranoid level of security on personal mail servers?

A Facebook friend of mine posted a story in the Telegraph about the British government wanting “to track every phone call, email, text message and website visit made by the public if they argue it is needed to tackle crime or terrorism”.

Conspiracy theories and tinfoil-hat-ism aside (“They’re already doing it! Every government! Even the US!”), this led me to ponder a bit and consider a new market:

Encrypted personal email servers.

I wonder what people would pay for a service like that. Each person gets their own “server”, likely a VPS. Mail inbound or outbound wouldn’t be encrypted at the transport or application level, but perhaps mail to other servers in this network would be encrypted in transit.

Mail stored on disk would be encrypted, but the user would have to input a password in order for the storage area to be accessible whenever the server started up. A caveat would be that the encrypted storage area is accessible while the “server” is powered on–however, the moment it is shut down, the data would be encrypted and require the user’s password.

On top of all of this, we urge users to utilize PGP encryption on all of their email. PGP keeps the messages themselves secure, and the security on the server keeps them doubly secure.

$35/mo per server up to perhaps 10 addresses? Also use it as a certain amount of file storage through WebDAV or the like?

Help me think out the logistics, folks who are more experienced than I.

Meta note: a series of full posts coming in the next week or two regarding travel–there’s a reason I’ve been silent!

Regarding the mandated data retention sections of the SAFETY Act of 2009

Sent via e-mail to Senators Specter and Casey, as well as Congressman Altmire, all of Pennsylvania…

Senators and Congressman,

I write in regards to a bill with the short title “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth (SAFETY) Act of 2009”. This bill was introduced with virtually the same text into the House by Mr. Smith of Texas as H.R. 1076 and into the Senate by Mr. Cornyn as S. 436.

While the overall goal of the bill — a reduction in the use of the Internet to facilitate the trafficking of child pornography — is noble, I am concerned that a key section of the bill is overbroad and unenforceable.

The section to which I am referring is Sec. 5, the “RETENTION OF RECORDS BY ELECTRONIC COMMUNICATION SERVICE PROVIDERS.” I include the text of the section here for reference:

Section 2703 of title 18, United States Code, is amended by adding at the end the following: “(h) Retention of Certain Records and Information- A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.”

My interpretation leads me to understand that this section would require any person operating an electronic communication or remote computing service to retain at least two years of logs of temporarily-assigned network addresses.

If interpreted as broadly as possible, this law could require every person who owns an Internet router — a very common, inexpensive, often wireless-capable networking device — to retain these logs for two years. These devices have a very limited storage capacity and generally do not have logging facilities enabled by default.

This law would essentially obsolete every home and small business router, as Americans would be compelled by federal law to buy a certainly more expensive router capable of storing a great amount of log files. This device would also have to be capable of backing up these logs to one or more external devices in order to ensure that the owner is protected from device failures. The price of these new routers would be much higher than the current market price of a router and this legislation would open the possibility of lawsuits against router makers when a router fails to log or retain the logs.

While this procedure is standard rigmarole for computer- and technology-savvy Americans, including information technology professionals, it is a difficult and potentially costly one for those who are not so inclined.

A single power outage or accidental or natural disaster could put someone in a position where they have violated federal law, as they acted as an electronic communication and remote computing service provider and did not retain records as federal law requires.

This is, of course, assuming that the federal agents responsible for enforcing this legislation do in fact police it. Instead, this new data retention requirement will go largely unnoticed, unacknowledged, and unenforced. It will become a law used to convict the ignorant, the careless, and the negligent instead of convicting those actually responsible for exploiting children.

I can assume that one or more of you has a wireless router in your home. This law would apply to you, as well. You would need to ensure that your wireless router logs all addresses which it assigns, and you would need to ensure that your logs are retained for at least two years. If for some reason something happened and those logs were lost, you would be guilty of violating federal law.

Moreover, the identifying information contained within these logs is easily fabricated and even easier to masquerade. Two of the three major operating systems can masquerade the most commonly used unique network hardware identifier — a MAC address — with a simple command. A trivial program does the trick for the third. Such a simple fact would easily dismiss a MAC address as evidence in a court test of this entire law, not just the section against which I am campaigning.

I understand that these bills have probably been referred to committees for further exploration. I urge you to exercise extreme caution if this bill comes up for vote alone or as a part of a larger piece of legislation. I urge you to see Section 5 stricken in its entirety on the grounds that it is unenforceable and overbroad.

Thank you for your attention to this matter. If you wish to discuss these or other technology-related bills, my phone is always handy and I’m always willing to share my knowledge.

Colin Dean
Volant, PA

CC: Senator Casey, Senator Specter, Congressman Altmire

Blog reader note: Slashdot links to an excellent summary by C|Net’s Declan McCullagh entitled “Bill proposes ISPs, Wi-Fi keep logs for police”.