The truth is, you're vulnerable. The government claims it doesn't need a warrant to search your data stored in the cloud or messages stored with a webmail service, like Gmail.

Together with Fight for the Future and EFF, we've launched VanishingRights to fight for our digital 4th Amendment rights.

We are Jim Dempsey, CDT's Vice President for Public Policy, Greg Nojeim, Director of our Security & Surveillance Project, and Mark Stanley, Campaign and Communications Strategist, and we're here to answer your questions on what your digital rights are, and what you can do to make sure your online data are protected from unwarranted surveillance.

Edit: Proof

Edit: Our Senior Staff Technologist, Joe Hall, has hopped on to answer some of the more technical questions. Thanks, Joe!

Edit: Jim, Greg, Mark, and Joe are signing off - thanks for all the great questions

Comments: 464 • Responses: 14

jimbeezee600 karma

That is a bit of a loaded statement. Petraeus was the CIA Director, there was a national security risk.

Brad_Wesley27 karma

So if the FBI decides there is a national security risk, then all rights are out the window? No warrant needed?

Gregcdt57 karma

The FBI can use National Security Letters to get non-content (your address, email to/from, the number of the credit card you use to pay for service, and more) when there's a national security risk. If they want content, they need an order under the Foreign Intelligence Surveillance Act. In the Petraeus case, it's not clear that they used that authority. They did reportedly use criminal authorities.

moffstang32 karma

Well, I don't live in the USA, but it would be interesting to know exactly what information can be gathered without a warrant.

Does it include ISP logs, and if so, how far back do those logs remain held?

MarkStanley33 karma

Hey moffstang - Here are some things that the Justice Department says it can obtain without a warrant: the content of opened emails stored with a webmail service like Gmail; email stored with a webmail service that is over 180 days old; our location information generated by our mobile phones; documents we store in the cloud.

Non-content information, such as IP addresses, routing data, sender and receiver information can all be gathered without a warrant. The ISP makes a business decision for itself regarding how long it wants to retain such information. There was a data retention mandate before Congress earlier this year, but it was fortunately stripped from the bill it was in after push back from advocates.

dupontcircle21 karma

Suppose I want to make a completely untraceable email account. Not 100% untraceable -- I understand if the FBI or whatever gets involved, they'll find a way. But just a simple account that no local police force could ever break. What should I do? Just sign up for gmail at a public computer and never access it from an IP that can be traced to me?

LOCO515010 karma

And proxies. Use several proxies.

st0oB29 karma

Do you think 7 is enough?

joebeone4 karma

Tor uses three

joebeone3 karma

Hmmm, it depends a lot on what you mean by "break". In the Petraeus affair (yuk yuk) they presumably used IP logs to figure out it was Broadwell or to eliminate as many people to get it close to her. So, you could do what you say but you'd have to be sure to never access that account from any location/IP address that could be traced to you. I'd like to think that you can do this from anywhere using TorBrowser (an anonymous browser), but I suspect to get TorBrowser to work with GMail there might be some problems. If any Tor aficionados care to speak up, please do. (I could test this myself, but need to run to a meeting). --Joe Hall (CDT technologist)

cerettala2 karma

I don't see any reason why TOR wouldn't work with GMail. In fact, to the application using the TOR proxy, it is all pretty transparent.

I was working on a router getup for a client not long ago that would transparently route all HTTP/HTTPS traffic through a TOR proxy. It did "Work" but TOR needs more exit nodes. (Really, it just needs more people participating in general). The latency was OK most of the time, but there was about 45ms of jitter (way too much for VOIP phones and video chatting, probably enough for all other forms of communication) and 3-5% packet loss.

joebeone7 karma

If you feel spendy, you might donate to https://www.torservers.net/ who aim to provide high-bandwidth exit nodes all over the world.

Revontulet13 karma

How would you recommend protecting our digital information in our GMail/Hotmail/*/Cloud accounts? Should we all be encrypting our emails and IMs?

For me at least, I am pretty dependent on my GMail account and say, moving to another service could be challenging.

joebeone29 karma

Joe Hall here (CDT's senior staff technologist):

The answer to this question fundamentally depends on what you're trying to protect and who from (and their capabilities). I definitely recommend using off-the-record encrypted IM when you use GChat, but note that, unfortunately Google's term for "Off The Record" is not encrypted but it merely makes sure that no one keeps logs. True OTR chat is authenticated and encrypted and the keys are discarded such that if someone tries to pin you to a chat log they've saved, you can easily claim they made it up. Clients like Adium (Mac) support this but go here to see which IM clients truly support real OTR IM: http://www.cypherpunks.ca/otr/

As for email, if you are talking about sensitive stuff, I very much recommend you learn how to use strong crypto tools like GPG/PGP. It can be daunting at first, because doing things right requires that you learn a bit about crypto: http://www.techrepublic.com/blog/opensource/get-started-with-gnupg/165

Finally, everyone out there should be using a password manager (I disagree strongly with Mat Honan about the death of the password)... these tools store passwords, create very strong ones and even type them in for you (to bypass keylogging malware). Lastpass, Keepass, 1password ($$$) and Password Wallet are all good examples.

And if you don't know how to surf anonymously using the TorBrowser, please go here, learn about it and download the latest one! https://www.torproject.org/about/overview.html.en
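An added illustration, not part of the AMA or of Joe Hall's answer: a simplified Python model of why a saved OTR chat log is not proof of authorship. OTR authenticates messages with MAC keys that both parties hold and that are retired as the session moves on, rather than with digital signatures. The key derivation, the epoch counter and the sample messages below are constructed assumptions, not OTR's actual key schedule.

```python
import hashlib
import hmac
import os


def derive_mac_key(shared_secret: bytes, epoch: int) -> bytes:
    # Assumption: a plain hash stands in for the protocol's real key schedule.
    return hashlib.sha256(b"mac" + epoch.to_bytes(4, "big") + shared_secret).digest()


def tag(mac_key: bytes, sender: str, text: str) -> bytes:
    # Message authentication code over "sender:text" with the shared key.
    return hmac.new(mac_key, f"{sender}:{text}".encode(), hashlib.sha256).digest()


def verify(mac_key: bytes, sender: str, text: str, mac: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, sender, text), mac)


def demo() -> dict:
    # Constructed stand-in for the secret both chat partners agree on.
    shared = os.urandom(32)
    k0 = derive_mac_key(shared, 0)

    # During the chat, Bob can check that the message really came from Alice.
    real_tag = tag(k0, "alice", "meet at noon")
    live_ok = verify(k0, "alice", "meet at noon", real_tag)

    # Bob holds k0 too, so he can produce a valid tag for text Alice never
    # sent. A log he saves therefore proves nothing to a third party.
    forged_tag = tag(k0, "alice", "text alice never wrote")
    forged_ok = verify(k0, "alice", "text alice never wrote", forged_tag)

    # The session has moved to the next key; the retired key no longer
    # authenticates anything in the live conversation.
    k1 = derive_mac_key(shared, 1)
    stale_ok = verify(k1, "alice", "text alice never wrote", forged_tag)

    return {"live_ok": live_ok, "forged_ok": forged_ok, "stale_ok": stale_ok}


if __name__ == "__main__":
    print(demo())
```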

sir_fancypants11 karma

At the risk of sounding like a cynic, I'm wondering how effective you believe email-writing campaigns are, such as the one featured on your website. Is a cause like this not futile without support from corporations, as was the case with SOPA et al.?

JimCDT9 karma

Good point. VanishingRights is just one part of our strategy. We also have a huge coalition of companies, trade associations and groups from across the ideological spectrum called DigitalDueProcess, which includes Google, Microsoft, AT&T, Facebook, and many others. They know that the weak laws on the books are a problem that needs to be fixed. But don't underestimate the value of individual contact with Congressional offices - that still counts - especially phone calls. VanishingRights contains phone numbers of key Senators.

sir_fancypants1 karma

Thank you for both your response and for the second link; DigitalDueProcess should be getting far more attention!

MarkStanley1 karma

I just want to emphasize the point about phone calls > emails. Emails to Congressional offices are better than nothing, but to break it down into a simple (and not 100% accurate) equation, you can think of one phone call to a Congressional office being worth about 100 emails. We've heard this time and again directly from Congressional staffers. Also, I once heard Ben Huh of Cheezburger say something really interesting: He keeps his elected representatives' numbers programmed in his smartphone, and whenever he disagrees with a bill or has something to say about it, he doesn't hesitate to call the offices up. This is the type of (hyper)active citizen engagement that could make a difference if enough people do it. Congressional offices definitely pay attention if they get enough calls from constituents on a single topic.

[deleted]9 karma

[deleted]

JimCDT16 karma

That is a broad question. I'll start with a broad answer and point to some resources. In the US, the Constitution, of course, is the bedrock source of your rights. While the Supreme Court has given a very strong interpretation to the 1st Amendment (free speech) as applied to the Internet, the courts have been slow in applying the 4th Amendment (protection against government searches) to the digital environment. That leaves the matter with Congress, and the main statute on the books, the Electronic Communications Privacy Act, is outdated, having been written in 1986. While the government needs a warrant from a judge to read your regular postal mail, and a warrant from a judge to listen to your phone calls, under ECPA it does not need a warrant to read much of your email, or your stored docs, calendar, photos - anything in the cloud. We're working to overcome that. See VanishingRights.

[deleted]2 karma

[deleted]

JimCDT2 karma

The international human rights framework does protect privacy, including privacy of communications. And some of the international human rights courts have begun fleshing out what that means in terms of limits on government surveillance. CDT and others are working on this issue from an international perspective. One recent output is the Brussels Principles drafted by several human rights groups. The International Chamber of Commerce put out some guidelines from a corporate perspective. Look for more from CDT in coming months.

[deleted]1 karma

[deleted]

MarkStanley2 karma

Hey MoT - The point of VanishingRights.com is to ensure that domestic law enforcement--from the Department of Justice/FBI (the top of the totem pole) down to local law enforcement--have to get a warrant from a judge before accessing our private digital information. This is the protection that is supposed to be granted to us by the Fourth Amendment - it's a matter of due process; that is, making sure law enforcement goes to a judge first, to prevent an abuse of powers. One of my libertarian colleagues has described the Fourth Amendment as the 'crown jewel' of Americans' civil liberties, and we think it should provide protection for our digital information just like it does for our postal letters and telephone calls, especially as we all rely more and more on the Internet and smartphones.

salsaconqueso5 karma

How do the online/digital rights of Americans compare to those in other countries? In your opinion, which countries are setting the best examples for legal rights to digital freedoms and privacy?

Gregcdt6 karma

We're launching a project to do that analysis right now. Center for Democracy & Technology will be working with activists from a number of countries to develop "human rights indicators" against which surveillance laws can be measured. Once we have agreed to indicators, we'll start mapping country laws against them. The result can be used by advocates to argue for improvements to their own country's law by pointing out what other countries are doing.

JimmyNSS3 karma

Do you have any ideas as to how pgp encryption could be easily incorporated into sites like hotmail/gmail/et cetera that was intuitive and also secure?

It would not only help with privacy for when people get into our email boxes but would make mail transfers safer and something that is very important to me, my data sitting on google's server would be encrypted.

I'm thinking about this from the perspective of having key rings on phones and desktops that people with no tech skills (ie my 75 year old dad) can easily implement but keep them secure.

Using a thumbprint scanner or facial recognition instead of a password might be a quick path to making the key ring only accessible to authorized people.

joebeone3 karma

Well, I copy and paste ciphertext into GMail's edit window. ::) And, alas, the firefox plugin for gpg in Gmail, FireGPG, died a slow death... it's a very hard thing to do without direct buy-in from Google (the Gmail interface changes so much that it can be impossible to keep up). Thunderbird and other mailers have very good support for GPG/PGP... such as the enigmail plugin for thunderbird. I'd suggest using that for Gmail over IMAP when you need to send signed/encrypted stuff and otherwise just paste in ciphertext and securely delete cleartext!

horsepills2 karma

Is this a global issue? Need internet users in other countries be as concerned? If so what can be done on a global level to combat privacy concerns?

Gregcdt2 karma

It is -- you can see it in the Google, Twitter and other companies' transparency reports. Here's a story about Google's latest: http://www.eweek.com/security/google-reports-government-surveillance-requests-continue-to-rise/. We do need to get a better handle tho on what is happening on a global level in terms of surveillance. We're working with some others to develop standardized reporting models -- a medium or long term project.

julius_sphincter2 karma

What, in your informed opinion, would be grounds for the FBI or another organization to begin looking into a private citizen's affairs? And could they have any idea that they were under surveillance?

Gregcdt2 karma

FBI needs only a sneaking suspicion as grounds to begin to investigate. In a "preliminary investigation" it needs only a tip or lead that it thinks should be tracked down, including an anonymous one. Under DOJ Guidelines adopted a few years ago, FBI in one of these preliminary investigations can use a pen register or trap and trace device to find who you are emailing, and who emailed you, even at this very early stage. See: https://www.cdt.org/policy/investigative-guidelines-cement-fbi-role-domestic-intelligence-agency-raising-new-privacy-cha

capnasshat2 karma

If I understand correctly, under ECPA there is no warrant requirement for my gmail? What's the standard then? Probable Cause? Reason to Believe? Half-Baked Hunch? Is there any check on law enforcement's ability to simply request my cloud-based info from Google on a whim?

Gregcdt2 karma

Good question. Much of your email content is available to law enforcement at a very low standard -- mere relevance -- and without judicial authorization. The prosecutor simply fills out a subpoena and serves it on your email provider. This applies to any email older than 180 days. For newer email, they need a warrant. However, DOJ, exploiting a quirk in the language used in the statute, says that for any newer email that you actually open, the warrant requirement goes away! Thus, junk mail you ignore is protected, anything so important as to be read is not. The www.vanishingrights.com effort would fix this problem and require warrants for all email. Warrant means probable cause plus judicial authorization -- a high standard.

[deleted]2 karma

[deleted]

joebeone5 karma

Alas, you'll need to take some time to learn about GPG/PGP or, god forbid, S/MIME. It gets very technical quick.