A few days ago I wrote about a public-private partnership between the Russian spy folks and Russian hackers that was uncovered when the Feds indicted two hackers and two Russian spies. In that case, the hackers gave the Russians the data that they wanted and kept and used the rest for themselves.
Now there are reports of a similar but different arrangement with the Metropolitan Police in London. These reports are unsubstantiated as of right now.
The anonymous person who used to work for the intelligence community (or so they say), said it worked this way.
Scotland Yard worked with the Indian police who hired hackers to hack the emails of political dissidents. The hacked passwords were supposedly then returned to Scotland Yard so that they could then read the emails of environmental campaigners and journalists. It is not clear how the hackers benefited from this other than for being paid for their work. How the public-private partnership between the Indian hackers and Indian police worked may come out in the future – or may not.
Some of the passwords were verified by their owners as being their passwords, which certainly adds some legitimacy to the conversation.
The person who reported the crime said that the police had been rummaging through journalist’s and activist’s emails for several years.
The complaint was referred to the Independent Police Complaints Commission (IPCC) and they are reported to be investigating. The IPCC is already investigating a complaint that the intelligence unit shredded large numbers documents in 2014 in spite of an order to preserve the documents for review by the court. The complainer said that documents had been shredded on a far greater scale than the IPCC seems to be aware of.
Lawyers who received the letter in question said it contained 10 userids and passwords and they were able to confirm that five were the correct password for those users and one more was almost identical.
The Metropolitan Police said that they need to keep track of thousands activists to detect the few bad apples. They didn’t explain HOW they might do that – legal or otherwise.
Combine this with the details that WikiLeaks revealed about CIA efforts to hack into iPhones and there certainly is the appearance of widespread efforts to eavesdrop on people’s emails.
Certainly law enforcement has authority to a certain amount of eavesdropping, based on a set of rules laid out by law. Those laws vary from country to country.
On the other hand, there is sometimes a bit of fuzziness as to what is legal and what is not.
It may be easier – although likely much less legal – to obtain the password of people they want to monitor such as journalists – than to get multiple warrants. It is also likely difficult to get a warrant to monitor the emails of journalists if the journalist is just reporting the news.
For those people who wear tin foil hats (i.e. think the government is out to get them), this is just more evidence that they are right.
For people who just want to increase their level of privacy, using two factor authentication definitely helps to make it more difficult for this tactic to work – at the cost of a little more effort to log in.
For those people who want to go the extra privacy mile, using a solution that encrypts your email from end to end where you keep control of the encryption keys is a more secure solution. This solution, while significantly improving the privacy of your email, is also significantly more complicated to use.
Email solutions that claim to be encrypted but do not require you to know or manage any encryption keys likely do not provide much additional privacy for a variety of reasons.
Bottom line is that it depends on your level of paranoia and the length that you are willing to go to in order to gain some additional privacy.
For most people, keeping the contents of their email private is, at best, a nuisance. For other people, including journalists and investigators, privacy likely rises to a higher level.
Information for this post came from The Guardian.