Over the past few months, the world has watched as Edward Snowden – a now ex-employee of NSA contractor Booz Allen Hamilton – leaked information that confirmed what we all assumed; that the government is spying on us, in a very, very big way.
Privacy and security have always been important to me, but far from being an expert, I decided to reach out to Simon Persson, the owner of secure email provider CounterMail, and ask him a few questions about PRISM, online privacy and security, and what he thinks about crypto-currencies like BitCoin.
Let’s dive right in…
Simon, could you tell our readers a little bit about yourself, your background, and why you decided to start a secure email service?
My name is Simon Persson, and I am the founder of Countermail. I’m 40 years old, I live in Stockholm, Sweden.
I got my first computer in 1983, it was a Spectrum 48k, which had 48k in RAM and a 3.5Mhz CPU, pretty exotic in those days, but today’s mobile phones are around 1000 times more powerful! I was immediately hooked, especially with the programming aspect, most of my friends preferred playing games on their computers, but I always had programming as #1 interest, playing games was #2. I have been programming since then.
In the late eighties I became more and more interested in hacking and cryptography. I remember I always felt that IT-security is the future, because computerization will only increase, and when companies start sending their information through the cables, it must be protected well. But it wasn’t until 1999 I became seriously interested in cryptography, I got a present from my mother, it was The Codebook (by Simon Singh). At that time there was an active competition in the book, the cipher challenge, with a first prize of 10,000 pounds (GBP), so it made the book even more interesting. I still recommend it when people ask about books about cryptography. It’s one of the the best introduction books.
After reading that book I really realized how important cryptography is, and will be. During world War II, it was a matter of life and death, strong encryption may save lives, and weak encryption may kill people.
Since 1999 I started implementing cryptography in most programs I made, sometimes even though it was not necessary 🙂
I used Hushmail for many years, until 2007 when it became clear that they could disable the encryption for individual users. At that time, there was no other provider with web based OpenPGP end-to-end encryption. So I started planning to create my own service, with OpenPGP end-to-end security, no unencrypted emails or passwords should be stored on my server. I registered the domain name in 2008, but it was not until May 2010 the service was ready to open up.
In light of PRISM and all the recent NSA shenanigans, where do we go from here? I’m especially curious to hear your thoughts on people’s behavior in regards to security going forward.
More people will understand that they need to be cautious when the send stuff over internet, it’s not only NSA that could tap into your information, an advanced hacker or criminal organization could do similar things with your data.
I hope that companies start realizing that their trade secrets could be compromised when using weak or backdoored encryption. I think more people will try to learn the basics in IT-security.
How do you choose your passwords? Randomly generated, or do you have a system? Many people seem to have trouble striking a balance between security and memorability.
I use different levels, a less important site gets an easier password, and more sensitive places get longer & harder passwords. The most sensitive information, like server disk encryption, gets a randomized password. I also use SafeBox (a password manager in Countermail) to keep track of passwords.
I think it’s safe to assume that you’ve heard the “if you’ve got nothing to hide…” over the years. What are your thoughts on this in respect to personal privacy?
Yes, I heard it many times. I think it’s based on ignorance or naivety. A Swedish professor of criminology said that those “I got nothing to hide”-persons do no exist IRL, everyone have something that they want to keep private. Information can also be misinterpreted, a quote from a french politician: “If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang them”.
There are no government or police organization that can protect their data 100% against leakage, and the people working for the government are just like normal people, mostly good, but some evil. Some may abuse the information. The government must be allowed to use surveillance against targeted suspected individuals, but not against the whole population and innocent people, aka. mass surveillance.
Secure email services seem to be a dime a dozen these days; what sets CounterMail apart from say, HushMail?
There are many things, here are some of them:
- We are under Swedish jurisdiction and swedish laws, Sweden still have better privacy laws than many other countries
- We don’t log IP-addresses
- You can pay anonymously if you follow our instructions, or simply just use Bitcoin
- Incoming email will be encrypted to your public key, which means no emails will be stored as plaintext on our server, only in encrypted format
- Web based OpenPGP encryption with no possibility to disable the end-to-end encryption, passwords and decrypted texts is never sent to our server
- We have an USB-key option, which gives you two factor authentication, and increased protection
- Our webmail server do not have any hard drives, only CD-ROM, which means no “leakage” to any hard drive is possible
- Our customers never have any direct connection to our mailserver, regardless how they connect to their account, IMAP/SMTP/webmail always connects to a diskless server (tunnel)
- You can delete the private key from our server (but we recommend this only for advanced users, your private key is always encrypted on our server anyway)
- We have an additional encryption layer to protect against man-in-the-middle attacks
If anyone can find any other established provider that have all our privacy and security features, we will give that person $10k as a reward!
Aside from securing our email, what’s one other easy win for the average computer user in terms of securing their personal privacy?
Learn how to use FireFox + the NoScript add-on, and use that as your main web browser. With NoScript, the first time you visit a domain you have to manually allow a certain domain to run a scripts and plugins. If I had to choose between an Anti-virus software and a “NoScript”-plugin, I will choose the “NoScript” plugin. You should not allow global scripting/plugin execution in your web browser, only to domains you trust. Also set your browser to remove cookies when you close it, to prevent tracking and give you more privacy. A good antivirus program and a software Firewall is of course also good to have.
Bitcoin and other crypto-currencies have really started making waves this year. What are your thoughts on their viability? I’ve seen quite a bit of backlash along the lines of “they’ll only be used for money laundering!”.
I like the idea with crypto-currencies, they are decentralized and give much more privacy compared to normal payment methods. However, I would not put all my savings into Bitcoin, there are some theoretical attacks that could crash the currency, but it’s very hard to “kill” BitCoin permanently. The Banks and the governments do not like it, so they will probably try to use the “fear”-factor or “criminal”-factor on it.
Is there anything else you want to tell our readers about CounterMail or security in general?
HTTPS/SSL-encryption alone do not give enough security against an advanced attacker, I and many other in the IT-security field already knew that before it was confirmed in the NSA leaks by Snowden.
Start using PGP email encryption, or at least try to learn how it works. OpenPGP is not locked to a specific provider, it’s an open standard that could be installed on almost any computer platform, with many email providers. One benefit with Countermail is that most PGP-actions is done automatically, so it’s easier to get started, and of course the fact that incoming unencrypted email is automatically encrypted to your public key, this feature is something that many providers lack. When Edward Snowden started to communicate with the journalists, he wanted them to use PGP encryption, and he had to learn them how to use it. So far, everything indicates that PGP still holds up, even against NSA.
I’ve heard Snowden’s revelations described as “the least surprising, most unexpected” thing to happen, and I think that’s pretty accurate. Though governments have been spying on foreign bodies since time immemorial, advances in technology have made this easier than ever, both abroad and domestically.How could any spy agency resist that kind of temptation?
In a way, I actually find the whole situation kind of funny. Temptation aside, can we really be upset when we’ve been so complacent pushing back as a society? I would really love to hear your thoughts in the comments below.
And Simon, thank you very much for taking the time to answer my questions, and allowing me to share them with my readers. I greatly appreciate it.