Electronic Communication in High-Risk Foreign Territories

That title sounds way more formal than it should.

About six months ago, several people hosted a party for a friend returning from a very dangerous country in North Africa. Several friends there had been through the process of using code names during the course of their missionary work, and one common theme kept appearing:

“They read your emails.”

I frowned. How would you even know a government was reading your email? “Oh, they do.”

I didn’t want to be a jerk, so I didn’t press the issue too hard, and it was actually a pretty interesting conversation, but as a technical person, I’m not content with those sorts of answers. It is common for people to ascribe powers to governments that either do not exist or only exist in very limited contexts.

Now, playing it safe doesn’t ever hurt (or does it?). I’m not so bold in my knowledge of technology that I would say, “Yeah, sure, go ahead and talk about Jesus, God, and the Holy Spirit. Feel free to announce which cities you are in and what sort of missionary work you are doing and when.” Here are some thoughts on this subject:

  • There is nothing that inherently connects you to your email address. You can create an account for John Doe 999 or anything on gmail and Google isn’t going to know any better. They can correlate the IP address you are registering from, but you can register through an anonymizer or go to a coffee shop and register from their network.
  • Governments can’t (yet) break AES. Seriously, if your connection is encrypted, you’re pretty solid. Now, this can be circumvented if you are using a browser or computer that has been tampered with. In this situation, if you login to your email from that location others can potentially ‘see’ what you access. But this is a very particular situation and is a separate issue from the government having access to your email. In this case, you technically give them access. It is also different from them reading your emails or even having access to the emails that you do not open.
  • You can’t court-order information from a company that does not operate within your jurisdiction. This one is almost a no-brainer. However, many countries operate together. Beware the gag order. But you have to be kidding me if you think governments have the time and budget to court-order access to every traveler within their borders. They do profile people, however, but limited budgets means you have to be a big fish to turn up on the radar.

Another note: it’s great to be security-conscious about what you are sending through email, but I have yet to hear anybody talk about deleting sensitive words from all of their previous emails. In the discussions I have heard, it is always about what you are actively sending. It depends what you truly believe by “they read your emails.” See how this gets very technical very fast?

Anyway, this has been on my mind lately and I’d like to do more research. Time permitting, it would be really fun to put together a paper outlining the research and some solid conclusions that can be used in the field.