Tutanota releases iOS encrypted email app after notifying NSA

The German encrypted email service Tutanota has released its iOS app, weeks after its Android app came out. The delay in the release of the iOS app was apparently due to the need for those publishing open-source apps of this kind to first notify the NSA and the U.S. Commerce Department of their existence — it seems Apple is more strict about making sure this measure has been taken.

Tutanota, already available as a free webmail service and paid-for Outlook plugin, uses encryption based on open-source implementations of algorithms using 128-bit AES and 2048-bit RSA, though PGP compatibility should also be introduced somewhere down the line.

It automatically encrypts and decrypts the emails that users send to other Tutanota users. If a Tutanota user sends an email to someone not using the system, it can also be sent encrypted (the email is encrypted in the sender’s client and she has the only key) but the password will need to be shared with the recipient via phone, in person or using some other method. Unencrypted emails sent to a Tutanota user are also encrypted with the recipient’s public key once they reach the company’s German servers.

Currently, the downside is that users have to use a “tutanota.de” email address, which isn’t necessarily an attractive option for everyone, but company founder Matthias Pfau told me the firm will soon add other domain options. Those wanting to use their own domains will also get to do so at some point, but that will be a paid-for premium feature.

Pfau said the iOS and Android apps had been submitted to their respective app stores at the same time, but Apple requires suppliers of open-source security software using cryptographic functions with asymmetric algorithms to — as U.S. export regulations dictate — notify the Commerce Department’s Bureau of Industry and Security (BIS) and the NSA’s ENC Encryption Request Coordinator of what they’re putting out there. This seems to be about notification only, rather than seeking approval from these agencies as such.

I wasn’t previously aware of this requirement, but here’s what the rules say (PDF) about “publicly available encryption source code”:

You must notify BIS and the ENC Encryption Request Coordinator via e-mail of the Internet location (e.g., URL or Internet address) of the publicly available encryption source code or provide each of them a copy of the publicly available encryption source code. If you update or modify the source code, you must also provide additional copies to each of them each time the cryptographic functionality of the source code is updated or modified. In addition, if you posted the source code on the Internet, you must notify BIS and the ENC Encryption Request Coordinator each time the Internet location is changed, but you are not required to notify them of updates or modifications made to the encryption source code at the previously notified location.

Anyhow, should you use Tutanota? Well, the fact that you need a special email address is in itself a limiting factor: chances are people know your existing email address and will default to using that. There are several encryption systems out there that rely on pre-shared passwords (such as OX Guard) and, while they do avoid the difficulties of dealing with the PGP key system, unless you can exchange passwords in person you’re arguably less secure than if you were using PGP – it really depends on whether you’re under heavy targeted surveillance.

In theory, you don’t need to trust Tutanota to use its system, as you would hold your key (and the company wouldn’t be able to remind you of it if you lose it). The company has had a security scare in the past, with a researcher finding a cross-site scripting vulnerability, but that flaw was patched up and Tutanota subsequently went open-source and published its code. That means it can be freely audited, though it doesn’t necessarily mean that it has been thoroughly audited. Pfau told me a couple bugs had been flagged this way, but they had nothing to do with the service’s security.

UK wants hot tech grads to do spy work before building startups

The British government is considering a program that would see the most promising tech graduates spend some time working for the GCHQ signals intelligence agency, the U.K.’s equivalent to the NSA, before they move into the private sector.

As per a Thursday article in The Independent, confirmed to me by the Cabinet Office on Friday, the scheme would give the U.K. a rough equivalent to the system in Israel, where many tech entrepreneurs have come out of Unit 8200 of the Israel Defence Force. Unit 8200 is also a signals intelligence operation, and the cybersecurity firm Palo Alto Networks is a notable spinout.

According to the Cabinet Office sources quoted in the Independent piece, the idea would be to “capitalize on the expertise in GCHQ in terms of IT commercialization” by creating “a secure space where business can work with GCHQ and build an eco-system between the two.” (Side note: For more security-related U.K. civil-service-speak, check out the brilliant Sir Bonar Neville-Kingdom spoof account on Twitter.)

In short, part of the attraction lies in the idea of making money out of GCHQ’s in-house spy tech. In Israel, some Unit 8200 technologies have ended up being commercialized through startups created by former members. The Cabinet Office reckons the same could be done in the U.K., particularly around cybersecurity technologies — Cabinet Office boss Francis Maude visited Israel in November and, I am told, came away with lots of ideas around “digital and cyber”.

No doubt GCHQ would also benefit from the fresh ideas bubbling away in the brains of U.K. tech’s future stars, not to mention the potential for continued links in the future.

Of course, all Israelis have to go through the army anyway, so funnelling bright young tech minds through the local spook house is a relatively easy task there. GCHQ and the Cabinet Office may have a harder time of convincing promising British techies to spend time hanging around spooks, particularly with GCHQ’s mass surveillance programs – illegal under international law — having been exposed by the leaks of NSA contractor Edward Snowden.

While GCHQ has remained tight-lipped about its specific activities, since the Snowden leaks it has made a couple attempts at publicity. In November its new chief, Robert Hannigan, attacked U.S. tech firms for “benefiting” terrorists by extending encryption across their products and networks, and in December it released a tablet app for kids to, er, teach them the basics of encryption.

How the internet’s engineers are fighting mass surveillance

The Internet Engineering Task Force has played down suggestions that the NSA is weakening the security of the internet through its standardization processes, and has insisted that the nature of those processes will result in better online privacy for all.

After the Snowden documents dropped in mid-2013, the IETF said it was going to do something about mass surveillance. After all, the internet technology standards body is one of the groups that’s best placed to do so – and a year and a half after the NSA contractor blew the lid on the activities of the NSA and its international partners, it looks like real progress is being made.

Here’s a rundown on why the IETF is confident that the NSA can’t derail those efforts — and what exactly it is that the group is doing to enhance online security.

Defensive stance

The IETF doesn’t have members as such, only participants from a huge variety of companies and other organizations that have an interest in the way the internet develops. Adoption of its standards is voluntary and as a result sometimes patchy, but they are used – this is a key forum for the standardization of WebRTC and the internet of things, for example, and the place where the IPv6 communications protocol was born. And security is now a very high priority across many of these disparate strands.

As IETF chair Jari Arkko told me, if previous battles over the inclusion of encryption in the internet protocol set hadn’t been won by those advocating greater security – their opponents were governments, of course – then using the net would be a riskier business than it currently is. “Fortunately we decided we should have strong encryption, and I do not know what would have happened if we did not make that decision at the time,” he said, pointing to e-commerce and internet banking as services that may never have flourished as they have.

With trust in the internet having been severely shaken by Snowden’s revelations, the battle is back on. In May this year, the IETF published a “best practice” document stating baldly that “pervasive monitoring is an attack.” Stephen Farrell, one of the document’s co-authors and one of the two IETF Security Area Directors, explained to me that this new stance meant focusing on embedding security in a variety of different projects that the IETF is working on.

As Arkko put it:

I think a lot of the emphasis today is on trying to make security a little more widely deployed, not just for special banking applications or websites where you provide your credit card number, but as a more general tool that is used for all communications, because we are communicating in insecure environments in many cases — cafeteria hotspots and whatever else.

On Sunday, Germany’s Der Spiegel published details of some of the efforts by the NSA and its partners – such as British signals intelligence agency GCHQ — to bypass internet security mechanisms, in some cases by trying to weaken encryption standards. The piece stated that NSA agents go to IETF meetings “to gather information but presumably also to influence the discussions there,” referring in particular to a GCHQ Wiki page that included a write-up of an IETF gathering in San Diego some years ago.

The report mentioned discussions around the formulation of emerging tools relating to the Session Initiation Protocol (SIP) used in internet telephony, specifically the GRUU extension and the SPEERMINT peering architecture, adding: “Additionally, new session policy extensions may improve our ability to passively target two sides communications by the incorporation of detailed called information being included with XML imbedded [sic] in SIP messages.”


“The IETF meeting trip report mentioned in [the] Spiegel article reads like any boring old trip report, but is of course a bit spooky in that context,” Farrell told me by email (the piece came out after my initial interviews with Farrell and Arkko). “Hopefully intelligence agencies will someday realise that their efforts would be far better spent on improving internet security and privacy. In the meantime, their pervasive monitoring goals are part of the adversary model the IETF considers when developing protocols.”

Arkko, meanwhile, said: “The IETF’s open processes, broad review, and open standards provide strong foundations against both unintentional and intentional mistakes and weaknesses in internet protocols. There is obviously no guarantee that there are no unknown weaknesses in internet technology, but the IETF is committed to finding out all weaknesses and dealing with them to the best of our ability.”

Those open processes were apparently enough to, around a year ago, ensure the failure of a campaign to oust an NSA employee from the panel of an IETF working group that deals with cryptographic security. So, if its processes are to be trusted, what exactly can we expect from the IETF when it comes to combating mass surveillance by such agencies?

Fundamental rethink

Snowden’s revelations prompted a fundamental rethink within the IETF about what kind of security the internet should be aiming for overall. Specifically, the IETF is in the process of formalizing a concept called “opportunistic security” whereby — even if full end-to-end security isn’t practical for whatever reason — some security is now officially recognized as being better than nothing.

“One thing the IETF did wrong in the past is we tried to get you to be either ‘no security’ or ‘really fantastic security’,” Farrell explained. “Typically, until recently you had no choice but to run either no crypto or the full gold-plated stuff, and this slowed down the deployment of cryptographic security mechanisms. The idea of opportunistic security design is that, each time you make a connection, you’re willing to get the best security that you can for that connection.”

So, for example, a provider of a certain service may decide to turn on encryption even if they can’t authenticate the client device. As Farrell put it, these “in-between states are well defined now.”

He noted how web giants such as Facebook and Google have stepped up mail-server-to-mail-server encryption in the wake of Snowden. Facebook sends a lot of emails to its users and, according to Farrell, 90 percent of those are now encrypted between servers. Google has also done a lot of work to send encrypted mail to more providers. “This doesn’t prevent targeted attacks – man-in-the-middle is still possible in a lot of cases, but you can at least get halfway,” he said, adding that this may be enough to dampen pervasive surveillance.
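Opportunistic security as Farrell describes it, applied to a single server-to-server mail hop. This is an added example, not code from the IETF or any mail provider; the `floor` parameter, the host name and the EHLO replies are assumptions constructed for illustration.

```python
# Added illustration (not IETF or mail-provider code): the security states an
# SMTP sender can end up in for one delivery attempt, and how a policy floor
# changes the outcome. Host names and EHLO replies below are constructed.
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    CLEARTEXT = 0         # no encryption on this hop
    ENCRYPTED_UNAUTH = 1  # TLS, but the peer certificate did not validate
    ENCRYPTED_AUTH = 2    # TLS with a validated peer certificate


@dataclass(frozen=True)
class Outcome:
    level: Level
    delivered: bool
    reason: str


def parse_ehlo(reply):
    """Return the set of extension keywords in a multi-line 250 EHLO reply."""
    lines = reply.strip().splitlines()
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords = set()
    for index, line in enumerate(lines):
        last = index == len(lines) - 1
        # Continuation lines are "250-...", the final line is "250 ...".
        expected = "250 " if last else "250-"
        if not line.startswith(expected):
            raise ValueError("malformed EHLO line: %r" % line)
        if index == 0:
            continue  # first line is the server greeting, not an extension
        fields = line[4:].split()
        if fields:
            keywords.add(fields[0].upper())
    return keywords


def negotiate(ehlo_reply, cert_validates, floor=Level.CLEARTEXT):
    """Pick the best level this connection supports, then apply the floor.

    cert_validates stands in for the result of the TLS handshake's
    certificate check; it is ignored when STARTTLS is not offered.
    floor=CLEARTEXT is the opportunistic policy; floor=ENCRYPTED_AUTH is the
    older all-or-nothing policy.
    """
    if "STARTTLS" not in parse_ehlo(ehlo_reply):
        level, reason = Level.CLEARTEXT, "peer did not advertise STARTTLS"
    elif cert_validates:
        level, reason = Level.ENCRYPTED_AUTH, "TLS with validated certificate"
    else:
        level, reason = Level.ENCRYPTED_UNAUTH, "TLS without authentication"
    return Outcome(level, level >= floor, reason)


# Constructed EHLO replies. The second is what the sender sees when the
# STARTTLS line is missing, whether the server lacks TLS or the line was
# removed in transit; the sender cannot tell the two cases apart.
EHLO_WITH_TLS = (
    "250-mx.example.net\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
)
EHLO_NO_TLS = "250-mx.example.net\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"


def demo():
    """Return (case, level name, delivered) for the interesting combinations."""
    cases = [
        ("tls offered, cert ok", EHLO_WITH_TLS, True, Level.CLEARTEXT),
        ("tls offered, cert bad", EHLO_WITH_TLS, False, Level.CLEARTEXT),
        ("tls offered, cert bad, strict", EHLO_WITH_TLS, False, Level.ENCRYPTED_AUTH),
        ("no starttls line", EHLO_NO_TLS, False, Level.CLEARTEXT),
        ("no starttls line, floor=TLS", EHLO_NO_TLS, False, Level.ENCRYPTED_UNAUTH),
    ]
    rows = []
    for label, reply, cert_ok, floor in cases:
        outcome = negotiate(reply, cert_ok, floor)
        rows.append((label, outcome.level.name, outcome.delivered))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

With the default floor every message is delivered at the best level on offer, which is why a missing STARTTLS line silently yields cleartext; a sender that wants to rule that out has to raise the floor and accept that some mail will not go through.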


Farrell noted:

My personal belief is that, if you get halfway, it’s much easier to get the second half. I’ve seen really large mail domains turn on the crypto, and some say they can’t see a change in CPU use. Now the next step is getting good certificates in place, getting good administration. It’s easier than going from zero to the end.

One experimental draft that Farrell is working on would see opportunistic security added to the Multiprotocol Label Switching (MPLS) transport mechanism used in core telecommunications networks, “just above the fiber.” This is some way off happening, if indeed it works out at all – it’s dealing with extremely high bitrates and would require implementation in hardware. But, as Farrell noted, it shows how the IETF is working on adding encryption to all layers of the stack.

“The MPLS issue will probably take years before we see progress, but when we do see progress it will have significant impact quickly,” he said. “One reason I understand people are interested in this is because it might be a direct mitigation for some of the fiber-tapping cases that have been reported. Even partial deployment could be quite significant.”

New versions

HTTP 2, currently being finalized by the IETF and the World Wide Web Consortium (W3C), is on the way, and it will support the padding of traffic so as to make it harder for spies to draw inferences from packet size. This will mean the addition of a few bytes here and there, which may have an impact on latency if badly executed, so that’s a challenge for both the IETF and the standard’s implementers.
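How frame padding hides body size, shown with the DATA frame layout from the published HTTP/2 specification (RFC 7540). This is an added example, not code from the IETF or any HTTP/2 implementation; the 256-byte bucket policy and the function names are assumptions.

```python
# Added illustration: HTTP/2 DATA frame padding, using the frame layout from
# the published HTTP/2 specification (RFC 7540). BUCKET is an assumed policy.
FRAME_DATA = 0x0
FLAG_END_STREAM = 0x1
FLAG_PADDED = 0x8
HEADER_LEN = 9             # 24-bit length, type, flags, 31-bit stream id
MAX_FRAME_PAYLOAD = 16384  # default SETTINGS_MAX_FRAME_SIZE
BUCKET = 256               # assumption: round payloads up to 256-byte steps


def build_data_frame(stream_id, data, bucket=BUCKET, end_stream=False):
    """Serialize one padded DATA frame whose payload is a multiple of bucket."""
    if not 0 < stream_id < 2 ** 31:
        raise ValueError("DATA frames need a non-zero 31-bit stream id")
    if not 1 <= bucket <= 256:
        raise ValueError("Pad Length is one byte, so bucket must be <= 256")
    unpadded = 1 + len(data)          # Pad Length field + application data
    pad_len = (-unpadded) % bucket    # zero bytes needed to reach the bucket
    length = unpadded + pad_len
    if length > MAX_FRAME_PAYLOAD:
        raise ValueError("payload exceeds the default maximum frame size")
    flags = FLAG_PADDED | (FLAG_END_STREAM if end_stream else 0)
    header = (
        length.to_bytes(3, "big")
        + bytes([FRAME_DATA, flags])
        + stream_id.to_bytes(4, "big")
    )
    return header + bytes([pad_len]) + data + bytes(pad_len)


def parse_data_frame(frame):
    """Return (stream_id, data) from one DATA frame, stripping any padding."""
    if len(frame) < HEADER_LEN:
        raise ValueError("truncated frame header")
    length = int.from_bytes(frame[0:3], "big")
    frame_type, flags = frame[3], frame[4]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
    payload = frame[HEADER_LEN:HEADER_LEN + length]
    if frame_type != FRAME_DATA:
        raise ValueError("not a DATA frame")
    if len(payload) != length:
        raise ValueError("truncated frame payload")
    if not flags & FLAG_PADDED:
        return stream_id, bytes(payload)
    if length == 0:
        raise ValueError("PADDED flag set on an empty payload")
    pad_len = payload[0]
    # The specification treats padding that is as long as the payload, or
    # longer, as a protocol error; reject it rather than slicing blindly.
    if pad_len >= length:
        raise ValueError("padding length exceeds frame payload")
    return stream_id, bytes(payload[1:length - pad_len])


def padded_frame_sizes(bodies, bucket=BUCKET):
    """On-the-wire frame sizes an observer would see for each body."""
    return [len(build_data_frame(1, body, bucket)) for body in bodies]


if __name__ == "__main__":
    # Constructed bodies of 10, 100 and 200 bytes.
    bodies = [b"a" * 10, b"b" * 100, b"c" * 200]
    print("bucket=1  :", padded_frame_sizes(bodies, bucket=1))
    print("bucket=256:", padded_frame_sizes(bodies))
```

With a bucket of 1 the three frame sizes track the body lengths exactly; with the 256-byte bucket all three are indistinguishable by size, at the cost of up to 255 extra bytes per frame.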

The IETF is also officially killing off RC4, a cipher used in the Transport Layer Security (TLS) protocol that supposedly provides the security behind the “https” you see denoting secure connections in web addresses. RC4 is now known to be vulnerable to attack. (For that matter, TLS’s security is also up for debate – Sunday’s Spiegel article suggested the NSA and GCHQ were able to decrypt TLS sessions by stealing their keys.)

Farrell noted that TLS 1.3 should be fully-baked sometime in 2015, making it faster and more attractive to implement, and it would incorporate heftier changes than those made in previous iterations. One planned change will involve turning on encryption earlier in the “handshake” process, where the client and server exchange keys, so as to counter monitoring of the handshake contents.

Meanwhile, a separate working group is trying to develop a new DNS Private Exchange (DPRIVE) mechanism to make DNS transactions – where someone enters a web address and a Domain Name System server translates it to a machine-friendly IP address – more private.

“Some privacy-sensitive information can be exposed through DNS,” Farrell explained, citing the example of a web address that refers to an embarrassing disease – information that might be exposed even if the web traffic itself is encrypted. “This is a good example of the kind of change that’s happening. Thinking about confidentiality for DNS was so off the table for the last few decades – the people running DNS were saying this is all public data.”

The DNS case highlights one of the key problems that the IETF must wrestle with — encrypting traffic can make it harder to carry out certain network management operations that people are used to being able to carry out. Carriers would find it harder to do load balancing if all DNS activity was secured. As Arkko pointed out, end-to-end encryption would mess with things like caching. These problems are not easily overcome.

“We have to have some real thought go into this and understand what the trade-offs are,” Arkko said. “That is largely the debate we are having now.”

What you need to know about the NSA document dump

While many Americans were cozying up on the afternoon of Christmas Eve, the National Security Agency was busy posting dozens of quarterly reports detailing incidents where it potentially violated U.S. laws through improper monitoring of U.S. citizens and foreigners.

Here’s what you need to know about the document dump:

What is the NSA supposed to do?

The NSA, like other American intelligence agencies, relies on a 1981 executive order that legalized the surveillance of foreigners living outside of the U.S. It uses that same executive order “to sweep up the international communications of countless Americans,” the American Civil Liberties Union writes.

“At the targeting stage, NSA collects only those communications that it is authorized by law to collect in response to valid foreign intelligence and counterintelligence requirements,” the NSA report’s executive summary reads. “After foreign intelligence or counterintelligence information is acquired, it must be analyzed to remove or mask certain protected categories of information, including U.S. person information, unless specific exceptions apply.”

“Data incorrectly acquired is almost always deleted,” it continues.

After data is collected, it is placed in a large database that the agency’s employees can search with highly specific requests.

“For instance, a query for ‘improvised explosive devices’ would likely be prohibited as overly broad and result in a reportable incident—even if the analyst required the information for her job,” the summary states. “Results returned from improper queries may be deleted. …”

Why were these documents released?

Of course, it doesn’t happen quite like that. Edward Snowden’s 2013 leaks revealed the NSA is monitoring more than 1 billion people globally. Its spying on Americans is expansive.

The American Civil Liberties Union filed a Freedom of Information Act lawsuit that has been dredging up documents since July 2013. These most recent documents are a series of quarterly reports turned over to the President’s Intelligence Oversight Board. They date from late 2001 to mid-year 2013.

“In general, each NSA report contains similar categories of information, including an overview of recent oversight activities conducted by NSA’s Office of the Inspector General and the Office of the General Counsel; signals intelligence activities affecting certain protected categories; and descriptions of specific incidents which may have been unlawful or contrary to applicable policies,” the NSA executive summary states.

What do the documents contain?

The heavily redacted reports detail many, many incidents where NSA agents pulled up the wrong information with the database. Each incident is followed by a statement that the data was either not accessed or the query and results were deleted.

Other reports cover agents being granted access to data without the proper training or using searches that were no longer meant to be in effect. Raw data was at times accidentally emailed or kept on an unsecured computer.

There is also at least one instance where an NSA employee purposefully sought out data that was both unnecessary and illegal. One document states a woman went through her husband’s phone contacts “without his knowledge to obtain names and phone numbers for targeting” over a period of 2-3 years.

What will happen to the NSA?

This is not the first documentation of errors and abuse by the NSA. A 2013 letter to Senator Charles Grassley from the NSA inspector general documented “intentional misuse” in 12 different instances.

The Privacy and Civil Liberties Oversight Board published a report in January stating the case for ending phone records collection. But legislators have yet to pass any limits on the NSA’s power.

So in the grand scheme of documents released by the NSA, these are not the most shocking. It is unclear when public outcry will turn into actual legislative action.

German court denies Snowden visit bid

The German high court has denied an attempt by two of the country’s opposition parties to have NSA whistleblower Edward Snowden visit Berlin to testify before the Bundestag, Germany’s parliament.

The Karlsruhe court reportedly said that the suit was an administrative issue that had to go before the Federal Court of Justice instead. The suit had been filed by the Greens and the Left, seeking to force the government to allow Snowden into Germany – he is currently still stuck in Russia, and Chancellor Angela Merkel’s administration has not been keen to let him in, lest the visit further impair relations with the U.S.

The German government has previously asked whether Snowden would be willing to testify before the parliamentary inquiry into the NSA allegations if the committee members went to visit him, but his lawyer has said he would only be willing to testify in Berlin.

Meanwhile, a formal probe into the alleged bugging of Merkel’s phone by the NSA has so far come up short. The investigation launched in June, more than half a year after those allegations were published by Der Spiegel, leading to a great deal of public frostiness from Germany towards the U.S.

Germany’s chief federal prosecutor, Harald Range, told a press conference on Wednesday that there wasn’t enough evidence to bring charges in the case. He said: “The document presented in public as proof of an actual tapping of the mobile phone is not an authentic surveillance order by the NSA. It does not come from the NSA database.”

The original Spiegel article in question (PDF) did not actually depict the document in question, which included Merkel’s phone number as a “selector”, though it did show others that apparently came from the NSA. Range, whose investigation continues, said the Spiegel reporter who produced the document had not provided further details to aid the investigation, and neither had the BND spy agency.

Perhaps importantly, the original article did not claim that the document came from the Snowden cache, but rather said more ambiguously that Spiegel‘s wider investigation had taken in “internal documents of the U.S. National Security Agency and other information, most of which comes from the archive of former NSA contractor Edward Snowden.”

UPDATE (December 13): Der Spiegel has hit back over allegations in some reportage that the Merkelphone document was a fake. The publication said on Saturday that Range had categorically denied during the press conference that the document was a fake. It also reiterated that what it had published and passed on to Merkel’s office was “a transcription and not the original document”, and accused Range of trying to “publicly undermine the credibility” of Der Spiegel.

UK cable-tapping programs are legal, spy court rules

The U.K.’s Investigatory Powers Tribunal (IPT), a semi-secret court that deals with complaints over the authorities’ surveillance activities, has declared that the authorities’ tapping of major internet cables that touch the U.K. is legal in principle and does not breach human rights.

The ruling came in a case that had been brought about by Amnesty International, Privacy International, Liberty and the ACLU. The case centered on the U.S. Prism program and a British scheme called Tempora, which – according to the documents revealed by NSA leaker Edward Snowden – involved U.K. spy agency GCHQ tapping into much of the world’s communications by targeting core internet infrastructure.

The U.K. is a crucial hub for these cables, giving the spies the ability to monitor data flowing from most parts of the world. To do so, it has secured help from carriers such as the Vodafone-owned Cable & Wireless.

The IPT ruled on Friday that GCHQ could in principle legally tap the cables under the Regulation of Investigatory Powers Act 2000 (RIPA), a piece of anti-terror legislation that enables much of the U.K. authorities’ surveillance activities. It also said Prism, through which the NSA gains access to data from the systems of web service providers, is legal and conducted with sufficient oversight.

However, the court is still keen to find out more about the past legality of GCHQ receiving bulk intercepted material, which may relate to British citizens, from the NSA and other international partners.

Privacy International and Bytes for All, a Pakistani NGO defending activists in that country who feared their communications were being monitored by the British, said in a statement that they will now appeal the IPT ruling at the European Court of Human Rights.

The IPT stated in its ruling:

Technology in the surveillance field appears to be advancing at break-neck speed. This has given rise to submissions that the UK legislation has failed to keep abreast of the consequences of these advances, and is ill fitted to do so; and that in any event Parliament has failed to provide safeguards adequate to meet these developments. All this invariably creates considerable tension between the competing interests, and the ‘Snowden revelations’ in particular have led to the impression voiced in some quarters that the law in some way permits the Intelligence Services carte blanche to do what they will. We are satisfied that this is not the case.

It went on to say that the intelligence services must get a warrant to intercept “substantial quantities of communications” and can only access material from those communications “if it is necessary in the interests of national security, for the purpose of preventing or detecting serious crime or for the purpose of safeguarding the economic wellbeing of the United Kingdom.”

The case has already uncovered more than was previously known about the U.K. authorities’ previously secret legal rationales for their spies’ activities. It is also the first case in which the IPT has held public hearings — though many of the hearings were still closed.

Further hearings about “whether there has been in fact any unlawful interception or treatment of the Claimants’ communications” — in other words, whether the spies broke the law before Snowden and this case forced them to reveal their policies — will also be held behind closed doors.

Privacy International deputy director Eric King said:

With GCHQ’s mass surveillance of undersea cables reported to have increased by as much as 7000% in the last five years, today’s decision by the IPT that this is business as usual is a worrying sign for us all. The idea that previously secret documents, signposting other still secret documents, can justify this scale of intrusion is just not good enough, and not what society should accept from a democracy based on the rule of law.

Bytes for All country director Shahzad Ahmed added:

The idea that the UK is not obliged to offer any privacy protections or safeguards to individuals outside of Britain when conducting surveillance is absurd, and puts at risk the privacy and free expression of human rights activists around the world.

Here’s the ruling:

Investigatory Powers Tribunal Tempora ruling (embedded document: https://www.scribd.com/embeds/249250025/content?start_page=1&view_mode=scroll&show_recommendations=true)

This article was updated several times with new information.

NSA spies on carriers to break call encryption, report suggests

The NSA spies on the internal emails and documents of major mobile carriers and their industry body, the GSM Association, according to an article published Thursday by The Intercept.

According to the piece, the spy agency is or was running a program called AURORAGOLD, which involved targeting the GSMA in order to find or even create weak spots in carriers’ network technology. If this is the case, it may be yet another example of the foolhardy breaking of widely used security mechanisms in ways that other spies and criminals can potentially also exploit.

The GSMA’s “IR.21” documents are shared between carriers to allow customers to roam internationally between their networks. According to the NSA documents published by The Intercept, IR.21s provide valuable information about new technology that the carriers are using, helping spies to figure out how to “discover vulnerabilities,” “introduce vulnerabilities where they do not yet exist” and find threats to the spies’ existing surveillance methods.

The GSMA is also a hub for the development of new cellular privacy technology. Worryingly, the article suggests that the AURORAGOLD program may have aided NSA attempts to crack A5/3, a type of encryption for cellular communications. Earlier stories based on the Snowden leaks indicated that the NSA has already cracked the older and weaker — but widely used — A5/1 cipher.

It’s not entirely clear whether or not the NSA and GCHQ have had success in cracking A5/3 yet, but some experts are worried:

As the piece noted, the U.K.-based GSMA receives funding from the U.S. National Institute of Standards and Technology (NIST), which has already had to warn companies off using one of its own security standards because Snowden’s leaks indicated the NSA had tampered with it.

GSMA spokeswoman Claire Cranton told me by email: “We are aware of the Intercept story and are currently investigating the claims made in the piece. We are unable to offer any further comment at this time.”

Turns out that German intelligence agency can spy on some Germans

Germany’s equivalent to the NSA is able to spy on some German citizens thanks to a loophole in the country’s laws, a government surveillance inquiry learned last week. According to a former lawyer for the Bundesnachrichtendienst (BND), the agency can legally intercept the work-related emails and phone calls of Germans working abroad for foreign companies, as these communications are attributed to the employer. The German government has since confirmed this. It was previously thought that it was illegal for German intelligence to spy on any of the country’s citizens. The inquiry is examining the implications of Edward Snowden’s NSA revelations. In July, a BND employee was arrested for passing details about the activities of the investigating committee to the Americans.

Surveillance-limiting USA Freedom Act fails to clear Senate

The flawed bill fell two votes short of what was needed, creating an odd situation where the bulk collection of communications records and other metadata can continue for now, but some of the underpinning legislation becomes likely to expire in mid-2015.