On sending encrypted emails

Friday, 2 August 2013

The information leaked by Edward Snowden reveals that the use of encryption (such as PGP encrypted email) is an "anomalous event" which can be used to "find a strong-selector for a known target" or "find a cell of terrorists that has no connection to known strong-selectors" (see p15). What this seems to mean is that, for example, the collection of a PGP encrypted email may prompt further investigation into the sender and recipient of the email.

This is a short account of an episode which provides very weak anecdotal evidence of this. The essence of the account is that I once sent an encrypted email and the land line to my house was disconnected, roughly 15 hours later, for 9 days.

In December 2012 I read "Quantitative Analysis of the Full Bitcoin Transaction Graph" by Dorit Ron and Adi Shamir and decided to try and anonymously obtain a small amount of bitcoin. I had decided that I certainly didn't want to obtain them through Mt. Gox, or similar bitcoin exchanges, who would certainly reveal my identity if pushed. After some searching I found a person in Germany who would accept money in the post and who had a PGP key and email address. I sent them an email, encrypted to their PGP key, to enquire whether they would accept £30 in the post for some bitcoin.

I received a positive reply around 7 hours later, but unfortunately the reply was in the clear and contained the plain text of the message I'd originally sent. I'd learnt my lesson, encryption only works when both ends of the conversation are equally committed to keeping it confidential. Also, it's not that easy to anonymously convert cash to bitcoin.

8 hours later (15 hours after I'd sent the encrypted email), I was working at my computer when the internet died. The phone line was dead too: no dial tone. I called British Telecom (BT) about an hour later, using a mobile phone, and got through to their Asian call centre. I answered the scripted questions and tried to explain, unsuccessfully, that the phone line was dead and that the fault was certainly not with any of the equipment attached to the line. An Engineer was scheduled to come to the house three business days hence and I was warned that there would be a charge for the engineer call-out if my equipment was found to be faulty.

A short while later (I don't know why) I thought to ring the dead line from a mobile phone and was surprised when I heard the ring tone and when the phone was answered: the callee was at a business premises nearby and their phone number differed from mine by just one number (the rightmost; and we're connected by the same local exchange).

I thought that I'd cleverly found the problem with the phone line and I rang BT again to tell them of my finding. I won't go into all of the awful experiences I had trying to get any assistance from BT support staff, but to summarise: I couldn't get anyone, even a member of "Executive Level Complaints (Consumer)", to understand that both the interruption and the extremely poor customer service were unacceptable to me. All my efforts were met with patent lies: "there is an engineer working on the line, in the street outside my house", probable lies: "your fault is part of a common fault. This means that there's a few people affected by this, and an underground engineer is due out on [the fifth day] to fix this" and what felt very much like stonewalling and denials of culpability.

Nine days after the interruption of telephone service, a "very nice" engineer phoned the house and spoke to one of the other house-dwellers (I wasn't at home) to say that the problem had been fixed. A description of the problem was provided, but it amounted to "swapped some wires over" when recalled by the technically uninclined house-dweller.

Conclusion

I believe that one of the following statements is true:

  • The service interruption was unconnected to the encrypted email I sent.
  • The service interruption was a bungled attempt to tap the line as a response to the encrypted email I sent.
  • The service interruption was a deliberate act as a response to the encrypted email I sent.

What is very definitely true is that I haven't sent an encrypted email since that time: I have no wish for my actions to adversely affect my fellow house-dwellers and I have no wish to again be in the embarrassing position of being unable to commit code to a repository for a client's important project.

As an aside, I consider myself fairly informed on the topic of information security and have long known that I have no defence against an adversary who has sufficient determination and resources. Now though, I act as if all of my devices are totally compromised and I trust no secrets to any of them. In effect, I act as would a terrorist.