Keeping email private…

Whenever one of the market-anointed tech titans speaks, people start to pay attention to their privacy… or lack thereof. In this instance, the question received regarded email, asking about alternatives to Microsoft & Google offerings, as compared to a Swiss service ProtonMail. Get your beverage(s) ready, this is going to be a long one.

Disclaimer: I am not a lawyer, and I did not sleep in a Holiday Inn Express last night. This discussion is relative to my understanding of United States Laws and court decisions. Your mileage may vary. 

First – how much inconvenience are you willing to suffer to keep your email private? What are you willing to pay?

On the surface, ProtonMail (which prides itself on end-to-end-encryption, and being based in Switzerland) seems like the obvious winner, since there’s a free version. But there are issues here. First is the recently passed CLOUD Act (Clarifying Lawful Overseas Use of Data Act, HR 4943, signed into law March 23, 2018) which allows for bilateral treaty-based exchange of overseas data between signatories. Note there is already such a treaty in existence with Switzerland. Proton’s off-stated “we only store encrypted data” claim is only good to the extent a user is not otherwise compelled to give up a password… or that the encryption is as described. Further, the only interface allowed to Proton is via web browser…

Gmail/Hotmail etc – “free” or “paid” – your email is going to be read by robots, mostly looking for advertising ‘bait’ or to build a better profile… (more on this later). Of course, these offerings win on convenience, and of course “free!”

Finally, there’s “roll-your-own” email. Invest in a server, configure your own email, have your own custom address pool, make your own filters and blocks, set auto-replies, run email lists… in simple terms, do everything the big boys can, but in your own way. All the mission-critical email for me has run on my own email server for more than twenty years. I use Gmail as a convenience, and am forced to use Outlook by various clients.

Now – let’s look at the legal implications on privacy, for the three offerings above. In the US, email privacy is governed by two major acts: the aforementioned CLOUD Act, and the ECPA (Electronic Communications Privacy Act, 1986). Most email communications falls under the [ancient] ECPA guidelines (assuming it is stored in the US).

The ECPA defines five types of communication for email. Three of those types require a warrant for access; two require a subpoena. Subpoenas are routinely issued by lawyers in the name of the court; penalties may be assessed for non-compliance. Warrants are issued by a judge, have stringent requirements for issuance, and are usually enforced by police agencies.

The ‘warrant required’ types of communications are: email in transit, email stored on a home computer, and email in remote storage, unopened, stored for 180 days or less.

The subpoena required types of communications are: email in remote storage, opened, and email in remote storage, unopened, stored for more than 180 days.

I run a combination server – it is IMAP when I’m away from home, and POP3 when I’m home. In simple terms – during a work day outside the house, or while travelling, I’m running the server in much the same mode as one does with any web-based system. The email is available via remote access (remote storage in ECPA terms). When I’m home, I have a POP3 client which downloads the email to a home computer, and erases that mail from the server.

In this mode, my critical email is always in the warrant-required states per the ECPA. Warrants are issued under standards more than 200 years old – it must be based on probable cause, describe the place or person to be searched, and for what evidence the search is being requested; all under oath or affirmation to a judge or magistrate. I feel reasonably secure.

Hope this helps the decision matrix.

ps – Gmail’s robots really kick in after about 200 emails are in the account. Want to baffle the builder? Set Gmail to operate in POP3 mode (delete after download) and watch the fun. (Running NoScript and disabling the Google Stats scripts also screws up the profile builder).

 

Advertisements

Ink-stained rant

One of the tasks tonight was printing out student work; it needs to be printed so I can grade it and hand it back. Nowadays most students won’t print their own work… usually, I think, from the cost involved.

The big cost is ink. My usual printer for everyday use is a worn Epson Stylus C-120. It uses four colors but five cartridges -doubling up on black – and if I were to use Epson-brand ink, the cost for one set of cartridges would be about  $60. Each cartridge holds 12 ml of ink – thus Epson ink costs $1,000 per liter, or a bit less than $4,000 to the gallon. And you thought gasoline was high-priced?

I don’t use Epson inks. I print way too much to go that route.

For the first couple of years I used a CISS – Continuous Ink Supply System. This is a set of 5 cartridges with tubing which loops outside the printer to a set of tanks holding bulk ink. The cost of the CISS was $35 – for 100 ml of ink in each tank! Re-inking costs were about $30 per 500ml – far less than name-brand.

CISS systems expect to be used, a lot. Daily works best. Otherwise the inks slowly draw back down the supply lines into the tank. If the time between use is too great, the inks may clot up a bit at the feed end of the tanks… at which point it’s easier to pull the system out and replace it rather than fix it. Been there, done that. These inks are dye-based and not particularly stable, but work just fine for daily print work (mostly text).

For now, I’m using generic dye-filled cartridges bought on Amazon – the vendor name changes with each purchase, but on average I’m paying $1.25 per cartridge… everything is working fine, except the ‘status’ messages from the Epson printer driver software.

Epson’s printer drivers give a visual depiction of remaining ink; and a warning pop-up when the capacity is ‘low.’ What I’m finding out is that ‘low’ is… a marketing ploy as opposed to any sort of reality. Two days ago I got the pop-up, urging me to buy ink as I was ‘low’ on black. Earlier tonight when I started to print, the indicator was at the bottom, indicating imminent emptiness – or so it seemed. Two hundred and four pages later, the indicator is still at the bottom… and the black ink is still printing nice and strong.

Tsk tsk tsk.

Crossing the line…

Here I go again, messing up the lines. Crossing over from professor to student; twice a week changing which side of the room I’m on. It’s time to learn!

This time it’s a refresher class – CISY 225 Web Page Development I.

From reading the syllabus I gather I’ll be working up several websites over the next six weeks:

  • A personal site. In this case, it will be the renaissance of njrr.net – a project started years ago which never advanced. This time round I hope to make the site into a template set which can then be fed by PHP/MySQL code – otherwise I was facing the Brobdingnagian task of maintaining 200 or more individual pages (not as involved as njchurchscape but still…).
  • A commercial site – think this will be the [long overdue] facelift for woodall.com. Seventeen years with the same design is perhaps a bit long in the tooth.
  • An e-commerce site – hmm… think I smell a honeypot in my future.

Should be an interesting ride.

Carolina [cable] hospitality

One of the tasks to carry out during my three week sojourn in NC this spring was to fix up the problems with TV/Telephone/Internet Access at the beach house.

Our family beach house is a condominium – ostensibly the complex provides cable TV and Internet, but the Internet is shared-access wifi with the rest of the complex, and we prefer dedicated access. For years that meant dealing with CenturyLink – a telephone company so bad it changes its name every few years in a futile attempt to regain credibility.

Of late, though, the incumbent cable carrier has made a play for business, and thus my parents decided to change over to Time Warner Cable (Eastern Carolina division). They ordered the service while they were in temporary quarters (the condo was being repaired from 2011 hurricane damage).

The telephone port worked fine… they had no idea how to work the set-top box… and the goofball contract installer couldn’t leave well  enough alone on the router and reset it back to factory default.

And by the time I arrived, while it was working, we had not seen an invoice for service.

So I initially went on-line to figure out where the issues were, and ran into a problem – I couldn’t get in, because the billing system is separate from all the other systems – and it needed the account number, which I didn’t have (no invoice yet!) and wanted the phone number. I put in the phone number for the unit – no dice. Put in the NJ home phone. No go. Put in my personal and then business line numbers. Still nothing (we’ve had all these numbers at least 15 years). Finally tried the phone number from the temporary quarters – and that worked!

So I got in that far, but couldn’t change the phone number… and found security was based on “last 4 digits of the subscriber SSN” – which didn’t match either parent’s SSN, apparently. And of course  TWC also wanted a “customer code” which was on the missing invoice.

Thus it meant heading off to Newport to the cable office.

…and after a 30-minute drive, finding a line to stand in, and eventually getting to two agents who worked diligently for about 40 minutes to fix all the problems in the billing. Turns out the contract installer decided to “correct” the information in the work order and screw things up. (Somewhere,  a village is missing its idiot.)

Now we know the account number; have set up payment methods, turned off pay-per-view and international calling for the summer rental crowd (no more calls to India or Singapore), and even negotiated a better rate for the service.

The office agents were competent and thorough – far superior to telephone and online agents. At least cable systems have actual staffed offices where you can get things done; the supposedly superior telephone companies do not (union labor made that too expensive years ago).

I reset the router back to our normal setup, after booting off the leeches… and finally all is well.

And two days later it was time to pack up and come home (to NJ).

Wonder if any of it will work properly in the fall.

Ruminations on a semester finished…

Summer School is over. Done. Kaput.

This was an experiment, on two levels. One, for me to take a course prior to teaching same; and second, adapting a semester-long course into a six-week quickie version.

Note to self: do not teach advanced classes during a six-week session. There is not enough time for the knowledge to sink in – the eureka moment arrives a bit late for most students.

Second note to self: students do not necessarily recall much if anything useful from prior semesters; even down to the trivia of how to log in to computers in our Hands-On-Lab (procedure has been the same for six years now). Do not expect students to have practiced any of the skills taught in prior courses.

Taking a class in preparation to teach it was an eye-opener. I have a much better idea of where the confusing parts are, which parts will be easy, and how problematic a lecture-intensive class is for non-native English speakers.

I do hope the students this fall read the book before class. It makes it easier on me and they’re more likely to pass the quizzes…

A technical note about hosting…

I provide a lot of hosting support for my students. It’s best to learn on real-world systems, not XAMPP or other self-contained simulators. Thus I’ve registered a domain, set up GoogleApps for email and wiki-like services; and configured a linux-based host for the class.

This doesn’t have to cost a lot. The “SmallMan” server was built new for a budget of $325. It consists of: Intel 510DMO (dualcore 1.6Ghz Atom cpu), 4GB RAM, 500GB disk drive, dual-network addon card, an extra fan, an ITX case and P/S, and a DVDROM drive. It hosts three VMs, providing 23 webhosts, two email servers, various other support services… and draws a whopping 25 watts under heavy load.

Unless I look at it I can’t tell it’s running.