Saturday, May 11, 2013

Making your e-mail public

An idea has been brewing between me and my neighbor Vahe: make your e-mail public. Now, initial reactions of this idea on Twitter, and later in person when pitching it to folks has been radically negative. There are a few reasons. First, the technical argument: you can't do it easily and securely. Second: Why would you ever do that? I have stated before I was confident that this would be technically possible and I hoped my friend Faiyaz was serious when he said he'd help review the technical aspects and hack this up one evening. Turns out Faiyaz thought I was joking and when we met we failed to even review the idea. Today I decided it was time to get this fleshed out and I now have a proof of concept. I'll explain how I did this silly little experiment and also explain why I personally think its important.

Why would make your e-mail public?
  • Try to get public political figures to voluntarily follow to help address corruption
  • Make a technical statement against e-mail today being as good as being public
Let me go into a little depth on each of these and then I'll explain how I did what I did. I'm just a free software developer, this means I hack only on free and open source software. I do not write any proprietary software. Doing this grows on you a thick skin, specially if you're dealing with large projects where people at times want to express throwing a toilet at you from a different continent. I'm comfortable with the idea as most of my e-mail already is public. Most of my work e-mail is public given that I get paid to work on public projects which already means I post to public mailing lists to accomplish a lot of what I need to get done. I'm  therefore a sort of public developer. I'm no political political figure but I wish political figures did take on more of a public role when they are in office. Now, not all of my e-mail needs to be public and I also understand political figures at times may need to keep e-mail private, even while on office. But can their e-mail become public at a later point in time? Can we get assurance that this will happen as well? I'm not the protest type of guy, I rather lead by example and I want to encourage public office figures to consider opening up at least some of their e-mail as a way to help eliminate corruption.

When it comes to global super powers, your e-mail is as good as if it were public anyway. I can provide a few examples of this. First is project Aurora where Google and others got hacked, allegedly to gain access to gmail accounts from Chinese dissidents. At times your own country can turn on you as well, in the case of the US this obviously became possible because of all the terrorism security FUD of all the silly laws being passed that enables US to do a lot of nutty things. For an example go read EFF's account on the NSA syping on Americans. While at it go read the EFF's page on Surveillance Self Defense. We can surely continue to fight for our rights and also help increase security. For example I applaud Google for enabling users to opt in for two-step authentication. They also have developed application specific password support to let your applications get a random password for specific tasks instead of using your password. This is all good, but it still leaves open the issue of our e-mail being good as public to our own government. I obviously don't have anything to hide but its a matter of principle as to why this situation outrages me. If I want to also help fight corruption through example what if... I could open up certain aspects of my e-mail sent to a specific address? This way I give people a heads up that if they use a specific address it will be public. If I want to to receive private e-mails I could simply ask the recipient to encrypt the message with my public key. If I want to open encrypted e-mails I can give away my private key and its password after a certain amount of time.

Sold? I provided a diagram of how I did my little proof of concept. I'm lazy to create a new fancy cool domain name for this purpose but perhaps you might want to for your setup if you want to replicate. To illustrate and provide a proof of concept test case I decided to use my e-mail address given that e-mail sent to that address is public anyway and any private data is encrypted by admins. The short verbal recipe for the impatient hacker: gmail, a gmail filter for all e-mail sent to and add a label for it, two personal boxes -- one public box and another private box, IMAP, two-step authenticationapplication specific password for IMAP, and a modified NoPriv for Maildir to html converter, git over ssh for transfering only public html data to the public box. NoPriv is a nice little GPLv3 python script does IMAP for you, and then converts Maildir format mailboxes to html, Kudos to Remy for this project, it was the only one I could find using a reasonable language under a reasonable license. I do intent on sending my small set of changes to Remy soon. Thanks to Salvandor Mendoza for letting me use one of his virtual private servers to test this.