The NSA and XMission
Last November, I was invited to tour the new NSA Datacenter in Bluffdale as part of a Utah consortium of datacenter operators. The facility is impressive, as it should be when you spend over a billion dollars. Yet any questions about purpose were deflected by our tour guide. Instead we got raw specs about how big the generators were, and how many gallons of diesel their tanks could hold.
I had always heard the rumors that the NSA had Star Trek style computational power that was 20 years ahead of what the industry was using. They could read erased hard-drives, crack the toughest encryption, and have an omniscient power to know where any national threat was at any time. As news reports revealed this last week, the reality is closer to earth. They’re simply capturing as much information as they can, indexing, and storing it. I have seen estimates that the amount of running storage they will have in Bluffdale could capture world communications for the next 100 years.
Apple, Google, Facebook, Microsoft, and Yahoo were fingered by The Guardian as having collaborated with the NSA in their data collection program. This was immediately denied by Google’s Larry Page and Facebook’s Mark Zuckerberg. Some accused them of sidestepping the issue, claiming that “no direct access to servers” did not preclude cooperation with the NSA. Only they know the full depth of that question, and I hope they will be forthcoming with further details.
As for XMission, numerous customers asked whether we had ever cooperated with the NSA. The answer is no. We’ve never been approached either. I have, however, seen repeated attempts to pry subscriber information from us that I have turned back. The motto for XMission is “The Internet service that I would want to use” and that makes our privacy policy radically simple. We protect your privacy as it were our own. I have seen comments this past week that if you trust your data to an Internet or cloud provider, then suddenly your “papers and effects” are not protected under the 4th Amendment of the U.S. Constitution. Let me make this crystal clear – When you trust your data with XMission, it becomes my “papers and effects” and I will not turn over any information without a proper court-signed warrant. If the NSA or any government or commercial entity approached me for a broad tap on the XMission network, I would not only tell them, “No,” I’d preface that with a “Hell.” Some argue that privacy isn’t protected under the constitution, but even if you believe that (I don’t) it doesn’t mean we as American citizens need to accommodate every demand to violate it. Although the focus on the NSA this week is deserved, the joke goes that the reason Americans are upset is that the NSA didn’t provide them with a free browser, calendar, and email.
I was appalled to see calls for a boycott of U.S. tech providers. It lumps us all in with companies who care more about their shareholders than their customers. To this extent, XMission is publishing it’s Transparency Report to demonstrate that we don’t agree with this and have been fighting for customer privacy since the beginning. Warrantless requests have repeatedly been refused. XMission cooperates with law enforcement when they provide a proper judicially authorized warrant. Sadly, investigations rarely follow this constitutional requirement. XMission also doesn’t datamine, inspect, or sell your information you trust with us. Employees have been fired for violating this cardinal rule by looking at email content without customer authorization.
Sharp eyed inspectors of our Transparency Report will note the FISA request of November 29th, 2010. XMission complied with that request only after consulting with our attorneys and the Electronic Frontier Foundation. It was specific monitoring of one IP address. What irks me about the manufactured outrage of Utah’s congressional delegation over NSA domestic spying is that they have signed off the NSA Bluffdale Data Center and FISA expansion repeatedly. They have supposedly been briefed on their actions as well. If they are angry about the lack of oversight of the NSA, do your job and provide oversight of the NSA.
However, I am convinced that no level of oversight of the NSA, nor boycott of U.S. tech companies, nor relying on trustworthy companies like XMission will turn back governmental snooping of the Internet. Regardless of the cooperation of names like Google, Facebook, and Microsoft, it has been a well known fact that the NSA has been intercepting calls and Internet traffic. This exploits a weakness the Internet has had since its inception. The Internet was built on trust, and nobody anticipated interception of data would be a problem. The only way to fix this is through encryption. XMission’s email servers use encryption to transfer data across the Internet to other email servers, yet only 17% of inbound connections utilize it. On the bright side, 70% of our outbound email is encrypted. Everyone has the ability to add encryption to their emails for free, and as this spying continues, I expect it will become the norm. In spite of the Star Trek rumors about the NSA breaking encryption, I trust mathematicians more. If you want to protect your privacy on computers and the Internet, utilize encryption as much as possible, and keep your important data at home or work. Then demand that the companies who provide you services disclose their policy towards governmental and commercial requests. If they won’t give you that information, it’s time to change to a Internet/cloud provider who cares.
Netflix Super HD: now available to XMission customers! XMission upgraded to Zimbra 8.0.4 on June 15th
Comments are currently closed.
Hooray! This is one of the many reasons that I chose XMission as my ISP.
Way to go, I love reading about how XMission continues to fight the good fight and the suggestions to people to use encryption etc.
I’ve worked with encryption long enough to say with authority that cracking encryption is a fantasyland. The most common attack vector is the private key passphrase. If you’re using a modern algorithm (no, MD5 doesn’t count, and SHA-1 barely does) with a high-entropy passphrase (I’m talking at least 20 characters), the chances of getting in anytime within the your lifetime (much less the next 100M or so years) is laughable.
Glad to hear you advocate email encryption. From the context, I gather you are talking about SMTP over TLS, rather than content encryption (S/MIME, PGP, etc.).
In my experience, not only is support for SMTP over TLS low, but when it does exist, frequently the mail is sent despite problems verifying the certificates, which of course enables a man-in-the-middle attack. Do you have any data on how much of this encrypted data is associated with valid certificates?
I freaking love X-MISSION.
Seriously, thanks for writing this letter. I have been a customer for many years, and see myself as one for many years to come.
Sean
Jim, it is TLS, and usually it is done over self-signed certificates (ours is signed). Primarily isn’t used for server verification, as man-in-the-middle would require either redirecting DNS records and/or the destination IP address. It does provide encryption against interception though.
This is why I have always used Xmission, and always will.
Its also why I have always voted for Mr Ashdown in every election he has ran for, and always will.
Well met good sir.
Thank you to Pete Ashdown and all the terrific folks at Xmission. This is why we are happy to be longtime subscribers and quite willing to pay for great service and high ethical standards. It is indeed troubling how little outcry there is amongst the general public about the NSA revelations. There should be no reason that our government can’t use pre-Patriot Act legal means, with targeted, proper warrants. Wholesale nationwide data gathering and long-term storage is a recipe for abuse. And all that irrelevant data likely makes intelligence analysis harder. The government claims these top-secret programs have prevented attacks, with no proof. Why wouldn’t standard procedures have been able to do the same? From my perspective, the “bad guys” have won if we have lost our civil liberties to this extent, and also lost the political will to protect them.
Also, a real threat to our collective security is climate change and the conflicts and damage resulting from increasingly erratic weather patterns. The NSA Bluffdale facility will be a net contributor due to its gargantuan (mostly coal fired) electricity consumption. Yet another reason to love Xmission, due to the company’s environmental commitment.
I applaude Xmissions stand on this issue. One very cautionary note. There are people that work undercover (meaning their original employment for Agency XYZ is not disclosed) for the Government/NSA, that come into an ISP, State or local government. They apply for a job at the entity in question, usually have stellar credentials and back grounds. They appear to be dedicated and loyal people. They work a while and insert code/routing/software/make changes so that a particular agency can make the connection so to speak. Then they move on to the next job which may be at a corporation or other business. Generally speaking this under cover talent pool extends at times from the lowest levels to the executive management level. They like it because they get two checks, one from Agency xyz and the other from the outside world.
Someone would ask, “How can this be so?” Certainly somebody would see or know.” The answer is that usually the boss up the ladder delegates work off to his talent pool. Generally does not know, see or hear every change made in an organization. If you walked into a data center with executive, pointed to a switch port with a network cable plugged into to it and ask them where does this go, the likely answer is they don’t know, but they will check with their people, blah blah blah. Guess where you put the under cover talent pool?
[…] The only solution to internet snooping was encryption, he said, a point he repeated on a blog. […]
After reading this, I will seriously consider switching to XMission as my ISP, regardless of financial cost.
BTW, for any Skype users…
http://12160.info/page/dump-skype-piss-off-the-nsa?xg_source=shorten_twitter
Dump Skype – Piss Off The NSA
By Grimnir | June 30, 2013
Let’s keep our transmissions OUR transmissions!
Our family has been using XMission since dial-up. I read enough articles and watched enough spy thrillers to know that the government was infringing on our 4th Amendment rights. I applaud Edward Snowden for having the courage to give us the name of the face of the NSA program. And I applaud Mr. Ashdown and XMission for standing up for the rights of it’s customers and not cowering to the whims of the government who wish to play Big Brother.
-Jeff
Pete, congrats on taking a stand. Very inspirational.
Regarding encrypting SMTP – I am not 100% sure, but I think there’s a problem relying on “self-signed certificates” as a way to avoid MITM attacks. By definition, self-signed certs means there is no independent validation that the certificate being presented for a given hostname (e.g. mail.xmission.com) is organizationally attached to the entity you’re talking to. Meaning, a MITM can present forged self-signed certs to both sender and receiver without either thinking there was anything unusual. This is of course only true if the MITM actually was able to intercept and change traffic between those two points, and not simply monitor what is being said. So that’s slightly safer than most, but definitely not beyond the realm of possibility.
Of course it really would be ideal if the different mail clients out there could show the end-user the trustworthiness of the links between sender and receiver, in the same way a web browser shows you green when talking to an HTTPS site whose cert validates, and an even more bold green when it hits an Extended Validation certificate. As it stands now, for reliability, a mail server probably wants to accept mail over TLS even from servers with broken or self-signed certs, but explaining that to the end-user in a useful way remains a challenge. It would be great if there were a tutorial out there about how to do this right.
Brian