Security on the Cheap
Reasonably Secure Email Redirect without Going Broke

by
Peter Gallivant

Some people have expressed a desire for an affordable "secure" email redirect; I was forwarded a reference to "a month's mortgage payment."

An email redirect is the Internet equivalent of postal forwarding. A concern providing such a service gives you an email account, but not a corresponding POP¹ mailbox. Instead, when a person sends an email to your redirect account, the server there immediately forwards the missive to another mail account serviced by an actual POP mailbox.

It may seem redundant to use an email address to service another email address. But people do use redirects for a variety of sensible reasons. For some, a permanent redirect address, which can be pointed to any POP address provides continuity of address when changing mailbox or Internet service providers; when your mailbox moves, there is no need to notify acquaintances and business colleagues of a change of address.

Other people use redirects as a layer of protection against spam. And for some, the redirect gives a certain degree of privacy, as the address need not be associated with an ISP in one's own city. Sometimes a redirect address is chosen for the novelty value of the domain name used.

Personally, I find the continuity issue to be the greatest value of a redirect.

You may obtain an email redirect from Free-Market.Net. This fine institution will provide such free of charge; they also offer other levels of membership for paid dues.

    Aside: Free-Market offers many services for the libertarian which make it worth your financial support. They have an outstanding on-line searchable database of freedom-related information, a daily news clipping service, and people-networking tools. And you may even subscribe and pay anonymously, never giving any identifying information.

Security

As expense is a specified concern, I will concentrate upon free services and products. And indeed, since currency never changes hands, nor credit card information, such gratis services may enhance one's privacy by avoiding the need for a money trail, no line of bread crumbs leading back to your person.

In the email arena, there are several other aspects to "security." That which first comes to mind is protection of the message content, and is often provided by the use of encryption products such as Pretty Good Privacy (you may obtain freeware versions at: MIT (US) and PGPi (exportable international edition)). But one should likewise consider the wisdom of bothering with encryption only to reveal the secret topic in the email's unencrypted subject line; use your email wisely. Would you scrawl a listing of a postal letter's contents upon the front of the sealed envelope?

Another aspect of mail security is traceability; can someone backtrack a message which you have sent back to you? This problem has been solved long since through the use of anonymous remailers such as HavenCo and MixMaster. These services receive your mail, strip off header information traceable to you, then forward the message to its destination. The email may be routed through multiple anonymizing relays, and can have random delays programmed in to defeat traffic analysis techniques.

Yet another point is whether an email sent to you can be traced to your physical presence. The more casual investigations can be defeated by the simple use of an anonymous webmail account, as might be provided by Yahoo.²

Typically though, such accounts do not protect you from traffic analysis, nor from a government monitor on your access line.

Scaling Up

Assumptions: Tight budget ruling out paid services such as IDSeal mail or Anonymizer's encrypted anonymous browsing, and telephone access.

It is said that "you get what you pay for." So it will be here. You are not paying financially, but you will in terms of a lack of convenience.

First, you want to divorce the account creation actions from your current existing on-line identity. Start by obtaining a second, anonymous, Internet access account from a free service such as NetZero. You will be asked intrusive questions during the application and registration process. Lie. When possible, use this dial-up account only with a telephone line which is not formally associated with you.

Once you are anonymously on-line, enhance that anonymity by pointing your web browser at IDZap. This is an anonymous browsing service which acts as a proxy for your web adventures, masking your identity from the world. Using this lessens the chances that your logon can be associated with any particular sites visited. You may well discover that you need to enable cookies and Javascript in your IDZap settings.

Via IDzap, or any other such service, visit your webmail provider-to-be, and open an account. Again, I recommend a cavalier attitude towards unnecessarily inquisitive registration forms. I also recommend a service supporting SSL encryption, if you selected an anonymous browser which supports SSL. Thus, if a government agency happened to have a tap on your computer line, they still would not see the content of mails you send and receive.

With your shiny-new email address in virtual hand, go to your chosen redirect provider and open that account, likewise wreaking merry havoc with snoopy questions. Set the redirect to point to the new anonymous mailbox.

You are now set.

Using Your Mailbox

Depending upon the level of caution you deem necessary, you may wish to use the same procedures (non-home telephone line, NZ account, and IDzap) to access your email account as you exercised to create it. But security being an original concern, never access your account without using at least one of these precautions.

Regardless, never, ever send an unencrypted email which contains identifying data. Never include such in the address or subject fields. You will find it safer, though inconvenient, to download all your received mail; then decrypt, read, answer, and encrypt off-line. Consider that America's new experiment in Orwellian authoritarianism, Homeland Security, now legally permits service providers to read your mail and share it with beetle-browed thugs if anything about it should make them uncomfortable.

When sending mail, consider whether the use of an anonymous remailer, as aforementioned -and possibly using a traffic analysis-confusing delay - would be tactically wise for any given email. Encourage correspondents to do so, as well.

Caveat

None of this is perfect protection from snooping. If you are the target of an official investigation - and someone believes you to be important enough, or dangerous enough, to merit the exhaustive effort - your every Internet activity could be monitored, and cross-referenced to server responses at politically "questionable" websites, which could permit a statistical correlation of account to physical identity. That may include known webmail servers. Your own computer might be infested with a keystroke monitor. Even the RF emanations of an unshielded computer can be monitored.

But all life involves some risk. You might be struck by an automobile while crossing the street. Simply determine what precautions are reasonably required and implement them.

Take care.


1. POP: Post Office Protocol. The standard which defines email handling over the Internet.

2. Other free webmail services include:
MailVault: Encrypted, PGP-compatible. Somewhat unreliable.
Hush mail: Encrypted, PGPi-compliant, somewhat slow, bloated interface.
Hotmail: Included as an example of what to avoid. A Microsoft service, which guarantees that your privacy is Job None.
Keep and Bear Arms: Not encrypted. Also allows POP access (Outlook, Eudora, etc.), but doesn't not support SMTP on a dynamic (dial-up access) IP.

Search for other mail, remail, redirect, access, and anonymizing services.

________________________________

Comment on this article
View all comments on this article

________________________________

Did you like this article?
Please consider rewarding the author's
hard work with a donation.


Don't have PayPal yet?

________________________________

Please rate this article! Knowing what you like will help us provide the content you want.

Bad Poor Average Good Excellent

If there's anything specific you'd like to say about this article, please do so here. Comments may be used in an upcoming Letters to the Editor.



Copyright © 2002 by Doing Freedom! magazine. All rights reserved.