DRM: February 2009 Archives


February 2, 2009

From the NYT article on Obama's e-mail:
After all, Gov. Sarah Palin of Alaska found her e-mail account broken into and her messages posted online last year when she was running for vice president. Imagine a president's e-mail put on display for the whole world to see -- or perhaps just for the head of a hostile foreign intelligence service.

To minimize the risk, the government technology gurus have made it impossible to forward e-mail messages from the president or to send him attachments, people informed about the precautions say. His address is likely to be changed regularly as well. And the president's friends and staff members are being lectured about security.

So, it's trivial to stop people from sending him attachments. Your average email filtering system can do this no problem. Lecturing people about security is easy too (though probably futile). However, as far as anyone in the public computer security field knows, preventing you from forwarding e-mail that was sent to you is basically impossible. Once the email is available on a computer you control, you can do pretty much anything you want with it, including forward it. The only real exception to this is if the computer isn't really under your control, but is running software controlled by the government, which isn't really scalable. Even that's not enough: the government would need to replace your hardware with something that they control because otherwise you can modify the software to allow forwarding. That isn't to say one couldn't label mail with some "no forwarding" tag, it's just that your mail client wouldn't be required to obey it. Indeed, as far as I know there's no widely accepted tag like this, even for advisory purposes.
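The contrast above, as an added example that is not part of the original post: attachment stripping runs on a filtering server and so can be enforced, while a "no forwarding" tag is checked, if at all, by the recipient's own client. The `X-No-Forward` header, the addresses and the message contents are constructed for illustration; no such standard header exists.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

NO_FORWARD = "X-No-Forward"  # hypothetical advisory header, not a real standard

def parse(raw):
    return message_from_bytes(raw, policy=policy.default)

def body_text(raw):
    part = parse(raw).get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""

def attachment_names(raw):
    return [p.get_filename() for p in parse(raw).iter_attachments()]

def build_sample():
    """Constructed sample message: tagged no-forward, one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "friend@example.com"
    msg["Subject"] = "lunch"
    msg[NO_FORWARD] = "yes"
    msg.set_content("See you at noon.")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename="menu.bin")
    return msg.as_bytes()

def gateway_strip_attachments(raw):
    """Enforceable: runs on the filtering server, outside the user's control."""
    src, clean = parse(raw), EmailMessage()
    for name in ("From", "To", "Subject", NO_FORWARD):
        if src[name] is not None:
            clean[name] = str(src[name])
    clean.set_content(body_text(raw))
    return clean.as_bytes()

def forward(raw, new_to, honor_tag):
    """Client-side: honor_tag is the recipient's choice, so the tag is advisory."""
    src = parse(raw)
    if honor_tag and src.get(NO_FORWARD, "").strip().lower() == "yes":
        return None  # a cooperating client declines to forward
    fwd = EmailMessage()
    fwd["From"], fwd["To"] = str(src["To"]), new_to
    fwd["Subject"] = "Fwd: " + str(src["Subject"])
    fwd.set_content(body_text(raw))
    return fwd.as_bytes()
```

The only thing separating the two outcomes of `forward` is a flag set on the recipient's machine, which is why the tag cannot serve as a security control.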

Even if it were possible to prevent you from forwarding emails from the president, it's not clear how this would prevent the threat described in the first paragraph. OK, so you can't forward the message, but nothing stops you from just whipping out your camera and taking a picture of the screen and sending that to the New York Times, foreign intelligence service, etc. Remember that the photo is just digital information too, so it's pretty much equally easy to forward. Even if we imagine that a digital photo is problematic for some reason [technical note: sometimes people propose schemes designed to make it difficult to photograph or videotape movies, etc. Generally the idea is to exploit some misfeature of the recording sensor that isn't an issue in ordinary recording scenarios.] there's nothing stopping you from having a second computer which you use to—and this might be too sophisticated for some attackers—retype the entire message and send it to someone else.

Neither you nor I is ever likely to receive an email from the president, so this isn't a very cosmic issue. However, a very similar delusion, namely that you can stop people from making copies of the music and videos you sell them, has been the cause of a very large amount of inconvenience for users, so it's not trivial to get this right either. I suspect that pretty much any computer security person (Alex Halderman, call your office) the reporters had talked to would have dumped cold water on this claim, but I also suspect that they didn't even know enough about computers or think about the threat model enough to be suspicious; they just wrote it down. I wonder what would have happened if someone had told these reporters that in the future Air Force One would be powered by perpetual motion machines?