Who’s reading your email?-FACT exclusive

June 12, 2008

FACT comments: Sami ben Gharbia of Global Voices Advocacy and a frequent FACT contributor and Robert Guerra of Freedom House and CitizenLab, developers of psiphon circumvention software share a very interesting perspective on email surveillance. We think there are disturbing similarities to the interception of activists’ emails in Tunisia and the emerging practice of email monitoring in Thailand. Monitoring is virtually required if webmasters and ISPs are to remain in compliance with Thailand’s new Cybercrime Law.

However, there are a few simple steps if you want to keep government busybodies out of your inbox-and you should care! Don’t delay: read this to the end and implement these basic security practices on your

Sami ben Gharbia: A number of human rights defenders in Tunisia are reporting having the same and strange problem with their webmail accounts on Yahoo, Gmail, Hotmail, etc. The content of the messages sent to them by fellow human rights activists are changed with other content that has nothing to do with the original messages. Opening any message makes it disappear from the inbox folder (opening = deleting)

This only happen when you log to these webmails in Tunisia. Today I tested this with the Tunisian lawyer and activist, Abdel Wahab Maatar. I logged into his account from the Netherlands and I was able to read his emails as normal. The content that I read in Holland is not the same he is reading in Tunisia; only the titles are the same!!!

This problem has been reported recently by RSF.

Reporters Without Borders:    Reporters Without Borders is also surprised by the problems Tunisian Internet users are having with their email. Messages sent to them by human rights organisations such as the International Association for Supporting Political Prisoners (AISPP), the Tunisnews website or Reporters Without Borders are illegible on arrival.

Several sources said the messages can be seen in the inbox and can be opened, but often there is nothing inside and, once opened, they disappear from the inbox. “It looks like badly concealed filtering,” a specialist said.

Here is a passage from a discussion between two Tunisians about their email correspondence (their online pseudonyms have been changed for their protection):

“XX says (18:51):

Your pc acts up from time to time

c=12FF/ says (18:52):

I opened the message and I found this in English: “Yesterday I ate a lovely cheesecake, but now I have a terrible stomach-ache. Are you a doctor.” It is bizarre.

XX says (18:52):

You mean, no attachment?

c=12FF/ says (18:52):

No (…)

(18:57): The problem is that the message disappears afterwards. It is not normal.


XX says (19:21):

I have just sent you a third message … Can you see what you have received?

c=12FF/ says (19:21):

In English: “We will meet next Sunday. Hoping you will be there. Greetings” (…) What are these messages in English that come with your emails? (19:22): and the weirdest thing of all is that your messages disappear afterwards. Without a trace.”

On 22 April, Reporters Without Borders sent a press release about the plight of the Tunisian opposition weekly Al-Maoufik to one of its contacts. The message’s subject line was “TUNISIA (Press release) – double financial threat to weekly Al-Maoufik.” The sender was RSF INTERNET (internet@rsf.org). When the recipient opened it, this is what he read:

see you

From: sir_john@rush.uk Top of form

Bottom of form Excuse me, have you seen Barbara? I’m looking for her everywhere. Çççççççççççççççççççççççççççççççççç

Tunisia is the Maghreb’s most repressive country as regards on online free expression and it is on the Reporters Without Borders “Internet enemies” list. Nonetheless, bloggers are active in Tunisia.Videos posted online on 10 April showed the size of protests in the towns of Redeyef and Diin Moulares in the southern mining region of Gasfa and the repression that ensued.

Robert Guerra replies:

1. It might be worthwhile to check to see if it’s affecting SSL webmail as well.

I mention this, as most webmail systems just enable SSL for login – but then turn it off once the authentication is done. This allows for the login/password to be protected, but then once logged in – everything is visible.

For example, most people tend to login to gmail using “http://gmail.com” – which just applies SSL to login, however  accessing gmail via “https://mail.google.com” secures both the login and viewing of email.

I recommend :  A quick survey of the affected webmail services should be done. One should test using “normal” login, as well as any “security” options that might not be turned on by default.

Sharing the results – would be useful, as it is likely that the Tunisian’s example might – unfortunately – propagate to there countries… Thus, users should know which webmail systems are affected.

If indeed DPI is taking place, might be worthwhile to raise it on the numerous DPI discussions taking place. The discussion in Canada – is quite active, one where activists could use the Tunisian example to help their case.. ref – http://www.neutrality.ca/

2. Have your colleagues in Tunisia log into their webmail using Psiphon.

3. Check if POP/IMAP-based email is also being affected.

– as above, check using SSL-enabled and not-enabled accounts.

4. Check to see if the same issue takes place with “fresh/new” webmail accounts.

– it might be that existing accounts have been compromised in some way. Should ask if the accounts that are being affected were accessed at public (ie. net cafe) PCs . if so, passwords might have been captured.

If there’s real-time interception of traffic – SSL could be of help. But users need to make sure of two things:
1. That SSL is always on…otherwise, anyone can see the traffic.
2. That users use their own machines. If they use a public iInternet cafe, who knows what might be installed. If a keylogger and/or screen capture program is installed – well, it’s a BIG challenge to find ways to use the machine.
3. If a public machine is being used – then, one should try to use one of the secure tools that have a virtual keyboard. Vaultletsoft <https://www.vaultletsoft.com/start/downloads.html> (“Secure, portable, spam-free and internationalised [i18n] privacy protection based on Bouncy Castle 256-bit AES and 2048-bit RSA encryption”) can be used without installation.

FACT: Watch for lots of new circumvention tools and information on FACT’s forthcoming Beat the Censors – Unblock ICT! CD, version 2.0…


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: