Tor developer Jacob Appelbaum evidently surprised many in the software-security business recently when he announced on Twitter that "using Gmail has been the best legal services investment I've ever made." The issue, evidently, was a secret US government request for Appelbaum's email data—one which Google was equipped and willing to fight in court. Appelbaum suggested that other email providers would likely have been unable or unmotivated to take the actions Google did. The debate that followed Appelbaum's Twitter post raises a number of questions about the relative merits of engineering and legal talent when it comes to service providers.
The case that brought Appelbaum's use of Gmail to the forefront is a court order requested by the US Department of Justice (DOJ) that told Google to hand over roughly one year's worth of Appelbaum's Gmail records—specifically, the email addresses of everyone with whom he had exchanged mail and the IP addresses he had used to access his own mail. The order was issued in January 2011, and pertained to the 2010 Wikileaks diplomatic-cable disclosure.
According to Ryan Gallagher in The Intercept's write-up of the case, Google fought the court order on both free-speech and unreasonable-search-and-seizure (i.e., the US Constitution's First and Fourth Amendment) grounds. It also attempted to notify Appelbaum that his records had been requested, but was blocked from doing so by a gag order. Interestingly enough, the DOJ argued that the gag order was important to the case because Twitter had notified several targets of similar secret court orders that their records had been requested (Appelbaum among them), and it disliked the subsequent backlash.
The email metadata was evidently turned over in March 2011, and the government finally agreed to unseal the court records in April 2015, in partially redacted form. Google subsequently notified Appelbaum of the order. In The Intercept's story, Appelbaum commented that the news of the legal battle was neither shocking nor necessary to confirm what many already suspected. He noted that, since he now lives in Germany, any further pursuit of the investigation will be more difficult for the US court system to conceal.
That is more or less a predictable response to such a circumstance. Other whistleblowers and critics of US government surveillance have clearly also been the targets of similar secret court orders—as the 2013 Lavabit shutdown indicates. But Appelbaum's comment calling Gmail a "legal services investment" on June 18 sparked a lot of questions. The conventional wisdom, after all, is that it is safer to use one's own server or to sign up with a privacy-centric email provider—which Gmail certainly is not, given Google's dependence on user-tracking ad delivery as a revenue stream.
Appelbaum posted a general response on June 22, saying: "A few people have asked why I would use GMail; the purpose is simple: 0) free legal service from Google 1) expose the processes and results!" A few minutes later, he added: "For many years, I have used services specifically to trap the US Govt into picking fights that will become public." He also noted that he could not afford to hire Google's legal team, but that: "They did this work for free. Now we all know."
Twitter, it must be said, is not the easiest platform on which to follow a multi-threaded discussion such as the one that ensued on June 22. However, a few relevant points can be picked out from the traffic. The central issue is that the threat of surveillance by the NSA or any other attacker using technical means to intercept traffic is decidedly different from the threat of court-ordered record seizure. Programmers may naturally gravitate toward the technical challenges, but they ignore the other side at their peril.
In reference to the use of Gmail, Twitter user "Austerity_Sucks" asked Appelbaum "you don't recommend others use Gmail for any reason even if similar to yours right?" Appelbaum then answered that "it depends. I generally think @riseupnet is the right choice."
Riseup.net, for those unfamiliar, is a donation-funded email (and other communication services) platform that puts a strong emphasis on user privacy: deleting logs, removing IP addresses from email, and so forth—even taking steps to ensure that what records it does keep cannot be used to identify individuals. On one occasion in 2012, a Riseup.net server was seized by law enforcement. The disks were encrypted and the company was not forced to hand over decryption keys, so no data may have been recovered. In addition, Riseup.net refused to put the machine back in service after it was returned, in case some backdoor had been installed.
The service is, thus, somewhat akin to that previously offered by Lavabit. User "OaklandElle," however, called the recommendation "terrible advice," commenting that: "In terms of government surveillance, it's incredibly naive to believe that the feds will only use legal means to obtain information."
But that was not really the issue that Appelbaum faced in the Wikileaks court-order incident. That was a case where the main problem was the secrecy of the government—preventing Google from even notifying Appelbaum that he was the target of a court order. Mass interception and analysis of Internet traffic by intelligence services (or anyone else) is a technical, not a public-policy, concern. As Appelbaum mentioned elsewhere in the discussion, "different techniques for different attackers. DoJ isn't NSA."
OaklandElle and several other users contended that email is an inherently insecure means of communication, regardless of whether Riseup.net or any other project is the service provider. Appelbaum concurred, saying that "using email means you've already chosen the wrong tool for a job that requires actual security." He also pointed out that a number of US-based service providers had cooperated with the NSA's PRISM data-collection program.
To what degree any email provider based in the US has willingly complied with PRISM is hard to say—specifically, whether or not a company allows the NSA to access server logs directly. The Electronic Frontier Foundation publishes a report about service providers' cooperation with the authorities, although it naturally relies on some second-hand information. Google, for one, has said that it fights requests for user data that it feels are overly broad, that it will notify users when it has received a request for a user's records, and that it does not participate in PRISM's bulk surveillance.
Such claims will understandably be met with skepticism by some users, and they do not address the issue of NSA wire-tapping that operates entirely off the official, public record. As the 2011 request for Appelbaum's records indicates, though, Google does at least resist court orders on some occasions. So requests that come through the court system may eventually be brought to light, even if other, off-book NSA interception efforts remain hidden.
Had Appelbaum been using Microsoft's Outlook.com (which is suspected of cooperating with PRISM) instead, it is possible that neither he nor the Internet at large would ever have heard of the DOJ records request. Had he run a private email server, he might have had a system that could be more effectively hardened against technical attacks, but when the DOJ court order was served (either to him or to his hosting provider), he would not have been able to challenge it. There is no substitute for taking one's encryption and online-privacy setup seriously, but in this case, at least, there may also be value in working with a service that has plenty of lawyers on staff.
The security benefits of using Gmail
Posted Jun 25, 2015 7:57 UTC (Thu) by rsidd (subscriber, #2582) [Link]
The security benefits of using Gmail
Posted Jun 25, 2015 13:19 UTC (Thu) by jake (editor, #205) [Link]
We have not found any real abuse of the subscriber links, some of which have definitely been posted to social media in the past. So, if you are so inclined, feel free to do so.
The article will, of course, be open to all in a week's time.
jake
The security benefits of using Gmail
Posted Jun 25, 2015 14:19 UTC (Thu) by rsidd (subscriber, #2582) [Link]
The security benefits of using Gmail
Posted Jun 25, 2015 12:32 UTC (Thu) by smitty_one_each (subscriber, #28989) [Link]
The security benefits of using Gmail
Posted Jun 25, 2015 20:04 UTC (Thu) by mbanck (subscriber, #9035) [Link]
https://storify.com/bbhorne/jacob-appelbaum-s-legal-discl...
The security benefits of using Gmail
Posted Jun 26, 2015 10:56 UTC (Fri) by robbe (subscriber, #16131) [Link]
> Had he run a private email server, he might have had a
> system that could be more effectively hardened against
> technical attacks, but when the DOJ court order was served
> (either to him or to his hosting provider), he would not have
> been able to challenge it.
Very true. But in my own hosting, I can choose if and how much I log. The DoJ can't well expect to get logs that don't exist.
Plus it's much more likely that the suspect gets wind of the issue, so a government concerned with its image may refrain from asking at all.
The security benefits of using Gmail
Posted Jun 26, 2015 13:30 UTC (Fri) by meskio (subscriber, #100774) [Link]
I guess Appelbaum is thinking of pond: https://pond.imperialviolet.org/
The security benefits of using Gmail
Posted Jun 27, 2015 7:47 UTC (Sat) by jani (subscriber, #74547) [Link]
Anyone know why?
Also, he seems to be a US citizen. Does Google (claim they) respect the privacy of non-US citizens non-residents as well?
The security benefits of using Gmail
Posted Jun 27, 2015 20:23 UTC (Sat) by hugoroy (guest, #60577) [Link]
I don't see why he would not have been able to challenge it. He would have been more able to challenge it, than in the situation where the email provider receives a gag order! Indeed: how can you challenge something that you can't point at?
At least, if the DoJ order to get email data goes directly to you, there's no usefulness for a gag order. And you can challenge that request immediately, without relying on the benevolence of Google.
Had the same situation happened for anyone less known than Jake Appelbaum, I'm not sure that we could say Google would have acted the same way.
Sure, lawyers can be expensive. But lawyers can also work pro bono for cases like these. And at least, in such cases, the lawyers have your interest in mind first, not Google's.
Copyright © 2015, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.