NSA And Your Privacy, How To Hide In Plain Sight 

Lightning flashes, splitting the darkness and casting a brilliant, grey light upon the boxy concrete building. The sight evokes a feeling of dread. It’s funny. For all its striving, the government cannot seem to communicate any other feeling in its architectural designs. This site would benefit from a flower bed or a colorful flag . . . but razor wire? 

I’m referring to the euphemistically-named Utah Data Center in Bluffdale, Utah—once a plot of dry desert grass, now a sprawling federal compound comprising a total of twelve cooling towers and two Chiller plants. Chilling is right. The Wall Street Journal calls it a “symbol of the spy agency’s surveillance prowess”.  

Edward Snowden, National Security Agency (NSA) contractor turned snitch, pulled back the curtain at the Intelligence Community Comprehensive National Cybersecurity Initiative Data Center (in case you’ve ever wondered whether Doublespeak exists outside the book 1984). Behind the curtain sits a wizard of data storage capacity some have estimated at yottabytes or zettabytes—a.k.a., “tons and tons”. For perspective, 400 terabytes can store every book that has ever been written. Given that the suspected capacity of the Utah Data Center is a trillion times greater, its wizardry could hold a trillion copies of every book in the world. 

But they aren’t actually storing books. They’re storing copies of every text message, every email, every phone call, and every web search any of us has made since 2013. And now that the Artificial Intelligence genie is out of its lamp, we know how easy it is for this “benevolent” spy agency to find anything they want. (Hang on a second, my tin foil hat is sliding off a little.) 

Now, I’m often told by passers-by, “The government doesn’t care about me. I’m a nobody.” That’s true. They don’t care about you. Until they do. In 1932, approximately 3.9 million “nobodies” were starved to death in Ukraine. According to an authoritative article on History.com, the reason was (partly) “to punish independence-minded Ukrainians who posed a threat to [Stalin’s] totalitarian authority”. 

Here in Cochise County, we have a lot (terabytes, maybe?) of independent-minded citizens—nobodies, if you will—posting messages to Facebook and Instagram, Snapping, Tweeting, DM-ing, emailing, chatting over the phone without reserve. We nobodies have a choice to make: we can either continue to have faith that our privacy protections are guaranteed, or we can hide. 

If you’d like to hide, then consider encrypting all your communications. Two excellent choices are the Signal app for texting and phone calls and Proton Mail for all your email communications. I use them, and I know a lot of brilliant people who do the same, not because we have anything illegal to hide, but because we believe our private communications should remain private. 

The NSA plays an important role in safeguarding our Republic. May they continue to do so. Like lightning in a storm, may they shed light on the darkness that threatens to swallow us 

The Dangers of Unencrypted Email

Postcards from War: Recently, I was reading some of my grandfather’s faded postcards from World War I. I happened to read one in which he mentioned being released from quarantine: March 11, 1918, Fort Lewis, Washington – the Spanish Flu pandemic.

Then & Now: Postcards were how our grandparents sent brief messages over long distances. They are the antique analogs to modern email. The messages and attachments you send via email are every bit as private and secure as that dusty, old postcard.

Is This Normal: Recently, a close associate of mine, I’ll call him “John”, was required to take a defensive driving course. The business providing the service asked John to send a copy of his driver’s license. John promptly took a picture of his driver’s license in beautiful, high-definition color and attached it to an unsecure email. He didn’t even question it.

How It Works: Let’s look momentarily at a seemingly benign example to illustrate what happens when you hastily click the “send” button. Say you work for a medical practice and you send an email from your office to a patient. Here’s what happens:

  1. The email leaves your computer.
  2. It travels on your Internet Service Provider’s (ISP) network.
  3. It arrives at your mail server – a server you probably don’t control.
  4. Your hosted email provider then forwards a copy of the email to the patient’s mail server, probably webmail, like Gmail.
  5. A copy of the email languishes on the mail provider’s server.
  6. It then takes the last leg of the journey to land on the patient’s personal computer.

Everybody Sees It: As you can see, at any of those points, the email (like a postcard) can be read by anyone with access. That means, if any of those computers storing a copy of the emails is compromised, so are the emails. All of them.

Unsecure By Design: Email is by design, unsecure. That is why you should never, (let me repeat, EVER) include any important, private information in any email, not just the protected health information (PHI) of patients. Unencrypted email is simply the wrong medium for transmitting sensitive data.

From the hhs.gov website:

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual.

For Healthcare: Now, I’m not a HIPAA lawyer, and this is not legal advice, but basically, if you are a medical practice, you know that much of your communication with patients is over email. In fact, many prefer it. So as long as you warn the patient that your email communication is over unsecure media, and the patient acknowledges, then you may be absolved of the consequences of a PHI breach … maybe. You can even get patient acknowledgment with (ironically) a simple email waiver form that the patient signs and returns to your office, over email.

Secure Options: If you only send PHI through your Electronic Medical Record’s application, it may take care of the encryption for you. But if not, there are email providers that will encrypt your emails. If you use Microsoft Office 365, there is a tier that will allow you to encrypt email. Other email providers like ProtonMail offer encryption capabilities. A Chrome extension even exists allowing you to encrypt Gmail. It can be a little inconvenient because you have to think up a strong password for each email, then you have to deliver the password to your patient by calling or texting them. If emails containing sensitive data are sent infrequently, the risk is lower. You decide whether you’d rather go through the effort or experience a breach.

You don’t have to protect sensitive data forever. Its value degrades over time. Conversely, that little postcard my grandfather hastily scrawled over 100 years ago is ever more precious to me.