The Antidote To E-Snoops
Author: BY HIAWATHA BRAY, GLOBE STAFF
Date: 08/03/2000
Page: C1
Section: Business
TECHNOLOGY & INNOVATION
UPGRADE / HIAWATHA BRAY
Last week, I offered a half-hearted defense of the FBI's notorious
Carnivore program, the one that can scan millions of e-mail messages in
pursuit of terrorists, dope dealers, and sellers of illegal cable TV boxes. It
seems to me that the technology isn't that dangerous if it's hedged about with
strong legal safeguards.
And one other thing - Carnivore won't work. All the e-mail snooping in the
world will be of little value against bad guys who encrypt their messages. The
Feds may be able to read the addresses, which must be sent in the clear. But
use a good crypto program and everything else in the message is just a blur of
seemingly random characters.
Of course, computers can eventually decipher the messages - in a few
million years per message, using your typical supercomputer. And even if some
genius in the basement of the National Security Agency has found a way to
decode each message in, say, a week, he'd still be overwhelmed by the sheer
number of messages he'd have to crack.
It makes you wonder why the FBI even bothered to develop Carnivore, until
you ask yourself whether you encrypt your own e-mail. Here's a good Baptist
bet for you: If 50 readers of this column can prove to me that they use e-mail
encryption, I'll slip an extra $50 into the collection plate next Sunday.
It's been several years since I tried an early version of Pretty Good
Privacy, one of the first e-mail scramblers. With its talk of hash
algorithms, passphrases, public and private keys, it made my brain hurt. Dr.
Evil himself would probably be repulsed by the complexity of the process. For
a law-abiding sort like me, it wasn't worth the bother.
But it needn't be this way. Web browsers come with sophisticated encryption
software built right in. It kicks in automatically when you use your credit
card to buy something online. This same encryption engine can be applied to
your e-mail by obtaining a "digital certificate," basically a set of keys that
let you send and receive scrambled messages. Standard e-mail programs like
Microsoft Outlook and Netscape Communicator let you plug in these certificates
and use them with ease.
Most people haven't known about this feature, or they aren't willing to pay
the minimum of $14.95 a year charged by Verisign Inc., the best-known dealer
in digital certificates. But in the grand tradition of the Internet, somebody
thinks he can give away the certificates and make it up in volume. WildID
(www.wildid.com) passes out free certificates good for 30 days, and sends you
an e-mail when it's time to renew. The company hopes to make money by
attracting millions of users to its site and bombarding them with ads.
The WildID system requires you to fiddle with some browser settings that
most folks never touch, but in only a couple of minutes I was sending secret
messages - with nobody to send them to. Just as in the days of Pretty Good
Privacy, WildID sends encrypted messages only to other WildID users. That's
fine if you send messages only to fellow members of the Soprano crime family.
But your notes to others remain insecure.
Another secure mail service called ZixMail (www.zixmail.com) offers a handy
backup. ZixMail runs inside its own client software, instead of the e-mail
program you normally use. Also, it's not as easy to set up as WildID.
But ZixMail has a clever feature that lets you send secure e-mails to
people who don't use the product. What they get is an unencrypted e-mail that
contains a link to a Web page where the message is waiting. When the recipient
clicks the link, the Web page uses the browser's standard encryption system to
download, decode, and display the message. It's pretty slick.
It's still not quite slick enough. Most of us will keep on sending our
e-mails in the clear. But if the government is ever caught abusing its
e-snooping technology, ZixMail and WildID will have all the business they can
handle. And the FBI's poor old Carnivore will starve to death.