Showing posts with label FBI. Show all posts

Monday, May 11, 2009

My latest FOIA: DOJ's use of "hotwatch" orders for credit card transaction data

(sent by fax this morning)

This letter constitutes a request under the Freedom of Information Act (“FOIA”), 5 U.S.C. §552. I am seeking records concerning the use of “hotwatch” orders directing credit card issuers to disclose prospective credit card transaction information.

Background

On October 11, 2005, the US Attorney from the Eastern District of New York submitted a court filing in the case of In re Application For Pen Register and Trap and Trace Device With Cell Site Location Authority (Magistrate's Docket No. 05-1093), which related to the use of pen register requests for mobile phone location records.

In that case, the US Attorney’s office relied on authority they believed was contained in the All Writs Act to justify their request for customer location information.

In support of its claim, the office revealed that:
Currently, the government routinely applies for and upon a showing of relevance to an ongoing investigation receives “hotwatch” orders issued pursuant to the All Writs Act. Such orders direct a credit card issuer to disclose to law enforcement each subsequent credit card transaction effected by a subject of investigation immediately after the issuer records that transaction.

A Google search reveals no other mentions of “hotwatch” orders other than the government’s filing in this case. Likewise, a search of Federal and State cases via Lexis Nexis reveals no other information.

I request any records, including memoranda, policies, procedures, legal opinions and statistics concerning the use of “hotwatch” orders or other requests for prospective credit card transaction information. The scope for this request shall include all documents created between January 01, 2000 and May 10, 2009.

Sunday, May 10, 2009

FBI budget request raises questions

From ABC News:
The budget request shows that the FBI is currently developing a new "Advanced Electronic Surveillance" program which is being funded at $233.9 million for 2010. The program has 133 employees, 15 of whom are agents.

According to the budget documents released Thursday, the program, otherwise known as "Going Dark," supports the FBI's electronic surveillance intelligence collection and evidence gathering capabilities, as well as those of the greater Intelligence Community.

"The term 'Going Dark' does not refer to a specific capability, but is a program name for the part of the FBI, Operational Technology Division's (OTD) lawful interception program which is shared with other law enforcement agencies," an FBI spokesman said.

... the program is designed to help the agency deal with changing technology and ways to intercept phone calls such as those used by VOIP (Voice Over Internet Protocol) phones or technology such as Skype.

That is rather interesting, considering that in 2008, there were only 10 electronic communications intercept court orders requested nationwide (by both Federal and State law enforcement). As for Skype and other encrypted communications -- again in 2008, only two instances of encryption were encountered, and neither posed a barrier to investigators, who were still able to obtain the information they wanted.

So. Either we're paying 23 million in development/staff costs per intercept (assuming the number has stayed the same since 2008), electronic intercepts have jumped in number by an order of magnitude, or.... the FBI and other agencies are engaging in electronic surveillance in a way that evades the traditional reporting requirements for wiretap and intercept orders. I wonder which it is?

Saturday, April 18, 2009

Current Red Hat Linux employee & Fedora project lead may have played key role in use of government spyware in former job at FBI

Updated at 10PM on April 20: There has been a fantastic discussion of this issue on a Fedora related mailing list. The short version is that only three people have access to the secret key used to sign Fedora updates, and Mr. Frields is not one of them.

Updated at 11AM on Saturday to provide a bit of clarity, and to define CIPAV

Did a current Red Hat employee and the project leader for Red Hat's Fedora free Linux distribution previously install and support government surveillance spyware onto the (Windows) computers of suspects while an FBI employee back in 2005?

Based on publicly available documents, it appears so.

Page 93 of the recent 153 page FOIA document dump (Warning: huge pdf) obtained by Wired News appears to be a ticket report from a 2005 surveillance request to the FBI's Cryptographic and Electronic Analysis Unit.

The document requests "CIPAV support as per discussion between EP [redacted]". The document also notes that the request is for a "Data/Voice Intercept with Encryption"


CIPAV ("computer and internet protocol address verifier") is, as Wired reports, a software tool designed to infiltrate a target's computer and gather a wide range of information, which it secretly sends to an FBI server in eastern Virginia.

As Professor Paul Ohm tweeted on Friday evening, it appears that the censors at the FBI forgot to remove the username of one of the engineers working on a case: 'pfrields'.

A bit of Googling reveals that pfrields is the handle used by Paul W. Frields, now an employee of Red Hat Linux. His blog also notes that he is currently the Fedora Project Leader.

Of course, there could be more than one pfrields on the Internet... which is where PGP keys come into play.

A quick query of the MIT Public PGP server reveals that the following email addresses are all using the same public key:

pub 1024D/BD113717 1997/09/19

Paul W. Frields <pfrields@fbi.gov>
Paul W. Frields <paul@frields.com>
Paul W. Frields <paul@frields.org>
Paul W. Frields <stickstr@cox.net>
Paul W. Frields <pfrields@redhat.com>
Paul W. Frields <stickster@gmail.com>
Paul W. Frields <stickstr5@hotmail.com>
Paul W. Frields <pwfrields.cart@fbi.gov>
Paul W. Frields <Paul.Frields@ic.fbi.gov>
Paul W. Frields <stickstr@cyberrealm.net>
Paul W. Frields <stickstr@novacoxmail.com>
Paul W. Frields <pfrields@fedoraproject.org>


Based on this information, it would appear that someone claiming to be Paul W. Frields with an email address at fbi.gov is now using the same public key as someone signing emails as Paul W. Frields with a redhat.com email address. Based on documents from a PGP keysigning party in January of this year, this collection of email addresses appears to have been verified by other members of the Linux community.

Finally, a configuration file in a web-accessible subversion repository on Paul Frields' own webserver mentions the fbi.gov email address, which seems to be a pretty solid link confirming that the Linux developer is a former FBI employee.

Of course, even if the pfrields who worked for the FBI is the same pfrields who now leads Red Hat's free Linux distribution, there isn't necessarily any cause for concern.

After all, unlike the CIA agents who tortured prisoners, and the illegal wiretapping performed by NSA employees, the work of the FBI seems to be above board -- well, except for the FBI's misuse of National Security Letters, oh and the likely illegal backdoor the FBI has to Verizon Wireless's backbone network.

No need to worry though, since all of the CIPAV spyware requests do seem to have been accompanied by a court-approved search warrant.

Let us for the moment assume the best -- that Mr. Frields is a good patriotic American who has the deepest respect for civil liberties, and went to work for the FBI in order to help hunt down terrorists and evil-doers.

Even so, I suspect that many users of the Fedora Linux distribution, particularly those outside of the United States, might be shocked to find out this news, just as many Americans might be shocked if they learned that a former KGB agent was now in charge of keeping their computers secure.

Given that a select few members of the Fedora project likely have access to the private keys necessary to sign and release automatic updates to the operating system, the fact that one of these persons has in the past been involved with the insertion of spyware onto the computers of individuals without their knowledge or permission might be something that many Fedora users might be concerned about.

It's not that former government employees - even those in charge of installing spyware - should be excommunicated from the rest of the development community (after all -- there are former NSA engineers who have done amazing work on the SE Linux project). It's just that we should think twice before placing them into the open source community's most sensitive positions - just as the FBI would never grant the highest security clearances to a former hacker.

As of press time (2AM on Saturday morning), Paul Frields had yet to respond to queries submitted via email or twitter. If he does respond at a later date, this blog post will be updated to reflect his comment.

Disclosure: I've had my own fairly negative experience with armed FBI agents, who later raided my home at 2AM. Readers of this blog should consider that when evaluating this article w/regard to any bias I might have.

Hat Tip: Wired's Kevin Poulsen was the first to google pfrields and discover that he might be a Linux geek.

Friday, April 17, 2009

Thoughts on the FBI spyware documents

Kevin Poulsen of Wired has now posted the documents he received in response from the FBI to his FOIA request.

In short, the FBI has been using their own homebrewed spyware to collect information on suspects who are using proxy servers (such as Tor) to hide their own IP addresses.

The EFF, CNET and Wired all submitted similar FOIA requests, and likely received the same documents in response. I do hope that either Wired or EFF appeal the heavy redaction by the FBI's FOIA office. As Professor Paul Ohm writes, "The 152 pages don't take long to read, because they have been so heavily redacted. The vast majority of the pages have no substantive content at all."

While there are lots of issues raised by the FBI's spyware tool, I want to focus on one particular issue here: The FBI's method of infection.

As Wired's Kevin Poulsen notes:
The documents shed some light on how the FBI sneaks the CIPAV onto a target's machine, hinting that the bureau may be using one or more web browser vulnerabilities. In several of the cases outlined, the FBI hosted the CIPAV on a website, and tricked the target into clicking on a link. That's what happened in the Washington case, according to a formerly-secret planning document for the 2007 operation. "The CIPAV will be deployed via a Uniform Resource Locator (URL) address posted to the subject's private chat room on MySpace.com."

Remember now that this CIPAV spyware tool has been designed to locate hackers smart enough to use proxies to hide their IP address information.

Is the FBI's spyware tool spread through the use of suggestive messages (such as this hypothetical example) left on a suspect's MySpace page?:
"Hi, I am a sexy 18 year old cheerleader, and I'd like to meet you. Please click here to find out how to contact me"
Such a message will contain a link to a page on an FBI controlled web-server which then uses an unpatched browser vulnerability to force a drive-by spyware infection.

While that might work for a few stupid teenagers, it is unlikely to work on real tech-savvy hackers.

What is far more likely is that the FBI has asked MySpace, Google or Yahoo to insert the drive-by malware infection code directly into their own websites, so that the next time the suspect signed into their account, their browser would automatically be infected without the need to trick them into visiting an FBI-controlled Web site.

Such cooperation by Web 2.0 companies (if it indeed occurred) would be fascinating, troubling and would likely do significant damage to their reputations -- which would also explain the significant redaction in the FOIA documents.

If there is a lesson to be learned from this document release, it is that if you want to protect yourself from the FBI's CIPAV spyware tool, you should make sure you're running the latest version of your Web browser (and should probably avoid IE). Those people stupid enough to transmit anonymous bomb threats using Internet Explorer 6.0 are likely to end up in jail very quickly.

Thursday, July 19, 2007

Airport Security x 3


This blog post is likely to be the last until September, as I'll be leaving Munich next week, and will spend the entire month of August backpacking in India. I expect to have email access in Ladakh, and I doubt if there will be decent Internet in the remote villages in the Parvati Valley - at least, there wasn't any when I visited last year.

Today's blog post is in three parts, all related to airport security: The end of my legal troubles, the successful publication of my airport security research paper, and a brief writeup of my recent experience going through British airport security.



I received word from my awesome pro-bono legal counsel, Jennifer Granick, that TSA has wrapped up their investigation, and will not be filing civil charges against me. The FBI dropped their investigation in November last year. It looks like the entire affair is now over.

Ten months after the FBI strong-armed my ISP into taking down my website (as well as ransacking my home, and making off with my computers and passports), the flaws that I highlighted are still exploitable, and have not been fixed. The reimplementation of my boarding pass generator by "John Adams" (that was first released on November 1 2006) also remains online.

In addition to the help of super-lawyers Jennifer Granick and Steve Braga, I received an outpouring of support from around the world, from the students, faculty and staff at Indiana University, and from my friends, family and loved ones.

One particular friend provided me with a place to stay the night the FBI visited, and had it not been for their insistence that I come with them, I would have been at home when the G-Men broke in at 2AM, guns drawn. To this person in particular as well as everyone else who helped out, I am eternally grateful.



Security research is typically a two part process: You break something, and then you fix it. My boarding pass generator and numerous blog-posts highlighting the no-id + no-fly list problem were the first part of the research process. A newly released academic paper fixing the flaws is the second part.

I am proud to announce that my paper "Insecure Flight: Broken Boarding Passes and Ineffective Terrorist Watch Lists" has been accepted for publication by the IDMAN 07 working conference, where I'll also be presenting it in Rotterdam, Netherlands in October.

Bruce Schneier, Senator Schumer, and others did a great job in highlighting the fake/modifiable boarding pass problem years before I built my hullabaloo causing website. However, no academic has yet written about this. My paper fully explores the interesting combination of the ability to fly without ID, and the government's insistence on maintaining a no-fly list. I have personally flown without ID over 12 times, and I do not believe that anyone else has really written about the fact that this essentially neutralizes the no-fly list. I also present a new physical denial of service attack against the TSA passenger screening system.

It is important to note that I do not take a position on the no-fly list in the paper. The US government has spent over $250 million dollars on implementing the list. The paper thus explores methods to effectively enforce it. The paper presents a technical solution to the problem (digitally signed boarding passes), which will enable TSA staff to instantly learn if a pass is valid or not, or if it has been tampered with, as well as stopping all other known attacks.
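A sketch of the signed-pass check described above, added here as an illustration; it is not code from the paper. The field set, the JSON-plus-Ed25519 barcode layout and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// BoardingPass lists the fields a checkpoint compares with the traveller's ID.
// The field set is an assumption for this example.
type BoardingPass struct {
	Name, Flight, Date, From, To, Seat string
}

// ErrInvalid is returned for every pass that fails verification; the caller
// gets no detail about which step failed.
var ErrInvalid = errors.New("boarding pass failed signature check")

var enc = base64.RawURLEncoding

// NewAirlineKey creates the airline's signing key pair. Only the public half
// has to be distributed to checkpoint scanners.
func NewAirlineKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue runs at check-in and returns the text carried in the pass barcode:
// base64url(payload) "." base64url(signature over payload).
func Issue(priv ed25519.PrivateKey, p BoardingPass) (string, error) {
	payload, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, payload)
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// Verify runs on the checkpoint scanner and needs no network connection.
// The signature is checked before the payload is parsed, so unsigned bytes
// never reach the JSON decoder.
func Verify(pub ed25519.PublicKey, barcode string) (BoardingPass, error) {
	var p BoardingPass
	parts := strings.Split(barcode, ".")
	if len(parts) != 2 {
		return p, ErrInvalid
	}
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return p, ErrInvalid
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil || !ed25519.Verify(pub, payload, sig) {
		return p, ErrInvalid
	}
	if err := json.Unmarshal(payload, &p); err != nil {
		return BoardingPass{}, ErrInvalid
	}
	return p, nil
}

// withName models a print-at-home pass edited after issue: the name field is
// changed and the original signature is left in place.
func withName(barcode, name string) string {
	parts := strings.Split(barcode, ".")
	if len(parts) != 2 {
		return barcode
	}
	payload, _ := enc.DecodeString(parts[0])
	var p BoardingPass
	_ = json.Unmarshal(payload, &p)
	p.Name = name
	edited, _ := json.Marshal(p)
	return enc.EncodeToString(edited) + "." + parts[1]
}

func main() {
	pub, priv := NewAirlineKey()
	// Constructed sample pass; airline and airport codes are placeholders.
	pass := BoardingPass{Name: "DOE/JANE", Flight: "XX123", Date: "2007-10-11",
		From: "AAA", To: "BBB", Seat: "14C"}
	code, err := Issue(priv, pass)
	if err != nil {
		panic(err)
	}
	p, err := Verify(pub, code)
	fmt.Println("genuine pass:", p.Name, err)
	_, err = Verify(pub, withName(code, "ROE/RICHARD"))
	fmt.Println("edited pass: ", err)
}
```

The scanner still has to compare the verified name with the traveller's ID; the signature only proves that the airline issued exactly these fields.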

Were the airlines in the US willing to check the ID of each passenger before they board a flight - something they did right after 9/11 - my technical solution wouldn't be necessary. 100% effective enforcement of the no-fly list is only possible when airlines check all IDs at the gate, and when the US government takes away our right to fly without ID.

A pre-publication copy of my paper can be downloaded here.


I was in London two weeks ago to see family. I flew in a few hours after the failed bomb attack, and was watching TV in east London when the idiots tried to drive a flaming jeep into Glasgow airport.

I flew back to Germany a couple days later, and in spite of the fact that I had to get up at 4AM for my flight, I paid close attention to the security procedures in place at Stansted Airport.
  • There is now an unwritten but enforced rule banning large umbrellas. If it can't fit in a carry on bag, you're forbidden to take it through security. British airport security staff thus seized my golf-umbrella.


  • Just as in the US, the British consider hummus to be a liquid. I took the top off the container, held it upside down, thus demonstrating that it would not pour out, but the screener insisted that I give it up. The supervisor on duty did at least let me sit on one of the bag-searching tables, with people's bags being searched on both sides of me. Thus, under the watchful corner-of-the-eye of her security staff, I ate all the hummus and pita bread I had brought with me as my lunch. The supervisor even went out of her way to bring me an unrequested cup of water. I can't imagine TSA staff doing this.

  • Print at home boarding passes with the airline Easyjet contain a computer-readable barcode. This barcode is read by airport security screening staff, before you even enter the metal detector/x-ray line. I'm not sure what happens if the barcode doesn't find a match - but I did observe that my name came up on the screen, which the security staff member then compared to my ID. This means that if your name is not associated with a paid ticket in the reservation system, you will not even gain access to the security screening area. Quite impressive.


  • Once Easyjet staff began boarding, they looked up every passenger's name in the reservation system and checked it against an ID before letting the passenger onto the airplane. No passport, no entry.



Comparing US domestic flight security to European flight is not 100% fair. You do not need to show ID to travel within the US, and except for a few select situations, you cannot be forced to show ID in the US. Europeans do not have this right, and as the individual European countries are much smaller than the US, you are essentially always crossing some international border when you fly.

US airlines somehow managed to get the government to let them stop asking for ID at the gate - after they complained about the labor costs and delays the process introduced to the flight-boarding process.

Nonsense.

If Easyjet, a no-frills airline that won't even give you a free glass of water, can ask passengers for ID and somehow manage to turn a profit, as well as get their flights off in a reasonable amount of time, then the US airlines are not telling the truth.

I lived in the UK when the IRA, through the use of bombs placed in train-station rubbish bins, forced the authorities to remove every trash can from train and tube-stations in London.

While the Israelis get a lot of credit for their airport security skills - as others have pointed out before me, Israel is small, and doesn't have many flights in or out. London's Heathrow is one of, if not the busiest airport in the world. The British have had this airport security thing figured out for years. If the US government is serious about enforcing the no-fly list, they should learn a thing or two from the Brits, and force all airlines to check passengers' ID against a computerized reservation system record at the gate.

The flip side of course, is that if the US government finally accepts that the no-fly list is a pointless waste of money, then that money can be spent on more important things - like training TSA staff to actually find the weapons and bombs that they currently seem to miss, again and again.

Thursday, April 05, 2007

FOIA frustrations, lessons learned

I submitted a Freedom Of Information Act (FOIA) request to the FBI last month, to get "access to and copies of any and all documents (including but not limited to) memos, electronic mail, presentations, briefings, meeting notes, guidelines and policies relating or mentioning to "Tor", "onion routing", "onion router", and "anonymous/anonymizing proxy/proxies""

I received word today that my request had come back empty. This is rather shocking, since I've personally spoken to FBI agents who know about Tor - and logically, it, or similar anonymizing proxies must have come up during investigations....

It turns out that with a standard FOIA request, no matter what you ask for, or how it is phrased, the FBI only searches their database for records that have the words of interest in the subject. If an FBI agent writes a case note about someone under investigation, and Tor comes up as part of the report, you won't get it back under a simple FOIA request. Simply put, an agent has to include the word "tor" in the subject of the memo/note for it to come back during a FOIA search.

The magic words, it seems, are to ask for a "full cross-reference search". If you do this, I'm told (by the FBI FOIA people), then they will actually search the contents of all records, instead of just the subject headers.

Grrr.. 1 month wasted just to find that out.

FOIA resubmitted....

Wednesday, February 07, 2007

Un-SAFE Behavior

Update:

Source code pulled until I chat with a couple legal minds. It's only 15 lines of perl, so it's not too tricky to create.

----


DISCLAIMER: I do not support child porn. I think it's sick, twisted, and should not be tolerated in our society.

However, I think that government surveillance and censorship are even more evil. I do not want to make life easier for child pornographers - but the threat of feature creep in anti-child porn systems is far too dangerous. One day it targets child porn, the next week it targets images of Mohammad (P.B.U.H.), and the week after, copies of the Anarchist Cookbook. No thank you.

----

Declan reports that Senators McCain and Schumer have proposed the SAFE act, which would create a national database of child porn images - or I'm guessing, simply require that the FBI make their own database public. ISPs would be given access to this database, and would be required to screen traffic and alert the authorities of any user who transmits/hosts an image that matches a fingerprint in this database.

For obvious reasons, they aren't going to give ISPs access to an actual database containing child porn. Thus, they're most likely going to give them a list of hashes of known child porn. The ISP's will then have to compare all sent/received attachments in emails and hosted files to this database of hashes. If they get a positive match, the ISP will be required to tell the G-Men.

I'm against this kind of thing for so many reasons. I don't want my ISP monitoring the traffic that passes through their network. I don't transmit any child porn, but this sets a very bad precedent. Once the infrastructure is in place for them to compare hashes of child porn, it won't be too difficult for them to start comparing hashes of music, copies of dissident literature, photographs of dead soldiers in Iraq, anti-Scientology documentation, or anything else that someone with their hand in a Senator's pocket doesn't like.

Moreover, this law would also cover obscene images of minors including ones in a "drawing, cartoon, sculpture, or painting." (The language warns that it is not necessary "that the minor depicted actually exist.") This is not a good thing.

Let's get technical now...

MD5/SHA1 hashes are a very very bad way to compare images. If one single pixel in the image changes, the fingerprint completely changes.

There are significantly better methods to compare images to see if they are the same - which can withstand resizing, any number of slight modifications in Photoshop, or the modification of a few pixels - the problem with these, is that they are slow. If an ISP is going to run a comparison against every image that crosses its network, it needs to be super fast - which is why they'll probably end up using MD5/SHA1.
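The trade-off above, shown from the matching side in an added example (not code from the original post): an exact SHA-1 digest misses a copy that differs by one pixel value, while a 64-bit average hash still matches it. The 32x32 grayscale images are constructed in the code, and the average-hash variant and the 5-bit match threshold are choices made for the example.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math/bits"
)

const (
	side = 32 // constructed images are side x side, 8-bit grayscale
	grid = 8  // the perceptual hash covers a grid x grid thumbnail (64 bits)
)

// SampleImage builds a constructed diagonal gradient so the example runs offline.
func SampleImage() []uint8 {
	img := make([]uint8, side*side)
	for y := 0; y < side; y++ {
		for x := 0; x < side; x++ {
			img[y*side+x] = uint8(4*x + 3*y) // at most 217, no overflow
		}
	}
	return img
}

// ExactDigest is the fingerprint an exact-match system stores.
func ExactDigest(img []uint8) string {
	sum := sha1.Sum(img)
	return hex.EncodeToString(sum[:])
}

// AverageHash shrinks the image to grid x grid cells and sets one bit per
// cell that is at least as bright as the image mean. Sums are compared
// instead of averages to stay in integer arithmetic.
func AverageHash(img []uint8) uint64 {
	cell := side / grid
	var sums [grid * grid]int
	total := 0
	for y := 0; y < side; y++ {
		for x := 0; x < side; x++ {
			v := int(img[y*side+x])
			sums[(y/cell)*grid+x/cell] += v
			total += v
		}
	}
	var h uint64
	for i, s := range sums {
		// cell mean >= image mean  <=>  s * (number of cells) >= total
		if s*grid*grid >= total {
			h |= uint64(1) << uint(i)
		}
	}
	return h
}

// Distance is the number of differing bits between two perceptual hashes.
func Distance(a, b uint64) int { return bits.OnesCount64(a ^ b) }

// Matches reports a near-duplicate when at most maxBits bits differ.
func Matches(known uint64, candidate []uint8, maxBits int) bool {
	return Distance(known, AverageHash(candidate)) <= maxBits
}

// OnePixelChanged returns a copy with a single pixel value raised by 1.
func OnePixelChanged(img []uint8) []uint8 {
	out := append([]uint8(nil), img...)
	out[20*side+10]++
	return out
}

// Brightened returns a copy with every pixel raised by d.
func Brightened(img []uint8, d uint8) []uint8 {
	out := make([]uint8, len(img))
	for i, v := range img {
		out[i] = v + d
	}
	return out
}

// Inverted returns the negative, standing in for an unrelated image.
func Inverted(img []uint8) []uint8 {
	out := make([]uint8, len(img))
	for i, v := range img {
		out[i] = 255 - v
	}
	return out
}

func main() {
	orig := SampleImage()
	known := AverageHash(orig)
	near := OnePixelChanged(orig)
	fmt.Println("SHA-1 equal after 1-pixel change:", ExactDigest(orig) == ExactDigest(near))
	fmt.Println("aHash bits changed:", Distance(known, AverageHash(near)))
	fmt.Println("brightened copy matches:", Matches(known, Brightened(orig, 3), 5))
	fmt.Println("unrelated image matches:", Matches(known, Inverted(orig), 5))
}
```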

To combat against this evil intrusion into our private Internet behavior, I now introduce 'broken glass'. Apologies for the shoddiness of my code. This has been whipped up in a few minutes.

It is a perl script that when given an image file, will change 1 pixel's red component by +/- 1. It's not enough for the human eye to see, but it will make the MD5/SHA1 hash fingerprint of the image be completely different.

The perl script can be downloaded: *Removed*

It was developed on a Linux Ubuntu system. You may need to install imlib's perl bindings. On ubuntu, this can be done by issuing the following command:

apt-get install libimage-imlib2-perl


Just in case my server falls over, I'm including the relatively short source code here too:

#!/usr/bin/perl

# Chris Soghoian
# Feb 7, 2007.
# Licenced under the GPL. Find it via Google.

# Broken glass
# v. 0.1
# Modify a one pixel of an image by +/- 1 of its R (of RGB values).
# This will break any MD5/SHA1 comparison of images.


*EDITED*

Sunday, February 04, 2007

Plausible Deniability via 2 wifi-routers?

I like the idea of having an open wifi access point in my house. It makes me feel warm and fuzzy to know that people can use my excess bandwidth - something I've paid for, but am not really using.

However, there are a few major problems with simply leaving your access point unlocked.

1. Security - Anyone sitting outside your house instantly has a way of bypassing your firewall and getting access to your local network. This makes it much easier for you to get hacked.

2. Privacy - Anyone sitting outside your house can sniff your wifi network, and see the packets flying back and forth between your laptop in the living room, and the access point. Given that not all internet traffic is encrypted, this is a bad bad thing (do you really want someone to know which google queries you're submitting)?

3. Network Speed - While you may be happy to let your excess bandwidth get used by the folks next door - do you really want those dirty hippy freeloaders to get priority on your network, or at the least, do you want to have to compete with their downloads?

Which is why I now have 2 wifi routers.

I have a Buffalo 54G router which runs dd-wrt, a neato linux based customizable router, which runs an encrypted wifi network - this is the network that my own laptop and various wireless devices connect to. This device runs as the main router for the house, does all traffic shaping, firewalling, etc.

I have another el-cheapo wifi router plugged into the buffalo. This no-name router is left open, unlocked, and advertises itself as "Anarchy Free Wireless".

The linux-wifi router allows me to set a virtual vlan, so that the el-cheapo router doesn't get to see my internal network. Traffic from the no-name router is sent directly to the Internet connection. Do not pass go, do not collect 200 dollars.

On top of all of this, I have Quality of Service set on the linux router, so that the freeloaders across the street get the dregs of my Internet connection. Whatever I have left over, they can use - but if I need it, I get priority. This is exactly how it should be.

There were a few reasons I wanted to set this up - at the least, I shouldn't have to reveal my wifi password to friends that come over for a cup of coffee. Just because you want to check your email from my living room, it doesn't mean you should be able to later port-scan my home network from the comfort of your car.

But best of all - I now have quasi plausible deniability. For sure, this hasn't been proven in court yet, but it at least puts me on better ground than if my network were locked. If the G-Men ever show up at my house again (assuming it's for something that I didn't actually attach my name to, unlike last time), I can quite reasonably claim that it wasn't me, and that it must have been one of the hippy art students across the street.

Plus, in theory, I might be able to qualify as a common carrier under the DMCA. Given that I don't keep any logs at all on my wifi routers, I have absolutely no way of knowing who is using my open network - and just like a Tor exit node, I may be able to ignore DMCA threats - or at least explain that it wasn't me, and that I don't know who it was.

Saturday, February 03, 2007

Avoiding the NSA through gmail

I've been thinking a fair bit about the EFF's lawsuit against AT&T. According to court papers and press reports, AT&T is giving the NSA a direct network tap at multiple locations around the country, giving the US government access to all unencrypted email/IM conversations and web traffic that flow through AT&T's network. It's probably fair to assume that a few other backbone providers are also doing the same thing.

Consider the following situation:

Alice sends an email from her home computer (connected via Verizon DSL Connection) to her friend Bob, who checks his email from his desktop computer at work. Alice uses Hotmail, and Bob uses his company's email servers.

Alice's web connection to hotmail will most likely flow across AT&T's backbone, and if it doesn't, it'll cross one of the other Big Boys, like Level 3. Once Alice has created her email, it'll flow from Microsoft's email servers to Bob's employer's email server - unencrypted, again, probably over one of the major backbones, until it reaches Bob's desk.

There will be at least a couple chances for the NSA to sniff this.

What if Alice sends an email to her pal Charlie, who also uses hotmail?

Well, again, the spooks will have a chance to watch Alice construct the email, and then will be able to see Charlie login to hotmail and read it. Key to note here, is that since the email stays within Hotmail's network, it never has to flow across the Internet to go from Alice to Charlie.

Which brings me to the subject of gmail.

Google is nice enough to allow SSL encrypted sessions. Whereas Yahoo and Hotmail merely allow you to login via SSL (just to stop a passive network sniffer learning your email password), google allows the entire session to remain encrypted. Thus, any interaction between a user at their home computer, and Google's gmail servers remains secret, providing the user changes the url to be https://

Let us now consider a situation where Alice and Charlie each have gmail accounts, and each login via ssl. Alice's connection to google is encrypted, the email flows from one gmail user to another, so it never leaves google's network as it is transmitted from Alice's outbox to Charlie's inbox, and then Charlie's connection to Google is SSL encrypted, so the contents of his email is not revealed to anyone watching his packets cross the backbone.

Right now, very few of gmail's users are using SSL. It is turned off by default (mainly for performance reasons, I'm guessing. 10 million users all requiring an SSL handshake is expensive in processing power).

As gmail's user base grows, and if their users can be convinced to embrace SSL, the NSA's wholesale data slurping from the backbone will increasingly become less useful.

"If we all use encrypted email (PGP/GPG), we won't have this problem" - this is very true. However, I cannot convince my less technically savvy friends/relatives to use PGP. It has far too many usability problems - still.

However, most of my friends already use gmail - due to the way accounts were given out in the early days, gmail has a very geeky user base. All I need to do now, is to convince them to use SSL... Which is where the Customize Google firefox extension comes in useful.

Customize Google is mainly used to screen out google's advertising - both in gmail, and in the "ads by goooogle" that you see everywhere on the web. I typically install this on the computers of most of my less tech savvy friends. In addition to blocking out ads, Customize Google also turns on SSL for all gmail/google calendar sessions, without requiring that the user do any fiddling themselves. Problem solved!

Small Print:

This only stops the massive sniffing of data currently done by the US government of backbone traffic. This in no way protects you from the feds asking Google for the contents of your email - either by presenting a warrant, or more likely (since it doesn't involve asking a judge), a national security letter. I have good reason to believe that the FBI did this to me - but that's beside the point. This at least requires them to know who you are, and to be interested in you - whereas under the current NSA sniffing scheme, they can watch all email flow by, and analyze it without knowing who they're interested in spying on.