Re: Agenda, security, and monitoring

It's Executive Order 12333 not 12003, which is quite different.

Also, we have sources that say they do the same bulk collection with credit card purchase transaction metadata (WSJ reported the Thursday of the week last June that began the Snowden disclosures). Although that's not commsec.

Responding to an earlier email on this thread out of order (sorry Theodore), I think devaluing the power of metadata and traffic analysis is a bad path to start down on. Content often has to be further interpreted and in many cases context can be inferred from metadata. Matt Blaze has a great Wired opinion article that makes a number of very good points with respect to what one can learn via metadata.

best, Joe

> On Feb 3, 2014, at 14:56, Theodore Ts'o <tytso@xxxxxxx> wrote:
> 
>> On Mon, Feb 03, 2014 at 02:02:31PM -0500, Dale R. Worley wrote:
>> 
>> The recent news reports that I have seen are that the NSA's pervasive
>> monitoring focuses on "metadata", "who is talking to whom".  And the
>> trouble with end-to-end confidentiality mechanisms is that they do not
>> hide the destination address; indeed they can't.  And it seems to me
>> that almost no confidentiality systems have been focused on
>> confidentiality of message destinations.
> 
> That's what NSA is doing for telephones, and briefly using e-mail
> analyzing communications between US persons under their authorities
> (or claimed authorities) under section 215 of the Patriot Act.
> 
> It would be a mistake to assume this is *all* they are doing.  Indeed,
> it's likely that the NSA is actually doing keyword based filtering of
> content, for communications that are between non-US persons and where
> the endpoints are outside of the US.  This is done under their
> authorities granted to them under Executive Order 12003.
> 
> Given that the FBI wanted to drop "Carnivore" servers in US data
> centers to do this kind of keyword based filtering many years ago,
> it's certainly within the capabilities of the US Intelligence Community.
> 
> So to the extent that non-US persons want the same level of privacy
> that apparently US persons have (unless there is some other secret
> court order with some other secret law interpretation we're not aware
> of which is enabling the FBI to do this kind of snooping, and we just
> don't know about it yet), it's not surprising people are interested in
> encrypting e-mail bodies.
> 
> Encrypting the endpoint identities is a lot more difficult, since you
> need to route the information somehow.  There are solutions such as
> onion routing, but their ease of use isn't quite there, and I don't
> think they currently would scale well if huge numbers of people were
> using them.
> 
> Certainly hiding the RFC-822 headers, including the subject lines,
> inside the encrypted body would certainly be a good start, but of
> course that doesn't solve the issue of the SMTP envelope information.
> 
>                                         - Ted





