"This whole situation definitely feels like the start of something much larger than just Google pulling out of China."
The assumption in government (and of security researchers) right now is that every time you send an email, it gets read by 25 or so countries. However, they haven't bothered to tell the general public this yet. My guess is that they are going to use this incident to either start to break this news to the general public, or else push through additional computer security measures. Possibly both.
A temporary stopgap, at best, especially in a world where so few people use it. Encryption is maximally useful when people don't see -- or it doesn't matter that people see -- that you're using it.
My guess is that people who really, really want to protect what they saying and that they're saying it use nonsense spam as a steganographic medium.
Is your implication that smart, clueful people are never evil? Of course, you can always find an apologist who will explain that any given regime wasn't or isn't evil, so how would you test that?
No, not at all. My implication is that analyzing encrypted email traffic is probably the last place you should be looking. Trying to break encryption is almost always the hardest way to acquire information. Physically intimidating people, targeted client-side attacks, or a number of other things that you can do will be much more effective and easier than breaking crypto.
On the flip side of your statement, I think evil, oppressive regimes hire very smart and talented people.
But the OP didn't suggest breaking the encryption, but to run a traffic analysis, which includes things such as identifying the realworld identities of people sending encrypted email, determing who those people are communicating with (both for their encrypted and unencrypted emails), and other ways of extracting information from messages without needing to actually break the encryption.
Once you've carried out this analysis, you know on who you can apply the more realworld techniques that you suggest.
Or, the goons will just install a keylogger on your computer while you're away from the house. Or they'll try to exploit one of the umpteen jillion vulnerabilities in OSes and browsers to install something similar on your system remotely.
Or, they'll use a TEMPEST attack to read your screen without you even knowing it. Or they'll use a similar attack to read your keystrokes wirelessly.
Or, they'll get you in a room and use a $5 wrench on your face until you tell them what they want to know.
Breaking encryption is far down the list of techniques that are worthwile to oppressive regimes.
Hey, IT Goons. Spy on the network traffic to find out who is using encrypted communication, and who they are communicating with. Then pass that information to the knee-breakers, so we can find out what they are hiding.
This has nothing to do with breaking crypto. The breaking is done in an oubliette.
You can still analyze that Bob emailed Cindy and that Cindy emailed Marge, even without knowing the content of the emails. IIRC, the FBI has some sort of software that does this with telephone communications to identify 'networks' that was originally developed to combat the mafia.
Yes, and you can break Bob and Cindy's fingers to get their passphrases. That is a very easy step. That is why steganography should be used. There shouldn't even be an ecrypted text for them to try to decrypt, at least as far as they know. Because once, there is, they can always get the password. The next best thing is is fake encryption or some kind of nested encryption, so that the outer layer decrypts to something plausable but ultimately benign.
A password doesn't even fall under 'free speech', so even in a free country like US one can get slapped with 'obstruction of justice' if one doesn't provide a password. I'll leave it to your imagination to what happens in other, more oppressive countries...
But I guess that large webmail providers can band together and ensure that e-mails between their systems are encrypted (i.e. all messages sent by gmail to other gmail addresses or hotmail addresses are encrypted).
Then users would just use HTTPS to check their mail and everything would be encrypted.
This is not perfect, but it is at least a stopgap.
Considering most of the email I send is from gmail to gmail, if it's getting read by 25 or so countries, Google has much bigger problems than they've been letting on.
The assumption in government (and of security researchers) right now is that every time you send an email, it gets read by 25 or so countries. However, they haven't bothered to tell the general public this yet. My guess is that they are going to use this incident to either start to break this news to the general public, or else push through additional computer security measures. Possibly both.