Internet security is a pretty big deal these days. In the age of Wikileaks and Edward Snowden, the scope and scale of surveillance by government agencies is staggering, and what’s perhaps most frightening about these revelations is that it is unclear just how aware of these activities even government officials were, and how much they understand. Last month, Australian senator George Brandis, Australia’s attorney general no less, said: “What people are viewing on the internet when they web surf will not be caught. What will be caught is the web address they communicate to.” When lawmakers who deal with the operations of intelligence services demonstrate this level of ignorance, it is deeply troubling.
In the distant past, privacy was not a huge concern. Mostly because it was automatic. Before the ubiquity of computers, the internet, and digital cameras, it took a lot of effort to spy on people and store their information. You could hide things more easily, and it cost nontrivial amounts of resources to take photos and store them. Not today. The extent of our online lives also guarantees that not only is it easy to monitor and store records of our online activities, but that doing so actually yields meaningful information. In the past, details of our private lives were quickly washed away in the passage of time, but now those details remain for a very long time.
“But I have nothing to hide” I hear you say. But that’s missing the point – it’s not about hiding criminal behaviour, it’s about controlling information. If a government agency were to collect a lot of information about you, they could quite easily use it against you. Even though governments are theoretically democratic and answerable to the people (even Vladimir Putin won the Russian presidency with a large majority of the popular vote), the disconnect that sometimes exists between what governments think that their agencies do, and what they actually do, is cause for concern.
But what are we to do? “Exercise caution” is probably the best advice I can give. Understand that pretty much any information that makes it out onto the internet is basically in the public domain, even if you think it is “private”. Of course, one should avoid being paranoid, mostly because it’s unproductive. Try to remember that it’s no use being too secretive about things like addresses and telephone numbers, since even in the bad old days before computers, these things were still relatively easy to find. The devil is in the small details.
It is a well-known fact among my internet friends that I maintain a very active Facebook account. How do I reconcile this with my concerns about privacy and surveillance? It’s difficult, I’ll admit. I use it to keep in touch with friends who live far away (indeed, most of my friends fall into that category) and for that, it is an invaluable tool. But I try to keep everything connected to my Facebook fairly superficial – news articles, pictures of cats, and links to lists on cracked.com, and the occasional music video. In many ways, my Facebook profile, even though the vast majority of my posts are “friends only”, is treated like my public facade. For real communication, I prefer real life interaction (phones or face to face) and if that isn’t possible, email.
Secure your email
So how does one keep their email secure? With difficulty is the short answer. But as Edward Snowden said, technology can save us, or at least save our privacy. Encryption is the answer: the widespread use of computers brings not only an unprecedented opportunity for us to be constantly monitored, but also the tools for us to protect ourselves. As a rule of thumb, everyone should encrypt the contents of their hard disks. Luckily, this is not a difficult thing to do and there are many easy ways to do it. Moreover, there are programs which allow you to keep your hard disk encrypted while you’re using it. The performance hit is very slight, imperceptible to most, and the encryption is very strong because this kind of encryption is symmetrical – the same key is used to both lock and unlock the box.
When communicating, however, it is difficult to use symmetric encryption, since the sender and receiver would both need to have the same key, and exchanging keys securely can be difficult. For these purposes, we have public key cryptography. With public key cryptography, you have a pair of keys: one is used for encrypting while the other is used for decrypting. The encryption key is made public (hence the name) while the decrypting key stays private. Anyone can use your public key to encrypt a message and send it to you, but only you can decrypt it. Try to imagine it as one of those padlocks that you can snap closed without needing a key, but which requires a key to open.
Mathematically, public key cryptography depends on operations which are easy to do in one direction, but not the other. Anyone who’s ever played with a Rubik’s cube will understand the general concept. More specifically, if you take say… two very large prime numbers and multiply them together, you end up with another very big number. However, if you don’t know either of the numbers that you started with, it is very difficult to figure out what they were from the product of the two. Current public key cryptography systems are vastly more complicated than that, but that is the basic gist of how they work – the big number locks the message, and the two smaller numbers are needed to unlock it.
Luckily, we have Pretty Good Privacy, or PGP for short. Thanks to this encryption system, and the programs built around it, very strong encryption is widely available even to non-technically-minded people. The principle is very simple – a public key is used to encrypt and send a session key – a one-time-use symmetric key, and the symmetric key is used to encrypt/decrypt the message. There are various standards and conventions defined by the OpenPGP working group which serve to make sure that everyone that uses PGP is actually doing the same thing.
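The two ideas above (a public modulus built from two secret primes, and a public key wrapping a one-time session key that encrypts the message) can be seen working together in the following sketch. It is an added example, not code from PGP or GnuPG, and it makes toy assumptions: tiny constructed primes, no padding, and a SHA-256 keystream standing in for the real symmetric cipher; all function names are hypothetical.

```python
# Toy illustration only: tiny primes, no padding, and a hash-based keystream
# standing in for the real symmetric cipher. Never use this to protect data.
import hashlib
import secrets

def make_keypair(p, q, e=65537):
    """Build an RSA key pair from two primes (p and q are the secret part)."""
    n = p * q                      # public modulus: the "big number"
    phi = (p - 1) * (q - 1)        # only computable if you know p and q
    d = pow(e, -1, phi)            # private exponent
    return (n, e), (n, d)

def keystream_xor(key, data):
    """XOR data with a SHA-256 counter keystream (stand-in for AES)."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[block:block + 32], pad))
    return bytes(out)

def encrypt(public_key, message):
    """Sender: pick a one-time session key, wrap it with the public key."""
    n, e = public_key
    session = secrets.randbelow(n - 2) + 2          # one-time session key
    wrapped = pow(session, e, n)                    # only d can undo this
    body = keystream_xor(session.to_bytes(16, "big"), message)
    return wrapped, body

def decrypt(private_key, wrapped, body):
    """Recipient: unwrap the session key, then decrypt the message body."""
    n, d = private_key
    session = pow(wrapped, d, n)
    return keystream_xor(session.to_bytes(16, "big"), body)

def factor(n):
    """Trial division: instant for toy moduli, infeasible at real key sizes."""
    f = 3
    while n % f:
        f += 2
    return f, n // f

# Constructed sample values: two small primes and a short message.
P, Q = 104729, 1299709
PUBLIC, PRIVATE = make_keypair(P, Q)
WRAPPED, BODY = encrypt(PUBLIC, b"meet me at noon")
if __name__ == "__main__":
    print(decrypt(PRIVATE, WRAPPED, BODY))
    print(factor(PUBLIC[0]))   # small n falls to brute force
```

Because the modulus here is only 37 bits long, `factor` recovers both primes immediately and with them the private key; the same search against a 2048-bit or 4096-bit modulus is what makes real keys impractical to break this way.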
So first you need to get your hands on the programs. This used to be a fairly involved process, but these days the software has been packaged into fairly convenient bundles based on what operating system you use. GnuPG is an implementation of the OpenPGP standard which is distributed under the GNU General Public License. If you go to the homepage (linked), there are links to installers for both Windows and Mac operating systems. The great thing about these installers is that they integrate very well into your everyday life. The Mac program – GPG Tools (previously MacGPG) – comes with a plugin for Apple’s own mail program. All the programs also come with keychain managers, which are important for keeping track of the public keys of the people with whom you are communicating.
The first thing you’ll need to do is generate a set of keys. Each package of programs should have a keychain manager which should guide you through this process. Your keys will consist of a public key and a private key. The public key should be uploaded to a keyserver like pgp.mit.edu and the private key should be kept private. A note about keys – always try to generate the most secure key possible. A 4096-bit RSA key will be more secure than a 2048-bit RSA key, for example. Also, your private key will be locked by a passphrase, which you should make as long as is practical (remember that you’ll have to type it out fairly often). A short sentence describing something personal to you, with a few numbers and special characters thrown in, and possibly an intentional typo or two, will make the password more difficult to crack (hacking passwords typically involves having a computer try many different combinations of dictionary words and numbers).
When you want to send an encrypted message to a friend, you find their public key (usually on a keyserver which stores public keys, like a phonebook) and use it to encrypt the message. If you want someone to send you an encrypted message, they need to get your public key (either through a keyserver, or you can just email it to them), encrypt the message, then send it to you. All that these programs do is make the process easier and more automatic by helping you manage keys and by doing the encryption and decryption automatically. The integration of these cryptography programs with regular email clients is very close to seamless, and the only ‘inconvenience’ I really notice is having to type out a password every now and then to send or receive certain emails (the encrypted ones).
As a general rule, I try to avoid webmail these days. Even though companies like Google are making genuine attempts to thwart the NSA’s surveillance, any centralised email system is flawed by its structure. Think about it – it’s much more difficult to hack the emails of hundreds of different people on separate computers, each with separate passwords, than to break into the email accounts of hundreds of people who happen to store their mail in the same place.
As for mobile devices, there is Android Privacy Guard and iPGMail BUT, as a general rule you really shouldn’t be reading and writing secure emails on mobile devices – they’re not very secure. Maybe someday they will be, but for now stick to your laptop for ‘important’ communication.
A message from Ed
For those who are still unsure, Edward Snowden himself has prepared a handy how-to guide for setting up and using PGP on a Windows computer using the Gpg4win program.