Jun
25
2011
Privacy and Encryption: Lose one, lose ‘em all
Author: Jeremy Smyth
Let me start with a little imagination. An analogy, if you will.
Imagine, if you will, that you are on holiday. You want to send a “wish you were here” type message to your friend back home. You have two choices: a cheapish picture postcard, or a more expensive sealed envelope. What do you choose? If you’re like the vast majority of us, you will likely choose the postcard, for both picturesque and cost reasons.
On the other hand, let’s assume you want to send your credit card number and salary details to an insurance agency. Again, do you choose the postcard, or the sealed envelope? I will not insult your intelligence by saying what the “right answer” is. I will however allow someone else to continue this analogy on my behalf, with a slight piece of satire:
the government has announced that it will soon be mandatory to use state-approved envelopes to send all mail. these new envelopes will be entirely transparent when viewed under a federally produced lightbulb, but there is no need to worry about these lamps getting out to bad people, since it is time-tested proof that all government employees are completely honest and lack all self-serving traits present in every other human being. besides, it’s for your own good and protection! and if you have something to write that you don’t want everyone to read, maybe it’s time for that all-important self-examination to reveal your underlying paranoia complex…
(quote taken from a Slashdot comment, written by someone called CrudPuppy)
How does that make you feel? If you honestly sat down and thought about that eventuality, would you be happy about the idea of someone, anyone, being able to read your most private thoughts and words? Is it fair to expect that once it’s written down, “The Government” — whoever that may be at the time — has a right to view it? The fact is, some governments are currently attempting to change their laws to curtail the individual’s right to this sort of privacy, whether you want to believe it or not. For example, the American Wiretap Bill prohibits using emails as evidence without a warrant, but this article shows that the authorities want to read parts of such communcations without a warrant. The new proposal is called the Combating Terrorism Act of 2001, and it considerably extends the surveillance powers of the FBI to such an extent that Senator Orin Hatch said “No reasonable expectation of privacy exists”.
This is an important statement from such a high-profile member of the government of the most powerful country on Earth. Most “civilised” countries (and I use that term semi-ironically in light of the meaning it has developed in U.S. media since Sept. 11 2001) have privacy laws, in which “The Individual”, i.e. me and you and your best friend and the milkman, has a right to privacy, to not disclose any personal or “private” information under normal circumstances. Article 12 of the United Nations Universal Declaration of Human Rights reads as follows:
Article 12.
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
Although this is not enforced as law, it is understood that member countries in the UN follow the spirit of the Declaration. Specifically in this case, correspondence whether written or by telephone is protected from “arbitrary interference”. Practically speaking, the contents of sealed envelopes are protected by law in many countries, except in certain circumstances such as imprisonment. Unfortunately, most of the legislature of these countries, and indeed the populace at large, and the media that feed the populace, are ignorant of the technological counterpart to the “sealed envelope” privacy I have outlined above.[1]
Let me explain. When you send an email, it is like a postcard. Much worse — it is more like a postcard that passes through many different postal services, and can be photocopied at any point. In fact, it is usually photocopied at (at least) two points along the route: the Internet Service Providers at each end of the connection. If either end is in a business, i.e. if you send or receive email at work, then chances are there will be yet another copy somewhere in that computer. And most people are not aware of that fact, that their daily correspondence is routinely copied and stored by entities outside their control.
Encryption
Enter encryption. Encryption is a mechanism whereby the sender “scrambles” the contents of a communcation at source, with the intention of maintaining privacy until the intended recipient decrypts or “unscrambles” the message. The equivalent of a sealed envelope, if you will. The sealed envelope can be photocopied by anyone en route, but the only useful information on the copy will be the address of the recipient. Similarly, an encrypted email would look like the following:
—–BEGIN PGP MESSAGE—–
Version: PGP Software
Comment: Any Plain text Message you likehQEOAz23QZbhSPHnEAP/fNq8vWQg0qi0VN/L5QVS8R+Jwvzx+oHSxHOAHsepUYZl
msVIVgYY4g4Ptd4numv67W2+y/eW4qhTlInOmHloAZtu239FPjad/mwapfC4z/EA
QoyhsuzaQt6NsDpRvMnMSW5zwAMQBAlt/b/e3CTO6GpxOehFzPiesi1ltX8hU10D
rNCadlmjwEB7xi9oqcmFawRQmhkNAZ2SWYcxOk3yGXlkx+NWdewq3r+VM8KHdhA
yuT75f+Dw58+jplyjFWhITCZREDSt/EH56K/6NaUVtKI0sDMARWbt69BQSYMO3At
3IkpDtSFdJREJRKK8fpa+hBa9pdGaG1nmTNJYuR91FAYjdll1Rbzfu72zLYnRnuJ
21ECE0rHN3dmcv21ZMtPn8Q8mWTRHapavgJqJkA0GRQmmZ7niJMxi8YknyJwyvyG
=kn6s
—–END PGP MESSAGE—–
As you see, it’s a lot of garbled nonsense, and could be copied as often as you like, without affecting the privacy of the contained message.
The particular mechanism used in the above example is called PGP, aka Pretty Good Privacy, and was created by Phil Zimmerman. (here’s a faq, if you’re interested). It’s what I use, in the form of GPG.
PGP and its relations use a form of encryption known as public key/private key cryptography. The best analogy I can come up with right now is of a castle with two keys to the King’s chambers; one key to lock the door, another to open it. All the security guys can lock the door, but only the King can open it. The “public” key is freely distributable — anyone with a public key can lock the door, and there is no security risk, but only the King has the private key.
In exactly the same way, I have a public key available on www.keyserver.net for each of my main email addresses (put my email into the search box to get the key), which anyone can use to encrypt, or “lock the door to” an email intended for my eyes only. On receiving an email encrypted with my public key, I can then decrypt it with my private key, and read whatever the contents were, or view any attachments.
Currently, PGP encryption is freely available, but still slightly beyond the user-friendly point at which it can be accepted by the masses. I urge you to try it though, if only to give yourself the assurance that your online communication is as hidden as your post. One way to give it a try is to set up an address with www.lokmail.net, which is a free online mail service similar to Hotmail with the added benefit of public/private key encryption. And if you use Outlook, try GnuPG-Plugin, a freely available add-on to Outlook that allows you to encrypt your mails and manage your keys.
Lose ‘em
Back to Governmental Intervention. The media has been brewing up a storm for some time about technology being used to commit crimes. I have written before about the DMCA, which is one example of a very bad law that was passed due to ignorance – certain tools are banned because they could be used to break the law. Imagine banning hammers and chains because gangs use them to fight each other, or banning cars because people can speed in them, or pantyhose because bankrobbers pull them over their heads. I would like you to keep that analogy in mind while considering the following, because a little fear of the unknown is exactly what is allowing the controlling elements of some governments to pass draconian laws without a public outcry.
This USA Today article was released in June of this year, months before Osama bin Laden reached his current level of notoriety. Even the article’s title, “Terror groups hide behind Web encryption”, reeks of a fear of the unknown, this technological monster that aids terrorists. Should the article read “Terror groups use craft knives”, or “Terror groups use demolition explosives” or “Terror groups wield nail files”? These are other tools used by Osama’s crew, but we hear no outcry over their use. Why? Most likely because these are familiar items, things we know and understand in our daily lives, like hammers and chains and cars and pantyhose.
Now here’s the clincher. Encryption is like the envelope you seal your private correspondence in. Well the story about the FBI’s lightbulb looking at your “specially-seethru envelope” is not complete fiction: This article talks of one US Senator and his idea to introduce a “back-door” into encryption software. Another article about the same issue gives an additional insight. Such a back door would be equivalent to the FBI’s lightbulbs spying on your secret correspondence.
Fortunately, I don’t live in the US, nor do most people reading this (I would imagine). US laws don’t stretch as far as Europe yet. An article in the Irish Times in July 2000 discusses a (then new) European law forbidding the decryption by any individual (including the GardaĆ, our national police force). This means encryption will keep my communications private indefinitely. Or does it? Much of the technology used on the internet was developed in the United States, and most internet standards are ratified there. If such a law is passed, the encrypted community would suddenly become polarised into those with a backdoor, and those without. I know which camp I would prefer to be in, but knowing the unilateral/isolationist bent of many US leaders, it is likely that such a law would preclude the ability of my software to interact with an american’s software, which means I would be forced to use the special transparent envelopes to communicate with americans.
And hope that the people in control keep a sensible view on how to define a criminal. And don’t move the goalposts[2]. Remember 1984? (the book, not the year). I’d rather not live in a time where Thoughtcrime was punishable. By removing all privacy from my correspondence, we inch closer to that day by day.
[1] See here for an Irish Times article on “Echelon”, a technology used by the US intelligence services, and which is in direct violation of Article 12 of the UN Universal Declaration of Human Rights. Oh, and here for a European Parliament report’s perspective on Echelon, recommending the use of encryption to circumvent the “authoritarian and totalitarian” practices of Echelon users.
[2] Probably not in context, but I have to say it anyway. Another bill in draft stage at the moment (Sept. 26th) is definitely moving the goalposts. Previously, defacing websites was considered a crime, with its own appropriate punishment. If this bill becomes law, that same crime is punishable by life imprisonment, and is on a par with other acts of terrorism, such as that perpetrated on Sept. 11. The mind boggles.
Note: this is an article I published in 2001, on an old news site. Leaving it here for posterity. Many links are broken. I may fix this eventually!
Image courtesy of alancleaver_2000, licenced under a CC-A licence
