The news has been awash with stories lately of how the National Security Agency has the ability to access the telephone records and internet usage patterns of Americans and possibly others around the globe. Our own website featured an article on this subject when the story first broke over a week ago. While bringing down a system that may be violating the entire country’s Fourth Amendment rights is a little outside the scope of our abilities here at Techcitement, there are a few things you can do to protect your privacy.
A good first step is securing your electronic communication. Cryptography, from simple letter substitutions to one-time pads to World War II-era Enigma machines, has been around in some form or another for centuries. One of the most commonly used forms of cryptography used today is referred to as public-key cryptography. Imagine it this way: Let’s say you want your friends to be able to send you secret messages. You give each of your friends a secret decoder ring, straight out of a 1960s box of cereal.
“Great! My friends will encrypt their messages to me using the decoder ring, and I’ll use my ring to decrypt them!”
This works fine until the neighborhood bully beats up one of your friends, steals his ring, and uses it to decode all of your secret messages.
Public-key cryptography has a clever work around for this problem. Instead of giving everybody the same secret decoder ring and keeping the same ring for yourself, you design your friends’ rings (the public key) such that after they encrypt their message, the only ring that can decode the message is yours (the private key). This method also works in reverse, so that after you encrypt a message with your private ring, the only way it can be decrypted is if someone has your public key. This adds two layers of security. You can trust that a message could only have come from someone with your public key, and your friends can trust that a message from your private key could only have come from you. Now, the only way the neighborhood bully can read all of your messages is if he beats up both you and your friend, while also stealing both rings.
An industry standard public-key cryptography standard is Pretty Good Privacy (PGP). I first started using PGP in the late 90s and find myself generating a new keyset every few years. For a good fictional look at PGP-style cryptography, read Neal Stephenson’s Cryptonomicon. In 1997, PGP developed an open standard called OpenPGP that is backwards compatible with previous versions of PGP and can be used to create cryptography programs without having to pay a licensing fee.
A good free OpenPGP utility is The GNU Privacy Guard (GPG), which is open source, published under the GNU Public License, and absolutely free. GPG comes in both Windows and Mac OS X flavors. I’ve only ever used the Mac version, so I’ll focus on that here. I assume that the Windows version has similar functionality.
Setup is easy. GPGTools allows you to generate your own public and private keys, manage the public keys of your friends, and comes with plugins to allow you to encrypt, decrypt, and sign messages natively in the OS X Mail client. People who are less Terminal averse than I am can accomplish the same things at a command line level in Terminal.
After you’ve set up your keys, there are a few different ways to share your public key with friends. You can email somebody your public key as a plain text message. This is relatively straightforward, but if somebody intercepts your friend’s email, he she will have access to your public key and could theoretically impersonate your friend. You could save a copy of your public key onto a memory stick and hand it to your friend directly. This is a little more time consuming, but is probably the most secure way to ensure that your public key is delivered directly to the person you want to receive it. If you’re less picky about who has access to your public key, you can upload it to a public key server, such as the one hosted by MIT (I’ve uploaded my public key to MIT’s key server and linked to it in my biography at the bottom of this page).
There’s a whole other layer of security in PGP keys that takes on a bit of a social dynamic. If you receive a public key from somebody and trust that person implicitly, you can use your private key to digitally sign the public key and return it. That way, anybody else who downloads your friend’s public key will see that you’ve signed it and can assume that you trust this key’s authenticity.
Sure, this all sounds complicated. However, it’s a whole lot easier than wearing so many decoder rings that your fingers can’t bend and easier to keep track of which ring belongs to which friend.
That didn’t turn out so well for this guy.
Thing ring, do your thing!