
How to secure privacy in a post-9-11 world of anti-terrorist hysteria

Keith Parkins | 07.05.2004 15:42 | Analysis | Social Struggles | Technology | Terror War

In a world of post-9-11 anti-terrorist hysteria it is more important than ever before to secure our privacy.

When we see a bunch of terrorists being carted away by the Mad Mullah Blunkett at the Home Office and locked away indefinitely without trial, we breathe a collective sigh of relief. We can sleep a little easier in our beds at night now we know another bunch of blood-thirsty, Muslim fanatics have been locked away, the sort of fanatics who would slit our throats as soon as look at us, who would blow up our friends and relatives with suicide bombers. Those of us who opposed the Draconian anti-terror legislation are not so sure: we know how wide the definition of terrorism was drawn, and those Muslim fanatics could just as easily have been a group of environmental activists destroying a genetically modified crop.

When the world turned to e-mail, the security agencies had a collective wet dream, no more intercepting and steaming open envelopes, listening in on boring phone calls in the hope of hearing something interesting, now it was possible to do key word searches and automate the whole process.

 http://www.heureka.clara.net/sunrise/spooks.htm
 http://www.heureka.clara.net/sunrise/spooks2.htm

That is until along came Phil Zimmermann, veteran human rights and peace campaigner, who released into the public domain hard (i.e. military-strength) encryption. For this noble act he was subjected to several years' harassment by the FBI. And the harassment was not just limited to Phil; it was also extended to anyone who was foolish enough to communicate or associate with him.

 http://www.philzimmermann.com

But the genie was out of the bottle: the public now had hard encryption, and they had the computing power to make full use of it. For the first time, activists, and criminals and terrorists, had the means to encrypt their communications so that no one could read them, and I mean no one: not even NSA or GCHQ could read them.

This quite naturally caused paranoia in the intelligence services. Faced with nirvana, the ability to read everyone's private communications at will, very easily, they were instead facing their worst nightmare: they could not read anything, the door had been slammed shut in their face.

Big Government was not slow to react. In the US, an attempt was made to ban the use of hard encryption, an attempt that failed miserably. The UK, learning from the experience of the US, tried a more subtle approach, yes you could use hard encryption, but you had to hand your encryption keys over to a government agency. This would be like being forced to hand your front door keys into your local police station, with the assurance, we won't use them to gain illegal access to your house, honest. Would you hand your back door keys to a government minister?

But all was not well in the world of PGP.

PGP, Pretty Good Privacy, was the programme Phil Zimmermann developed to give the world access to hard encryption. He originally gave PGP away as freeware, whilst retaining the copyright. PGP very quickly became the de facto net standard for encryption, Phil became a modern-day folk hero. He had stood his ground against the dark forces of the state and he had won.

Phil established a company to develop PGP further, and to turn it into a commercial product, whilst still retaining a freeware version. What was also special about PGP was that the source code was freely available. One of the reasons why PGP became such a success was that, with the availability of the source code, further development of PGP became an international collaborative effort, and everyone could check the implementation by studying the source code.

The problem was, Phil's company lacked the resources for the further development of PGP, and it was sold out to Network Associates (NAI). Big Business had acquired PGP. Rightly or wrongly, Phil himself was seen as selling out. Everyone's worst fears were proven correct: PGP went rapidly downhill.

Even people like myself, who had been at the forefront of promoting PGP (there was not an event I attended without handing around PGP), lost interest. At the end of last year, I attended a Killer-Coke conference at SOAS looking at the activities of Coca-Cola and its associations with death squads in Colombia. In the past I would not have hesitated to hand around copies of PGP and urge people to use it, even offer to run workshops, but I did not; it did not even cross my mind. An opportunity lost.

 http://www.heureka.clara.net/sunrise/pgp.htm
 http://www.indymedia.org/front.php3?article_id=369491&group=webcast
 http://colombia.indymedia.org/news/2003/12/8120.php

But the good news is that PGP is now out of the hands of NAI; a new company has been set up to promote the commercial side of PGP, and Phil Zimmermann is once again firmly in the driving seat.

 http://www.philzimmermann.com
 http://www.pgp.com

What is PGP? What is encryption? Why do we need it?

In the post-9-11 anti-terrorism hysteria, with the erosion of civil rights, the need for encryption should be patently obvious.

Sending e-mail has often been likened to sending all our correspondence by postcard, not letter. The actual reality is far worse: it is more like posting all your correspondence on the village notice board. Anyone who wishes to can read it.

Encryption scrambles our electronic files so that no one without the key can read them.

 http://www.heureka.clara.net/sunrise/whypgp.htm

Traditionally, we exchange secret keys, and it is these keys which are used to read our encrypted communications. The problem comes if our secret key falls into the wrong hands: whoever has access to our secret key can also read our encrypted correspondence.

It was in an attempt to solve the problem of key distribution that public key encryption was developed. We now have two keys, a secret key and a public key, a key pair, closely related to each other. We keep our secret key; our public key may be widely distributed, indeed it is an advantage if it is.

There are public key servers to which we can post our keys and from which we can download the public keys of people with whom we wish to securely communicate.

 http://www.keyserver.net

If someone wishes to communicate with me, they obtain my public key and encrypt with my public key; I decrypt with my secret key, which remains with me at all times and is never distributed. No one other than me can read the encrypted message, not even the person who encrypted and sent the message.

This appears to have solved the problems of key distribution: it does not matter who sees or has access to our public key. Unfortunately not. We no longer care who sees the key, but we now have the problem of key tampering and key substitution.

Someone could claim to be me and post to key servers a key claiming it to be mine. What is intended to be secure communication for me goes to a third party; I could not read it even if I did receive it.

Key servers do not validate who uploads a key, and there is no secure channel between ourselves and the key server.

Various mechanisms are in place to avoid these problems, but best practice is always to exchange keys in person.

In the absence of a face-to-face meeting, all keys have a 128-bit digital fingerprint. Speak to the person over the phone and verify each other's key fingerprint. Or exchange the key fingerprint by a tamper-proof route.

I have two PGP keys, here are their fingerprints:

RSA key

2A66 6A8F 9142 48C8 4898 38AD 2FD3 4508

Diffie-Hellman key

7392 49B2 768B D207 82F6 BA25 7009 B189 4645 D502

Details of my keys and the facility to download keys

 http://www.heureka.clara.net/sunrise/mykey.htm
 http://www.heureka.clara.net/sunrise/mykeys.htm
 http://www.keyserver.net
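The fingerprint check described above, as an added example that is not part of the original article: it computes the 160-bit fingerprint of a version 4 OpenPGP key (SHA-1 over the public-key packet, RFC 4880 section 12.2) and compares it with the value confirmed over the phone, so a substituted key-server key is rejected. The key material, timestamp and function names are constructed for illustration; of the two fingerprints printed above, the 32-digit RSA one is the older 128-bit form and the 40-digit Diffie-Hellman one is the 160-bit form.

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """160-bit fingerprint: SHA-1 over 0x99, 2-byte body length, then the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalise(fingerprint: str) -> str:
    """Turn a printed or spoken fingerprint into bare upper-case hex, or raise."""
    digits = "".join(fingerprint.split()).replace(":", "").upper()
    if len(digits) not in (32, 40) or set(digits) - set("0123456789ABCDEF"):
        raise ValueError("expected a 128-bit or 160-bit hexadecimal fingerprint")
    return digits


def grouped(fingerprint: str) -> str:
    """Format the hex in blocks of four, the way fingerprints are read out."""
    digits = normalise(fingerprint)
    return " ".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def key_matches(body: bytes, confirmed_fingerprint: str) -> bool:
    """True only if the downloaded key hashes to the fingerprint confirmed out of band."""
    return hmac.compare_digest(v4_fingerprint(body), normalise(confirmed_fingerprint))


# Constructed sample data: toy moduli, not real keys.
CREATED = 1083944520
GENUINE = rsa_key_body(CREATED, n=0xC0FFEE1234567890ABCDEF0123456789, e=65537)
# Same name on the key server, different key material (one bit of n changed).
IMPOSTOR = rsa_key_body(CREATED, n=0xC0FFEE1234567890ABCDEF012345678B, e=65537)

# What the key owner reads out over the phone.
SPOKEN = grouped(v4_fingerprint(GENUINE))

if __name__ == "__main__":
    print("owner reads out:     ", SPOKEN)
    print("genuine key accepted:", key_matches(GENUINE, SPOKEN))
    print("substituted key:     ", key_matches(IMPOSTOR, SPOKEN))
```

The whole fingerprint is compared, never a prefix or suffix, and a fingerprint of the wrong length simply fails to match.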

All keys may be signed. You and the person with whom you wish to communicate may have a mutual friend. If he has signed your keys, and you trust him to only sign keys when he is sure of the owner of those keys, then you have a means of verifying that you each have each other's keys. For this reason, only ever sign a key if you are absolutely certain of the owner of that key. Other people may be relying on your honesty and integrity.

 http://www.heureka.clara.net/sunrise/pgpsign.htm

Take every opportunity to exchange keys. This creates an interlocking web of trust.

 http://www.heureka.clara.net/sunrise/pgpweb.htm

PGP, developed by Phil Zimmermann, is an easy-to-use, hard encryption system that generates and maintains secret-public key pairs.

 http://www.heureka.clara.net/sunrise/pgp.htm
 http://www.pgpi.org

Some see HushMail as a web-based alternative to PGP, a secure equivalent to PGP. I do not.

I do not envisage HushMail as an alternative to PGP, rather as a complement for those tricky situations when it is not possible to use PGP. It may be you do not have your own computer and make use of net cafes, or e-mail from school, college or work, and do not wish anyone to read your personal e-mail; in such cases, HushMail is a more secure alternative to other web-based e-mail such as HotMail or Yahoo Mail.

In its favour, HushMail is recommended by Phil Zimmermann (designer of PGP) and conforms to the OpenPGP standards.

'If you want a highly mobile way to do PGP-style encrypted email, you might consider HushMail, from Hush Communications. HushMail is a web-based encrypted email service that uses a downloaded Java applet to encrypt and decrypt email in your browser. There's nothing to install, because it's all done in your browser. Which greatly simplifies deployment in large corporate environments. It's also handy for road warriors who might need to check their encrypted email from an Internet cafe. Sign up to try out HushMail for free, but if you pay for an upgraded subscription, you get better service and you will be keeping another OpenPGP vendor in business, which the OpenPGP community really needs. And for all you Macintosh fans (such as myself), assuming you are current with Apple's software updates, HushMail now works with Safari on Mac OS X.'

A security precaution when setting up a HushMail account: if you think you are being monitored, go to a net cafe in some anonymous town or hotel or airport transit lounge and set up the account from there. The reason is that the keys are generated in a downloaded Java applet that runs on a virtual machine within the web page. The keys are then encrypted and stored on the HushMail server. You are connected to the HushMail server via a secure link.

 http://www.heureka.clara.net/sunrise/hushmail.htm

This of course assumes that wherever you go they do not have keyboard sniffers installed, even worse, keyboard sniffers that jump into action when 'hushmail' is typed!

If on the road, you could have PGP and your keys on a memory stick and run from the stick.

There have already been attempts to ban the public use of hard encryption. It is already banned in several countries. These attempts to ban any form of encryption, other than maybe very weak encryption that the state can easily read, are going to grow, especially in the post-9-11 anti-terrorism hysteria.

It is therefore incumbent upon all of us who value our civil liberties to not only use encryption, but to encourage others to do the same. The more people who are using encryption, the harder it will be to ban its use.

Websites

 http://www.heureka.clara.net/sunrise/pgp.htm
 http://www.pgpi.org
 http://www.philzimmermann.com
 http://www.openpgp.org/
 http://www.eff.org/
 http://www.crypto.org/
 http://www.epic.org/
 http://www.cdt.org/
 http://www.privacyinternational.org

Further reading

Steven Levy, Crypto: How the Code Rebels Beat the Government--Saving Privacy in the Digital Age, Penguin USA, 2001

Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics of Wiretapping and Encryption, The MIT Press, 1998

Simon Singh, The Code Book: The Evolution of Secrecy from Mary, Queen of Scots, to Quantum Cryptography, Doubleday & Company, Inc., 1999

David Kahn, The Codebreakers: The Story of Secret Writing, Simon & Schuster Trade, 1996

An Introduction to Cryptography, PGP Corporation, October 2003 {distributed with PGP}

Keith Parkins, PGP Workshop: rough notes for PGP Workshop, 27 April 2004 {8-page manual distributed with PGP Workshop CD}

Rip it up, SchNEWS, 31 March 2000

The Empire Bytes Back, SchNEWS, 4 August 2000

Dan Brown, The Da Vinci Code, Corgi Books, 2003

Resources

A PGP Workshop CD is available – everything you ever wanted to know about PGP but were afraid to ask.

PGP Workshop CD
10 Church Road East
Farnborough
Hants GU14 6QJ
England

Send £5 (five pounds sterling) or CY£5 (five pounds Cyprus) for UK and Cyprus, or $10 (ten US dollars) or €10 (ten euros) for Europe, US and rest of the world.

Cash only to cover shipping costs.



Keith Parkins
- Homepage: http://www.heureka.clara.net/sunrise/pgp.htm
