The Online Activist
Without Impunity

Derechos

July 1998
V.II No.2



Encryption: Protecting your Privacy Online



If you do human rights work in most countries, you are used to being watched. You know that your phone calls are probably intercepted, your faxes are read before you get them (if you get them), and perhaps you are even followed when you go to meetings. You also have to assume that all your e-mail and other electronic communications are intercepted. The fact is, it's very easy for anyone with a modicum of technical knowledge and bad intentions to intercept your e-mail as it travels from computer to computer on its way to its destination. Anyone who can gain access to any of the computers that your e-mail goes through can intercept it, and as many of these systems are not very secure, it's not hard to gain access to them. High school kids can do it, and you can bet that technicians with the intelligence services can as well. In some countries, this is made even easier by the fact that the government controls the pipeline through which all communications go in and out of the country.

There is very little you can do to stop agents from tapping into your phone lines (for the time being, at least), but it is rather easy to make sure that no-one can read your e-mail messages, even if they intercept them: encrypt them! Encryption is simply a method of scrambling information into a jumbled mess that needs a "secret code" to be read. One might also think of encryption as a way of "locking" information such that only a certain key could "unlock" the information. That information could be an electronic mail message, a file, picture, or any other type of electronic information.

In the past, people had to agree on a secret key to encrypt and decrypt messages - which meant that they probably had to meet face to face to prevent anyone from getting their hands on it. Things have changed, and a relatively new method called "Public Key Encryption" allows you to send encrypted messages without revealing the sender's or receiver's secret key. In public key encryption, each person has two keys: a public key and a private (or secret) key. The public key can be distributed widely while the secret key is kept in your computer or on a floppy disk and is only accessible through a pass phrase of your choice.

To send an encrypted message to someone, you would use the intended recipient's public key. Through a complex mathematical relationship, the message you encrypted using the recipient's public key can only be decrypted by the recipient's secret key. In other words, you have locked a message in such a way that only the recipient can unlock it. The most common program that allows you to do this is called PGP - Pretty Good Privacy. It's available both commercially and for free on the Internet (go to http://www.pgpi.com/) for Macintosh, Unix, Windows95/98/NT, DOS, and other operating systems. The newest versions integrate easily with e-mail programs such as Eudora and Microsoft Outlook, making encrypting a message as easy as clicking a couple of times and typing your pass phrase.

Why should you use encryption?

The answer is easy: to prevent others from reading your messages. It's the same reason why you send important letters inside envelopes rather than on the backs of postcards: to protect the privacy of your words. Whether you write to a friend to tell him about the latest movie you've seen, or to a colleague to report death threats your friends are getting - the contents of your messages are nobody's business but your own and the intended recipient's. There is no reason why anyone, not a mischievous kid who is trying his cracker skills, or a member of the intelligence forces, should know what you are saying.

Sometimes human rights activists are afraid that governments will think they have something to hide if they take precautions to encrypt their communications. But the right to privacy in communications is a human right, and activists should not forgo it just because governments may want to point an accusing finger at them. In addition, you do have things to hide, at least if you are doing your job well. The names of your clients or the people who have reported human rights violations to you should be kept private, unless the victim authorizes that it should be made public. Plans for future actions, strategies that you are planning to implement, coordination with support groups abroad, details of upcoming campaigns - these are all things that governments should not be forewarned about - but that's what you are doing when you don't use encrypted communications.

Human rights activists also argue sometimes that the intelligence services already know everything about you and your plans, so there is no point in hiding anything from them. This will surely be a self-fulfilling prophecy if you do nothing to safeguard your information and communications. And even if the intelligence services have the means to find out what you are doing through other means, why should you make it easy for them? If you make it harder, and have them commit resources trying to open your encrypted messages, their attention may be diverted from other activities. It is a very good idea to encrypt as many of your communications as you can, both sensitive, important messages and non-important ones alike. That way, those trying to intercept them will never know which one is important and which one is not.

How secure is encrypted information?

The security of encrypted information depends on the method of encryption and the complexity of the pass phrase. The strength of a particular method of encryption is often measured by the number of bits in the key. A higher number indicates stronger encryption for a given method. For example, a 1024 bit key is stronger than a 128 bit key. Any encrypted information can be decrypted with enough time and computer resources, but using strong encryption can make it very costly for someone to decrypt your information. At current technological standards, it may take hundreds of years (and lots of computer power) to "break" a 1024 bit key.

The security threat to encrypted information arrives once you decrypt the message. If you store it decrypted in your hard-drive, anyone with access to your computer will be able to read your messages. Unfortunately, when you deal with hundreds of files it's sometimes cumbersome to encrypt all of them after you use them. To the rescue comes a new product called PGPdisk, which enables you to make all or part of your disk drive encrypted. Any files or directories that you create or move to this section are automatically encrypted and only accessible with your passphrase. Because someone can open your encrypted files if they obtain your secret key and your pass phrase, it is essential that you use as difficult a pass phrase as possible and that you keep it very safe (memorize it!).

Is encryption legal?

Encryption is legal in most countries; indeed we believe that the right to keep one's papers and correspondence private through the use of encryption should be considered a fundamental human right. However, some countries are trying to restrict its use. In a future issue we will discuss this in more detail, but you should know that it's illegal for people in the US to export PGP - an American activist who gives a copy of PGP to a foreign NGO is guilty of arms dealing and can go to jail.

So what now?

Get a copy of PGP and begin encrypting your correspondence. You can find a copy of Derechos' public key at http://www.derechos.org/pgp.html