Defence Against the Dark Arts, Lesson 1.2: Further on email encryption


One year ago, we learned that the internet is under surveillance, and our activities are being monitored to create permanent records of our private lives — no matter how innocent or ordinary those lives might be.

Today, we can begin the work of effectively shutting down the collection of our online communications, even if the US Congress fails to do the same. That’s why I’m asking you to join me on June 5th for Reset the Net, when people and companies all over the world will come together to implement the technological solutions that can put an end to the mass surveillance programs of any government. This is the beginning of a moment where we the people begin to protect our universal human rights with the laws of nature rather than the laws of nations.

We have the technology, and adopting encryption is the first effective step that everyone can take to end mass surveillance. That’s why I am excited for Reset the Net — it will mark the moment when we turn political expression into practical action, and protect ourselves on a large scale.

Join us on June 5th, and don’t ask for your privacy. Take it back. – Message from Edward Snowden to Reset the Net.



Edward Snowden’s video

A few weeks ago, I wrote about my – rather pitiful – attempts at email encryption. Since then, I have been meaning to follow this up but, as these things go, there were always other things I urgently wanted to write about.

But today is the day that we reset the netSo here is another of my small bits of doing that.

You see, in a rather exhilarating bit of coincidence, I recently found a tweet with a link to a very interesting and helpful video explaining PGP encryption – the precise thing I have been trying to get the hang of – to journalists.

To one very specific journalist, in fact – and it came from a very special source.

This is Edward Snowden’s tutorial for Glenn Greenwald, urging him to set up email encryption in order to communicate securely with his source.

I wish I’d had that weeks ago. Not only is it a very helpful step-by-step guide of setting up email encryption. It also makes some points that I was still unsure about a bit clearer.

So as a follow-up to my other post last on this, here are some of the points the video covers which I think are worth repeating.


Webmail isn’t your friend

Webmail, Mr Snowden says, is doubly dangerous.

Emails can be intercepted in transit, obviously, which is why we should be going to the trouble of learning about email encryption (also because it’s really fun and makes you feel powerful). Interception in transit can happen to any email – whether sent through webmail or not – so encryption always makes sense as it protects intercepted email from being read by You-know-who.

The other danger about webmail is potentially much graver.

You see, you can be as careful as you like, unless you compose – and encrypt!! – your messages outside of webmail – that is not in an internet browser – “Webmail clients…will “autosave” a draft copy of your sensitive email BEFORE YOU HAVE HAD A CHANCE TO ENCRYPT IT.”

So if you are not careful, there is bound to be an unencrypted draft copy on a provider’s server somewhere. And that “draft/sent/received message that has been saved by a webmail provider is forever outside of your control. Even if you delete it…”

It is precisely these drafts, sent or received messages, copies of which are bound to be stored somewhere even after the original message is deleted, that law enforcement agencies are happy to subpoena when trying to make a case against you.

Obviously that blows my few arguments in favour of webmail out of the water.

I would still argue that unless you are sending highly sensitive material and your main interest is to use encryption to make things harder for spooks and hackers, webmail client encryption is still better than no encryption at all. Having said that, the Mailvelope client now opens a different window to compose your message in and you should use it (do NOT, I repeat, NOT compose your message in your browser!) However, if you want to be the most secure you can be, it is best not to use webmail at all.

In any case, it’s probably a good idea to heed these words from Defence Against the Dark Arts tutor Remus Lupin Edward Snowden:

Do not compose your email in an internet browser! Webmail clients…will “autosave” a draft copy of your sensitive email BEFORE YOU HAVE HAD A CHANCE TO ENCRYPT IT.


On PGP encryption

So basically using webmail could undermine many of your best encryption efforts. It does make sense to take into account that Mr Snowden obviously had the worst possible scenario in mind when he made the above warning (and others): he was trying to convince Glenn Greenwald of the necessity for secure encryption between journalists and their sources. Clearly, what he was thinking of was someone making it to the top of the NSA’s Persons of Interest list and being subject to targeted surveillance.

Again, I believe that for the average user that danger is (as of now) rather remote and webmail encryption is still better than no encryption at all but I am happy to be corrected and anyway: we all want to be as secure as we can be, don’t we? It’s the best we can do to reset the net and take back our privacy.

With that, PGP encryption, if used correctly, can obviously really help. Mr Snowden himself stresses this again:

GPG is solid security and it is reasonable to rely on that.

He also offers a rather neat explanation of how precisely the public key encryption system works:

The sender’s private key is combined with the recipient’s …public key(s) to create a mathematical problem (a ciphertext) that protects the plaintext. This ciphertext can only be solved by the recipient’s private key(s). The solution is the plain text.

Now, I am by no means good a maths but I like the illustration of what PGP encryption does: we basically have a complex mathematical equation – a riddle if you like – (the ciphertext) made up of the sender’s private key and the recipient’s public key (k1+k2 = cyphertext). The recipient’s private key, after receiving the ciphertext, can solve the riddle. The solution to that riddle is the plain text.


Problems with PGP

Even with this kind of encryption, a couple of problems remain – nothing, after all, is 100% secure in this day and age.

As such, if someone managed to get hold of your private key (for example by seizing your laptop at airport security (for which there are precedents) and then also obtained your passphrase, they would be able to decrypt all your encrypted messages.

Which is as good a case as any for not leaving your technical equipment lying around and keeping your passphrase secure – and picking a very good passphrase, of course!

Just in case you need reminding, a good passphrase

– is very long

– uses upper case and lower case letters

– uses special characters like &!*£

– uses numbers

Just make sure you come up with something that is memorable to you, or you might have serious trouble remembering a passphrase that is 20-odd characters long!

As long as you keep that passphrase secure, all should be well – “acquiring a certificate and passphrase requires a lot more effort than just reading everything in transit” (or subpoenaing Gmail) – although, in some countries (like the UK), you can be compelled to reveal that passphrase on pain of imprisonment.

That’s because the UK considers withholding a cryptogenic passphrase to be a crime under their Regulation of Investigatory Powers Act – or RIPA, for short.


A few words on RIPA

Again, most average users probably won’t have their equipment seized at airport security or be subject to prosecution under RIPA but that doesn’t mean we shouldn’t all be reasonably cautious with our equipment and passphrases. That’s just common sense.

RIPA itself is a good example, by the way, of why Edward Snowden’s revelations are so important: it shows how far some laws lag behind the kind of technical capabilities available to the intelligence agencies these days. One of the things that Edward Snowden has enabled us to do is to review these laws and make sure they properly rein in and oversee the powers of the surveillance apparatus.

Take a look at the kind of powers RIPA grants law enforcement, especially the use of communications, directed surveillance and informers. Also look particularly at when these powers can be used.

You will notice that they are by no means limited to counter-terrorism. By contrast, “intrusive surveillance” and “interception of a communication” (i.e. content) – powers the kind of which are so obviously problematic to anyone that they cannot be snuck past public attention the way similar powers online can – are only allowed in more limited circumstances.

This goes to show that legislation like RIPA fails to take into account precisely how intrusive the collection of, for example, communication data (the notorious metadata) is. The only reason that the true magnitude of metadata collection does not seem to have registered with everyone is that it is not as visible as a surveillance camera in someone’s living room.

One more reason, obviously, why legislation needs to be amended.

In the meantime, though, making it a little harder for anyone trying to surveil us or steal our data is the best we can do – to fight the fire that the NSA et al are setting to the internet.

Based on Mr Snowden’s video, I have practised my encryption a little more, and I will continue to do my best. I ask you to do the same!

Let’s reset – and claim back – the internet!


3 thoughts on “Defence Against the Dark Arts, Lesson 1.2: Further on email encryption

  1. Pingback: Verteidigung gegen die dunklen Künste 1.2: noch etwas zur Emailverschlüsselung | Notes from Self

  2. Wow! This could be one particular of the most useful blogs We’ve ever arrive across on this subject. Basically Wonderful. I’m also a specialist in this topic so I can understand your hard work. affdcdddkcbd

  3. Pingback: Need another reason to encrypt your email? Read this. | Notes from Self

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s