A few (very often repeated) words on PGP

If you have heard about PGP and are using it already, stop reading. Seriously, go pet a dog in the park, play a board game or write a spy novel. You will find nothing new here. Seriously, this is for the new folk.

Hi, new folk! Some of you may have heard about PGP before. Some of you may want to claw back a bit of your privacy, or maybe you’re just wondering what all the hooplah is about. Why should we care about where our e-mail goes through? It’s just e-mail, no one cares what it’s about, right? Right?

Well, not really. Let us start in ancient history, or the 19th century, to be exact.

Back then, we only had physical mail, often referred to today as “snail mail”. A correspondence between two people involving an envelope, a piece of paper and a lot of ink. Good for people, bad for trees. A stamp on the outside, maybe a seal if you’re feeling fancy and off we go.

What made mail special in that time? Well, in Europe, there is a nice thing called the secrecy of correspondence. The fact is, without an express agreement, no letter sent or received by me may be intercepted by any third party. The post office? If they so much as glance at the “Dear sicko”, they’re toast. If the mailman opens my Reader’s Digest, he’s in a lot of trouble. We had these laws for so long that no one takes them into account anymore. It’s just the rule that you don’t open people’s letters unless you’re the cops and you got a great big warrant.

Americans got this too, it’s in their 4th amendment (source: Wikipedia, shoot me). Furthermore, even if all laws were thrown to the wind, we have the Universal Declaration of Human Rights. Yes, that age-old, almost forgotten document!

Article 12 of the Declaration states:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

What does this tell us? If we are not directly suspected of a crime, our mail should be snoop-free.

Why is it, then, that surveillance programs such as PRISM tore Article 12 a new asshole? And should we, law-abiding citizens, take this abuse lying down?

Let us start with the latter: no, we shouldn’t take this lying down. More on that later.

When PRISM got Google et al. on board, Google handed the NSA all their e-mail traffic on a silver platter. This traffic was (and let us assume it still is) searchable by any National Security Agency employee… and any other friendly agency. This is the important part: Even if you are not in the US, your country’s domestic intelligence agency can request data on you if they don’t feel like doing all the legwork themselves. Better add your neighborhood spooks to the Bcc! Why not, they’re going to read it anyway!

Well, now, to all the “taking stuff lying down” business. What can we do to protect our stuff from being snooped?

Use PGP. Generate a key, there’s a load of manuals online. Get a key now and get encrypting! Stop everything you’re doing and get a keypair. One hint: DON’T USE AN ONLINE GENERATOR. Do it offline, some people may opt to do so on a separate, dedicated machine, but you don’t have to go overboard.

Now, we have a keypair, you and me. What next?

Now, we exchange public keys. Think of a public key as a box with a padlock. You give me the box and padlock, I write my letter and I lock it with the padlock you gave me. Only you have the key, which means it’s a private key, get it? That’s the quick and dirty of public-key cryptography. You’re now smarter than most.

You and me can now exchange private messages that are very difficult to decipher, if not impossible. There are different key strengths, go for 4096bit, because what are you, a pussy? Can’t you wait for your PC to generate something giant? Do it.

Now, why do I want you to sacrifice convenience for security? Why do I want you to generate a key? Well, there is the whole privacy thing, you may have missed that one, but there’s another thing which I didn’t see mentioned yet and that makes perfect sense to my drunk brain: Herd immunity.

Imagine you are Google. What is the baseline for your e-mail department? Usually, unencrypted, snoopable e-mail. Simple stuff. The person sending PGP encrypted stuff stands out like a sore thumb, right? Anytime you see gibberish on the screen, you sure as hell are going to pay attention to it! Who is it going to, how long is it, any attachments? Metadata is the name of the game here. You cannot snoop the text, but you can see who’s chatting.

Breaking this encryption takes a huge load of horsepower and is believed to be impossible if strong enough keys are used, but remember, there is no need to attack the encryption alone. We know who it’s from, we know where it’s going, what if the recipient hasn’t got his stuff secure? One person in a thousand, no big deal. We’ll run the usual NSA stuff and usually get what we want. It may or may not work.

Now imagine if we all used encryption for our mail. Just imagine, PGP message blocks everywhere. What would NSA do then? It is no longer that simple to get all the messages and read them! Sure, you could get them if you really wanted to, but damn, it’d take more time than just, you know, looking.

So, in order to protect your privacy and make others stand out less, use PGP whenever possible and feasible. Tell your friends, tell your family.

Oh, one more thing: You may not feel you need privacy today, but you may be in dire need of some tomorrow. Laws change. What was legal yesterday may not be legal tomorrow. Today, I can talk about my crippling hentai addiction openly, but if a law against hentai gets passed, I suddenly

1) become prime suspect, and 2) will be under surveillance most of the time.

To be frank, my paranoia used to be irrational, but now, it’s so simple to be surveilled all the time, who’s to say I’m not?