-
Notifications
You must be signed in to change notification settings - Fork 0
Why Use PGP
I'd like to take a few minutes to talk about e-mail, and in particular why you might want to learn about and use a program called "PGP", which stands for "Pretty Good Privacy" While using PGP is more work than using plain email, I hope I can persuade you that it is definitely worth that extra effort.
Suppose Alice wants to send e-mail to Betty. If we take the way the Internet works, and translate that to the way the real world works, this is what it looks like. Alice writes her message on a post card and hands it to the mailman. The mailman hands it to another, who hands it to another. It eventually makes it to a "mail server", which is something like a post office. Then it goes on to Betty's post office and eventually to Betty.
A couple of things are not quite like the real world: notice that each of those mail carriers now have a copy of the original post card, and can read it any time they want -- even send it to someone else. On the Internet, you can never "send" a message. You can only ask someone to copy it to the next person. Another thing you might notice is that the message is on a post card, not in an envelope? Why would you do that?
This is how "normal" email works. Twenty five years ago, the people who used email were mostly geeks who didn't have a social life anyway, so they didn't care if anyone snooped in their stuff. (just kidding.)
But what if someone did want to spy? As it turns out, it's actually pretty easy: just pretend to be a mail carrier. The Internet term for mail carrier is "router".
Fast forward a few years: a lot more people start caring about email, and caring that nobody else reads mail addressed to them. The common practice today is what we might call "secure" email. Instead of sending the messages directly through the routers, Alice uses TLS, or "Transport Layer Security" to create a kind of opaque tunnel directly to the post office. The post office (sometimes) creates another TLS tunnel to the other post office, and Betty can get the message from her post office via TLS. Our little spy kid is out of the loop, because he can't understand the stuff inside the tunnel: it is encrypted.
What does the spy do? He breaks in to the post office or "mail server". All of the messages are still on post cards, and he can copy as many of them as he wants.
Oh, and Big Brother wants a piece of the action too. So he has congress pass a law, ironically called the "Electronic Communications Privacy Act" that very vaguely says when and how he can "ask" your post office to give him copies of all your post cards. I won't go into detail, but I would suggest that Thomas Jefferson would not be happy about it if he were around today to scream at our politicians. And you shouldn't be happy about it either.
So what do we do now? Maybe we should ask: "Why are we writing our messages on post cards in the first place? Why not use envelopes?" Good questions: let's do just that. The Internet equivalent of an envelope is encryption. And specifically in the context of email, we can use PGP. I won't go into detail, but I will tell you that it works ... really well. So well that the US government spent many years trying to ban it, to keep people outside the United States from using it, to keep it out of the hands of "The Enemy". Well: They lost that battle. The cat is out of the bag. PGP is available to most people who want it. But in some places -- the places where it is most needed -- using it is still illegal, and those governments punish those "criminals" horribly.
So we have some magic fairy dust that can protect our messages so well that Big Brother is very much afraid that everyone will start to use it. The fear pitch is "The Internet is 'going dark'" meaning "so many people are starting to use encryption, that it is getting harder for us to spy on everyone."
You may think, "It's just e-mail. I'm not doing anything wrong. I have nothing to hide."
I'm not going to speculate about why someone might think it's OK to use post cards for all correspondence. Let me read a part of a message someone wrote to Phil Zimmermann, the author of PGP. This is not from a bad spy movie:
"we have one case where you could highlight the value of PGP to "Good" citizens, we were working with a young woman who was being pursued by Islamic extremists. She was an ethnic Muslim from Albania who had converted to Christianity and as a result had been attacked, raped and threatened persistently with further attack.
We were helping to protect her from further attack by hiding her in Hungary, and eventually we helped her travel to Holland, while in Holland she sought asylum, which was granted after the Dutch Government acknowledged that she was directly threatened with rape, harassment and even death should her whereabouts be known to her persecutors.
Two weeks before she was granted asylum, two armed men raided our office in Hungary looking for her, they tried to bring up files on our computers but were prevented from accessing her files by PGP. They took copies of the files that they believed related to her, so any simple password or ordinary encryption would eventually have been overcome. They were prepared to take the whole computer if necessary so the only real line of defense was PGP.
Thanks to PGP her whereabouts and her life were protected." https://www.philzimmermann.com/EN/letters/
That's just one story. There are hundreds more like it.
But the real point is: No one should have to justify his right to privacy. It is really no one's business why you want privacy. Your reasons for wanting privacy are, well, private.
In the United States, we have a lovely document called the Constitution. One part of it reads:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated..." (U.S. Constitution, amend. IV)
This is important. We need to remember it and protect it and teach our kids about it.
Unfortunately, many people in the US Government today consider the 4th amendment more of an inconvenience than anything else. They have written laws and set judicial precedent that have whittled away at it by carefully redefining papers, unreasonable, search, and seizure to mean whatever they want them to mean. They have repeatedly attempted to force businesses to build products that make it easy for government agents to listen in on your private conversations -- without you knowing about it.
Fortunately, PGP won that particular battle: It has no back doors and never will.
But many in the government continue to push for more and more power. Constant vigilance is the only way to slow down their power grab. I hope they will never succeed in their desire to outlaw privacy. I hope that if it ever does become illegal, then everyone will use it, because that is when we will really need it.
Unfortunately, the US Bill of Rights, and the Universal Declaration of Human Rights are not much more than two very elegantly printed pieces of paper -- unless we, the people, make our governments honor them. Encouraging everyone around you to learn about and regularly use end-to-end encryption tools like PGP is the best way we can regain some of the privacy we have already lost.
What have we covered?
- "normal" email is like writing your message on post card and asking your neighbor to pass it on until it gets to the addressee. Not private at all.
- "secure" email is like writing your message on post card and sending it through a magic tunnel directly to the post office, which passes it on until it gets to the other post office, and finally to the addressee. Better, but still not "private"
- end-to-end encryption is like putting your message in an envelope that can be opened only by the addressee. It still goes through the magic tunnels, but no one at the post office can steam it open to read the message.
- PGP is one program that can make and open these envelopes, and governments everywhere are terribly afraid that everyone will use it, because it works so well.
- Let me google that for you: pretty good privacy
- EFF Surveillance Self-Defense web site
- My own very humble blog.
- Send me e-mail.