Security & Privacy: Encrypting Communications
Security and Privacy are two vitally important components of any successful society. Today’s connected world, where we carry computers in our pockets and share all our details on social networks, makes them even more so.
This section of Pocketnow is devoted to why security and privacy are important, how you can protect yourself in today’s connected world, and pitfalls to be aware of and avoid – with the objective of helping you and your loved ones stay safe in an ever-changing world.
In colonial America before the Revolutionary War, trouble was brewing. A growing number of colonists didn’t like the dictatorial meddling of King George and his cronies. They began working together to strengthen their communities against the far-reaching rules, regulations, restrictions, and taxation mandated by the Crown. This was seen as treasonous and laws were quickly enacted to tax, restrict, and in some cases even prohibit the possession of paper. With paper, one could send a letter to a “fellow conspirator”, write an essay and sent it to a sympathetic newspaper, a person could even (gasp!) advertise for a meeting! The atrocity!
General Warrants were issued to round up the troublemakers. These General Warrants didn’t identify the person, place, or things to be searched or seized – they just outlined the “crime” which had been committed, and protected those sent to gather evidence and enforce the law. As one person’s house, papers, or effects were searched, evidence implicating others was gathered. This then expanded the dragnet even wider, resulting in the ransacking of homes and offices, the detention and arrest of countless colonists, and ultimately lead to the creation of what is now known as the Fourth Amendment to the Constitution of the United States of America. This Amendment, modeled after an English sentiment which had resulted from the same abuses of power on that side of the pond.
Today we live in a technological world where our “persons, houses, papers, and effects” are very much digital. A thumb drive or microsd card can hold entire libraries worth of “papers”. A house may contain a number of computers, network attached storage devices, phones, tablets, set-top boxes, and “always listening” digital assistants. A person’s papers and effects now include emails, instant messages, text and MMS messages, phone calls, video chats, various forms of VoIP communique, and the meta-data behind all of them.
I’d argue that today, more than colonial America, the Right to Privacy and the Fourth Amendment are of the utmost importance.
So, how does one go about securing their communications today?
I probably read and write somewhere around one-hundred emails every day. Most of them are sent and received “in the clear” – unencrypted. More than “letters”, think of email as internet postcards. Anyone who handles the mail from the time you drop it in the mailbox, through the several states or countries in which it’s processed, to the postal carrier who ultimately delivers is can admire the pretty picture on the one side, and read your “wish you were here” message on the other.
Even worse is that under current U.S. Law, after 180 days, your email is considered “abandoned” and government agents don’t even need a warrant or National Security Letter to be able to read it.
There are some ways you can encrypt your email messages. x.590, PGP, and GPG come to mind. All three offer various themes on the same concept: you, the author, write a message to a person and sign it with your digital key; if you have their digital key (the public facing side), you can encrypt the message rather than just signing it. Once it’s set up, it’s pretty easy to do – but the major modern mobile email clients don’t include support for x.509 signing. PGP and GPG is even more spotty.
Google says they’ve got you covered with both Gmail and Inbox – but not really. The app (on your phone, tablet, or browser) communicates with their servers over an encrypted pipe – so far, so good. Their servers intercommunicate over an encrypted pipe, that way a snooper inside their network doesn’t have ready access to read your messages as they fly across the provider’s LAN or WAN – again, so far, so good. Where this system breaks down is that the message itself isn’t encrypted in such a way that only the sender (you) and the recipient (whoever you sent the message to) can read it. The provider, in this case Google, can still read it – and they do, but only by machines and only to serve you ads – pinky promise!
Then there’s the whole meta-data problem – you can’t escape it with email.
Thankfully, we have phone calls, and they’re pretty private. Aren’t they?
While calls placed over GSM networks are encrypted by default, the encryption standard is so old, and the implementation so poor, that basic GSM encryption doesn’t offer much privacy at all. Think of it like WEP encryption on your WiFi router, rather than WPA2.
Phone calls are also prone to the meta-data problem. Not only do carriers know who you called, they also know when you called them, how long you talked, and with a little bit of digging, they also know the general location from where the call was placed, and to where the call was made. Talk about a secret agent’s dream come true!
SMS & MMS
Texting via SMS is nothing more than pinging a cell tower with a little bit of extra information tacked on to the end of a packet. MMS is a little more advanced than that, but not by much. Neither is end-to-end encrypted, and the meta-data problem is just as bad as with phone calls,
To answer these very challenging problems, a person could hodge-podge something together (email with PGP encryption, phone calls using an encrypting SIP provider, never sending SMS or MMS, etc.), but doing so is not only hard to set up, it’s also difficult to find people with whom you can communicate. The setup is prohibitively difficult for casual use.
A better approach is one that a handful of companies are addressing today: secure communications clients. Signal, WhatsApp, Telegram, Allo, SnapChat, Facebook Messenger, and others all offer various levels of encryption. Some are end-to-end, some are more like Google’s Gmail approach to encrypting the system rather than the individual messages themselves. Some have encryption turned on by default, others have to use some sort of deliberately toggled “secret” mode.
Wire and Signal are examples of another kind of app – one that’s built on end-to-end encryption by design. You can’t turn it off. Just by installing and signing into either app, your communications to other users are automatically encrypted. It doesn’t matter if that communique is a text message, a voice memo, a voice call, a file transfer, or even a video call, the whole thing is encrypted in such a way that only the person on the other end has access to the contents of your message. At least that’s what they tell us.
My personal preference is Wire.
Wire is a modern, private communications tool offering free text, voice, video, pictures, and much more. Wire is available on iOS, Android and desktop. Wire conversations are end-to-end encrypted, ensuring all data is private and secure.1
You can get started with Wire through their website: wire.com.
No, Wire isn’t perfect. No solution is. Yes, everyone you want to talk to has to be using it. However, for my use, Wire answers the usability wants that I have while meeting the security concerns in an almost automatic fashion. My family and closest friends rely on Wire to communicate almost exclusively – even for voice calls.
Is Wire sponsoring this article? No. Will Wire work for you? Maybe not. Hopefully, by illustrating one solution that I am comfortable with using, and the context of why I’m using it, you’ll do your own research and find out what tool (or tools) meet your needs. Then, come back to this article and share your comments with us.
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Sure, the Fourth Amendment may say that a warrant specifically naming the place to be searched and the persons or things to be seized must be issued, supported by oath or affirmation, but that’s no longer the practice. So, until the government actually follows the rules We, the People set out for them, it’s up to us (individually and collectively) to secure our own persons, houses, papers, and effects.
Don’t wait. Go and do it. Then come back here and tell me how you did, and why.