Sign in. It’s quick, free and it’s up to you.
An account is an optional way to support the work we do. Find out more.
WHILE EDWARD SNOWDEN plays his own version of “Where in the world is Carmen Sandiego?”, it is worth considering what the implications of his revelations are for our own communications.
Last year I was lucky enough to read Privacy on the Line: The Politics of Wiretapping and Encryption by Whitfield Diffie (one of the pioneers of public-key cryptography) and Susan Landau (Sun Microsystems). The book traces the ongoing battle between the US and other governments’ need for surveillance and the individual’s right to privacy. The overarching point is that such increased surveillance can in fact lead to decreased security as a lapse such as Snowden allows access to a large range of data.
To quote from the book:
Telecommunications are intrinsically interceptable, and this interceptability has by and large been enhanced by digital technology. Communications designed to be sorted and switched by digital computers can be sorted and recorded by digital computers. Common-channel signalling, broadcast networks, and communication satellites facilitate interception on a grand scale previously unknown.
And their additional line:
Laws will not change these facts.
One example was given where a large group of Greek Ministers had all their communications tapped through a government central service and the perpetrators are still unknown.
Well, so much for foresight, what about now? The argument of whether privacy per se is enshrined in law either in the US or Europe I can leave to the legal eagles. However, it is obvious that with legislation such as the Data Protection Act and the Katz case in the US there is an acknowledgement of the importance of privacy in personal communications.
In an Irish context, the work of the folk at digitalrights.ie should keep you up to date. On the US side EPIC (the Electronic privacy information center) have set up a petition signed by Diffie, Bruce Schneier and others to get the NSA to suspend collection of data as they view it illegal under current US law.
The normal discussion on privacy relates to private conversation between two people face to face, their privacy can be ensured by “moving away” from others so that they cannot be overheard. Telephone made such privacy harder to ensure as the possibility exists for an eavesdropper to intercept the conversation while in transit hence the wiretap. Privacy now requires that the line is tamper-proof, and thus expensive, or that the communication is sent in such a way that even though intercepted it will be unintelligible therefore encoded.
On a related issue the classic postal system ensures its privacy through the use of a sealed envelope while the envelope protects the contents from scrutiny it also ensures that attempts to open and access the contents can be spotted. This latter “tamper-proof” envelope is something not yet available in the digital world.
Technology has made such privacy harder to ensure but there are some excellent tools available which can help.
One way to view the issue is in terms of what is it that you would wish to keep secret, once that is established then an approach can be taken which can rely on encoding through cryptography those essential parts of your communication.
So starting at the base level, if you wish the contents of a message to be secret then that will involve a form of encryption using a key and a sharing some form of key with the person with whom you are conversing.
Methods such as PGP (Pretty Good Privacy) developed by Phil Zimmermann back in 1991 have gained a lot of popularity world-wide and are incorporated in both commercial and open source solutions. It allows for encryption of both the message and files of data that are resident on disks. It is effective and in legal cases has normally required access to the passwords to be cracked.
In the UK this is now included within the RIPA act and such passwords have to be revealed. If you intend using it make sure you get it from a reputable commercial vendor such as Symantec who acquired the PGP corporation in 2010, or open-source sites based around OpenPGP and use versions post 1996. Also it requires that you engage in a key management approach to authenticate your receivers.
So, that will allow the content of the mail to be secret. But what is not secret about this email is interesting and the so-called meta-data mentioned so much lately.
Your email-address, your IP address, your route to your correspondent by email, your correspondent’s email address and their IP, plus the size of the email itself, are all visible. So it is clear who are communicating with, when, and to what extent…
The availability of such data is itself giving a lot of information to the eavesdropper.
So how do you prevent this meta-data from being revealed? One approach is the use of the TOR network. TOR (The Onion Router) works by taking each step of the route your data takes and encrypting it and then sending it to another Tor server. So your data hops from one secure Tor server to another.
This requires setting up a Tor server available from torproject.org and following the instructions for its use. Tor certainly works and makes the route private, however because it only bounces off other Tor sites it will make the process slower than normal. Tor can also be used for private browsing and has been made infamous through the so-called ‘dark net’ or hidden network of sites available through Tor for nefarious activities.
One caveat: while Tor is making the route private, if a set of servers at an end-point is compromised then some data can indeed be revealed. This happened recently in Austria where a set of servers acting as Tor exit nodes were searched and found to contain illicit material and the Sys Admin for the servers was arrested and is pending trial.
Any other solutions? Close to home CertiVox is a company who provide two-factor authentication that they call M-point. This uses simple short PINs and some contact details and removes the need for password storage. It is a solution based on a very strong encryption technique known as elliptic curve cryptography and offers a free community based service without support or a commercial licensing agreement with support.
So that is a brief, incomplete run through of some current approaches. The only advice I would offer is treat email like a postcard and only write what you don’t mind being read. If you go down the encryption route be careful of your passwords because with good systems they are one way and cannot be recovered from the disk.
My favourite story on this was told by a security consultant who was changing jobs and decided to encrypt all his previous personal work for his former employer. He then duly went for his holiday break and returned with no memory of his password except that it had something to do with Britney Spears. Data secured – forever!
Renaat Verbruggen is a lecturer in the School of Computing in DCU. He is also the Chair of M.Sc. in Security and Forensic Computing.
To embed this post, copy the code below on your site
I read this article just as I’m uploading photos of my breakfast and ones of me acting the maggot. I might have to reconsider changing my status to not telling people where I am every 7 minutes.
There is also a distro for this, and it’s irish. https://tails.boum.org/
Tor is good, but key point is here this is great anonymity tool, not privacy tool. So your data still needs to be encrypted before using Tor if you need whole package. Also this is all safe only as long as we can trust Tor. For example how do you know they don’t share information they log with 3rd parties. Gladly, unless you do real dodgy stuff in the Internet you don’t need to worry about any of these, governments or secret agencies are hardly interested in your holiday pics or that collection of movies you pulled from torrent site.
It’s like walking on wet sand on a beach, it’s impossible not to leave a footprint that others can see, and the more you walk the more there is to see.
Tor may be compromised not because of sharing log data (no data passes through tor servers so what log info do they have?) but because if enough of the nodes are controlled by the NSA they can piece together the origin and exit of each connection.
Barry that’s what I meant. They can pinpoint from where to where.
Until the tide comes in.
Delete history.
I’m afraid that wont do Adam. That’s only deleting data after the fact on your local machine :). Invest in a VPN service
5 mins for sec specialist to restore it Adam and it’s about your traffic in Internet being captured without even touching your laptop so they don’t actually take that info from your laptop history at all. Deleting history is only good enough for basic security, hiding away stuff from your wife maybe lol but not defence for real deal guys trying to spy you out there.
Was joking guys lol
You’d have to delete Cookies too
Microsoft also log a copy of your history on a file which is only accessible using DOS .Its strange as it has your entire web history. Every page you go onto is trying to log your data. Download ghostery to stop that.
Oops!… I Did It Again
I use fakeblock privacy app
have your say