This site uses cookies to improve your experience and to provide services and advertising. By continuing to browse, you agree to the use of cookies described in our Cookies Policy. You may change your settings at any time but this may impact on the functionality of the site. To learn more see our Cookies Policy.
OK
Dublin: 7 °C Friday 15 November, 2019
Advertisement

Column: How to protect your private data in a digital world

With Snowden, Prism and national security secrets in the news, it’s clear that technology has made privacy harder to ensure. Renaat Verbruggen gives a run down of how cryptography can protect your private information.

Renaat Verbruggen

WHILE EDWARD SNOWDEN plays his own version of “Where in the world is Carmen Sandiego?”, it is worth considering what the implications of his revelations are for our own communications.

Last year I was lucky enough to read Privacy on the Line: The Politics of Wiretapping and Encryption by Whitfield Diffie (one of the pioneers of public-key cryptography) and Susan Landau (Sun Microsystems). The book traces the ongoing battle between the US and other governments’ need for surveillance and the individual’s right to privacy. The overarching point is that such increased surveillance can in fact lead to decreased security as a lapse such as Snowden allows access to a large range of data.

To quote from the book:

Telecommunications are intrinsically interceptable, and this interceptability has by and large been enhanced by digital technology. Communications designed to be sorted and switched by digital computers can be sorted and recorded by digital computers. Common-channel signalling, broadcast networks, and communication satellites facilitate interception on a grand scale previously unknown.

And their additional line:

Laws will not change these facts.

One example was given where a large group of Greek Ministers had all their communications tapped through a government  central service and the perpetrators are still unknown.

The importance of privacy

Well, so much for foresight, what about now?  The argument of whether privacy per se  is enshrined in law either in the US or Europe I can leave to the legal eagles. However, it is obvious that with legislation such as the Data Protection Act and the Katz case in the US there is an acknowledgement of the importance of privacy in personal communications.

In an Irish context, the work of the folk at digitalrights.ie should keep you up to date. On the US side EPIC (the Electronic privacy information center) have set up a petition signed by Diffie, Bruce Schneier and others to get the NSA to suspend collection of data as they view it illegal under current US law.

The normal discussion on privacy relates to private conversation between two people face to face, their privacy can be ensured by “moving away” from others so that they cannot be overheard. Telephone made such privacy harder to ensure as the possibility exists for an eavesdropper to intercept the conversation while in transit hence the wiretap. Privacy now requires that the line is tamper-proof, and thus expensive, or that the communication is sent in such a way that even though intercepted it will be unintelligible therefore encoded.

Data protection in the digital world

On a related issue the classic postal system ensures its privacy through the use of a sealed envelope while the envelope protects the contents from scrutiny it also ensures that attempts to open and access the contents can be spotted. This latter “tamper-proof” envelope is something not yet available in the digital world.

Technology has made such privacy harder to ensure but there are some excellent tools available which can help.

One way to view the issue is in terms of what is it that you would wish to keep secret, once that is established then an approach can be taken which can rely on encoding through cryptography those essential parts of your communication.

So starting at the base level, if you wish the contents of a message to be secret then that will involve a form of encryption using a key and a sharing some form of key with the person with whom you are conversing.

What methods can I use?

Methods such as PGP (Pretty Good  Privacy) developed by Phil Zimmermann back in 1991 have gained a lot of popularity world-wide and are incorporated in both commercial and open source solutions. It allows for encryption of both the message and files of data that are resident on disks. It is effective and in legal cases has normally required access to the passwords to be cracked.

In the UK this is now included within the RIPA act and such passwords have to be revealed.  If you intend using it make sure you get it from a reputable commercial vendor such as Symantec who acquired the PGP corporation in 2010, or open-source sites based around OpenPGP and use versions post 1996. Also it requires that you engage in a key management approach to authenticate your receivers.

So, that will allow the content of the mail to be secret. But what is not secret about this email is interesting and the so-called meta-data mentioned so much lately.

Are my emails safe?

Your email-address, your IP address, your route to your correspondent by email, your correspondent’s email address and their IP, plus the size of the email itself, are all visible. So it is clear who are communicating with, when, and to what extent…

The availability of such data is itself giving a lot of information to the eavesdropper.

So how do you prevent this meta-data from being revealed? One approach is the use of the TOR network. TOR (The Onion Router) works by taking each step of the route your data takes and encrypting it and then sending it to another Tor server. So your data hops from one secure Tor server to another.

This requires setting up a Tor server available from torproject.org and following the instructions for its use. Tor certainly works and makes the route private, however because it only bounces off other Tor sites it will make the process slower than normal. Tor can also be used for private browsing and has been made infamous through the so-called ‘dark net’ or hidden network of sites  available through Tor for nefarious activities.

One caveat: while Tor is making the route private, if a set of servers at an end-point is compromised then some data can indeed be revealed. This happened recently in Austria where a set of servers acting as Tor exit nodes were searched and found to contain illicit material and the Sys Admin for the servers was arrested and is pending trial.

Treat email like a postcard

Any other solutions? Close to home CertiVox is a company who provide two-factor authentication that they call M-point. This uses simple short PINs and some contact details and removes the need for password storage. It is a solution based on a very strong encryption technique known as elliptic curve cryptography and offers a free community based service without support or a commercial licensing agreement with support.

So that is a brief, incomplete run through of some current approaches. The only advice I would offer is treat email like a postcard and only write what you don’t mind being read. If you go down the encryption route be careful of your passwords because with good systems they are one way and cannot be recovered from the disk.

My favourite story on this was told by a security consultant who was changing jobs and decided to encrypt all his previous personal work for his former employer. He then duly went for his holiday break and returned with no memory of his password except that it had something to do with Britney Spears. Data secured – forever!

Renaat Verbruggen is a lecturer in the School of Computing in DCU. He is also the Chair of M.Sc. in Security and Forensic Computing.

Read: Snowden applies for asylum in Ireland… and 18 other nations>

Read: Row over US ‘bugging’ of EU offices>

Read: Civil liberties groups claim PRISM breaches international human rights>

  • Share on Facebook
  • Email this article
  •  

About the author:

Renaat Verbruggen

Read next:

COMMENTS (15)