By David Kasper
I don’t consider myself an expert on encryption methods and how they work, or even how effective they are in securing online privacy. But I’ve become concerned enough about government and corporate spying that I set out to explore how to keep prying eyes out of my email correspondence and web activity. I discovered that it is easier and more effective than you might think to send and receive email that is encrypted and decrypted on your own computer, making it impossible to read in transit. By all accounts, the encryption standard called OpenPGP is unbreakable, even by the NSA’s cryptographers and supercomputers.
I’ve already started using it, and I’ve been encouraging others that I correspond with to use it as well. I know there are those who say that encrypting your correspondence will attract more attention from the NSA and increase the likelihood of being targeted. That may be true, but for many of us involved in media work, especially on controversial political subjects, the likelihood that government snoops can spy at will on our correspondence is worth protecting against.
The use of encryption has grown dramatically since the disclosures of NSA spying by Edward Snowden. Activists, lawyers, researchers and businesses rely on it to keep their communications private. So do many journalists whose government sources are drying up for fear of being identified and targeted for harassment and prosecution.
We may be heading for a time when most, if not all, email on the Internet will be user-encrypted by default. You have to wonder why tech companies have not already built end-to-end encryption into their email programs, since the technology has existed for more than twenty years. Unfortunately, the prospect that anyone will rein in the NSA’s rampant abuses is tenuous and remote. In the meantime, encryption makes sense for anyone who doesn’t want their life to be an open book available to the government.
The OpenPGP encryption system has become the most widely used standard because of its proven security and relative ease of use. The original PGP, or “Pretty Good Privacy,” was invented in the early ’90s by Phil Zimmermann so that he and other anti-nuclear activists could communicate securely. PGP was eventually sold to Symantec Corp., which adapted it and renamed it Symantec Encryption, now selling for $175+, a steep price for individual consumers.
Fortunately, software using the OpenPGP standard is available for free download under the name GnuPG or GPG. It is compatible with Symantec or anything using the OpenPGP standard. It is also designed to integrate with existing email software on Mac and Windows computers.
Without going into a lot of detail, here is basically how it works. After you install the GnuPG software, it will generate a pair of keys, one public key and one private key. The public key is not secret. In fact, many users make it available to anyone who wants to look it up in an online directory. The private key is secret and known only to you. To send an encrypted email, you get the recipient’s public key by looking it up and adding it to your “keychain.” You click a button to encrypt the message and send it. Your recipient, who has the corresponding private key, is the only one who can see it. It all happens instantly in the background. Your recipient opens the message and it appears already decrypted.
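The exchange described above, carried out with the gpg command line instead of a mail plug-in. This is an added example, not part of the original article; it assumes GnuPG 2.1 or later, and the function name `pgp_roundtrip`, the identity `Bob Example <bob@example.org>`, the throwaway keyrings, the empty passphrase and `--trust-model always` are demo choices.

```shell
#!/usr/bin/env bash
# Added example: one OpenPGP round trip between two constructed identities.
# Assumes GnuPG 2.1+. Each party gets a throwaway keyring, so ~/.gnupg is untouched.

pgp_roundtrip() {
  local msg="$1" work alice bob plain status=0
  work="$(mktemp -d)" || return 1
  alice="$work/alice"; bob="$work/bob"
  mkdir -m 700 "$alice" "$bob" || status=1

  # 1. Bob generates a key pair (primary key plus encryption subkey).
  #    The empty passphrase is a demo shortcut; protect a real private key.
  gpg --homedir "$bob" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Bob Example <bob@example.org>' default default 1d \
      2>/dev/null || status=1

  # 2. Bob exports only the public half, the part a key directory would publish.
  gpg --homedir "$bob" --batch --armor --export bob@example.org \
      > "$work/bob.pub.asc" || status=1

  # 3. Alice adds Bob's public key to her keyring.
  gpg --homedir "$alice" --batch --quiet --import "$work/bob.pub.asc" \
      2>/dev/null || status=1

  # 4. Alice encrypts to Bob. "--trust-model always" skips the validity check
  #    for this demo; in real use, compare the key fingerprint with Bob first.
  printf '%s' "$msg" | gpg --homedir "$alice" --batch --quiet --armor \
      --trust-model always --recipient bob@example.org --encrypt \
      > "$work/msg.asc" 2>/dev/null || status=1

  # 5. Alice holds no private key for Bob, so even the sender cannot decrypt.
  if gpg --homedir "$alice" --batch --quiet --decrypt "$work/msg.asc" \
      >/dev/null 2>&1; then
    status=1
  fi

  # 6. Bob decrypts with his private key.
  plain="$(gpg --homedir "$bob" --batch --quiet --decrypt "$work/msg.asc" \
      2>/dev/null)" || status=1

  # Stop the per-keyring agents and remove the temporary keys.
  gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$bob" --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"

  [ "$status" -eq 0 ] && printf '%s\n' "$plain"
}

# Usage: pgp_roundtrip "meet at noon"   # prints the decrypted text
```

The file written in step 4 is what travels over the network; step 5 shows that holding the public key alone is not enough to read it.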
If you’re using webmail, encryption is not so easy or effective. There are services such as Hushmail and Scramble that provide encrypted webmail, but the content can still be unlocked by them. When Canadian authorities demanded that Hushmail turn over user encryption keys, Hushmail complied under threat of prosecution.
Of course your computer is vulnerable if there is spyware or some other intrusion that allows a snooper to monitor your computer screen or log your keystrokes. There are also other issues to consider if you want to be fully protected, including how to keep all of your internet activity private. But making your email content completely secure while in transit closes the worst vulnerability.