Is encryption still worth the trouble? You bet it is

Photo: flickr/skittledog


When the scale and methods of the NSA’s online espionage program were revealed, many people concerned with digital security were wringing their hands: the US intelligence agency had broken the back of encryption and destroyed privacy. However, that’s not quite true, and for those who want their online communications to be more secure, encrypting them is still the way to go.

Encryption is a battle of wills – an arms race of sorts. It pits people who don’t want people reading their messages against people who want to read them. It results in ever-more-complex encryption methods and ever-more-cunning ways of figuring out what that scrambled information actually says.

Encryption is nothing new, of course. Codes and code breakers have been around for a long, long time. Last century, the Allies’ ability to decrypt Axis communications was an important step towards victory in World War Two.

But in the light of the revelations about the massive spying program carried out by the NSA, the largest intelligence agency in the US, some have wondered whether encryption had been brought to its knees. This has been especially worrying to dissidents, and to journalists working under repressive regimes or trying to shed light on topics that others would prefer remain in the dark. Private, safe communication is essential for these individuals.

Graphic: flickr/Joe Pemberton


Reports came out that the NSA had been working with tech companies to install weaknesses into commercial encryption software that could later be exploited. The New York Times reported that one American tech company had agreed to insert a back door into a product before it was shipped to a foreign intelligence target. The Guardian reported that the NSA worked with company officials to get pre-encryption access to popular Microsoft services like Outlook, Skype and SkyDrive.

“So why bother with encryption?” was the resigned response of many. But you should bother. Take it from one pretty reliable source.

“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”

That source? None other than Edward Snowden, the former NSA contractor who blew the whistle on the agency’s enormous eavesdropping program. But he goes on, somewhat less optimistically:

“Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”

So basically, if you’re in the sights of the extremely well-funded NSA, and it wants to read your mail, it’s likely you can’t do much about it. But most people aren’t, and even if other powerful agencies or groups are interested in your online communications, encryption can make it much more difficult for them to reach their goals.

One more quote from Mr. Snowden, from a New York Times interview:

“It should be clear that unencrypted journalist-source communication is unforgivably reckless.”

What to use

According to Security in a Box, a site devoted to digital security, and several others, Pretty Good Privacy, also known as PGP or GPG, is a good encryption and decryption program that can be used with emails, text files, directories and disk partitions. It’s used by the Enigmail add-on to the Thunderbird email client, GPG4USB and APG for Android. It was developed way back in 1991, intended for use by peace activists in the anti-nuclear movement.

PGP is now a company that sells a proprietary encryption program by the same name. OpenPGP is the open protocol that defines how PGP encryption works, and GnuPG (GPG for short) is free software, and compatible with the proprietary version. GPG is more popular than PGP today because it’s free for everyone to download, and many people trust it more because it’s open source (see below). Somewhat confusingly, the terms PGP and GPG are often used interchangeably.

For messaging encryption, try Off The Record (OTR), which is used with Pidgin, a free and open source client where you can manage different IM accounts. Here’s a good overview. ChatSecure, for Android and iOS, is also a simple-to-use encryption app. Of course, to keep your conversations secure, those you’re chatting with also have to use an end-to-end encryption chat program.

For text messaging (SMS) that you’d rather keep private, check out TextSecure for Android devices or Wickr for Android and iOS. TextSecure’s developers also offer RedPhone, a free and open source solution for encrypting your phone calls, available for Android now and coming to iOS.

Photo: flickr/kalebdf


When choosing a program or app, there are a few things you’ll want to keep in mind.

• They should be Free and Open Source Software (FOSS), and based on open standards. They’re not always the most user-friendly options, and not 100 percent secure, but they’re usually safer than the proprietary stuff. Check out this list from the Tactical Technology Collective of FOSS alternatives.

• They should rely on end-to-end encryption, which scrambles your content when it leaves you and keeps it scrambled until it gets to its proper destination. Many services like Skype and Hushmail promise end-to-end encryption, but often they themselves hold the decryption keys. True end-to-end encryption means even your service provider can’t understand what you’re sending and receiving. So if the provider is ever pressured or monitored by another party, you’re still safe.

• They should have a good track record with the digital-security community. Do some research.

The hassle

Unfortunately, these systems are not all that common or used by as many people as they should be. That’s because many of them require some work to install and use.

Glenn Greenwald, the Guardian reporter who broke the NSA story, initially couldn’t talk to whistleblower Snowden because Greenwald is no expert and felt PGP was too difficult to set up. But Snowden only wanted to communicate securely through PGP encryption. It’s not hard to see why.

In addition, the person you are communicating with also needs to use encryption software. Plus, PGP for email can be inconvenient: if you set it up on your computer but receive an encrypted email on your phone, you can’t decrypt and read it until you get back to your computer.

So I was a little apprehensive about getting my system set up, being tech-challenged myself. But then I heard that the open source GPGTools, which provides encryption and decryption for OS X, including Mavericks, was relatively painless to install and use. I decided to brave my fears and take the plunge. I downloaded their GPG Suite, which contains everything I needed to start scrambling my emails.

I was pleasantly surprised. I won’t walk you through all the steps, since someone else has already done it quite well. But within about 40 minutes, and following the directions carefully, I had a compose window in my Mac mail asking me if I wanted to encrypt. I did, and voilà, I had sent an encoded email to myself.


When I received it, I had to enter my passkey before I could see the contents. And it let me know I had successfully encrypted it.

When I tried to open the same mail in Gmail, all I got was a garbled mess.


So for Mac users who use the Mail program, GPGTools is a pretty easy-to-install choice that won’t have you pulling your hair out. For Windows or Linux users, check out GPG4Win and GPA, respectively.
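The same round trip the walkthrough above describes can be done at a command line with GnuPG, and doing it that way shows two things the article states: the ciphertext a webmail provider or mail server sees is an opaque armored blob (the “garbled mess” in Gmail), and only the holder of the private key and its passphrase gets the text back. The script below is an added example written for this page, not the author’s setup or part of GPGTools; the key name, passphrase and message text are constructed for the demo, and it uses a throwaway keyring directory so it never touches your real keys. It assumes GnuPG 2.1 or later (for `--quick-generate-key` and `--pinentry-mode loopback`).

```shell
#!/bin/sh
# Added example (not from the article): one GnuPG round trip in a temporary
# keyring.  Generate a key, encrypt a message to yourself, check what a
# relay would see, then decrypt with the passphrase.  The user id,
# passphrase and message below are constructed for the demo.

# Returns 0 when the ciphertext is ASCII-armored, does not leak the
# plaintext, and decrypts back to the original message.
gpg_roundtrip() {
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    export GNUPGHOME="$home"

    # Loopback pinentry lets the demo run unattended; in normal use the
    # passphrase prompt is the "passkey" dialog the article's author saw.
    pass='demo-passphrase-change-me'
    uid='Demo User <demo@example.invalid>'

    # Key pair for the demo user; "default default never" = default
    # algorithm, default usage, no expiry.
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
        --quick-generate-key "$uid" default default never >/dev/null 2>&1 \
        || return 1

    printf 'meet at the usual place\n' > "$home/plain.txt"

    # --armor produces the text form that showed up as a "garbled mess"
    # when the encrypted mail was opened in Gmail.
    gpg --batch --quiet --trust-model always --armor --recipient "$uid" \
        --output "$home/msg.asc" --encrypt "$home/plain.txt" || return 1

    # What the provider sees: an armored PGP message, not the words.
    head -n 1 "$home/msg.asc" | grep -q '^-----BEGIN PGP MESSAGE-----$' \
        || return 1
    grep -q 'usual place' "$home/msg.asc" && return 1

    # What the recipient sees after unlocking the private key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
        --output "$home/out.txt" --decrypt "$home/msg.asc" 2>/dev/null \
        || return 1
    cmp -s "$home/plain.txt" "$home/out.txt" || return 1

    # Clean up the demo agent and keyring.
    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$home"
    return 0
}

# Usage: gpg_roundtrip && echo "round trip OK"
```

The `grep -q 'usual place' … && return 1` line is the check worth keeping in mind when evaluating any “encrypted” service: if the stored or relayed form still contains your words, whatever the product calls itself, it is not end-to-end encrypted in the sense the checklist above means.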

The downside is that compatible encryption managers require desktop email clients. So using GPGTools will only work for those using configured Mac or PC email software.

As mentioned earlier, another popular option is email client Thunderbird with the Enigmail add-on. They’re free and run on Windows, Mac, and GNU/Linux.

According to the Press Freedom Foundation, which has an excellent rundown of how encryption works and what you can use, PGP at this point is very difficult to use securely from a web browser. They recommend sticking to a desktop email client until the field of browser crypto matures. While it is possible to use PGP encryption with Gmail, the easiest way is to set up an email client like Thunderbird and run your Gmail account through it.

Author: Kyle James