Ever since we learned that the NSA and FBI are archiving metadata from America’s mobile phone and email providers, we’ve become increasingly interested in encryption services. There is a vociferous subculture of cypherpunks (those who advocate broad use of strong cryptography) and dozens of for-profit and free products guaranteeing to keep communications secret. Yet, most members of the general public don’t know where to start. This is a bad thing. Here’s what to consider when cloaking communications.
Although the U.S. government only claims to be monitoring select communications from noncitizens, that should be taken with a grain of salt. One of the recurring themes of the Ed Snowden NSA and FBI revelations has been the lack of oversight of America’s Internet surveillance regime. NSA chief Keith Alexander basically admitted before a congressional hearing that secret court warrants are rubber-stamped. For all we know, that means contractors and NSA employees have a green light to engage in insider trading, snoop in explicit emails, and listen in on celebrities’ phone conversations. The NSA has shown a marked disinterest in disclosing the parameters of the surveillance regime and uses clever weasel words to hide the scope of their program and what they do with it.
There have been a host of op-eds written on many platforms about the dangers of thinking government authorities should be able to monitor your communications if you have “nothing to hide.” Two of the best are by danah boyd of Microsoft Research and Rebecca Rosen of The Atlantic. But legal scholar Daniel Solove wrote the best argument well before Snowden’s disclosures became public knowledge. In a nutshell, if the government is believed to store electronic communications in perpetuity and refuses to tell the public what its grounds for using them are, it’s a safe bet to assume the government and its contractors will misuse your personal data.
If there aren’t worries about being snooped on by the government, there are always worries about being snooped on by private parties. Are you a businessperson working on a sensitive deal? A parent going through a difficult divorce? A minor in the closet about your sexuality? Do you work with prominent public figures? Encrypting your email and phone communications might not be the worst idea.
It’s important to note that there are also degrees of encryption. While some cypherpunks and security activists might vociferously disagree, different users have different security needs. A platform whose messages can be decoded with some difficulty might be appropriate for many users. The aforementioned parent going through a difficult divorce likely has different encryption strength needs than, say, a Chinese or Bahraini dissident.
You don’t think parties besides the government love snooping in on phone calls? Just give a quick thought to that News Corp hacking scandal.
A quick caveat: Encryption and security developers have done a horrible historic job of implementing easy-to-use interfaces and creating engaging products. Whether because of the difficulty of making encryption products work or because security-product developers frequently assume others have their level of technical expertise, many encryption tools on the market are difficult to use for novices. Predictably, many of the easier-to-use ones cost considerable money as well.
The Tor Project runs a secure, anonymous network that is extremely hard to monitor and is beloved by free-speech activists worldwide. Tor is also filled with drug dealers and undercover law enforcement officials on the network’s many hidden sites, but that’s a whole other story. When used with conventional Internet sites, Tor adds a robust layer of anonymity. The downsides are that Tor slows down Internet speeds considerably and requires some technical knowledge to use. With that said, although footprints on Tor can be traced by intelligence agencies and others, it’s the best free solution on the market.
For Android users, RedPhone is a drop-dead simple app that allows users to make encrypted calls and little else. Based around the ZRTP encryption protocol, RedPhone’s genius is its ease of use: When callers on both ends have RedPhone installed, making encrypted phone calls is a snap. As a measure of good faith in RedPhone’s encryption, their developers also made the software behind it open source on GitHub.
Cryptocat, much like RedPhone, is extremely easy to use. The open-source product encrypts users’ online conversations and plugs into popular Web browsers. Despite early hiccups, Cryptocat has acquired a large user base. However, Cryptocat is good for conversations only—separate products are required for discreetly using the Web and visiting other sites. But sometimes an encrypted instant messenger is all a user needs.
Silent Circle, a paid smartphone app that Fast Company has written about previously, is also based around ZRTP for phone calls. Unlike RedPhone, it also allows users to send text messages and secure emails. While the company has made portions of its source code available on GitHub, other portions have not been made open source yet—raising concerns from some privacy activists. Users of Silent Circle have to pay a stiff subscription fee, but the platform is the easiest way of putting mobile encryption in place within an enterprise setting with multiple users.
People love to talk on the Internet. Even with the furor over NSA surveillance, people share intimate information over Facebook and Instagram that they would never voluntarily share with the government otherwise. OPSEC (Operations Security) is a military concept that has also carried over to portions of the financial sector. At its root, OPSEC means not putting sensitive information in places where other people can see or infer it. Even the best-protected encryption platform can be hacked—for truly sensitive information, keeping it off the Internet and not discussing it on the phone is still the best bet.
[Image: Flickr user Woodleywonderworks]