Better late than never: here’s a report back from the “crypto party” hosted by the Electronic Privacy Information Center (EPIC) and Public Citizen on Friday, October 25th in the offices of Public Citizen in connection with the “Stop Watching Us” rally against mass surveillance that weekend.
The evening was a pizza- and beer-fueled workshop on how and why to go about encrypting email and masking one’s Internet usage. Much of it was (or should have been) familiar to me and MCCRC readers via our own Bill Day’s posts on the subjects (see here for an overview).
But a refresher course with hands-on help never hurts. The email encryption workshop I joined led off with a clear, useful overview of the issues followed by excellent help from the experts on hand, via organizations like Access, Center for Democracy and Technology, Electronic Frontier Foundation, Free Software Foundation, National Democratic Institute (NDI), Open Technology Institute, Robinson + Yu, and Tor. (Simultaneous presentations covered TOR internet use anonymization and secure messaging and storage practices.)
Why to encrypt your email
Following the hands-on part of the workshop, security/privacy expert Bruce Schneier provided some useful context:
“One of the big lessons of the Snowden documents with regard to encryption is that it works. … What we’re really doing here is engaging in economics. We have fundamentally made surveillance too cheap, and the plan is to make it more expensive, and one of the primary ways to make it more expensive is encryption. …the NSA can grab lots of data off the backbone because it’s not encrypted. And if we can push them from that kind of wholesale surveillance to a more retail surveillance, into going into individual computers one at a time, we’re going to do a lot of good forcing them to focus on the bad guys and not to collect on the innocents.”
What to think about in email encryption
Below are videos of the ~20 minute email encryption workshop slideshow presentation and discussion, led by Michael Carbone of Access and Joseph Hall of CDT. Among the numerous simple but valuable points:
- the most common encryption methods (PGP, GPG) don’t encrypt the subject line of an email — so keep sensitive information off the subject line
- ditto with attachments
- use levels of effort appropriate to the adversaries you consider realistic — e.g., journalists or activists overseas may face more determined adversaries and should exercise (even) more caution than most readers of this blog post.
The slideshow is also displayed below in embedded PDF format to make it easier for readers here to follow along.
It’s easy to get confused or bemused by the “public-private” key pairs involved — how the heck can *that* work? One solution is not to care, and just take for granted that you and your correspondents are using each other’s public keys to encrypt messages to each other that will require the recipient’s private key to decrypt. That means you need your recipient’s public key to send him or her an encrypted message, and he or she will need yours to reply in kind. For better discussions, see the Wikipedia “public key cryptography” entry, this lock box with a clockwise and many counterclockwise keys analogy, and/or this illustrative tennis-ball/padlock video.
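To make the subject-line and attachment points from the workshop concrete, here is an added example (not from the workshop slides or this post) that parses an outgoing message and reports what stays readable without the recipient’s private key. The addresses, subject, filename, placeholder ciphertext and the function name `cleartext_exposure` are constructed for illustration.

```python
from email import message_from_string, policy

ARMOR = "-----BEGIN PGP MESSAGE-----"

# Constructed sample: inline-PGP body plus an attachment added without encryption.
SAMPLE = """\
From: alice@example.org
To: bob@example.org
Subject: Source list for the surveillance story
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="sources.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

def cleartext_exposure(raw):
    """Report what anyone handling the message can read without a private key."""
    msg = message_from_string(raw, policy=policy.default)
    # Headers travel outside the OpenPGP payload, so they are always readable.
    headers = {h: str(msg[h]) for h in ("From", "To", "Subject") if msg[h]}
    exposed = []
    # PGP/MIME (RFC 3156) wraps body and attachments in one encrypted part.
    if msg.get_content_type() != "multipart/encrypted":
        for part in msg.walk():
            if part.is_multipart():
                continue
            # Simplification: only ASCII-armored data counts as encrypted here.
            data = part.get_payload(decode=True) or b""
            if ARMOR.encode() not in data:
                exposed.append(part.get_filename() or part.get_content_type())
    return {"headers": headers, "cleartext_parts": exposed}

if __name__ == "__main__":
    print(cleartext_exposure(SAMPLE))
```

Run against a saved draft before sending, this lists the headers and any attachment that would leave your machine unencrypted.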
How to encrypt your email
The basics of setting up encryption can be fairly simple, especially if you use the Mozilla “Thunderbird” email client:
- Install Thunderbird if you don’t already have it.
- Install GnuPG to your computer, following Mozilla instructions for your operating system.
- Add the “Enigmail” add-on to Thunderbird (Tools->Add-ons: search for and install “Enigmail.”)
- Generate a public-private key pair using the “OpenPGP” setup wizard you will now have available in Thunderbird. Likely best installation choices:
  - “Yes, I want to sign all of my email”
  - “No, I will create per-recipient rules” (since many of your recipients will not yet use encryption)
  - “Generate certificate” of revocation in case your private key is compromised — e.g., TSA seizes your laptop when you return to the US.
- Upload your public key to one (or better yet more) “keyservers” where others can find it.
- Send your public key to the prospective encrypted email recipient; they must have an encryption-ready email client to be able to use it.
- Send your encrypted email to the recipient.
MCCRC email encryption public key
Montgomery County Civil Rights Coalition has now published its own public key for use in sending and receiving encrypted email via email@example.com. We invite and encourage other local civil rights and civil liberties groups to do the same — particularly in connection with the Rapid Response Network we advocate when freedom of speech, assembly, or association are endangered in our region.