Keep Your Secrets Secret - The Reykjavik Grapevine

Keep Your Secrets Secret

Published July 29, 2013

Oliver Schneider was wearing a green t-shirt with yellow print that read: “Just because you aren’t paranoid doesn’t mean they aren’t after you!” I told him I might need a photo of that and he laughed sharply. Oliver is a young, computer-oriented guy who came by to show me how to encrypt emails. Simply put: encryption is the process of converting data into ciphertext so that only someone with a key that decrypts the data can view it. You would send an encrypted email so that no one along the way could view or alter the content.
We’re all a little paranoid. Some of us more than others. All with good reason. It’s actually not that complicated to carry on being paranoid – encrypting your emails is very simple, at least, the act of doing it is straightforward, though the actual science is not.
That said, there is more than one way to encrypt and some avenues offer more security than others. The method of encryption I learned involves using an exterior plugin which is less secure than using a software toolkit. For instance, most plugins do not prevent webmail such as Gmail from saving unencrypted email drafts. If you want something that accounts for more, check out Tactical Technology Collective’s Security in-a-box, which was designed for human rights advocates. Research your options, but what follows is a guide for one simple way to encrypt your emails.
1. Oliver taught us how to encrypt in Gmail, so here’s a disclaimer: if you are using another email provider, the steps may be different. First, go to openpgpjs.org – “PGP stands for Pretty Good Privacy,” Oliver said. I couldn’t tell if that was real or a computer-people joke, but confirmed: it’s not a joke. OpenPGP is a website that simplifies the process of encrypting. You don’t have to download anything, which is nice. Once you’re at the website’s main page, pick from the list of icons under “Downloads/Plugins/Examples.” I chose Google Chrome, since that was the browser I was using. There are actually two Google Chrome icons—I went with the one on the left.
2. After you click the left Google Chrome icon it takes you to a page that says “Mymail-Crypt for Gmail,” which has information about what the hell you are doing and all that. Click on the top right button that says “ADD TO CHROME.” A little bar will come down: click “tools,” then click “extensions,” which should take you to a page called “mymail-crypt for Gmail options.”
3. Once you are at “mymail-crypt for Gmail options,” click on a tab at the top of the screen that says “my keys.” There, add your name, email address, and passphrase. Emphasis on the term ‘passphrase,’ not ‘password’. You’re trying to protect your information here, so it’s better to go for something more complex. Don’t use only letters. Get funky. For the name box, type your name then something specific about you, just one word even, in parentheses in the same box. For example: “Ryan Gosling (Feminist).” Do this because there’s probably someone else in the world who shares your name, and there’s no reason to get mixed up with anybody else. It’s also a good idea to click on the “options” tab and check the box that says “add myself as an encrypted recipient on all messages. Allows decrypting sent messages.” This will add you as your own friend under your “friends’ keys” tab and lets you go back and decrypt and read your own sent emails.
4. Go back to the “my keys” tab and have a look at your private key by clicking “show key.” You will obviously want to keep that key private. Oliver stressed that it’s very important to protect your secret key (be your own hero, you know), which is why a complex passphrase is necessary. If you then go to the “friends’ keys” tab, you’ll see your own key ID. If you click “show key” on that page you’ll see your public key. These keys are what allow people to decrypt one another’s encrypted emails. If Oliver wants to send me an email, he needs my public key to encrypt it and I need my private key to decrypt it, and vice versa. If you know other people who have encrypted Gmail accounts, ask for their public key (which is a very long page of numbers and letters), and add them to your list of “friends’ keys” by pasting their public key into the text box.
5. Stay in Google Chrome and your Gmail inbox—you’ll probably see that at the bottom of every email is a box for a password (you’ll always use the password you used just moments ago to create a key for yourself through Mymail-Crypt) and three buttons: “Encrypt and Sign,” “Encrypt,” and “Sign.” “Sign” refers to your digital signature, which “is like your handwriting on a postcard,” Oliver said. It’s an indication that you are who you say you are. It’s rather nifty.
6. Now all you need is other people who are into encryption as much as you are. Exchanging encrypted emails requires that people on both ends of the email are involved in the encryption and decryption process. It’s not a one-man deal. If no one else you communicate with sends encrypted emails, then it’s pretty useless. Many people upload their public keys to public key servers like pgp.mit.edu—where I uploaded mine. That way if a friend wants to find your public key, you can give them your key ID and fingerprint (a long list of numbers and letters that make it even harder for your info to get mixed up with someone else’s) and they can find you on the server.
So that’s how it’s done. If you have any further questions, consult the Internet.
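What the “Encrypt” and “Sign” buttons and the “add myself as an encrypted recipient” option do with the two kinds of key can be sketched in a few lines of JavaScript. This is an added example, not code from Mymail-Crypt or OpenPGP.js: it uses Node’s built-in crypto module rather than the OpenPGP message format, signs the plain text separately from the encryption, and the names `encryptFor`, `decryptWith` and `demo` and the sample message are made up for illustration.

```javascript
// Added illustration using Node's built-in crypto; not OpenPGP.js or Mymail-Crypt code.
const crypto = require('node:crypto');
// Constructed key pairs standing in for the two correspondents.
const newKeyPair = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const [oliver, me] = [newKeyPair(), newKeyPair()];

// "Encrypt": a random session key encrypts the body, then that session key is
// wrapped once for each recipient's public key.
function encryptFor(body, recipientPublicKeys) {
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(body, 'utf8'), cipher.final()]);
  const wrappedKeys = recipientPublicKeys.map((pub) => crypto.publicEncrypt(pub, sessionKey));
  return { iv, ciphertext, tag: cipher.getAuthTag(), wrappedKeys };
}

// Decrypting needs a private key matching one of the public keys used above.
function decryptWith(message, privateKey) {
  for (const wrapped of message.wrappedKeys) {
    try {
      const sessionKey = crypto.privateDecrypt(privateKey, wrapped);
      const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, message.iv);
      decipher.setAuthTag(message.tag);
      return Buffer.concat([decipher.update(message.ciphertext), decipher.final()]).toString('utf8');
    } catch { /* this copy of the session key was wrapped for someone else */ }
  }
  return null; // the holder of this private key was not a recipient
}

// "Sign": made with the sender's private key, checked with the sender's public key.
const sign = (body, privateKey) => crypto.sign('sha256', Buffer.from(body), privateKey);
const verify = (body, sig, publicKey) => crypto.verify('sha256', Buffer.from(body), publicKey, sig);

// Oliver sends one "Encrypt and Sign" message to me (constructed sample text).
function demo() {
  const body = 'Bonfire on the beach at nine.';
  const sig = sign(body, oliver.privateKey);
  const toMeOnly = encryptFor(body, [me.publicKey]);
  const toMeAndSelf = encryptFor(body, [me.publicKey, oliver.publicKey]);
  return {
    recipientReads: decryptWith(toMeOnly, me.privateKey),
    senderRereadsWithoutOption: decryptWith(toMeOnly, oliver.privateKey),
    senderRereadsWithOption: decryptWith(toMeAndSelf, oliver.privateKey),
    signatureValid: verify(body, sig, oliver.publicKey),
    tamperedBodyValid: verify(body + '!', sig, oliver.publicKey),
    signedByMe: verify(body, sig, me.publicKey),
  };
}
```

Without the option checked, the sender’s own private key cannot open the sent copy, which is why the box is worth ticking.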
On a final note: what’s very interesting about encryption is that while it sounds mechanical and distant, it’s actually very interpersonal and requires people to be thoughtful about exchanging information and working together for the security of their data. In a larger sense, the aim is to “create a web of trust” between humans, as Oliver put it. “If someone I know has signed your key, then I have a certain level of trust in that key. So if I get something from you that is signed by you I can have a certain level of confidence that it is you.” Not everyone trusts PGP, but a lot of people use it and a lot of people do trust it.
Oliver thinks that the argument for not protecting your information because you have “nothing to hide” is a very weak one: “Someone says, I have nothing to hide, okay, so you can strip and I can take a photo of you, and show that photo to your neighbours and have all the rights to that photo?”
Oliver also mentioned that people have key signing parties where they exchange information and in turn strengthen the web of trust. I’m into going down to the beach, building a bonfire, and exchanging public keys while we sing.

