Notes from workshop on Privacy

author: SuZQ - 03.09.2002 00:07
http://www.all4all.org//2002/09/328.shtml

A workshop was held this afternoon at the Boerhavalaan, where ASCII's squatted internet cafe and the independent media center.

A workshop was given today on computer privacy and the use of encryption, held right after the workshop on surveillance. This is a summary of what was said.

The totalitarian ideal is to watch all people all the time, and through fear of the repercussions of what is seen during this omnipresent surveillance, to control them. Currently, telephone service providers keep logs on hard drives of all internet and telephone use, communications and transmissions. Law enforcement agencies sift through these logs looking for certain keywords (Al-Quaida, WTO, child pornography...) They use systems such as Carnivore and Infopol to surveil communications. Certain people are also tracked: if you have been to five or more demonstrations, your correspondance is probably under surveillance.

It is the responsibility of the telephone service providers to store and pay for all these transmissions, which drains their profits, so it is not in their best interest to do it well; this is an angle that those who wish to resist surveillance can exploit.

Methods of resistance include "Say hi to Echelon" signatures for email: posting a list of keywords that are sought after by Law Enforcement Agencies at the bottom of every inane, banal email, thereby swamping their search engines with false hits. You can also test the police surveillance of you by planning a false action over email or over cell phones, then not doing the action but hanging out nearby to observe from a distance and see whether or not the cops show up.

There are two elements to communication self-protection: anonymity and privacy. Cell phones provide neither. If you use a credit card in your own name, your movements and transactions are also tracked.

One solution is to buy a prepaid cell phone for one-time use during a demo or action, and then to lose the phone afterwards. This offers anonymity but not privacy. It is also possible to create a self-encrypted SimCard for your cell phone, but you cannot call or be called by anyone who does not have the same encryption on their cell phone.

No email is truly secure, but some are even less secure than others. Information sent in plain text over telnet, for example, is very easily read in transit. American servers such as Hotmail and Yahoo have agreements with the US government that grants law enforcement agencies open access to all their server logs. Using hotmail, you might as well send your emails via skywriting for all the privacy it offers.

PGP (short for Pretty Good Privacy) and GPG (Gnu Privacy Guard) are forms of asymmetric encryption. They works like this. You download some software from www.gnupg.org onto your home computer. This software generates, on your home computer, a private decryption key that is known only to you. It also creates a public decryption key that you can give to all your friends or post freely. Your public and private keys are connected to each other by a passphrase that only you know. Other people, who also have PGP or GPG software, then write an email to you on their home computer. They encrypt their message using the combination of their private key and your public key. They send it to you, and you decrypt it with your public key and your private key, and as long as nobody has access to your private key or to your home computer, only you can read this message. Of course, it is still possible for the law enforcement agencies to decrypt your messages, but it will take them a while. Therefore, if you have encryption software and so do your friends (both correspondants must have PGP or GPG in order for it to be effective) you should send EVERYTHING, even the most banal, via encrypted messages, so as to create extra work for them.

At first, it was illegal to export encryption technology from the USA because encryption keys were considered military-grade weapons. Now the laws are a little looser.

Other encryption forms include SSH (Secure Shell), which generates a new decryption key every time you wish to access your home server from abroad, and HTTPS, which is a more secure way of accessing web pages. Sometimes, using an internet server on another continent makes surveillance a bit more difficult, because of the difficulty coordinating between governments. (Although within Europe, police cooperation is almost total.)

However, no transmission is truly secure. It is not as though, once a message is encrypted, it is safe. You should be constantly vigilant as to the encryption technology you are using, the security of your computer (Windows computers that are connected to the internet can be easily entered by intruders from a distance) the security of your hardware (not sending passwords etc. from a computer that logs keystrokes or which keeps cache files of the different web pages you have viewed).

If you use encryption technology, do not accept it from a corporation, because they will probably have put "back doors" in it to make it possible for them to access your files. The best is to accept encryption software that comes from open-source code, because this has been reviewed by a community of volunteers from around the world who have no interest in hiding anything from you.

To find out more about internet security, check out:

www.tao.ca/security (The Anarchist Organization)
www.gnupg.org
www.cryptome.org (info about law enforcement agencies)
www.riseup.net (an activist email server)
www.so36.net


European PGA Conference Leiden | www.agp.org | www.all4all.org