""
<html>
	<head>
		<title>Ensuring Privacy in your Personal and Professional Electronic Communications</title>
		<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
	</head>
	<body bgcolor="#ffffcc" text="#000000">
		<p align="center"><font size="6">Ensuring Privacy in your Personal and Professional 
				Electronic Communications</font></p>
		<p align="left"><i>In the past, if the government wanted to violate the privacy of 
				ordinary citizens, it had to expend a certain amount of effort to intercept and 
				steam open and read paper mail, or listen to and possibly transcribe spoken 
				telephone conversations. This is analogous to catching fish with a hook and 
				line, one fish at a time. Fortinuately for freedom and democracy, this kind of 
				labor-intensive monitoring is not practical on a large scale. Today, electronic 
				mail is gradually replacing conventional paper mail, and is soon to be the norm 
				for everyone, not the novelty it is today. Unlike paper mail, e-mail messages 
				are just too easy to intercept and scan for interesting keywords. This can be 
				done easily, routinely, automatically, and undetectably on a grand scale. This 
				is analogous to driftnet fishing-making a quantitative Orwellian difference to 
				the health of democracy.</i>-- Phil Zimmermann, Creator of Pretty Good 
			Privacy (PGP)</p>

		<p align="left">
			Phil Zimmermann wrote that in the mid 1990's and it is even more true today in 
			this post September 11th world. In this day when civil liberties are more 
			readily being given up in an attempt to gain more security against terrorist 
			threats the FBI is more likely to use tools like <a href="http://www.fbi.gov/hq/lab/carnivore/carnivore2.htm">
				Carnivore</a>. One of the more worrisome statements comes directly from the 
			FBI's description of Carnivore: "The Carnivore device works much like 
			commercial "sniffers" and other network diagnostic tools used by ISPs every 
			day...". Your communications may possibly be intercepted by any number of 
			individuals and corporations on it's way to it's final destination. Email 
			experts describe the medium as being more like a postcard than a letter. With a 
			postcard the very honest people do not read it, but even the honest people get 
			curious and are tempted. The new <a href="http://www.epic.org/privacy/terrorism/hr3162.html">
				Patriot Act</a> passed in October 2001 gives the FBI the ability to tap 
			into your electronic communications<a href="http://www.eff.org/Privacy/Surveillance/Terrorism_militias/20011031_eff_usa_patriot_analysis.html">
				even if you are not targetted by an investigation</a>.
		</p>

		<p align="left"><font size="4"><b>But, I have nothing to hide...</b></font><br>
			While that may be true, it is entirely possible you are breaking the law 
			without even knowing it. Many times innocuous things we do everyday might be 
			unlawful without you even knowing it. For example trading MP3s is a very 
			popular activity, but we all know it's illegal. If you were to admit to 
			possessing illegally copied music over email it is conceivable that would be 
			enough evidence for the FBI to get a search warrant. Even so, we frequently 
			think of the communications we have with our friends, family and coworkers to 
			be private and would like them to remain so. We often speak differently in 
			private than we would in public. We often forget that emails, like postcards, 
			are not private and can be read by any number of individuals. Another issue is 
			your email can be stored or copied at any of the servers it passes through on 
			it's destination. This leads to emails lasting much longer than intended. Lets 
			take an example.
		</p>
		<p align="left">Lets say you sent a personal email to your best friend with an 
			off-color joke. If you sent this email from work it is entirely possible that 
			email was searched and logged. Even if you sent it from home it is still 
			possible that your ISP or any of the servers that handled the emails packet's 
			could read the email. Lets say you realized afterward that the email could be 
			considered innapropriate and you asked your sibling to delete the message and 
			you deleted it from your "sent messages" folder. The problem is that message 
			continues to live on. That message can be living in a database somewhere 
			forever. You don't know where it is and cannot ask for it to be deleted. 
			Someday it could be brought up against you by your boss or in a court of law.
		</p>
		<p align="left">This issue of an uncontrollable message lifetime is the biggest 
			problem. I have said things in the past that I wish I could have taken back or 
			not said at all. This might be from youthful naivity or hightened emotions. In 
			any case I would hate that in those occasions that my words had been 
			permanently saved for posterity.
		</p>
		<p align="left"><font size="4"><b>What do I do to protect the privacy of my e-mail?</b><br>
			</font>The best protection is to encrypt your email. Encryption is the act of 
			rendering your message unreadable to anyone but the intended recepient. 
			Remember the decoder ring that came in the box of cereal? That was a type of 
			encryption. Hopefully we'll be using stronger sorts of encryption on our 
			emails, but you get the idea.
		</p>

		<p align="left">One type of encryption is symmetric encryption. That means it works 
			both ways. I encrypt a message to you using a password. You have to know the 
			same password to decrypt the message. The problem is how to communicate the 
			password securely between the two parties. I cannot just send the password 
			along the message because anyone could use to read the message. I would have to 
			meet with the other party in person to tell them the password. This is usually 
			not very convenient.
		</p>
		<p align="left">The solution to this problem is public key encryption. This uses a 
			one-way encryption algorithm. I encrypt things in a manner that only a 
			different key can decrypt it. So what I do is generate two keys. The key that 
			can encrypt messages I give to everyone. The key that can decrypt them I keep 
			only for myself. Anyone who wants to send me a message just encrypts it using 
			the key I gave out (my public key) and only I can decrypt it using my private 
			key. They would give me a private key so I could send them messages.
		</p>
		<p align="left">Without my private key, anyone intercepting messages intended for 
			me would be completely unable to read them. This still leads to one problem.</p>
		<p align="left"><font size="4"><b>Nobody can read my mail, but how do I securely know who 
					sent it to me?</b></font><br>
			There exists a group of algorithms called hash algorithms. They are a function 
			that takes some input and generates a value that represents the input, but the 
			input cannot be recreated from the hash. Secure hash functions are functions 
			that take an input (your message) and generate a unique output value (the hash) 
			that uniquely identifies the message, but the message cannot be recreated from 
			the hash. So now we have a unique way to identify the message. Finally we need 
			a way to secure the generated hash. Since both the public and private key are 
			one way ciphers anything encrypted with the public key can be decrypted by the 
			private key (as in the above example). The reverse is also true. Anything 
			encrypted with a private key can be decrypted by the public key. So here's a 
			complete example:</p>
		<p align="left">I write a message to a friend. Upon completion I digitally sign the 
			message by taking a secure hash of the message. I then take this hash value and 
			encrypt it using my secret key. Now anyone who has my public key can use it to 
			decrypt the hash and make sure it matches their independently generated hash 
			value. By doing that they can be sure I wrote it because<br>

			1) Only I have my secret key and therefore I am the only one that can encrypt 
			something that my public key can decrypt<br>
			2) Since the hash uniquely identifies the message then the message is exactly 
			as I wrote it.<br>
			At this point anyone can determine that I was the author of the message and the 
			message is exactly as I wrote it. It is the perfect digital signature. The last 
			thing I do is encrypt the message with my friend's public key and send it to 
			him.
		</p>
		<p align="left"><font size="4"><b>What tools should I use?</b></font><br>
			Encryption tools for military and commerical uses have been around for the 
			longest time. Only in 1991 when Phil Zimmermann decided to release PGP did 
			individuals have a tool. Sadly marketing privacy to individuals has turned into 
			a profitless venture so Network Associates has stopped offering PGP. Network 
			Associates always offered a free version for individual use and those versions 
			are still available:</p>
		<p align="left"><a href="http://www.pgpi.org/products/pgp/versions/freeware/">International 
				PGP Homepage</a> - (Choose "Windows 2000" if you have Windows XP)</p>

		<p align="left">A new tool is Gnu Privacy Guard. Created to provide an open source 
			alternative to PGP it conforms to the OpenPGP standard. Like most open source 
			software it is not as easy to use as it's closed source cousin. However it is 
			more powerful because it supports more encryption algorithms (like the new 
			Advanced Encryption Standard, AES). Also since it is still being worked on it 
			will support new operating systems. Whichever platform you download from be 
			sure to get the IDEA module to maintain compatibility with PGP.
		</p>
		<p align="left"><a href="http://www.gnupg.org/">GnuPG homepage</a><br>
		</p>
		<P align="left"><FONT size="4"><STRONG>Windows:<BR>
				</STRONG></FONT><FONT size="3"><STRONG>Email/File encryption:<BR>
				</STRONG></FONT>
			<DIV align="center">

				<UL>
					<li>
						<DIV align="left"><a href="http://www.gnupg.org/download.html">GnuPG Download Page</a>
							- Download GnuPG first
						</DIV>
					<li>
						<DIV align="left"><a href="http://www.winpt.org/download.html">WinPT</a> - A helper 
							application for managing keys and easy encryption/decryption
						</DIV>

					<li>
						<DIV align="left"><a href="http://www.winpt.org/gpgoe.html">GPGOE</a> - A plugin 
							for Outlook Express that greatly simplifies sending encrypted email
						</DIV>
					</li>
				</UL>
			</DIV>
		<P align="left"><STRONG>Instant Messaging:</STRONG></P>
		<UL>

			<LI>
				<DIV align="left"><a href="http://www.trillian.cc">Trillian</a> - A multi-protocol 
					(AIM, MSN, YahooIM, ICQ) instant messager with a SecureIM option. <a href="http://www.ceruleanstudios.com/download.html">
					</a><img border="0" align="top" src="http://www.trillian.cc/images/Trillian-MiniPromo1-B.gif"></a>
				</DIV>
			</LI>
		</UL>
		<br>

		<P></P>
		<p align="left"><FONT size="4"><STRONG>Macintosh:</STRONG></FONT><br>
		<FONT size="3"><STRONG>Email/File encryption:<BR>
				</STRONG></FONT>
			<ul><li><a href="http://macgpg.sourceforge.net/">MacGnuPG Homepage</a> - GnuPG for Macintosh along with various OS X tools for key management and integration into OS X mail</li></ul>
			
			<P align="left"><STRONG>Instant Messaging:</STRONG></P>

			<ul><li><a href="http://www.epicware.com/fire.html">Fire</a> : A great multi-proticol (MSN, AIM, Yahoo) open source instant messager that uses GnuPG for secure messaging</li></ul>
		</p>
		<p align="left">Other Resources:<br>
			Singh, Simon. <b>The Code Book</b>. New York, 1999. Anchor Books. <a href="http://www.amazon.com/exec/obidos/ASIN/0385495323/qid=1027310847/sr=8-1/ref=sr_8_1/002-8969609-4650428">
				Buy it on Amazon </a>

		</p>
		<P align="left"><b>-- Clinton Chadwick<br>
				-- cchadwick AT valleypond.net (replace AT with @ and remove spaces)<br>
				-- <a href="cchadwick.txt">PGP Public Key</a></b></P>
		<P align="left"><STRONG></STRONG>&nbsp;</P>
		<P align="left">&nbsp;</P>
		<hr>

		<div align="left"><br>
			<font size="-2">Copyright 2002, Clinton Chadwick </font>
		</div>
		<p align="left">&nbsp;</p>
		<p align="left">&nbsp;</p>
	</body>
</html>
""