Wiki source for EnsuringPrivacy
""
<html>
<head>
<title>Ensuring Privacy in your Personal and Professional Electronic Communications</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#ffffcc" text="#000000">
<p align="center"><font size="6">Ensuring Privacy in your Personal and Professional
Electronic Communications</font></p>
<p align="left"><i>In the past, if the government wanted to violate the privacy of
ordinary citizens, it had to expend a certain amount of effort to intercept and
steam open and read paper mail, or listen to and possibly transcribe spoken
telephone conversations. This is analogous to catching fish with a hook and
line, one fish at a time. Fortinuately for freedom and democracy, this kind of
labor-intensive monitoring is not practical on a large scale. Today, electronic
mail is gradually replacing conventional paper mail, and is soon to be the norm
for everyone, not the novelty it is today. Unlike paper mail, e-mail messages
are just too easy to intercept and scan for interesting keywords. This can be
done easily, routinely, automatically, and undetectably on a grand scale. This
is analogous to driftnet fishing-making a quantitative Orwellian difference to
the health of democracy.</i>-- Phil Zimmermann, Creator of Pretty Good
Privacy (PGP)</p>
<p align="left">
Phil Zimmermann wrote that in the mid 1990's and it is even more true today in
this post September 11th world. In this day when civil liberties are more
readily being given up in an attempt to gain more security against terrorist
threats the FBI is more likely to use tools like <a href="http://www.fbi.gov/hq/lab/carnivore/carnivore2.htm">
Carnivore</a>. One of the more worrisome statements comes directly from the
FBI's description of Carnivore: "The Carnivore device works much like
commercial "sniffers" and other network diagnostic tools used by ISPs every
day...". Your communications may possibly be intercepted by any number of
individuals and corporations on it's way to it's final destination. Email
experts describe the medium as being more like a postcard than a letter. With a
postcard the very honest people do not read it, but even the honest people get
curious and are tempted. The new <a href="http://www.epic.org/privacy/terrorism/hr3162.html">
Patriot Act</a> passed in October 2001 gives the FBI the ability to tap
into your electronic communications<a href="http://www.eff.org/Privacy/Surveillance/Terrorism_militias/20011031_eff_usa_patriot_analysis.html">
even if you are not targetted by an investigation</a>.
</p>
<p align="left"><font size="4"><b>But, I have nothing to hide...</b></font><br>
While that may be true, it is entirely possible you are breaking the law
without even knowing it. Many times innocuous things we do everyday might be
unlawful without you even knowing it. For example trading MP3s is a very
popular activity, but we all know it's illegal. If you were to admit to
possessing illegally copied music over email it is conceivable that would be
enough evidence for the FBI to get a search warrant. Even so, we frequently
think of the communications we have with our friends, family and coworkers to
be private and would like them to remain so. We often speak differently in
private than we would in public. We often forget that emails, like postcards,
are not private and can be read by any number of individuals. Another issue is
your email can be stored or copied at any of the servers it passes through on
it's destination. This leads to emails lasting much longer than intended. Lets
take an example.
</p>
<p align="left">Lets say you sent a personal email to your best friend with an
off-color joke. If you sent this email from work it is entirely possible that
email was searched and logged. Even if you sent it from home it is still
possible that your ISP or any of the servers that handled the emails packet's
could read the email. Lets say you realized afterward that the email could be
considered innapropriate and you asked your sibling to delete the message and
you deleted it from your "sent messages" folder. The problem is that message
continues to live on. That message can be living in a database somewhere
forever. You don't know where it is and cannot ask for it to be deleted.
Someday it could be brought up against you by your boss or in a court of law.
</p>
<p align="left">This issue of an uncontrollable message lifetime is the biggest
problem. I have said things in the past that I wish I could have taken back or
not said at all. This might be from youthful naivity or hightened emotions. In
any case I would hate that in those occasions that my words had been
permanently saved for posterity.
</p>
<p align="left"><font size="4"><b>What do I do to protect the privacy of my e-mail?</b><br>
</font>The best protection is to encrypt your email. Encryption is the act of
rendering your message unreadable to anyone but the intended recepient.
Remember the decoder ring that came in the box of cereal? That was a type of
encryption. Hopefully we'll be using stronger sorts of encryption on our
emails, but you get the idea.
</p>
<p align="left">One type of encryption is symmetric encryption. That means it works
both ways. I encrypt a message to you using a password. You have to know the
same password to decrypt the message. The problem is how to communicate the
password securely between the two parties. I cannot just send the password
along the message because anyone could use to read the message. I would have to
meet with the other party in person to tell them the password. This is usually
not very convenient.
</p>
<p align="left">The solution to this problem is public key encryption. This uses a
one-way encryption algorithm. I encrypt things in a manner that only a
different key can decrypt it. So what I do is generate two keys. The key that
can encrypt messages I give to everyone. The key that can decrypt them I keep
only for myself. Anyone who wants to send me a message just encrypts it using
the key I gave out (my public key) and only I can decrypt it using my private
key. They would give me a private key so I could send them messages.
</p>
<p align="left">Without my private key, anyone intercepting messages intended for
me would be completely unable to read them. This still leads to one problem.</p>
<p align="left"><font size="4"><b>Nobody can read my mail, but how do I securely know who
sent it to me?</b></font><br>
There exists a group of algorithms called hash algorithms. They are a function
that takes some input and generates a value that represents the input, but the
input cannot be recreated from the hash. Secure hash functions are functions
that take an input (your message) and generate a unique output value (the hash)
that uniquely identifies the message, but the message cannot be recreated from
the hash. So now we have a unique way to identify the message. Finally we need
a way to secure the generated hash. Since both the public and private key are
one way ciphers anything encrypted with the public key can be decrypted by the
private key (as in the above example). The reverse is also true. Anything
encrypted with a private key can be decrypted by the public key. So here's a
complete example:</p>
<p align="left">I write a message to a friend. Upon completion I digitally sign the
message by taking a secure hash of the message. I then take this hash value and
encrypt it using my secret key. Now anyone who has my public key can use it to
decrypt the hash and make sure it matches their independently generated hash
value. By doing that they can be sure I wrote it because<br>
1) Only I have my secret key and therefore I am the only one that can encrypt
something that my public key can decrypt<br>
2) Since the hash uniquely identifies the message then the message is exactly
as I wrote it.<br>
At this point anyone can determine that I was the author of the message and the
message is exactly as I wrote it. It is the perfect digital signature. The last
thing I do is encrypt the message with my friend's public key and send it to
him.
</p>
<p align="left"><font size="4"><b>What tools should I use?</b></font><br>
Encryption tools for military and commerical uses have been around for the
longest time. Only in 1991 when Phil Zimmermann decided to release PGP did
individuals have a tool. Sadly marketing privacy to individuals has turned into
a profitless venture so Network Associates has stopped offering PGP. Network
Associates always offered a free version for individual use and those versions
are still available:</p>
<p align="left"><a href="http://www.pgpi.org/products/pgp/versions/freeware/">International
PGP Homepage</a> - (Choose "Windows 2000" if you have Windows XP)</p>
<p align="left">A new tool is Gnu Privacy Guard. Created to provide an open source
alternative to PGP it conforms to the OpenPGP standard. Like most open source
software it is not as easy to use as it's closed source cousin. However it is
more powerful because it supports more encryption algorithms (like the new
Advanced Encryption Standard, AES). Also since it is still being worked on it
will support new operating systems. Whichever platform you download from be
sure to get the IDEA module to maintain compatibility with PGP.
</p>
<p align="left"><a href="http://www.gnupg.org/">GnuPG homepage</a><br>
</p>
<P align="left"><FONT size="4"><STRONG>Windows:<BR>
</STRONG></FONT><FONT size="3"><STRONG>Email/File encryption:<BR>
</STRONG></FONT>
<DIV align="center">
<UL>
<li>
<DIV align="left"><a href="http://www.gnupg.org/download.html">GnuPG Download Page</a>
- Download GnuPG first
</DIV>
<li>
<DIV align="left"><a href="http://www.winpt.org/download.html">WinPT</a> - A helper
application for managing keys and easy encryption/decryption
</DIV>
<li>
<DIV align="left"><a href="http://www.winpt.org/gpgoe.html">GPGOE</a> - A plugin
for Outlook Express that greatly simplifies sending encrypted email
</DIV>
</li>
</UL>
</DIV>
<P align="left"><STRONG>Instant Messaging:</STRONG></P>
<UL>
<LI>
<DIV align="left"><a href="http://www.trillian.cc">Trillian</a> - A multi-protocol
(AIM, MSN, YahooIM, ICQ) instant messager with a SecureIM option. <a href="http://www.ceruleanstudios.com/download.html">
</a><img border="0" align="top" src="http://www.trillian.cc/images/Trillian-MiniPromo1-B.gif"></a>
</DIV>
</LI>
</UL>
<br>
<P></P>
<p align="left"><FONT size="4"><STRONG>Macintosh:</STRONG></FONT><br>
<FONT size="3"><STRONG>Email/File encryption:<BR>
</STRONG></FONT>
<ul><li><a href="http://macgpg.sourceforge.net/">MacGnuPG Homepage</a> - GnuPG for Macintosh along with various OS X tools for key management and integration into OS X mail</li></ul>
<P align="left"><STRONG>Instant Messaging:</STRONG></P>
<ul><li><a href="http://www.epicware.com/fire.html">Fire</a> : A great multi-proticol (MSN, AIM, Yahoo) open source instant messager that uses GnuPG for secure messaging</li></ul>
</p>
<p align="left">Other Resources:<br>
Singh, Simon. <b>The Code Book</b>. New York, 1999. Anchor Books. <a href="http://www.amazon.com/exec/obidos/ASIN/0385495323/qid=1027310847/sr=8-1/ref=sr_8_1/002-8969609-4650428">
Buy it on Amazon </a>
</p>
<P align="left"><b>-- Clinton Chadwick<br>
-- cchadwick AT valleypond.net (replace AT with @ and remove spaces)<br>
-- <a href="cchadwick.txt">PGP Public Key</a></b></P>
<P align="left"><STRONG></STRONG> </P>
<P align="left"> </P>
<hr>
<div align="left"><br>
<font size="-2">Copyright 2002, Clinton Chadwick </font>
</div>
<p align="left"> </p>
<p align="left"> </p>
</body>
</html>
""
<html>
<head>
<title>Ensuring Privacy in your Personal and Professional Electronic Communications</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#ffffcc" text="#000000">
<p align="center"><font size="6">Ensuring Privacy in your Personal and Professional
Electronic Communications</font></p>
<p align="left"><i>In the past, if the government wanted to violate the privacy of
ordinary citizens, it had to expend a certain amount of effort to intercept and
steam open and read paper mail, or listen to and possibly transcribe spoken
telephone conversations. This is analogous to catching fish with a hook and
line, one fish at a time. Fortinuately for freedom and democracy, this kind of
labor-intensive monitoring is not practical on a large scale. Today, electronic
mail is gradually replacing conventional paper mail, and is soon to be the norm
for everyone, not the novelty it is today. Unlike paper mail, e-mail messages
are just too easy to intercept and scan for interesting keywords. This can be
done easily, routinely, automatically, and undetectably on a grand scale. This
is analogous to driftnet fishing-making a quantitative Orwellian difference to
the health of democracy.</i>-- Phil Zimmermann, Creator of Pretty Good
Privacy (PGP)</p>
<p align="left">
Phil Zimmermann wrote that in the mid 1990's and it is even more true today in
this post September 11th world. In this day when civil liberties are more
readily being given up in an attempt to gain more security against terrorist
threats the FBI is more likely to use tools like <a href="http://www.fbi.gov/hq/lab/carnivore/carnivore2.htm">
Carnivore</a>. One of the more worrisome statements comes directly from the
FBI's description of Carnivore: "The Carnivore device works much like
commercial "sniffers" and other network diagnostic tools used by ISPs every
day...". Your communications may possibly be intercepted by any number of
individuals and corporations on it's way to it's final destination. Email
experts describe the medium as being more like a postcard than a letter. With a
postcard the very honest people do not read it, but even the honest people get
curious and are tempted. The new <a href="http://www.epic.org/privacy/terrorism/hr3162.html">
Patriot Act</a> passed in October 2001 gives the FBI the ability to tap
into your electronic communications<a href="http://www.eff.org/Privacy/Surveillance/Terrorism_militias/20011031_eff_usa_patriot_analysis.html">
even if you are not targetted by an investigation</a>.
</p>
<p align="left"><font size="4"><b>But, I have nothing to hide...</b></font><br>
While that may be true, it is entirely possible you are breaking the law
without even knowing it. Many times innocuous things we do everyday might be
unlawful without you even knowing it. For example trading MP3s is a very
popular activity, but we all know it's illegal. If you were to admit to
possessing illegally copied music over email it is conceivable that would be
enough evidence for the FBI to get a search warrant. Even so, we frequently
think of the communications we have with our friends, family and coworkers to
be private and would like them to remain so. We often speak differently in
private than we would in public. We often forget that emails, like postcards,
are not private and can be read by any number of individuals. Another issue is
your email can be stored or copied at any of the servers it passes through on
it's destination. This leads to emails lasting much longer than intended. Lets
take an example.
</p>
<p align="left">Lets say you sent a personal email to your best friend with an
off-color joke. If you sent this email from work it is entirely possible that
email was searched and logged. Even if you sent it from home it is still
possible that your ISP or any of the servers that handled the emails packet's
could read the email. Lets say you realized afterward that the email could be
considered innapropriate and you asked your sibling to delete the message and
you deleted it from your "sent messages" folder. The problem is that message
continues to live on. That message can be living in a database somewhere
forever. You don't know where it is and cannot ask for it to be deleted.
Someday it could be brought up against you by your boss or in a court of law.
</p>
<p align="left">This issue of an uncontrollable message lifetime is the biggest
problem. I have said things in the past that I wish I could have taken back or
not said at all. This might be from youthful naivity or hightened emotions. In
any case I would hate that in those occasions that my words had been
permanently saved for posterity.
</p>
<p align="left"><font size="4"><b>What do I do to protect the privacy of my e-mail?</b><br>
</font>The best protection is to encrypt your email. Encryption is the act of
rendering your message unreadable to anyone but the intended recepient.
Remember the decoder ring that came in the box of cereal? That was a type of
encryption. Hopefully we'll be using stronger sorts of encryption on our
emails, but you get the idea.
</p>
<p align="left">One type of encryption is symmetric encryption. That means it works
both ways. I encrypt a message to you using a password. You have to know the
same password to decrypt the message. The problem is how to communicate the
password securely between the two parties. I cannot just send the password
along the message because anyone could use to read the message. I would have to
meet with the other party in person to tell them the password. This is usually
not very convenient.
</p>
<p align="left">The solution to this problem is public key encryption. This uses a
one-way encryption algorithm. I encrypt things in a manner that only a
different key can decrypt it. So what I do is generate two keys. The key that
can encrypt messages I give to everyone. The key that can decrypt them I keep
only for myself. Anyone who wants to send me a message just encrypts it using
the key I gave out (my public key) and only I can decrypt it using my private
key. They would give me a private key so I could send them messages.
</p>
<p align="left">Without my private key, anyone intercepting messages intended for
me would be completely unable to read them. This still leads to one problem.</p>
<p align="left"><font size="4"><b>Nobody can read my mail, but how do I securely know who
sent it to me?</b></font><br>
There exists a group of algorithms called hash algorithms. They are a function
that takes some input and generates a value that represents the input, but the
input cannot be recreated from the hash. Secure hash functions are functions
that take an input (your message) and generate a unique output value (the hash)
that uniquely identifies the message, but the message cannot be recreated from
the hash. So now we have a unique way to identify the message. Finally we need
a way to secure the generated hash. Since both the public and private key are
one way ciphers anything encrypted with the public key can be decrypted by the
private key (as in the above example). The reverse is also true. Anything
encrypted with a private key can be decrypted by the public key. So here's a
complete example:</p>
<p align="left">I write a message to a friend. Upon completion I digitally sign the
message by taking a secure hash of the message. I then take this hash value and
encrypt it using my secret key. Now anyone who has my public key can use it to
decrypt the hash and make sure it matches their independently generated hash
value. By doing that they can be sure I wrote it because<br>
1) Only I have my secret key and therefore I am the only one that can encrypt
something that my public key can decrypt<br>
2) Since the hash uniquely identifies the message then the message is exactly
as I wrote it.<br>
At this point anyone can determine that I was the author of the message and the
message is exactly as I wrote it. It is the perfect digital signature. The last
thing I do is encrypt the message with my friend's public key and send it to
him.
</p>
<p align="left"><font size="4"><b>What tools should I use?</b></font><br>
Encryption tools for military and commerical uses have been around for the
longest time. Only in 1991 when Phil Zimmermann decided to release PGP did
individuals have a tool. Sadly marketing privacy to individuals has turned into
a profitless venture so Network Associates has stopped offering PGP. Network
Associates always offered a free version for individual use and those versions
are still available:</p>
<p align="left"><a href="http://www.pgpi.org/products/pgp/versions/freeware/">International
PGP Homepage</a> - (Choose "Windows 2000" if you have Windows XP)</p>
<p align="left">A new tool is Gnu Privacy Guard. Created to provide an open source
alternative to PGP it conforms to the OpenPGP standard. Like most open source
software it is not as easy to use as it's closed source cousin. However it is
more powerful because it supports more encryption algorithms (like the new
Advanced Encryption Standard, AES). Also since it is still being worked on it
will support new operating systems. Whichever platform you download from be
sure to get the IDEA module to maintain compatibility with PGP.
</p>
<p align="left"><a href="http://www.gnupg.org/">GnuPG homepage</a><br>
</p>
<P align="left"><FONT size="4"><STRONG>Windows:<BR>
</STRONG></FONT><FONT size="3"><STRONG>Email/File encryption:<BR>
</STRONG></FONT>
<DIV align="center">
<UL>
<li>
<DIV align="left"><a href="http://www.gnupg.org/download.html">GnuPG Download Page</a>
- Download GnuPG first
</DIV>
<li>
<DIV align="left"><a href="http://www.winpt.org/download.html">WinPT</a> - A helper
application for managing keys and easy encryption/decryption
</DIV>
<li>
<DIV align="left"><a href="http://www.winpt.org/gpgoe.html">GPGOE</a> - A plugin
for Outlook Express that greatly simplifies sending encrypted email
</DIV>
</li>
</UL>
</DIV>
<P align="left"><STRONG>Instant Messaging:</STRONG></P>
<UL>
<LI>
<DIV align="left"><a href="http://www.trillian.cc">Trillian</a> - A multi-protocol
(AIM, MSN, YahooIM, ICQ) instant messager with a SecureIM option. <a href="http://www.ceruleanstudios.com/download.html">
</a><img border="0" align="top" src="http://www.trillian.cc/images/Trillian-MiniPromo1-B.gif"></a>
</DIV>
</LI>
</UL>
<br>
<P></P>
<p align="left"><FONT size="4"><STRONG>Macintosh:</STRONG></FONT><br>
<FONT size="3"><STRONG>Email/File encryption:<BR>
</STRONG></FONT>
<ul><li><a href="http://macgpg.sourceforge.net/">MacGnuPG Homepage</a> - GnuPG for Macintosh along with various OS X tools for key management and integration into OS X mail</li></ul>
<P align="left"><STRONG>Instant Messaging:</STRONG></P>
<ul><li><a href="http://www.epicware.com/fire.html">Fire</a> : A great multi-proticol (MSN, AIM, Yahoo) open source instant messager that uses GnuPG for secure messaging</li></ul>
</p>
<p align="left">Other Resources:<br>
Singh, Simon. <b>The Code Book</b>. New York, 1999. Anchor Books. <a href="http://www.amazon.com/exec/obidos/ASIN/0385495323/qid=1027310847/sr=8-1/ref=sr_8_1/002-8969609-4650428">
Buy it on Amazon </a>
</p>
<P align="left"><b>-- Clinton Chadwick<br>
-- cchadwick AT valleypond.net (replace AT with @ and remove spaces)<br>
-- <a href="cchadwick.txt">PGP Public Key</a></b></P>
<P align="left"><STRONG></STRONG> </P>
<P align="left"> </P>
<hr>
<div align="left"><br>
<font size="-2">Copyright 2002, Clinton Chadwick </font>
</div>
<p align="left"> </p>
<p align="left"> </p>
</body>
</html>
""
