Edward Snowden says encryption works but, after attending an evening about protecting your sources as an investigative journalist, it was pretty clear to me that encryption works only for those technically adept enough to get it up and running. And that journalist must be communicating with people who are also geeky and determined enough to do the same.
The presentation, which was sponsored by Hacks and Hackers, featured Parker Higgins, freedom of speech activist at the Electronic Frontier Foundation, a place that knows better than most what the NSA is up to.
I approached the evening thinking that there I would find a solution to my journalism dilemma. I work with a number of sources who want to remain private but, in the age of universal surveillance, I can’t guarantee them that someone isn’t eavesdropping on us.
Parker said there were four basic tools journalists can use to shield themselves and their sources from surveillance, methods that will be encrypted, untraceable, verifiable, and private.
• OTR – secure instant messaging
• PGP/GPG – encrypted email
• Tor – anonymous browsing
• HTTPS – encrypts your communications with many websites
Each of them has advantages, and each has flaws.
With OTR, if both parties are using the protocol, the messages are encrypted, but the metadata (which shows who you communicated with and for how long) is still available. Therefore OTR doesn’t provide any deniability. This means it’s traceable and not really private.
With PGP/GPG, communications are encrypted and secure, but again both parties must be using it and have exchanged encryption keys. One could download the encrypted message onto a thumb drive, move it to an air-gapped computer (one that has never been hooked up to the internet) and decrypt it using the key. But PGP/GPG is pretty hard to install, Parker said. If either partner fumbles any of the steps, the whole system won’t work.
Tor, in contrast, is simple to use and ensures that your communications ricochet around the globe eight or more times, thereby making them untraceable. The problem comes when these communications arrive at the destination. When they leave Tor and arrive at your correspondent’s computer, they are easily captured by whatever entity is watching you.
HTTPS is also an established and easy-to-use protocol, but it’s not always available and therefore you don’t always know if your communications remain private.
At the conclusion of his talk, Parker said that if the government wants to get you, they’ll get you. You can use all these tools and tricks, but in the end, they have better tools available to them than you’ll be able to lay your hands on, and they have a big staff of skilled and determined specialists.
I left the evening understanding that I was looking for something that doesn’t exist: a secure communications bundle of software that I could install easily and provide to sources that would offer all of us freedom, security and anonymity. Parker said that doesn’t yet exist.
“If you want to get paranoid, you can get really paranoid,” he said.
I think most of us don’t want to be any more paranoid than we already are. We just want to be able to do our work and live our lives with a reasonable expectation of freedom, just like the Constitution promises us we can.
Ah, the Constitution, that quaint little artifact of the pre-digital era.