3. “Encryption works. Properly implemented
strong crypto systems are one of the few
things that you can rely on.”
-Edward Snowden
4. What is encryption?
Encryption is the process of encoding
messages or information in such a way
that only authorized parties can read it.
End-to-end encryption means that you
hold the key to decrypting your message,
so that no other party can look at your
communications.
6. In short...
• We each have two keys.
• One is public (anyone can have a
copy).
• One is private (only I have a copy).
• I send you an item locked with your
public key, and only you can unlock it,
with your private one.
7. Maybe you’ve heard of…
• PGP (Pretty Good Privacy)?
• OTR (Off the record chat)?
• TextSecure?
• ChatSecure?
• RedPhone?
9. “Everyone is guilty of something or has
something to conceal. All one has to do is
look hard enough to find what it is.”
-Aleksandr Solzhenitsyn
10. Encryption is for everyone, and
everyone should encrypt!
• We don’t know every law on the books
• Metadata leaves enormous clues
• Governments change
• Even if you don’t have something to hide,
someone you know probably does
11. But how do I do it?
• https://pressfreedomfoundation.org/encryption-works
• https://securityinabox.org/en
• https://ssd.eff.org
(new version coming soon!)
Raise your hand if you use encryption in your everyday lives.
A month ago, at re:publica, I gave a talk with Jacob Appelbaum arguing that we need a strong mainstream movement for encryption. We argued that a strong movement must look to the past. It must be born out of both compassion and inclusivity, and it must meet people where they are. It also must be honest – encryption is important, but it’s not perfect. Whenever you see a tool that says “NSA-proof,” it’s a good idea to run in the opposite direction.
The talk you just saw demonstrates precisely why we need encryption – we’re under surveillance, and being under surveillance means being under attack.
The Snowden revelations have made us all more aware of the NSA’s surveillance, and the GCHQ’s, but I can’t stress enough that this is, and will become increasingly, a global phenomenon. The NSA might be capturing the most information, but for us, the consequences aren’t nearly as steep as they are for individuals elsewhere in the world. And in an increasingly global society where we communicate with individuals outside the US on a daily basis, that’s something we must consider.
Surveillance is not just about our privacy. Surveillance chills speech. It makes us think twice before signing a petition or joining an organization. It makes us think twice before using the Secret app, or sending that email.
Surveillance requires a four-pronged strategy: We must tackle it through legal means, through policymaking, through cultural education, but there’s only one way that you can take personal responsibility: technology.
Edward Snowden said it himself: Encryption works. Now, I will be the first to admit that many of the tools we have at hand are difficult to use, or to look at. We have a long way to go in terms of development, but the tools are truly getting better. Five years ago, I didn’t use encryption at all. I’m not a technologist. And now I do. And so can you.
Encryption is the process of encoding, or scrambling information in a way that only authorized parties can read it.
End-to-end encryption, specifically, means that only you hold the key to decrypt your message, so that no other party can look at your communications.
So just to quickly differentiate: When you’re using Gmail, or other sites that utilize SSL (HTTPS), those communications are encrypted and can’t be accessed by your ISP or the government, or a malicious hacker, but the provider (e.g., Gmail) holds the keys and can still see the content. In fact, they scan it for advertising.
Using end-to-end encryption means that even the provider can’t see the content.
Imagine I have a box with two locks – one for putting content in, and another for taking it out. I might share that first lock’s key with friends, or maybe even with the public, but I don’t want to share the key to my personal lock with anyone – that’s just for me. So, if you want to put something in my box, you can use that first key that I’ve shared with you, but only I can open the box to take the content out.
In short, that’s how end-to-end encryption works.
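The two-lock box and the provider distinction above, as an added toy example that is not part of the original talk. It uses textbook RSA with fixed, far-too-small primes and no padding purely for illustration; `Provider`, `lock`, `unlock` and the sample message are hypothetical names and constructed data.

```python
# Toy illustration only: textbook RSA, tiny fixed primes, no padding.
# Real tools (PGP, OTR, TextSecure) rely on vetted libraries and far larger keys.

P, Q = 2**61 - 1, 2**89 - 1   # two known Mersenne primes (constructed toy key)
E = 65537                     # public exponent


def make_keypair():
    """Return (public_key, private_key) for the owner of the box."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: only the owner holds it
    return (n, E), (n, d)


def lock(message: bytes, public_key) -> int:
    """Anyone holding the public key can put a message into the box."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def unlock(ciphertext: int, key) -> bytes:
    """Only the private key turns the ciphertext back into the message."""
    n, exponent = key
    m = pow(ciphertext, exponent, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


class Provider:
    """Hypothetical mail provider that records whatever passes through it."""

    def __init__(self):
        self.seen = []

    def relay(self, payload):
        self.seen.append(payload)
        return payload


def demo():
    public, private = make_keypair()
    note = b"meet at noon"            # constructed sample message
    provider = Provider()
    provider.relay(note)              # transport-only: provider sees readable text
    delivered = provider.relay(lock(note, public))  # end-to-end: locked first
    return provider.seen, unlock(delivered, private), unlock(delivered, public)


if __name__ == "__main__":
    print(demo())
```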
These tools have been getting talked about a lot over the past year. This is in no particular order – in fact, if I’d ordered them, I would’ve put TextSecure first…it’s one of the newest tools in the bunch, and one of the easiest to use – the developers actually think about the user interface alongside the security. That’s important if we want to build a mainstream movement and meet people where they are.
So – I know there are at least a few of you sitting there in the audience thinking “Well, I have nothing to hide.” Raise your hand if that’s true for you.
This argument bothers me a lot.
First: Raise your hand if you’ve read every single page of law out there. No? Nobody? Okay then. I bet that everyone in this room has broken a law in the past week, either knowingly or unknowingly. In the surveillance state, that’s all on the record.
Metadata leaves enormous clues. These great examples come from my colleague Kurt Opsahl:
They know you rang a phone sex service at 2:24 am and spoke for 18 minutes but they don’t know what you spoke about.
They know you spoke with an HIV testing service, your doctor, and your insurance company in the same hour, but they don’t know what you spoke about.
Third, as we’ve seen from the European elections that took place recently: Governments change. Sometimes quickly. You may not think that’s possible here, but remember what got us into this mess in the first place.
Finally – even if you don’t have something to hide, you probably know someone who does. That person might be a source, if you’re a journalist. They might be an activist in another country whose own government is the one doing the surveillance. They might be a Muslim in America – we all know how the police of this city targets the Muslim community. In other words: IT’S NOT JUST ABOUT YOU.
I showed my mom this slide deck the other day to see if it made sense (it did) but she said one thing was missing: “Where do I go to learn the tools?” she asked. So, these are my top three resources. The first comes from the Freedom of the Press Foundation – it’s short and sweet and geared toward people who already know they want encryption.
The second is from the Tactical Technology Collective, and goes into more depth.
The last – I’m proud to announce – will soon be launching from EFF. There’s an older version up there right now, but in a couple of months we plan to unveil a multi-lingual website dedicated toward educating people about surveillance self-defense.
Remember: this is harm reduction. Think of encryption like safer sex – condoms will protect you 99% of the time, but you have to understand them and use them properly. It’s worth taking the time to get to know the tools, practice them. Attend a cryptoparty. Can’t find one? Make your own!
Still have questions? I’m happy to answer them, or if I don’t know the answer, happy to help you find someone who does.