Minds of the Movement
An ICNC blog on the people and power of civil resistance
Featured image: Flickr user EFF Photos, CC by 2.0.
If the police came and took your computer, would they be able to read all your documents and gain access to your activist contacts? If you’re using the public WiFi in a coffee shop, can someone else read the email you’re writing to organize your next nonviolent action?
Encryption is what keeps our data private on the network and in our hard drives. Without it, everything you send through the Internet is right out in the open for anyone to see, like the words on a picture postcard from your last vacation. It’s fine to say, “Hi! I wish you were here!” on a postcard, but you wouldn’t want to send a list of undocumented immigrants who need assistance like that. Encryption is like a sealed digital envelope that allows your information to travel across the network without anyone reading what’s inside.
Encryption can also be like a locked file cabinet in your office. Unencrypted documents on a server are like letters sitting face up on your desk after you’ve left the office, only easier and less expensive to access. It makes sense to lock everything up using encryption on the server.
We call these two types of encryption “encryption in transit” and “encryption at rest.” Both are important for any information about nonviolent organizing that you want to keep private.
If you’ve ever noticed a Web address that started with “https” instead of “http,” you’ve seen a webpage that was encrypted “in transit” from the server to your browser. These days, there are many sites that use “https” by default, including Facebook, Twitter, Google, and even many news sites like The Washington Post or The Guardian. You can use a plugin like HTTPSEverywhere to make sure that you always go to the secure version of a site. But not even a webmail site using “https” ensures that the message you are sending is encrypted all the way to its intended recipient. That mail is just encrypted from your browser to the Web server. If you want encryption all the way from you to your colleague, you need something called end-to-end encryption.
The most secure form of end-to-end encryption is something called “public key encryption.” Imagine that your friend sends you a special lock box that you can use to send them packages. Only they have the key to open that box. You put your package into the box and then you can send it by postal mail or simply leave the box sitting in an agreed-upon public place. No one will be able to open the box without the key your friend has. In public key encryption, the lock box is the “public key” and the key is the recipient’s “private key.” PGP is a kind of public key encryption that people use for email and also to secure documents at rest.
Password Management
Today, there are many tools that use encryption in such a way that you, the user, don’t need to know anything about the existence of the keys, how they are created, or where your key is hidden. You use your password to log in to an application, and that gives you access to your keys.
LastPass is a tool that keeps all your passwords and secure notes encrypted for you so that you don’t have to remember them all. You just need one long and very secure password to unlock the whole vault in your browser or on a mobile device. You can make it even more secure using two-factor authentication, so that it requires both a password (something you know) and a code sent to your telephone (something you have) to gain access to your password vault. This program, and others like it, make it easy to use a different, highly secure password for each and every account, and also secures other private notes on security keys, door codes, organizational bank accounts, etc.
As an activist, it is especially important to make sure that your passwords are unique so that an unfortunate breach of one account does not give anyone access to any other accounts. (The list of companies and even government agencies that have had their entire password databases stolen is too large to list here.)
Open Source Encryption Methods
Security experts nearly all agree that the best encryption comes from open source encryption methods because they can be audited and tested. Ostensibly, there will be added security (or added profit) with closed source encryption, but there is no guarantee that the builders haven’t put in a backdoor or created an accidental vulnerability that a determined attacker could exploit.
The protocol for https and the software that makes it work on a server is open source. Other open source encryption tools you may have heard about include Signal for text messaging and voice calls, PGP for email, and Veracrypt for encrypting a directory of documents or whole drive.
In case you missed it, check out my previous post that looks more deeply at options for secure email for activists and movement allies, from special services to open source tools you can use anywhere.
NB: Recently we heard news about a vulnerability found in the PGP tools used in connection with most email readers. If you use PGP to encrypt emails, please read the EFF notice about the vulnerability, and check with the tool you use to encrypt your emails to see if they have fixed this bug in their software.
