We live in a post-Snowden world. For many, that means assuming none of your digital assets are safe from surveillance.
There are ways, however, to use the internet and insane mathematics in your favour to ensure that no one can see whatever it is that you’re sending to someone else.
It’s called PGP, which stands for “pretty good encryption,” and it’s a way to encrypt your messages. Encryption, at its most basic, is a way to cipher a message so that if anyone sees the data in transit, they have no way to know what the message says. OpenPGP is the most popular standard for digital encryption.
In fact, Edward Snowden first contacted journalist Laura Poitras to inform her of his trove of documents using PGP.
So let’s take a look at what PGP is and how easy it is to use.
Encryption is basically a way of jumbling digital data so that no one can see what it really says while it's being sent. For the purposes of this explainer, we're going to focus on what's called 'public key encryption' for email. This uses a combination of cryptographic techniques to cipher every message using two things that every PGP user has: a public key and a private key.
A public key is the information that is needed to encrypt a message. People wishing to receive encrypted messages make their public key readily available, as it's the only way for sources to begin the process of sending secure messages.
The problem with any non-random code is that it can always, in theory, be cracked. PGP, however, is known for being one of the safest standards. In fact, leaked NSA documents indicate that the authorities were in the dark whenever a PGP message was intercepted.
This is all to say that it's one of the best ways to ensure security.
Public key encryption relies on two important things: public keys and private keys. A public key is usually quite easy to find. There are repositories online with people's public keys -- they exist so that people can indicate they are prepared to receive confidential emails.
Private keys, however, are not readily available. They are the password to any secret message you receive -- and they are necessary to decrypt a message.
Think of encryption as a safe deposit box with two keys: A person writes a message and uses the public key to open the box and put it in. When the message is in the box it is completely safe. But the only way to get the message out of the box is through another key, which only the recipient has.
The easiest way to get your own public key is to use a computer program that makes the process much easier. GPGTools is a program that uses the OpenPGP standard (which is widely considered the best PGP standard) and is available for both Mac and Windows.
You can download it here. There are also other tools on the web that will work on other operating systems.
There are ways to do this using a web browser, but it's safest to use a tool that is well-regarded by the privacy community. GPGTools is trusted by many and creates an easy way to set up your own public key.
To create an encryption key using its app GPG Keychain:
Click 'File' and then 'New Key.'
Put in your name and email address.
Then choose a passphrase.
This passphrase is one of the most crucial steps. It's the 'public key' we've been talking about this whole time. Never share it with anyone, and never share it digitally. Moreover, it should be long and random, and contain numbers, capital letters, and symbols. In short, it must be insanely difficult to crack, so make it as complicated as possible.
You'll see a shortened sequence of bytes called the 'Fingerprint' in the GPG Keychain program. But if you copy a key and paste it into a text box, you can see the entire public key (it will be longer).
Pretty crazy, right?
First, you must find the public key of the person you wish to send the message to. The GPG Keychain lets you look up keys. Once you find the key for the person you're trying to contact, click 'retrieve key' and it will be added to your keychain.
If you want to send a message in Gmail, simply type the message you wish to send in Compose.
Then highlight the text, right click, and press 'Encrypt Selection To New Window.'
Then, from the GPG Keychain list of public keys you've imported, you choose whose public key to encrypt it with.
You copy and paste that jumbled nonsense in place of the original message, click send, and you have just sent your first encrypted message!
If you receive an encrypted message here's what you do:
You do the same text highlighting, but instead right click and select 'Decrypt Selection To New Window.'
It will ask you to enter your secret passphrase to finish the decryption...
You have just sent and received your first encrypted message!
There are many websites that will do it for you. iGolder, for instance, has an easy web form asking for the public key, the message to encrypt, and will then perform the encryption to be copied and pasted into an email.
Vigilance is key. Many privacy experts will say that it's best not to compose a message in a compose box like Gmail's, because it auto-saves, making it possible for a digital trail of what you're sending to be made. For this sort of privacy, it's best to write the message offline in a text box and encrypt it there.
A benchmark of operational security is sharing as little as possible. A way to do this is to avoid putting any unencrypted information online.