I’m smart, right? I’m technology-savvy. Hell, you might even call me an expert on some of this crap. But none of those descriptors seemed to matter when I dipped my toes into the murky pool of encryption – the one and only technology that promises to keep out the NSA – or at least slow it down – besides, apparently, typewriters.
While many of you may claim to have nothing to hide, I actually did – well, I thought I did anyway. I am currently working on a story that involves passing along some potentially sensitive information with some pathologically privacy-minded individuals. Through the course of my reporting, one of my contacts requested that we communicate via encrypted email, using an encryption standard known as PGP, or Pretty Good Privacy. Great, I said. Let me just figure that out real quick and I’ll get right back to you.
Wrong! Turns out, using PGP is more complicated than building a national park on the Moon.
Cryptography is necessarily complex – if it weren’t, it wouldn’t be secure.
As a Mac user, I opted for GPGTools. The download is straightforward. The creators were even kind enough to provide a handy tutorial for how to get started – one of the few PGP tutorials not written exclusively for computer geniuses with Asperger’s.
PGP basically works like this: A piece of software (in my case, GPGTools) generates two PGP encryption keys. One of these keys you keep private. The other, your “public key,” you share with whomever you want to send secret messages.
This sharing of keys is where things start to get overly complicated. Most people who use PGP upload their public key to a key exchange, which makes your key searchable (as long as the person doing the searching knows what you’ve named yourself on the the key exchange). Or you can share you public key some other secure way – snail mail, maybe? Carrier pigeon? Long-range ballistic missile? Maybe you could just meet up in the basement of some parking garage, Deep-Throat style. The possibilities here are virtually endless – and they all kind of suck.
To send your friend an encrypted email, you use his public key to encrypt the message. He then decrypts the message with his private key. For him to send you an encrypted message, he uses your public key to encrypt, and you decrypt with your private key. Are you still with me?
Or you can share you public key some other secure way – snail mail, maybe? Carrier pigeon? Long-range ballistic missile?
Now, there are some more user-friendly options out there. The Mailvelope plugin, for example, is actually a bit easier to use than GPGTools, but still comes with all the other complications inherent with PGP. Another option, SecureGmail, is a simple-as-pie browser plugin for Chrome or iOS. But it uses something called symmetric encryption (as opposed to PGP, which is a form of asymmetric encryption), and relies on you to come up with a quality password to protect your emails – something we all know ain’t gonna cut it – and then to share that password with your contacts in a way that makes the whole exercise futile.
None of my bickering is meant to dog on the clearly brilliant minds working to build these encryption tools. Cryptography is necessarily complex – if it weren’t, it wouldn’t be secure. But using it needn’t give you an aneurism. Fortunately for the rest of us, there are people currently working very hard to solve the usability problem, including the teams behind the plugins listed above, The Pirate Bay guys behind the new Heml.is app, and many others.
Until these developers get it right, most people just won’t go through the trouble of figuring this stuff out – especially since encrypting your communications can reportedly make you more of a target for the NSA. That’s not to say doing so is an impossible riddle or not worth the effort – strong encryption really is the best option we have. But the barrier to entry here is some “Game of Thrones”-level nonsense.
At the end of the day, my contact and I just decided to talk on the phone – what he had to tell me was far less sensitive than he first made it out to be. So, theoretically, anyone could have listened. I can only hope that I have this PGP thing figured out by the time I actually have something to hide.