An encryption technology first introduced more than 20 years ago is gaining new attention following revelations about the NSA’s sweeping intelligence gathering operation.
It’s called PGP (short for Pretty Good Privacy), and was originally developed in 1991 by software developer Phil Zimmerman. Zimmerman designed the software so that individuals could communicate securely with one another through publicly accessible computer bulletin board systems (BBS’s) that were popular at the time. The software and its source code were made freely available to users.
The system quickly became popular in the BBS scene, and the PGP software was uploaded from one BBS system to another as interest in the project spread. When the software became available outside the U.S. through some posts on the early Internet, Zimmerman was placed under investigation by the U.S. Justice Department in 1993 for allegedly violating laws related to arms trafficking. At the time, strong encryption technology was considered to be a “munition” under U.S. law. He was later cleared in 1996 following a tremendous uproar from free-speech and open technology advocates. It’s also likely that Zimmerman found a loophole in the weapons export law by publishing the PGP source code in a printed book, thus moving his software under 1st Amendant protections.
Zimmerman later went on to create a commercial company that was acquired by software giant Symantec. But a version of PGP is also freely available through OpenPGP.
How it Works
PGP encryption creates what is essentially a ‘locked’ string of text that can only be unlocked by a private key retained by the recipient of a message. It does this through “key pairs,” which are tiny files that the PGP software uses to encode or lock messages into encrypted gibberish.
The PGP software guides the recipient through the creation of a public key that can be safely sent in the clear to the sender or even stored in a public key directory online. At the same time it creates a private key that remains on the recipient’s computer and is protected by a password. The private key can be made so complex that even government agencies with seemingly limitless budgets may need years to “brute force,” or guess, the components of the key in order to decrypt a message.
Someone wishing to send the recipient in our example an encrypted message will use the recipients’ public key to lock the message. The sender can then transmit the encrypted text (which appears to be a random string of text and numbers) to the recipient, who then uses their private key to decrypt the message and convert it back to a human readable form.
All of this encryption takes place before the plain text ever goes out onto the Internet, shielding the content from hackers and government subpoenas. This makes protecting the private key and keeping it off cloud services extremely important. Although the private keys are protected by a password that must be typed in before any decryption takes place, it is much easier to “guess” the password and unlock the key if the hacker or agency has access to the private key file.
And because private keys are unique, it’s impossible to replicate one should it fall victim to a hard drive crash or stolen laptop. In other words, if the private key is lost nobody can gain access to the encrypted information.
Free PGP Tools
PGP hasn’t always been easy to use for non-techies, but progress is being made.
GPGTools on the Mac integrates nicely with Apple’s Mail application, and even has an intuitive way to query PGP key directories to find public keys for recipients. GPG4Win for Windows offers similar integration for PCs. On mobile, iPGPmail for iOS integrates with most mail apps to encrypt and decrypt communications. Android users can try out APG, but it doesn’t appear to have been updated in awhile.
But for those using web-based services like Gmail, Mailvelope is an excellent tool that integrates nicely through a browser extension that runs in Google Chrome. A Firefox version is promised soon. Mailvelope manages keys and will automatically detect encrypted messages that appear on webmail services. Keys are stored locally and the extension provides its own text input panel to prevent unencrypted text from being stored on a remote web mail server.
Big Brother Is Still Watching
Despite strongly encrypting the contents of an email, the government still has the ability to see who is talking to whom through its meta data collection efforts. Unlike phone records, however, both the meta data and the contents of a message are sent along in the same packet on the Internet. This means that if the government is collecting sender and recipient, they’re also getting the content. Strong encryption like PGP will make it more difficult for someone to extract the contents of the message as it’s coming over the wire.
A recent disclosure from the NSA revealed that the government does like to retain encrypted data. So be warned that although they may not be able to easily read it today, they may hold onto it until a quantum computer or something similar makes it easier for them to take a look at the data in the future. Encrypted data from the early days of the Internet is much easier to crack now, given how much faster today’s computers are compared to their counterparts 20 years ago.
More to Come
Data encryption software likely will be the biggest growth area in the industry in the months ahead, as big tech companies work to regain the trust of their users. Encryption tools will undoubtedly become more prevalent and easier to use.