Suppose you need to exchange messages with someone and be really, really sure that nobody else reads them. Here’s how I’d do it.
Background · To keep this simple, let’s call the person you’re trying to communicate with “Elvis”, and the people wanting to invade your privacy “The Firm”. This discussion assumes:
Neither you nor Elvis are a high-value target, for example Ed Snowden or a big-time weapon smuggler.
You have a trustworthy device. For most of us a personal computer, properly set up, is acceptable. In my opinion, the same is generally true of modern mobile devices.
The Firm can watch the Internet and know, most times, which servers are being connected to and where the connections are coming from. They can capture your traffic but they can’t see into an HTTPS session.
The Firm might be able to get access to your cloud-resident messaging with an exploit, a National Security Letter, or blackmail. But they can’t decrypt OpenPGP-encoded messages.
The Firm would find it highly suspicious if you and Elvis suddenly switched from plain-text to all-encrypted communication.
That last point illustrates a key principle, worth its own section.
Avoid attention · This is super-important. Once The Firm decides you’re a high-value target, the dynamic becomes amateur-vs-professional, where you’re the amateur and thus probably toast. So privacy tech is good, but being boring’s better.
This World of Ours (PDF) by James Mickens makes this point forcefully and humorously. He classifies all adversaries as Mossad or not-Mossad; the point is that if the Mossad is really after you, well, too bad.
The recipe ·
Use only your trusted device.
Get yourself a “burner” email account. I typed “burner email account” into Google and saw lots of interesting options. I thought MailDrop looked pretty good.
But I wouldn’t use one of those, because that could attract attention. The crucial thing is that there’s no server-side link between the burner and any of your real accounts. In my case, I rarely (as in never, basically) connect to the Microsoft cloud. So if I wanted a burner I’d probably go get an Outlook address. Yahoo might work for you, or AOL or something. Remember, you’re going to be connecting from shared-access spaces, and with any major provider, your traffic is going to blend right in.
Find a public key for Elvis. One really good way is to meet Elvis and have him give it to you, or point you at a reliable place to download it from. I think that once services like Keybase.io become more widely used, this will be easy.
Here’s a tricky one: Figure out a safe way to send your burner address to Elvis. Best thing is face-to-face; failing that (since you’re not already high-value targets) maybe write it on a piece of paper, invest in a stamp, and drop it in a postbox. No, a physical one, with a little metal flap you lift up to put the letter in.
Or maybe, just once, send Elvis a regular email including an OpenPGP-encrypted message containing your burner address.
Once Elvis knows that address, he can start things up by emailing to it from his burner account.
Encrypt all your burner-to-burner traffic. There are decent options for almost any software platform. If you’re on Android I recommend OpenKeychain; that recommendation is totally biased since I’m a contributor to the project.
This doesn’t require that your burner email client support encryption; in fact, you totally don’t want that kind. You want to do the encryption yourself in code running on your device, then cut/paste the encrypted text into and out of the mail client. On an Android device, the Share menu is a convenient cut/paste replacement.
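The cut/paste step is where things quietly go wrong: a mail client can add trailing spaces, re-wrap lines, or drop a character from the armored block. As an added example (not code from the post or from OpenKeychain), here is the RFC 4880 ASCII-armor framing around already-encrypted OpenPGP packet bytes, plus a check that a pasted block’s CRC-24 still matches before you hand it to your decryption tool. The packet bytes are a constructed stand-in; the actual encryption is left to OpenKeychain or whatever OpenPGP implementation you use.

```python
import base64
import re

# RFC 4880 section 6.1 CRC-24 parameters used for the armor checksum line.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24/OPENPGP over the raw (pre-base64) packet bytes."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(packets: bytes, kind: str = "MESSAGE") -> str:
    """Frame binary OpenPGP packets as an ASCII-armor block (64-char lines)."""
    b64 = base64.b64encode(packets).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode("ascii")
    lines = [f"-----BEGIN PGP {kind}-----", "", *body, "=" + check, f"-----END PGP {kind}-----"]
    return "\n".join(lines) + "\n"


def dearmor(text: str) -> bytes:
    """Recover packet bytes from a pasted block; raise ValueError if it was mangled.
    Tolerates trailing spaces and re-wrapped lines but rejects any changed byte."""
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----[ \t]*\r?\n(.*?)-----END PGP \1-----", text, re.S)
    if not m:
        raise ValueError("no complete armor block found")
    body = [ln.strip() for ln in m.group(2).splitlines()]
    if "" in body:  # drop armor headers (Version:, Comment:) up to the blank line
        body = body[body.index("") + 1:]
    body = [ln for ln in body if ln]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 line")
    packets = base64.b64decode("".join(body[:-1]), validate=True)
    want = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    if crc24(packets) != want:
        raise ValueError("CRC-24 mismatch: block was altered in transit")
    return packets


# Constructed stand-in for ciphertext packets; real ones come from your OpenPGP tool.
SAMPLE_PACKETS = bytes(range(256))
```

A block that fails `dearmor` should be re-pasted rather than fed to the decryptor, since a single altered character is enough to make a session-key or MDC check fail later with a far less helpful error.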
You’ll note that I didn’t recommend using Tor. For this scenario, I’m unconvinced that there’s a value-add. The Firm can detect Tor traffic, and so using it feels to me like waving a bright red “Secrets here!” flag.
This is a little subtle: The Firm might be able to convince the email provider to open up your email for them, but it’s much less likely that they can look at everything to see who’s using encryption; and the HTTPS encryption that Webmail providers use these days hides the OpenPGP encryption in your email payload.
Is it perfect? · Not even close. But it makes it really expensive for The Firm to find out what you’re up to and figure out how to work around it. Unaffordable, unless they have reason to believe you’re seriously bad. There are situations where just using encryption might be such a reason for your local flavor of The Firm. But if you’re careful and not unlucky, they might not even notice.