Suppose you need to exchange messages with someone and be really, really sure that nobody else reads them. Here’s how I’d do it.

Background · To keep this simple, let’s call the person you’re trying to communicate with “Elvis”, and the people wanting to invade your privacy “The Firm”. This discussion assumes:

  • Neither you nor Elvis is a high-value target, for example Ed Snowden or a big-time weapon smuggler.

  • You have a trustworthy device. For most of us a personal computer, properly set up, is acceptable. In my opinion, the same is generally true of modern mobile devices.

  • The Firm can watch the Internet and know, most times, which servers are being connected to and where the connections are coming from. They can capture your traffic but they can’t see into an HTTPS session.

  • The Firm might be able to get access to your cloud-resident messaging with an exploit, a National Security Letter, or blackmail. But they can’t decrypt OpenPGP-encrypted messages.

  • The Firm would find it highly suspicious if you and Elvis suddenly switched from plain-text to all-encrypted communication.

That last point illustrates a key principle, worth its own section.

Avoid attention · This is super-important. Once The Firm decides you’re a high-value target, the dynamic becomes amateur-vs-professional, where you’re the amateur and thus probably toast. So privacy tech is good, but being boring’s better.

This World of Ours (PDF) by James Mickens makes this point forcefully and humorously. He classifies all adversaries as Mossad or not-Mossad; the point is that if the Mossad is really after you, well, too bad.

The recipe ·

  1. Don’t do this at home. Go somewhere that isn’t one of your usual haunts and where lots of people connect from. Don’t go to the same place all the time.

  2. Use only your trusted device.

  3. Get yourself a “burner” email account. I typed “burner email account” into Google and saw lots of interesting options. I thought MailDrop looked pretty good.

    But I wouldn’t use one of those, because that could attract attention. The crucial thing is that there’s no server-side link between the burner and any of your real accounts. In my case, I rarely (as in never, basically) connect to the Microsoft cloud. So if I wanted a burner I’d probably go get an Outlook address. Yahoo might work for you, or AOL or something. Remember, you’re going to be connecting from shared-access spaces, and with any major provider, your traffic is going to blend right in.

  4. Find a public key for Elvis. One really good way is to meet Elvis and have him give it to you, or point you at a reliable place to download it from. If you download it, check its fingerprint against one Elvis gave you in person before you encrypt anything to it; a key with the right name on it is not the same thing as Elvis’s key. I think that once services like Keybase.io become more widely used, this will be easy.

  5. Here’s a tricky one: Figure out a safe way to send your burner address to Elvis. Best thing is face-to-face; failing that (since you’re not already high-value targets) maybe write it on a piece of paper, invest in a stamp, and drop it in a postbox. No, a physical one, with a little metal flap you lift up to put the letter in.

    Or maybe, just once, send Elvis a regular email including an OpenPGP-encrypted message containing your burner address. Be aware that an ordinary OpenPGP message names the recipient’s key ID in the clear, which ties your real account to Elvis’s key for anyone who reads the mailbox; the encryption tool’s “hidden recipient” option leaves that ID out.

    Once Elvis knows that address, he can start things up by emailing to it from his burner account.

  6. Encrypt all your burner-to-burner traffic. There are decent options for almost any software platform. If you’re on Android I recommend OpenKeychain; that recommendation is totally biased since I’m a contributor to the project.

    This doesn’t require that your burner email client support encryption; in fact, you totally don’t want that kind, because it puts your private key and your plaintext inside software the provider controls. You want to do the encryption yourself in code running on your device, then cut/paste the ASCII-armored text into and out of the mail client, so the provider only ever sees ciphertext. On an Android device, the Share menu is a convenient cut/paste replacement.
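Here is what steps 4 and 6 look like at a command line, as an added example that is not part of the original post. It uses GnuPG’s `gpg` tool rather than OpenKeychain, and it stands in for Elvis with a throwaway keyring and a constructed identity (`elvis@example.invalid`) so the whole round trip runs offline: Elvis makes a key, you import his public key and compare its fingerprint with the one he handed you, you encrypt with the recipient key ID hidden, and Elvis decrypts the armored block you would have pasted into the webmail compose box.

```shell
#!/bin/sh
# Added example, not code from the original post. The identity, the
# fingerprint hand-off and the message are constructed for the demo.
set -eu

# Compare the fingerprint Elvis wrote down for you (any spacing or case)
# with the one gpg computed for the key you downloaded. 0 = match.
same_fingerprint() {
    a=$(printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' \t\n' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Is this text an ASCII-armored OpenPGP message, i.e. safe to paste into a
# plain mail body? Armored output is bracketed by BEGIN/END marker lines.
is_armored_message() {
    printf '%s\n' "$1" | head -n1 | grep -q '^-----BEGIN PGP MESSAGE-----$' &&
    printf '%s\n' "$1" | tail -n1 | grep -q '^-----END PGP MESSAGE-----$'
}

# Full round trip in two throwaway keyrings. Prints the recovered plaintext;
# returns non-zero on any failure (gpg missing, fingerprint mismatch, ...).
demo_round_trip() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    ELVIS="$work/elvis"; YOU="$work/you"
    mkdir -m 700 "$ELVIS" "$YOU"
    # Unattended operation, no passphrase on the demo key.
    common="--batch --quiet --no-tty --pinentry-mode loopback --passphrase="

    # Elvis: generate a key (constructed identity) and export the public half.
    gpg --homedir "$ELVIS" $common --quick-generate-key \
        'Elvis <elvis@example.invalid>' default default never
    gpg --homedir "$ELVIS" --batch --quiet --armor \
        --export elvis@example.invalid > "$work/elvis.asc"
    # The fingerprint Elvis hands you face to face (read from his keyring here).
    paper=$(gpg --homedir "$ELVIS" --batch --with-colons --fingerprint \
        elvis@example.invalid | awk -F: '$1=="fpr"{print $10; exit}')

    # You: import the downloaded key, then check it really is Elvis's
    # before trusting it with anything.
    gpg --homedir "$YOU" --batch --quiet --import "$work/elvis.asc"
    seen=$(gpg --homedir "$YOU" --batch --with-colons --fingerprint \
        elvis@example.invalid | awk -F: '$1=="fpr"{print $10; exit}')
    same_fingerprint "$paper" "$seen" || { echo "fingerprint mismatch" >&2; return 1; }

    # Encrypt on your own device. --throw-keyids ("hidden recipient") leaves
    # Elvis's key ID out of the packet headers, so the ciphertext names no
    # destination even to someone who can read the mailbox.
    cipher=$(printf 'meet at the usual place, 19:00\n' | gpg --homedir "$YOU" $common \
        --armor --throw-keyids --trust-model always --recipient "$seen" --encrypt)
    is_armored_message "$cipher" || { echo "not armored output" >&2; return 1; }

    # $cipher is what goes into the webmail compose box. Elvis pastes it back
    # out on his side and decrypts with his secret key.
    printf '%s\n' "$cipher" | gpg --homedir "$ELVIS" $common --decrypt
}

if [ "${1:-}" = "demo" ]; then
    demo_round_trip
fi
```

Run it as `sh recipe.sh demo`. The fingerprint comparison is the part people skip; without it, a key that a third party uploaded under Elvis’s name would pass every other step. `--trust-model always` is only there because the demo keyring has no signatures on Elvis’s key; in real use you would sign his key locally after the fingerprint check instead of switching trust off.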

You’ll note that I didn’t recommend using Tor. For this scenario, I’m unconvinced that there’s a value-add. The Firm can detect Tor traffic, and so using it feels to me like waving a bright red “Secrets here!” flag.

This is a little subtle: The Firm might be able to convince the email provider to open up your email for them, but it’s much less likely that they can look at everything to see who’s using encryption; and the HTTPS encryption that Webmail providers use these days hides the OpenPGP armor in your email payload from anyone watching the wire. The provider itself, and anyone it lets in, can see that armored block sitting in the mailbox, which is exactly why the burner must have no link back to you.

Is it perfect? · Not even close. But it makes it really expensive for The Firm to find out what you’re up to and figure out how to work around it. Unaffordable, unless they have reason to believe you’re seriously bad. There are situations where just using encryption might be such a reason for your local flavor of The Firm. But if you’re careful and not unlucky, they might not even notice.



Contributions


From: David Magda (Nov 17 2014, at 07:45)

Regarding step 1, "Don't do this at home":

In addition to that, before you leave the house either turn off your mobile phone (if you're taking it with you) or leave it at home (a better idea). In addition to powering it down, taking out the battery or putting it in a Faraday cage/bag may be useful.

While you may be able to hide your computer in a crowded coffee shop, your personal cell phone can reveal your location as Petraeus and Broadwell found out:

https://www.schneier.com/blog/archives/2012/11/e-mail_security.html

In addition to a burner e-mail address, a burner trusted device could probably be prudent. Remember that the MAC address is unique per device, and so if you visit your burner e-mail account and then your real account from the same system within short order, the two can be linked (cf. Petraeus and Broadwell).

TL;DR: OpSec is hard.


From: Tom Purl (Nov 17 2014, at 12:44)

This is some really excellent, practical advice.

Personally, if I were a whistleblower trying to hide something from The Firm I would definitely use the Tor Browser Bundle for the following reasons:

* No one would be able to track the activity back to me.

* Even if The Firm knew that I was using Tor at the same time that someone sent an email message about them, they can't prove that *I* was the person who did it. They have no way of knowing exactly what I was doing on Tor.

Of course, this assumes that the traffic isn't blocked because it's using Tor (which it usually isn't in the US). If that's the case, then there's a very sophisticated bridge ecosystem available to help you circumvent that.


From: Taymon A. Beal (Nov 17 2014, at 12:51)

It might be advisable to spoof your MAC address, so that anyone who can see the coffee shop's local traffic doesn't see the same device connecting every time.

In fact, I think using Tails may be a good idea in this scenario. Tor itself may have both advantages and drawbacks for communicating secretly, but Tails has additional advantages beyond that: it hides your MAC address and a lot of other potentially identifying details about your identity, and prevents further information from being saved on your system that might be used to identify you.


From: Dan (Nov 17 2014, at 12:54)

Using the postal service in the US might expose you https://firstlook.org/theintercept/2014/10/28/youve-got-mail-government-reading/


From: len (Nov 18 2014, at 15:50)

Crime is hard work. Crime on the Internet is much harder unless you are stealing music, movies or the intellectual property of other nations. Then for some reason no one can explain it's trivial and unavoidable so we should all change our business models and accept it.


November 14, 2014


I am an employee of Amazon.com, but the opinions expressed here are my own, and no other party necessarily agrees with them.

A full disclosure of my professional interests is on the author page.