Geartest.com - Columns - Secrets and lives

Home > Columns > Secrets and lives

Secrets and lives

We often fail to use the technological tools at our disposal to safeguard our privacy, even when lives are at risk

by Saleem Khan

A journalist's stock in trade is information. Most of the time our only consideration in safeguarding it is competitive: beating our rivals to a story. But sometimes the stakes are higher and the information we collect has potentially serious consequences for those who supplied it, those whom it is about, and those who seek it. That's why it is so surprising that few of us do more to protect that information than close our notebooks -- paper or electronic -- and lower our voices to deter prying eyes and ears.

I recently contacted journalists who have been threatened or attacked for stories they covered. None used technological measures to enhance their personal or information security (even when those technologies were free) and most were not even aware of any ways they could do so.

This is particularly astonishing after a leak of personal information about Journal de Montréal crime reporter Michel Auger was allegedly used to plot his shooting last September. Although the leak did not stem from any action or omission by Auger, it should remind us to take information entrusted to us seriously, and to take appropriate measures to protect it, and ourselves.

Zero Knowledge

Math is the bane of many journalists, but its application through cryptography -- the science of scrambling (encrypting) information in a way that makes it unreadable by anyone but its intended recipient -- is a boon when it comes to protecting information and lives.

"Journalists are being kidnapped, killed, raped, murdered," said Austin Hill, co-founder of Zero-Knowledge Systems Inc. "This is real."

The Montreal company makes communications, commerce and cryptography products designed to enhance privacy.

Last December Zero-Knowledge launched a new version of its flagship product, Freedom. The free program helps Internet users prevent identity tracking, leaks of personal information, and unauthorized access to their computers; enables users to anonymously or pseudonymously browse the Web, and send and receive encrypted e-mail. "Privacy technology can both help and hinder what journalists do," Hill said, adding "journalists are a

key partner in the discussion of privacy," who need to be involved to entrench their ability to tell important stories that might not otherwise be told.

Internet activity, including e-mail, can be monitored and tracked by individuals, businesses and governments, and readily available commercial and hacker tools can empower anyone to hijack your computer through the Internet. To counter this, Zero-Knowledge says Freedom is designed in a way that prevents even its creators from compromising your security.

Most of Freedom's privacy features are free to use. Anonymous Web browsing, chat and e-mail services are enabled by purchasing a license for pseudonymous identities -- "nyms" -- for about $50 US. Users can apportion the license however they want, from a single nym for five years through to five nyms for one year each. Licensees' Internet traffic is routed through Zero-Knowledge's Freedom Network servers, which "scrub" the data, rendering it untraceable. Tracing attempts lead to a dead end: the Freedom Network.

While Hill's privacy concerns do not focus on journalists, company spokespeople say Zero-Knowledge is interested in working with journalistic organizations to help protect press freedom. Maintaining secure communications between journalists and sources, and safeguarding sensitive information when connected to the Internet are obvious uses for the software.

Zero-Knowledge says Freedom uses strong encryption (the company estimates it would require the resources of a large spy agency to break it) but it is neither certified nor independently audited according to generally accepted security standards to guarantee it is as secure as they claim.

However, Hill points out that it is in Zero-Knowledge's interest to make Freedom as secure as possible since the reputations of his company and its prominent cryptographers are at stake. The company has publicly released Freedom's source code -- the software's instructions, as written by programmers -- for public inspection, peer review and free use in third-party applications, and has posted analyses of Freedom by security analysts on the company's Web site.

Encrypted e-mail

Regular (unencrypted) e-mail is the electronic equivalent of sending a postcard -- anyone can read or alter your message anywhere between the sender and recipient. Encrypted e-mail is the equivalent of sending a letter in a locked box that only you and the intended recipient can open.

Zero-Knowledge is not the only company that offers encrypted e-mail. Others include U.S.-based Hush Communications Corp., ZipLip.com Inc., ZixIt Corp., and Vancouver's PrivacyX.com Solutions.

All but ZixIt give users free, Web-based encrypted e-mail (ZixIt began charging an annual fee of $12 US in January). Hush and ZixIt also offer free software you can download to your personal computer to encrypt e-mail from your existing account.

PrivacyX.com's encrypted e-mail has a bonus feature. The company issues each user a free, anonymous digital certificate to electronically sign their e-mail messages, assuring recipients the message is authentic and unaltered. Digital certificates usually require an embedded, true legal name.

Hush recently added digital signature capabilities to its e-mail service, HushMail, but its approach differs from PrivacyX.com's. Instead of issuing digital certificates, Hush created a small computer program that lets people who don't use HushMail receive and read messages from those who do.

Hush says they did this to address a major barrier to widespread encryption use: the relative complexity of using the technology. Last August researchers at Carnegie Mellon University in Pittsburgh, and the University of California at Berkeley tested a group of university-educated e-mail users to see if they could encrypt messages using a common e-mail encryption tool, PGP. Nine of the 12 people were unable to complete the task properly.

By eliminating multi-step encryption and signing, Hush says its approach is more user-friendly than its competitors'.

"Hush Communications strongly believes that everyone has a right to communicate without fear of surveillance or interference," Hush CEO Jon Matonis said. "The number one thing Hush, and particularly HushMail, can do for journalists is to protect their sources."

The free, easy availability and usability of secure, signed e-mail services make it journalists' responsibility to routinely use them, especially when communicating sensitive information.

Files and phones

Encrypting files reduces the risk of an unauthorized person reading them, a fact recognized by Texas-based Entrust Technologies Inc. The security and encryption company offers its desktop and e-mail encryption program, Entrust/Solo, free for personal use. Entrust/Solo includes file encryption of any scale, from one file to your entire hard drive; e-mail encryption; secure deletion of files to prevent them from being resurrected; and digital signing capability, among other features.

Information stored on personal digital assistants (PDAs) like the Palm can also be encrypted. Certicom Corp. gives away copies of its Secure Memo Pad Encryptor for Palm-compatible PDAs.

No discussion of privacy and cryptography would be complete without mentioning the world's most widely used encryption software, PGP (Pretty Good Privacy). Volunteer programmers from around the world develop the free software, which comes in many forms including e-mail, computer desktop, Palm, and even Internet-based telephone encryption that enables journalists and sources to speak securely if both have a computer and microphone.

Hush Communications scored a coup last February by hiring PGP inventor Phil Zimmermann away from Network Associates. It was the cryptography world's equivalent of the L.A. Kings stealing Wayne Gretzky from the Edmonton Oilers. Zimmermann is now Hush's chief cryptographer and will concentrate on developing an advanced version of his PGPfone voice encryption software.

Regardless of any security measure's sophistication, nothing guarantees security against human error. The best way for journalists to maintain the integrity of sensitive information and protect their sources and themselves is to exercise care and good judgement.

Saleem Khan is a journalist who covers technology and international affairs. This column first appeared in the Spring 2001 issue of MEDIA magazine.