Did you know you have a power? It's a kind of force that is completely nonviolent. It hurts nobody. Your grandparents did not have it, but you do. Did you know that?
The force is called by many names -- "numerical complexity," "strong cryptography," but you can just call it "math" -- yes that stuff that made your head swim in high school.
Math is based on simple rules. To many it seems to exist in this far-off land completely detached from reality, full of baskets full of unknown numbers of apples and oranges and more letters and symbols than a bowl of alphabet soup (unless it is made in Greece.) But math is very real, and has real world effects.
Read on to see how that alphabet soup belies the basis of the FISA legislation, and can be used to restore your privacy by force, since our government no longer cares to protect it. Learn to "whisper" in the digital age.
I'm going to do something rare here. I am going to explain something called "public key cryptography" without using any fancy symbols or words, in plain english. After that, we'll discuss the political implications.
Did you know?
There are some people both in and out of the United States who can talk to each other without any fear of Alberto Gonzales listening in on them. No, they don't have to call each other on pay phones to meet at a public restroom in a shopping mall, bar the door, and turn on all the water faucets. They can do it while sitting in their own home.
They can do this because they possess some very powerful numbers, called "keys." Each one of them has two keys, a "public key" and a "private key." With the help of a computer, internet access, and about half an hour of "clueless computer user" time, you could get your very own set of keys.
Who has these keys?
In fact if you are reading this, you already have some keys -- but they are weak keys. Your web browser uses them whenever the little lock icon on the screen closes.
Lots of people have strong keys. A lot of computer geeks do. Spies probably do. So do, most assuredly, many terrorists. So why not you?
How do the keys work?
To put things very simply, you can take one of your two keys and use it to create a message that can only be read by someone who has a copy of the other key. One key can read messages made by the other key, but you cannot open a message with the same key that locked it. That may seem strange, but you'll have to trust me on that, because otherwise I'd have to break out my can of greek letters in a reduced tomato base.
So you give out copies of one of the keys to whoever wants them. That one is the "public key." The other one, you keep very safe. You only take it out when you need to use it.
So if someone has a copy of your public key, they can send you a message that only your private key can unlock. And if you have a copy of their public key, you can reply to them. As long as you both keep your private key safe and your keys are strong enough, nobody can spy on you. That's the force of math. That's real, solid power there. How does it feel?
If everyone has a copy of your public key, though, how do you know if a message you get is really from the person you trust? Well, because they can do one other thing with their private key -- they can sign things, so that anyone who has their public key can tell they are really the person who sent it. They can even post a message to a public discussion board which everyone can read without unlocking it, but sign it so anyone with their public key can check that they really wrote it.
So first they sign it with their private key, then they lock it with your public key, then they send it to you. You unlock it with your private key, and then you check the signature with their public key.
Can I trust the software?
Who knows what is in commercial software these days? We know the government has been busy making the big companies put back doors into their software. Luckily, there is open source software, which is proofread by anyone who knows how it works and wants to take the time. It would be very hard for a back door to be placed there. So use the free software instead of any product from a large company. It's called GnuPG.
But is it easy to use?
A plugin to Firefox will allow you to use your keys on any web page, including your email account, with some simple mouse menus. It even installs buttons for some more popular email services (well for now just one, gmail.) It's called FireGPG. See the screenshots link.
So why didn't you sign this dkos post then?
Because I, like most of you, don't use these powerful keys. It's not that I don't know how, and it's not that I do not want to. It's that if I suggest using them to the people I talk to, they look at me like I'm from another planet. Or maybe Greece.
And that brings us to the politics, and why acceptance of these new tools for "whispering" needs a shot in the arm.
This same technology can also be used to lock up Internet telephone calls. Remember when I said terrorists probably already have this software? Well, if and when a terrorist decides they really want to do something top secret, no amount of wiretapping is going to help the intellegence people if these people decide to use the right technology. And they can download it from the Internet just like you.
Which means in the long run, as the intelligence infotech arms race heats up, AGAG can only listen in on the people who don't use this technology. That is to say, you.
It also means that many of the companies currently being forced to wiretap or add back doors, or doing so willingly, have a lot to lose. If people realize that maybe it's easy to set up VoIP instead of using a telephone, and instead of picking a big company that may have put in back doors in their software, they just download some open source software to do so, and because they can't really trust a computer running Windows they should maybe try something open source, guess who loses business?
Yep, companies.
And who does congress actually listen to? Yep, company lobbyists.
There could come a day when the loss of legal protections against wiretapping spells ruin for hundreds of billions of dollars worth of venture capital in the IT industry. So if you want those Vonage and Virgin and Verizon and Cisco and Microsoft and whatnot lobbyists to be yelling at your representatives to ratchet up the legal protections and restore public confidence in their privacy when using company products... well you know what to do.
Afterthought: are there any important precautions?
Well, make sure you don't get a crappy set of keys. Keys are rated by their "modulus." You want a modulus of 4096 to be very safe.
Also you should be careful not to export any of the software used to use the keys from the United States to another country. That's illegal. You can import the software legally, though, and once you are in another country, you can get it from someplace inside that country. It's everywhere.
On an ongoing basis, you have to be able to do two things to use these keys safely.
First you have to make sure nobody ever gets a hold of your private key, and that you do not lose it or allow anyone to change it. This can be a bit difficult because it is a really long number which you cannot just memorize or type in when you need it, so you have to store it on a computer. You usually use a password to "lock your key", and that helps (as long as there is no spyware on your PC watching your keystrokes.) Some people go so far as to keep their "private key" on a thumb drive and only insert it into the computer when they need it. For people that need to take it to extremes, there are actually microchips you can hide your key in that never let it out, but allow you to use it inside the microchip.
Second, you have to be able to keep all the public keys of your friends. These are easy to get, but you have to make sure they don't get changed by anyone who is up to no good.
In order to make the second part easier, there are things called "fingerprints." A fingerprint is a shorter number that you can read to someone in person or over the phone. Sometimes they can be called a "SHA1" or "MD5" or "hash". Once they have a copy of your public key, they can take its fingerprint and personally check to make sure it matches what you told them.
The second thing that makes this all easier is that once you have a keys from some people you trust,they can use their private key to sign other people's keys that they trust. So if your trusted friend Joe send you Bob's public key, and signs it, you know you have the right public key for Bob, just as long as you know you can trust Joe.