
Encrypt your IM and e-mail communications using open source software

Sunday, October 18th, 2009

We all use e-mail now, and many of us use instant messaging services like YM or AIM.  Let's keep three things in mind:

  1. Popular e-mail services like Yahoo Mail, Gmail (Google), and Hotmail (Microsoft) are free because the providers retain on their servers everything you send and receive.  This includes anything with personal data, such as resumes.  They data mine everything to create marketing profiles of their users, which they are free to sell, and the servers are vulnerable to exploitation by hackers.  Digital storage is cheap, so nothing ever goes away.  You might one day have something you wrote years ago used against you.
  2. If you use wireless internet connections, plucking your data right out of thin air is pretty easy because you're broadcasting ordinary radio.  Anything not encrypted is plainly readable to interceptors.
  3. The government of the United States of America has already decided to ignore the 4th Amendment by asserting that spying on citizens without warrants is necessary for our "security."

"Any society that would give up a little liberty to gain a little security will deserve neither and lose both." --Ben Franklin

Fortunately, we can all take some easy steps to protect our privacy.

Instant Messaging

Two completely free, open source pieces of software are the only things necessary to protect your IM conversations.  The first is Pidgin, a universal chat client.  The second is the Off-the-Record plugin for Pidgin.

Pidgin is an application, not a service.  It does not require you to register for anything.  Pidgin enables all your chats to run in one application.  For example, if you IM on YM and AIM, you don't need a separate program running for each of them.  Pidgin does it all, and more.  You can try it out without deleting your other chat applications.  Download Pidgin, and install it.

Once you're up and running with Pidgin, you've done 99% of the work necessary to secure your IM conversations.  Complete the process with these two steps:

  1. On the "Logging" tab of Pidgin's preferences menu, disable logging if you do not have a need to be able to read past IM conversations.  It is on by default.  This step is optional, but encrypting your online conversations is less valuable if a complete transcript will be stored on the hard drive of any of the participants.
  2. Download the Off-the-Record plugin (OTR) for Pidgin.  Read the instructions on the website, enable the plugin from Pidgin's "plugin" menu, and configure it.  Ubuntu users should note that OTR was likely part of the default installation prior to version 9.10.  You might need only to turn it on.

That's it.  Whenever you chat with somebody else using OTR, you will have the opportunity to encrypt your data transfers, including files sent between chat clients.  You will also find that many people welcome the opportunity to chat securely and are willing to download this software to do it.  You can continue chatting as normal with people who do not use Pidgin or OTR.

E-mail security with GnuPG

"Perhaps you think your e-mail is legitimate enough that encryption is unwarranted.  If you really are a law-abiding citizen with nothing to hide, then why don't you always send your paper mail on postcards?  Why not submit to drug testing on demand?  Why require a warrant for police searches of your house?  Are you trying to hide something?"  --from "Why I wrote PGP" by Phil Zimmermann

Encrypting and digitally signing e-mail using PGP, an open standard for encryption, isn't much more difficult than encrypting your IMs.  Read the Wikipedia entry about PGP to get an idea about how it works, and then follow the steps below.  Everything you need is free, but you will need to register for a new e-mail account if Yahoo Mail is all you have now.

  1. Install, or verify you have installed, a mail client. For Windows users, I recommend Thunderbird, made by the company behind the popular Firefox web browser.  Linux users might have Evolution Mail, which also works well.  Outlook and Windows Mail do not integrate easily as described below.  Get Thunderbird, and save yourself the Microsoft hassle.
  2. Configure your mail client with your e-mail account, and verify that you can send and receive e-mail using your mail client. Here is how to configure Gmail.  You'll have to search the Windows Live website maze to find the right setting for Hotmail (search for "POP3").  Yahoo Mail offers the capability to read mail with a mail client only to paying subscribers, which includes about nobody.  If you have your own website, your host should provide information about how to check your e-mail, including mail client settings.
  3. Download and install Gnu Privacy Guard (GPG), the free, open source implementation of PGP.  Linux distributions, including Ubuntu, frequently come with Seahorse installed by default.  If you already have Seahorse and Evolution Mail, you have everything you need. (Windows, Mac, Linux)
  4. If you installed Thunderbird, install Enigmail.  This binds GPG to Thunderbird so you can use them seamlessly.  If you're using Seahorse, read that program's manual pages.

That's all the software you need.  Read the directions associated with the various components, and generate a public-private key pair for your e-mail addresses.  That's it.

One downside is that you must have access to your private key to read mail encrypted with your public key, and you will probably only keep your private key on your primary personal computer.  This is usually not a big problem, but keep it in mind if you need to receive e-mail while travelling.  Encrypted messages will look like gibberish if you read them with a web browser.
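
The key generation and the private-key caveat described above, run end to end with the gpg command line.  This is an added example, not part of the original post; it assumes GnuPG 2.1 or later, and the addresses, the message text and the "webmail" keyring are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Needs GnuPG 2.1 or later.
# Addresses and message text are constructed; keys have no passphrase (demo only).

g() { local home=$1; shift; gpg --homedir "$home" --batch --quiet --no-tty "$@"; }

pgp_demo() {
  local tmp alice bob webmail h plain rc=0
  tmp=$(mktemp -d) || return 1
  alice=$tmp/alice bob=$tmp/bob webmail=$tmp/webmail
  mkdir -m 700 "$alice" "$bob" "$webmail"

  # 1. Alice and Bob each generate a key pair on their own computer.
  for h in alice bob; do
    g "$tmp/$h" --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$h@example.org" default default never 2>/dev/null || rc=1
  done

  # 2. They swap PUBLIC keys only. "webmail" stands for any machine that
  #    holds the public keys but neither private key.
  g "$alice" --armor --export alice@example.org > "$tmp/alice.pub"
  g "$bob"   --armor --export bob@example.org   > "$tmp/bob.pub"
  g "$alice" --import "$tmp/bob.pub" 2>/dev/null
  g "$bob"   --import "$tmp/alice.pub" 2>/dev/null
  g "$webmail" --import "$tmp/alice.pub" "$tmp/bob.pub" 2>/dev/null

  # 3. Alice signs with her private key and encrypts to Bob's public key.
  #    --trust-model always skips the ownership check; in real use, compare
  #    key fingerprints with the other person first.
  printf 'Meet at noon.\n' | g "$alice" --trust-model always --armor \
    --local-user alice@example.org --recipient bob@example.org \
    --sign --encrypt > "$tmp/msg.asc" || rc=1
  echo "on the wire: $(head -n 1 "$tmp/msg.asc")"

  # 4. Bob's private key decrypts it; Alice's public key checks the signature.
  plain=$(g "$bob" --trust-model always --decrypt "$tmp/msg.asc" 2>/dev/null) || rc=1
  echo "bob reads: $plain"

  # 5. Without Bob's private key the same message stays unreadable.
  if g "$webmail" --decrypt "$tmp/msg.asc" >/dev/null 2>&1; then
    echo "webmail: decrypted"; rc=1
  else
    echo "webmail: cannot decrypt"
  fi

  for h in "$alice" "$bob" "$webmail"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null; done
  rm -rf "$tmp"
  return "$rc"
}
```

Call pgp_demo after sourcing the file; everything happens in a throwaway directory, so your real keyring is untouched.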

Also keep in mind that having a secure connection (https) to your webmail is not the same thing as encrypting your messages.  Anybody with access to your mail provider's servers, including employees and governments, can read your unencrypted messages, as can anybody along the delivery path once your message goes out unencrypted over the internet to the recipient's mail provider.  Also, the recipient is not guaranteed to have a secure connection with his or her mail provider, which introduces yet another privacy threat.

That's It

Please comment if you encounter problems following the steps in this article.