Our Pretty Good friend, Phil Zimmerman
Phil Zimmerman, the author of “Pretty Good Privacy” was in the news recently, talking about the usage of consumer email and the threats posed by the collection of vast amounts of metadata.
First of all, what is PGP?
PGP stands for “Pretty Good Privacy,” an email encryption program that has two uses. “First, it is an encryption system that uses public-key cryptography. Each user has a public key and a private key. In simple terms, you can encrypt a message using someone’s public key and they can decrypt it using their private key. (A one-off session key is actually involved.) If the private key has been kept truly private, no one else can read the message. More commonly, PGP is used to create a digital signature based on the contents of an email. This enables the recipient to verify that the message has not been changed, using the sender’s public key.” (Schofield, J. 2007 May 24 – Pretty Good Privacy with PGP, The Guardian)
Average consumer email, however, does not have these security protocols to protect the privacy of those in communication with each other. In fact, anyone with the technical know-how has the ability to obtain passwords and read any and all of someone’s email without anyone knowing.
But all they’re collecting is the metadata, right?
Well, maybe. But even though metadata (technical definition: data about data) doesn’t reveal the details of particular conversations, just the metadata itself, collected in large amounts, paints an overall picture of who you’re talking to and when, how often, how long, and more.
Here are the types of information that’s being collected by the companies that host these services, and the governments that these companies operate under:
- Sender’s name, email, and IP address
- Recipient’s name and email address
- Date, time, and time zone
- Unique identifier of email and related emails
- Mail client login records with IP address
- Mail client header formats
- Subject of email
Metadata associated with mobile phones:
- Phone number of every caller
- Serial numbers of phones involved
- Time of call
- Duration of call
- Location of each participant
- Telephone calling card numbers
Metadata associated with Facebook:
- Username and profile bio information including birthday, hometown, work history, and interests
- Username and unique identifier
- User subscriptions
- User location
- User device
- Activity date, time, and time zone
Metadata associated with web browsers:
- Activity including pages the user visits and when visited
- User data and possibly user login details with auto-fill features
- User IP address, internet service provider, device hardware details, operating system, and browser version
- Cookies and cached data from websites
As you can see, the aggregate of these parts of information gets pieced together into a whole, as simply as a computer-generated puzzle. This is especially important in some areas such as corporate communications and journalism, where the privacy of sources is essential to inform the public of the things they need to know about to make informed decisions in their everyday public and private lives.
These risks to privacy and the security that is so vital to business and personal conversations led Bugged.com‘s friend Phil Zimmermann “to develop a new feature for his Silent Phone app, encrypting conversations earlier in the call process. Dubbed “tunnelling”, the feature hides the knowledge of who is talking to who from any eavesdroppers. Zimmermann had the idea for the feature ‘quite a few months before the Edward Snowden revelations’, but its upcoming release will be timely.” (Hern, A. 2013 Sept 30 – Email surveillance could reveal journalists’ sources, expert claims. The Guardian)