Encryption: Questions and Answers
The following is a list of frequently asked questions and answers. Feel free to ask us anything else you want to know by contacting the NGO Privaterra through http://www.privaterra.org
Q: What is encryption?
A: Encryption means scrambling data into a secret code that cannot be deciphered except by the intended party. Given enough time and computing power, all encrypted messages can be read, but this can take huge amounts of time and resources. In simple terms, encryption is a way for you to secure your files and emails from spying eyes. Your files get translated into code – an apparently random collection of numbers and letters – that makes no sense to anyone who sees it. To encrypt a file, you "lock" it with a key, represented by a pass phrase. To encrypt a message, you lock it with a key pair using your pass phrase. It can only be opened by the intended recipient, using his or her own pass phrase.
Q: Why should human rights groups use encryption?
A: Everyone should use encryption, because digital communications are inherently unsafe. However, human rights workers are much more at risk than most people and their files and communications are more sensitive. It is imperative for human rights workers to use encryption to protect themselves and the people they are trying to help.
Digital technology is a benefit to human rights groups, allowing them easier communications, greater efficiency and more opportunities. However, with any benefits come certain dangers. Just because you wear a seat belt doesn’t mean you expect to have an accident every time you drive. Driving in a more dangerous situation, such as a race, makes you even more likely to use a seat belt, just to be safe.
Human rights workers are known targets of surveillance. Since unencrypted emails can be accessed and read by almost anyone, it is almost inevitable that your unencrypted emails will be accessed at some point. Your messages may already be monitored by your opponents and you will never know. The opponents of people you are working to help are also your opponents.
Q: Is it illegal to use encryption?
A: Sometimes. It is perfectly legal to use encryption in most countries of the world. However, there are exceptions. In China, for example, organisations must apply for a permit to use encryption, and any encryption technology on your laptop must be declared as you enter the country. Singapore and Malaysia have laws requiring anyone wishing to use encryption to report their private keys. Similar laws are pending in India. Other exceptions also exist.
The Electronic Privacy Information Center (EPIC) provides an International Survey of Encryption Policy discussing the laws in most countries at http://www2.epic.org/reports/crypto2000/. This list was last updated in 2000. If you are concerned, check with Privaterra before using encryption in a particular country.
Q: What do we need to keep our IT systems safe?
A: It depends on your system and your activities, but generally everyone should have:
- A firewall;
- Disk encryption;
- Email encryption that also supports digital signatures, such as PGP;
- Virus detection software;
- Secure back-up: Email all materials to a secure site and do weekly back-ups to CD-RW. Then store the back-ups at a separate, secure location;
- Passphrases that can be remembered but not guessed;
- A hierarchy of access – everyone in the organisation does not need access to all files;
- Consistency – none of the tools will work if you don't use them all the time!
But having the right software is not the whole solution. Individuals are usually the weakest link, not technology. Encryption doesn't work if individuals don't use it consistently, if they share their passphrases indiscriminately or make them visible, for example, on a sticky note pasted to their monitors. Back-up software won't save you in the event of a fire or raid if you don't keep the back-up copy at a separate, secure location. Sensitive information must be treated on a need-to-know basis instead of being shared with everyone in the organisation, so you need to create hierarchies and protocols. In general, it's important to be conscious of privacy and security in your everyday activities. We call this "healthy paranoia".
Q: How do I choose which encryption software to use?
A: Usually, you can ask your friends - and confirm with us. You need to communicate with certain people and groups, so if they are using a specific encryption system, you should use it too to facilitate communications. However, check with us first. Some software packages simply don't do a good job, while others are honey pots. Honey pots lure you into using free and seemingly excellent software provided by the very people who want to spy on you. How better to read your most vulnerable communications than by being the overseer of your encryption software? Still, there are many reputable brands of both proprietary software and freeware - just remember to investigate before you use it.
Q: Won't using encryption put me at a greater risk of a crackdown?
A: No one will know you are using encryption unless your email traffic is already being watched. If so, your private information is already being read. That means you are already involved in a crackdown by those doing surveillance on you. There is a concern that those doing surveillance on you will use other options if they can no longer read your emails, so it is important to know your colleagues and implement safe back-up policies and consistent office management at the same time as you begin to use encryption.
(Note: We have no information on cases in which the use of encryption software has caused problems for defenders. However, consider this possibility carefully before starting to use encryption, especially if you are in a country with a heavy armed conflict – military intelligence could suspect that you are passing on information that is relevant from a military point of view – or if very few defenders use encryption – this could attract unwanted attention to you.)
Q: Why do we need to encrypt emails and documents all the time?
A: If you only use encryption for delicate matters, those watching you or your clients can guess when critical activity is taking place, and become more likely to crack down at those times. While they cannot read your encrypted communications, they can tell whether files are encrypted or not. A sudden rise in encryption may trigger a raid, so it is a good idea to start using encryption before special projects begin. In fact, it's best to ensure all communication traffic flows smoothly. Send encrypted emails at regular intervals, even when there is nothing new to report. This way, when you need to send delicate information, it will be less noticeable.
Q: If I've got a firewall, why do I need to encrypt my email?
A: Firewalls prevent hackers from accessing your hard drive and network but, once you send an email into the internet, it is open to the world. You need to protect it before you send it.
Q: No one is breaking into my office, so why should I use privacy software?
A: You don't know if someone is breaking into your system or leaking information. Without encrypted communications, physical security or privacy protocols, anyone can be accessing your files, reading your emails and manipulating your documents without your knowledge. Your open communications can also put others at risk in places where politically motivated raids are more likely to happen. If you lock your doors, you should encrypt your files. It's that simple.
Q: We don't have internet access and have to use an internet café. How can we protect communications sent from an outside computer?
A: You can still encrypt your emails and your files. Before going to the internet café, encrypt any files you intend to email and copy them in encrypted form onto your floppy disk or CD. At the internet café, sign up for an encryption service such as www.hushmail.com or an anonymity service such as www.anonymizer.com, and use these when sending your emails. Make sure the people receiving your communications have signed up for these services too.
Q: If it is that important to secure our files and communications, why doesn't everyone do it?
A: This technology is relatively new, but its usage is spreading. Banks, multinational corporations, news agencies and governments all use encryption, seeing it as a sound investment and a necessary cost of doing business. NGOs are at greater risk than companies, which most governments welcome. NGOs are more likely targets of surveillance and therefore need to be proactive in implementing the technology. Human rights workers are concerned with protecting persecuted individuals and groups. To do so, they keep files which can identify and locate people. If these files are accessed, these individuals can be killed, tortured, kidnapped, or “persuaded” not to assist the NGO anymore. Information from these files can also be used as evidence against the NGO and their clients in political prosecutions.
Q: One of our principles is openness. We are lobbying for greater government transparency. How can we use privacy technology?
A: Privacy is consistent with openness. If the government wishes to openly request your files, it can do so through proper and recognised procedures. Privacy technology stops people from accessing your information in a clandestine way.
Q: We follow all the privacy and security protocols and our information is still leaked – what's going on?
A: You may have a spy within your organisation or someone who simply cannot keep information confidential. Rework your information hierarchy to ensure fewer people have access to delicate information – and keep an especially watchful eye on those few people. Large corporations and organisations routinely disseminate different bits of false information to specific people as a matter of course. If this false information leaks out, the leak can be tracked directly back to the employee who was given the original, false information.
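An added illustration of the tracking technique described in the answer above (not part of the original FAQ): each person's copy of a memo carries a different decoy reference, derived with an HMAC so the owner does not have to keep a list of who received which version. The secret, memo ID, staff names, memo text and the {REF} placeholder are all constructed for this example.

```python
import hashlib
import hmac

def decoy_ref(secret: bytes, doc_id: str, recipient: str) -> str:
    """Derive a recipient-specific decoy reference from a secret only the
    document owner holds, so no table of who-got-what has to be stored."""
    msg = f"{doc_id}\x00{recipient}".encode()
    return "REF-" + hmac.new(secret, msg, hashlib.sha256).hexdigest()[:10].upper()

def personalise(template: str, secret: bytes, doc_id: str, recipient: str) -> str:
    """Fill the {REF} placeholder with this recipient's decoy reference."""
    return template.replace("{REF}", decoy_ref(secret, doc_id, recipient))

def trace_leak(leaked: str, secret: bytes, doc_id: str, recipients: list[str]) -> list[str]:
    """Return the recipients whose decoy appears in the leaked text.
    An empty list means the text did not come from one of these copies."""
    return [r for r in recipients if decoy_ref(secret, doc_id, r) in leaked]

# Constructed sample data (hypothetical names, secret and memo text).
SECRET = b"constructed-demo-secret"
STAFF = ["amina", "carlos", "li"]
TEMPLATE = "Case file {REF}: the field visit has moved to the northern office."

if __name__ == "__main__":
    copies = {name: personalise(TEMPLATE, SECRET, "memo-7", name) for name in STAFF}
    print(trace_leak(copies["carlos"], SECRET, "memo-7", STAFF))
```

The trace only works if the secret stays with the person who issued the copies and if the decoy detail survives in the leaked version.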
Dos and don'ts of using encryption
- DO use encryption consistently. If you only encrypt sensitive material, anyone monitoring your email traffic will know when something important is about to happen. A sudden increase in use of encryption might lead to a raid.
- DON'T put sensitive information in subject lines. They are usually not encrypted, even if the message is.
- DO use a pass phrase containing letters, numbers, spacing and punctuation that only you can remember. Some techniques for safe pass phrase creation are using designs on your keyboard or random words strung together with symbols in between. In general, the longer the pass phrase, the stronger it is.
- DON'T use a single word, name, popular phrase or an address in your address book for your pass phrase. These can be cracked in minutes.
- DO back-up your private key (the file that contains your private key for encryption software) in a single secure place, such as encrypted on a floppy disk or on a tiny, removable "keychain" USB memory device.
- DON'T send sensitive material to someone just because they’ve sent you an encrypted email using a recognisable name. Anyone can "spoof" a name by making his or her email address sound like someone you know. Always verify someone’s identity before trusting the source – communicate in person, check by phone, or send another email to double-check.
- DO teach others to use encryption. The more people are using it, the safer we will all be.
- DON'T forget to sign the message as well as encrypting it. You want your recipient to know whether your message has been changed in transit.
- DO encrypt files sent as separate attachments. They are generally not automatically encrypted when you send an encrypted email.
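The points above about subject lines and attachments can be checked before a message is sent. The following is an added example, not part of the original FAQ: it parses a raw email and lists what is still readable in transit. It assumes encrypted content is ASCII-armored OpenPGP (binary OpenPGP data is not recognised); the addresses, subject, file names and placeholder "ciphertext" are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

ARMOR = b"-----BEGIN PGP MESSAGE-----"  # OpenPGP ASCII-armor header line

def is_armored(part) -> bool:
    """True if the part's decoded content starts with an OpenPGP armor header."""
    data = part.get_payload(decode=True) or b""
    return data.lstrip().startswith(ARMOR)

def audit(raw: bytes) -> list[tuple[str, str]]:
    """List what an observer on the wire can still read in this message."""
    msg = message_from_bytes(raw, policy=policy.default)
    exposed = []
    subject = str(msg.get("Subject", "")).strip()
    if subject:
        exposed.append(("subject", subject))  # headers travel outside the ciphertext
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and not is_armored(body):
        exposed.append(("body", "not encrypted"))
    for att in msg.iter_attachments():
        if not is_armored(att):  # attachments must be encrypted separately
            exposed.append(("attachment", att.get_filename() or "(unnamed)"))
    return exposed

def sample_message() -> bytes:
    """Constructed message: armored body, one clear and one armored attachment."""
    fake = (ARMOR + b"\n\n(constructed placeholder, not real ciphertext)\n"
            b"-----END PGP MESSAGE-----\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Witness list for Tuesday"
    msg.set_content(fake.decode())
    msg.add_attachment(b"interview notes, plain text", maintype="application",
                       subtype="octet-stream", filename="notes.doc")
    msg.add_attachment(fake, maintype="application",
                       subtype="octet-stream", filename="contacts.xls.asc")
    return msg.as_bytes()

if __name__ == "__main__":
    for kind, detail in audit(sample_message()):
        print(f"EXPOSED {kind}: {detail}")
```

Whether a message was signed cannot be seen from outside once it is encrypted, so this check does not cover the signing rule.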