[As ever, you can also read this on the BBC News website]
Like most journalists of my acquaintance I’m very sloppy about keeping my online communications secure.
I rarely encrypt email messages, leaving them to be read by anyone in the electronic chain between me and the intended recipient.
And I use public chat services like MSN Messenger and iChat, even though they send messages as plain text across the network.
Partly this is because the tools needed to make communications secure can be cumbersome and complicated, even for someone with a technical background.
Partly it is because I have not often been involved in researching stories that are going to bring me to the attention of those with the capabilities needed to tap even insecure online communications.
But you never know.
Each year I tell my students on the online journalism course at City University that they should take care to protect their files and emails.
And I point out that once someone emails them from a work address then that person can never be guaranteed anonymity in future, simply because it is so easy for employers or the police to get access to email traffic records.
They may not know what was said, as reading emails requires permission under the Regulation of Investigatory Powers Act, but they can find out that messages were exchanged.
In the past I’ve suggested that they get an account with Hushmail, the Canadian company that offers secure encrypted email for its customers.
But after revelations that Hushmail has been passing on details of supposedly secure emails to the Canadian police I think I’ll stop.
I like Hushmail because it works in your web browser. When you sign in it downloads an application written in the Java programming language, and this encrypts and decrypts your email using your secret keys.
Hushmail never sees your email, and so it can’t hand it over to the authorities even if they come with a warrant.
But the company also offers an easier to use service which does the hard work on its server rather than your computer. And when it does that it has to have access to your original message, at least briefly.
So when the Canadian police asked them for copies of emails sent and received by someone suspected of the illegal manufacture and distribution of anabolic steroids they couldn’t deny that they could read them.
The company has been open about what happened, although they don’t seem to have got around to mentioning it on their website yet.
But being open isn’t good enough, as the issue has highlighted a fundamental flaw in their security model, one that it will be impossible to get around. Even their more secure service could be undermined if the company agreed to add a ‘backdoor’ to their code at the authorities’ request.
The problem is that Hushmail, like other companies that store and process personal information, is bound by the laws of the country they are based in and sometimes those laws will require them to betray their customers.
A newspaper editor in the UK has to decide whether to go to court or hand over leaked documents; a manager at an ISP has to decide whether to allow the police to access email logs; and someone running a secure email company has to decide whether the privacy of a suspected drug dealer is worth a jail sentence.
Usually they do what is asked, and often they are not even allowed to tell users what they have done because of gagging orders.
The issue goes much wider than trying to decide who to trust with confidential or possibly incriminating data. It also has an impact on the tools we use to contact our friends or organise activities.
The National Union of Journalists is currently having an occasionally fractious internal discussion about the impact of new media on the profession, and the use of social network sites has been raised several times.
Some of the participants are simply opposed to these new-fangled technologies, a position that I have little sympathy with. I remember meeting Tony Benn, former MP and lifelong campaigner for socialism, and being pleasantly surprised at his enthusiasm for YouTube and the ways it could be used to amplify a political message.
But using commercial services for campaigning or organising raises the same sorts of issues as we see with Hushmail, because the interests of the owners are not the same as those of the users.
Trade union activist and online campaigner Eric Lee put it succinctly in a recent blog post when he noted that ‘Facebook is a poor replacement for a real online campaigning strategy for unions. And it makes us vulnerable to the whims of those who own the company’.
Hushmail seems to offer a good service, but its ‘simple’ service clearly offers no real security when it matters. Far better to install your own encryption software, like the freely available GnuPG, and take responsibility for your own security.
And Facebook may make it easy to set up a group, but it will never be as good as having your own server, your own code and your own security mechanisms in place. Organise a group on Facebook and it belongs to them; organise it on your own server and it belongs to you.
Of course doing this takes time, costs money and requires expertise that many campaigners simply do not possess. Perhaps the time is right for a co-operative social network site, one owned by its members and run in their interests.
It might never be worth $15 billion, but it could make the world a better place.
Bill’s Links
One effort, I recently discovered, intended primarily for campaigners is http://ngoinabox.org/?q=boxes
The Spiegel (as pointed out by StateWatch) had an interesting article on the impact of the EU directive on data retention on journos at http://www.spiegel.de/international/germany/0%2C1518%2C514872%2C00.html
br -d
Hello. Just read your article on Net Divide on the BBC website, don’t know if this is the right place to leave comments, but here goes.
A few years ago a similar problem was detected here where I live in the Basque countries.
In order to get more families on the NET, the regional government provided a 0% loan of upto 1200 Euros to buy a computer, requisites being it should have a modem and a basic internet connection. Max loan return period was 10 years, one went into any of the shops/chains (there were lots) which joined the scheme, picked a computer of choice, then took the paperwork to one of several banks, and that was it. Very simple paperwork and I took a payback time of 3 years, but that 10 year option meant that really anyone could afford it, although your income was not a consideration, just a limit of one per household.
That provided a big boost to Internet use. Also, temporary “computer schools” were set up everywhere, to sign up for FREE courses, taught or self-taught CDs with supervision, of internet or e-mail use. Govt…lots of people, especially elderly and many older women, found that a friendly introduction to the Net. It was very successful.
More recently, Spanish govt has come up with a similar scheme for any household with a Secondary or Higher education student.
Perhaps, UK govt. could come up with something along similar lines?