secret level
My blog on cryptography, security and privacy. I just try to write about things I find while solving puzzles and looking for secrets.
I only respond to messages signed with a private key or at least encrypted with my public key.
Using Proton Services For Privacy - Should You?
21/08/2022
I was thinking about what I wanted to write about here on this blog for a few weeks now. I was thinking of writing about hate crimes online and what kinds of privacy and security implications that kind of threat poses, given that OSINT is becoming a more and more viable way to find out things about people and now hate mobs are becoming a viable misinformation tool for foreign governments. I was also considering covering some interesting cryptography books I've been reading. I also thought about going to some of the things I've been reading about regarding analyzing leaked datasets.
I'll likely touch on those topics on a later date. I was starting a post on the state of PGP in 2022, and as I got to writing the post warped into a longer discussion on Protonmail and the nature of trust. So here it is!
In the interest of full disclosure, I'll admit I'm not a software developer, journalist, government official, or anyone who would be required professionally to use PGP (or GPG) for communication or email. I'm just a random guy who got into privacy and cryptography by reading upsetting stories online about privacy abuses. I'm coming into this as a person who, out of the blue, wants to start using encryption day to day, if even just out of principle. Usually, the first stop the suddenly privacy-minded end up at is ProtonMail. It's been advertising for years and is generally considered the go-to email company to choose if you want some kind of privacy and don't want your email provider scanning and reading your email messages. Proton advertises that encryption is end-to-end and messages are encrypted by default. It's a good start for sure. I started paying for Proton's premium service and use their email and VPN services daily. Proton, as it is now called, is likely one of the better contenders in the emerging Privacy as a Service model and as far as I have been able to tell, it has a pretty good reputation in general. People in your circle of friends have likely heard of it. It doesn't hurt that they offer a free tier for people just stumbling into this stuff for the first time as well.
Nothing is perfect of course. Proton mentions on their website that end-to-end encryption is only enabled by default only between Proton email accounts, however you can attach your PGP key to email messages by changing your account settings. To be honest, most people are likely not talking about things so sensitive that PGP encryption ought to be on and stay on, and to be honest, really just want to make sure the contents of their messages are not scanned to create ad profiles. It would be better though for Proton to mention this limitation more prominently when you sign up.
In 2021, Proton came under fire for giving up user information when facing a court order. I remember the concern I felt when this story was breaking. A lot of people were very angry that a company that is so openly basing their business on privacy would do something like this. Proton in their defense claimed that under Swiss law, that they are bound to as a Swiss company, they were forced to comply to a demand of a French court as their customers had committed crimes that are also crimes in Switzerland. They were forced to comply or face legal measures, effectively meaning that their servers could have been forcefully seized by the Swiss government.
I understand as a company they didn't have much leeway and had to compromise the privacy of their customers to survive. The company mentioned that IP-addresses and browser fingerprints are not stored "by default" but this case showed that they can be coerced to save this data through court orders. As the Wired article I referred to mentioned, a way to surpass this is by using the Tor browser but depending on your threat model even that may not be enough.
So what do I mean by threat model? Simply, it's just who you're hiding from. For instance, if you don't want your spouse or friends logging into your computer and reading your messages, that is your threat model, and in this case the appropriate actions to take would be to lock your computer when you are not using it and have a password to unlock your computer or phone. It's pretty much as simple as that. There are layers upon layers of threats you can try to counter, going from preventing your acquaintances from snooping on your messages, to stopping hackers from stealing your banking details, to hiding the fact that you buy drugs and you don't want the police finding out. Each scenario has it's own set of actions to keep your messaging private.
In my case for using Proton, what am I trying to achieve? In reality, I just want (1) my email provider not directly reading my email (2) create less data points for large companies to use to create a data profile on me. This leads to the question why I even care about those two points and that may require another blog post. (In short, it's because I don't know what that profile will be used for.)
Does Proton cover the points I mentioned? The answer is yes to the best of my knowledge. Until I am shown evidence to the contrary, I feel Proton's mail and VPN services help me keep up some privacy on these fronts. If I was doing something that would incur the wrath of the state, on the other hand, I would need to completely re-evaluate what a premium Proton account can offer me. If you're reading this and wondering what it would require to actually hide your communications from a nation-state actor, I'm telling you that it's going to require a whole lot more that just buying a service from a company.
Servers are physically always located somewhere and so fall into some justification somewhere and can be seized or searched through court orders. Although most of the time that isn't even needed as most of the information that is needed to track you is gathered by how you use your internet connection and what kinds of data you put out on internet services. The most concerning way you can be tracked is how the people you interact with use the internet. If your being surveilled by a big enough actor, you could encrypt your hard drive and use PGP all day but all it takes is the person you're talking to starts treating privacy as an afterthought and it's game over for you as well. You can be tracked using your internet connection, the computer you use, the browser you use to access the internet, they way you write, the list goes on and on. It's not many people who value their privacy to the point of using single-use burner laptops running Tails OS on Starbucks Wifi.
If you want to pull out the tinfoil, their are people in certain circles that claim Proton is run like a CIA honeypot. This is starting to turn into a conversation about how do you really trust programs written by someone else(in this case, servers run by other people) but I'll save that for later.
I'm not trying to convince you not to use Proton services, as I mentioned, this is a company I give money to every month and feel pretty comfortable using. What I am saying though is not to just assume that Proton, or any privacy company, is going to give you complete privacy if you pay them money. Privacy is a mindset. It's stopping to think what you share, on what platform, and with who, nothing more than that. If you are thinking of using Proton services, think about what you want to share using Proton email and with who. If you're writing to your friends, you're golden. If you are going to start talking to a whistleblower, you are going to need to think a lot more about how you are going to use Proton services, what computers you will use and especially how your counterpart is going to use Proton those very same Proton services. Otherwise, you might run into some serious problems.
Later I might write more about threat models as I think it's an interesting topic that a lot of people would benefit from. I remember reading one too many forum threads where people act as if an email company complying to a court order to get information destroys their trust in that company altogether. I would hope that Proton doesn't take a pro-active stance and starts scanning my documents for potential crimes I've committed but I also know that in reality, any government is going to have to resources to get their hands on information I put out there and it's in my best interests to try to keep that in mind. If at all possible, it's best to protect your privacy yourself and not outsource it to a company.
If you want to respond to this article or give me suggestions on what to write on, send me an email.
The News Upset Me
01/08/2022
So this is the first "actual" post on this blog. I wasn't going to write anything today but reading the headlines gave me the creeps, as if somehow my RSS feed knows that I've become a paranoid privacy nut.
The first thing that made me stop my scrolling in disbelief (or, rather, utter dread) was this article on Gizmodo: These Companies Know When You're Pregnant—And They're Not Keeping It Secret . This is the kind of story that really pushes me toward the idea that privacy solutions ought to be completely technological instead of mostly or purely legal. If you go back ten years, people would have called you an alarmist if you said that abortion rights in the US are not guaranteed and people need to protect themselves in the event that abortions become illegal again. Now laws have changed and women in the US are in a situation where their own internet history can be used to try to prosecute them.
I think that living with the mindset that you should encrypt as much of your internet activity as you can is going to make your life way safer than banking on the legal system to take care of your privacy on your behalf. Having your privacy rely on legal frameworks that can change any time in the future is in my eyes extremely short-sighted. If we could rely purely on legislation to protect our privacy, why would we need to encrypt anything at all? I understand that there are other reasons to encrypt communication that doesn't have anything to do with the government coming after you: encryption protects you from criminals getting your information to misuse, it protects you from third parties learning too much about you, and so forth. This is the very idea behind proposed legislation in the EU that would force messaging services to decrypt communications if issued a warrant. These kinds of laws would allow you to communicate privately with anyone you wanted and the government could only snoop on you if a court gave them the permission to. I mean, fundamentally this comes down to how much you trust government, but not only the current government but what the government could become in the next 5 to 10 years.
I find it funny how when election time comes around, there is a lot of talk about how important it is to vote, as if the will of the people will always reflect values of tolerance and respect. Then we get things like the 2016 US election or the recent Hungarian election happening and a lot of people end of facing the hard truth that there are large chunks of voters who would actually want more restrictive social laws and crave for a more totalitarian power structure. Any find of lingering hope I had in the "grand narrative" of society always progressing to some better future totally evaporated in 2016. It's only a matter of time before we face living in a society that really, really wants us to just stop complaining, stop protesting and quietly work to keep the status quo in place.
This leads nicely to the second news article I ran into today that got me reflecting on the importance of encryption. Just take a look at what one Western government, Australia, is doing to the more active groups in the environmentalist movement. There's a lot of talk about wanting to do more for the environment from governments around the world but if anyone actually tries to do something to upset the current way society functions and highlights the structural problems we face, you will get crushed and made an example of. If the article is to be believed, members of the group can no longer even like each other's posts anymore. This is a reality we might end of facing one day here in Europe too.
After reading these news stories and reflecting on them, I've come to realize that what I'm fundamentally concerned with is where the power to protect your privacy resides. Is it something that is granted to you by society through laws or is it something that you can ensure for yourself? As I've mentioned, I'm firmly of the opinion that at I want to be as personally responsible for my own privacy as I reasonably can. I realize that not everyone feels that way and I respect that. What I want is to be the one who decides what can be known about me. I don't want that decision made by someone else on my behalf.
A Start To A New Cryptography And Privacy Blog
26/07/2022
A sticker warning about automated facial recognition. The sticker was part of a street art campaign.
Around the beginning of the COVID-19 pandemic, so about the middle of March 2020 I saw a video, Let's Crack Zodiac, where David Oranchak introduced the unsolved Z340 that the Zodiac killer sent to papers years ago as a taunt. He and his team would later famously solve it about a year later. The way Oranchak talked about the study of ciphers and what kinds of things you can determine from them fascinated me. I wanted to know more about ciphers and wanted to crack some myself. I joined the American Crytogram Association and I am a member still today.
These kinds of "pen and paper" ciphers have an old-timey "doing the Sunday crossword" vibe to them. I like the idea of staring at jumbled symbols and letters and the answer locked inside them is just staring back at you, almost beyond my reach. Around the same time I started to want to know how modern cryptography works and it's a completely different subject that revolves around mathematics more than wordplay. I found a platfrom called CryptoHack that's made for learning modern cryptography. Solving cryptography challenges has been one of the harder things I ever tried to do. Finally solving a difficult challenge feels amazing, however I'm the kind of person to easily give up on a problem if I can't figure out an answer pretty much right away. When I hit a particularly difficult challenge my mind goes into a dark and self-defeating thought cycle along the lines of "why am I even doing this?", "I'm just not the kind of person that can do this kind of stuff" and "I could be focusing on something way more useful right now". It's a paralyzing feeling that makes me feel horrible. I have a lot of interests and despite really getting into something, my interest fizzles out and it feels like I haven't achieved anything and likely none of my interests will lead me to anything fulfilling.
Despite going back and forth with getting into cryptography and then something else and something else, the allure of cryptography just kept me coming back. I would find books and read more about it's arcane history and the people who dedicated their lives to it. The amazing thing about reading about the history of cryptography to me was that it felt like I had discovered this secret history that despite being out in the open, I had barely even heard about. Names like Whitfield Diffie and Bruce Schneier were familiar to me but who these people were or why they did what they did was something I never considered. This Machine Kills Secrets by Andy Greenberg got me thinking about the power of secrecy and how people involved in this field had amazingly strong moral convictions.
There's a passage in Crypto by Stephen Levy that really resonated with me. It's about Whitfield Diffie and why he was so interested in cryptography despite not having any professional connection with it at the start of his career. I have to say I feel the same way:
He had an unusual drive for getting at what he considered the bedrock truth of any issue. This led to a fascination with protecting and uncovering secrets, especially important secrets that were desperately held. “Ostensibly, my reason for getting interested in this was its importance to personal privacy,” he now says. “But I was also fascinated with investigating this business that people wouldn’t tell you about.” It was as if solving this conundrum would provide a more general meaning to the world at large. “I guess in a very real sense I’m a Gnostic,” he says. “I had been looking all my life for some great mystery. . . . I think somewhere deep in my mind is the notion that if I could learn just the right thing, I would be saved.”
Over the past year or so I've been reading a lot of books on privacy. I think it all started with stumbling upon The Puzzle Palace by James Bramford. It's an old book but it tells the story of how the NSA got started. It's a deeply creepy and fascinating book. It gave me this glimpse of a world I could barely see, a world where most of us are watched for any signs of abnormality or trouble. I hate the idea that there can be all this data on us being collected without our knowledge and this data is being used to determine out suitability to join a certain strata of society. To be honest, I started reading the book because of the cool name but it hooked me.
At parties and group chats I get labeled as a privacy extremist. People feel I've "fallen down a rabbit hole" and value privacy more than is reasonable or practical to. To me it feels like privacy is just something that ought to be the default. I don't like the feeling that there is a system surrounding us taking notes all the time and I'd imagine that most people don't like that either, but the more I talk about privacy the more I've come to realize that I need to be able to talk from experience and by using concrete examples. Even I know that arguing purely from a place of principle only gets you sidelined. Unless you give people reasons to care about something they profess to not really care about, you are just going to sound like a principled idiot.
To this end I've been trying to read more about the idea of privacy and the laws that ought to govern it. The best book I've found so far is Why Privacy Matters by Neil Richards. It not only gives plenty of examples of privacy violations that would deeply creepy out even the most jaded cynic, it introduces the legal frameworks that most western countries operate under and even discusses how the idea of "Privacy Is Dead" came about and how it was likely framed by the very people who harvest our data the most.
The reason I set up this blog is to have a place to write down some of the thoughts I have about cryptography and privacy and just make sense of it for myself. I would like to write reviews of some of the books I mentioned along with other books regarding cryptography and privacy. Now that I've been getting more into modern cryptography, I would also like to give some practical advice to how people could go about implementing cryptography in their own lives if they want to. I was surprised to see that there really isn't too many good tutorials on how to use PGP or encrypt data out there and I would like to try to write some easy-to-follow guides that take the mystery out of a lot of this stuff.
If you've just stumbled upon this blog, I hope you find some of the things here interesting. My public PGP key can be found in the "Who Is m4ra" page here if you want to send me a message. I don't have a public comment section on this blog but you are bound to find my email on the main site if you really want to reach out. That's all for now, I hope that I'll be writing something interesting soon.