How To Talk So The Government Can’t Listen. Part 1: how to encrypt your e-mail in Gmail with GPG (for use with Gmail or other web mail interfaces on Firefox in Windows)

Fellow counter-economists,

Let’s suppose that you want to send somebody a message that contains sensitive information which you want only the person getting the message to see — say an important password or an account number or a transaction that you’d rather keep on the down-low, for no particular reason worth mentioning.

The problem is that e-mail sent over the Internet is normally sent in plain text. Like anything else on the Internet, it passes through several different servers and routers on its way to its final destination. If one of these servers or routers is compromised by a snoop (your ISP, a malicious hacker, the Federalis, No Such Agency…) they can easily set up the computer to keep a copy of your e-mail for the snoop to read at his or her leisure. This is a how-to guide for one way to solve that problem: setting up and using encryption for your e-mail (specifically OpenPGP double-key encryption). In particular, I’ll show you how to set up encryption using GPG (the GNU Privacy Guard) for Gmail, in the Firefox web browser, on a computer running Windows XP or Vista.

The good news is that, while encryption used to be something of a nerd pastime and a hacker dark art, new tools have been developed which make encryption relatively easy to set up and painless to use even for casual computer users. Practically speaking, this is a very important development for anyone who occasionally needs a secure channel for sharing sensitive information. (For example, as a web developer I’ve already guided a few of my friends and business contacts through setting up GPG so that we can safely exchange user login credentials.) If you know where to go for these tools, you no longer need technical expertise, or even a great deal of patience, to get up and running with an easy-to-use setup for double-key encryption of your personal e-mail. You just need a bit of guidance, and that’s what this is for.

I’ve chosen to walk you through the set-up for a very specific software environment because that helps keep things simple and concrete, and because this particular software environment is one that a lot of people — including a lot of my friends — happen to use. But if you don’t use exactly this software set-up, you can still get something from this how-to by changing out one or more of the steps.

A bit of background. PGP (Pretty Good Privacy) is a system for double-key encryption. Double-key encryption works by generating a paired set of encryption keys. A message that’s encrypted using one key can only be decrypted using the other, but someone who has the one key can’t use it to generate the other key. The practical upshot is that you can use one key as a public key, which you give out to everyone, and the other as a private key, which you guard as a secret.

Any message that is encrypted using your private key can be decrypted and read by anyone with access to your public key (meaning, effectively, everybody), but — since only you have access to your private key — it guarantees that only someone with access to your private key (meaning, hopefully, only you) could have written the message. So it acts as a secure form of electronic signature, verifying that it was really you who sent the message.

Any message that is encrypted using your public key could have been generated by anyone with access to your public key (anyone). But it can only be decrypted and read by someone with access to your private key (only you).

And, similarly, if you’re communicating with someone else who uses PGP, and whose public key you have access to, you can (1) encrypt the message using your own private key, and then (2) encrypt it again using their public key — guaranteeing that only your intended recipient can read the message (since only they have access to their own private key), and that only you could have written the message (since only you have access to your private key).

Nowadays, most people who use the technology behind PGP actually use a program called GNU Privacy Guard (GPG) which is an open-source implementation of the same technology. For Windows users, there is a version of GPG called Gpg4Win.

GPG itself is a set of command-line utilities that will generate keys, manage a keyring, and encrypt any text that you pipe in to the program. You could in principle do any encryption you needed to do just by learning how to use these command-line tools, then cutting and pasting to and from text files. But it’ll be far less awkward to manage your keyring through WinPT, a graphical tool that comes with the Windows GPG package. WinPT will allow you to create your own key pair, to upload your public key to a key server so that your friends can find it, and to download your friends’ public keys so that you can encrypt your e-mails to them. Then, if you use Firefox, you can install an add-on that will integrate GPG with the Gmail interface; at the moment, I’d recommend FireGPG.

So here’s a step-by-step guide for getting up and running:

  1. Install GPG and WinPT from http://www.gpg4win.org/

  2. Launch WinPT from the Start Menu. A small icon of a key should appear in your system tray. Meanwhile, you should now see a First Start dialog box:

    Choose Generate a GnuPG key pair and mash OK. You’ll be asked for a name and e-mail address; fill in the primary e-mail address that you’ll be using to send and receive encrypted e-mail. (If you have more than one e-mail address that you’ll want to use, don’t worry; we’ll come back to that later.)

You'll be asked to choose a passphrase for securing your private key. Choose one that's secure -- preferably both long and easy to remember without writing it down. You can include any characters that you can type, including spaces, numbers, punctuation, etc.
The passphrase is used as a cipher on your private key, to increase security, so that you can store it on your computer, or even on a shell account, without having to worry that someone who uses your computer for a few minutes, or has a shell account on the same machine, will be able to compromise your identity by copying the keyring file: only someone with *both* the keyring file and your passphrase will be able to use your private key. You'll need to be ready to enter this passphrase whenever you want to send a signed message, or to read an encrypted message sent to you.

After you've entered the passphrase a second time (to make sure there were no typos), WinPT will churn for a while as it generates a key pair for you.
Once WinPT announces that your key pair has been generated, it will suggest that you make a back-up of your keys on a CD-R, USB drive, or some other external storage, to guard against the day when your hard drive fails (as all hard drives eventually will).
You should probably take their advice: if you lose the local copy of your private key and don't have a back-up, there is no way whatsoever for you to recover it. If you're worried about saving a copy of your private key, remember that your private key is protected by your passphrase.
  3. Now that you’ve created your key pair, it should appear on your keyring: double click on the key icon in your system tray to look at the Key Manager with your newly-minted key pair in it.
If you have more than one e-mail address that you'd like to associate with the same public key, you can associate secondary e-mail addresses with your key pair by right-clicking on your key pair and selecting Add --> User ID.... Then follow the instructions in the dialog box.
Next, you'll want to make it easy for your friends to access your public key, so that they can verify your signature and so that they can encrypt messages for your eyes only. (Remember, you can pass out a *public* key to absolutely anyone; that only allows them to *encrypt* messages *to you*; it doesn't allow anyone to *decrypt* the messages you're receiving.) To do this, right-click on your key pair and select "Send to Keyserver," then click on each keyserver in the submenu.
  4. Now you’ll want to import public keys for people who you might want to send encrypted e-mails to. To start grabbing public keys, click on the Keyserver menu entry. A dialog box should immediately pop up; enter your friend’s e-mail address and then mash Search. For testing purposes, you can grab my public key, for “feedback@radgeek.com” (minus quotes).
When a key (hopefully) pops up for the e-mail address you entered, highlight the key and pull it in to your keyring by hitting "Receive."
If everything goes well, you should see the new public key imported into your keyring.
If you have any trouble getting your friends' public key from a key server, you can always just ask them to send you a copy by e-mail, copy the block of gibberish they send you onto the clipboard, and then Import the public key from within WinPT. Alternatively, if you can call up a copy of their public key in your web browser (through webmail or from your friend's web page), you can use FireGPG, the add-on I discuss below, to directly import the public key from your web browser.
  5. Now, start up Firefox and go to http://getfiregpg.org. Then install the FireGPG add-on.
Once you've clicked through the dialog boxes, and successfully installed FireGPG, restart Firefox.
  6. After you’ve restarted Firefox, go to Gmail and try composing a new message to me at feedback@radgeek.com. There should be some new buttons available for when you send the message.
Hit "Sign, encrypt and send." You should be asked to select a public key from a list. You should select *two* public keys: one for the e-mail address you are sending the message to, and one for yourself. This will encrypt it so that only you and your intended recipient can read the message. (You want to select your own public key in addition to your recipient's so that you can read the saved copy at a later date if you want to; if you choose *only* your recipient's key, then not even you will be able to read the message.)
To select multiple addresses, hold down the Ctrl button as you click each one. Once you've selected the right public keys, mash "OK."

Next, you'll be asked to select a private key to use in signing the message. This should be your own key. Highlight the key and mash "OK" again.
Then enter your passphrase if FireGPG asks for it.
If all goes as it should, your message should be encrypted so that only I can read it, and sent on to me; when I receive it, I should be able to decrypt it using my own private key, and thus verify that you've got a working GPG installation.
  7. If I receive your e-mail and I’m able to import your public key from a keyserver, I can then send you an encrypted message so that you can verify things on your end. If you get a GPG-encrypted message, what you’ll generally see is a bunch of alphanumeric gibberish encased in a distinctive block.
FireGPG should recognize an encrypted message and automatically give you the option to "Decrypt this message." Click through (and enter your passphrase if requested) to view the original message.
  8. FireGPG offers a number of nice features for direct integration with Gmail, but you can also use it to encrypt, decrypt, sign, or verify text in any other webmail service or any other online form. For example, to sign and encrypt text outside of Gmail, just select the text, right-click, and choose FireGPG --> Sign and encrypt from the pop-up menu.

FireGPG will ask you for the public key to encrypt with and the private key to sign with, as usual; when you’re done, the selected text should be replaced with an encrypted block that only your selected recipient(s) can read.
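
The same sequence can be run with the GPG command-line tools mentioned earlier. The script below is an added example, not part of the original guide: it assumes GnuPG 2.1 or later and uses two throwaway keyrings, constructed names and addresses (Alice, Bob, example.org), and an empty passphrase so that it can run unattended.

```sh
#!/bin/sh
# Added example (not from the original guide). Needs GnuPG 2.1 or later.
# Two throwaway keyrings stand in for the sender's and the recipient's PCs;
# every name, address and message here is constructed for the demo.
set -eu
command -v gpg >/dev/null || { echo "gpg not found" >&2; exit 1; }

WORK=$(mktemp -d)
ALICE="$WORK/alice"; BOB="$WORK/bob"
mkdir -m 700 "$ALICE" "$BOB"
ALICE_ID='alice@example.org'; BOB_ID='bob@example.org'

cleanup() {
    for h in "$ALICE" "$BOB"; do
        gpgconf --homedir "$h" --kill all 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gpg_in HOME ARGS...: run gpg non-interactively against one keyring.
gpg_in() {
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --no-tty "$@"
}

# Step 2: create a key pair. Demo keys get an empty passphrase so the script
# needs no prompt; a real key needs the strong passphrase the guide describes.
make_key() {    # make_key HOME "Name <address>"
    gpg_in "$1" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2"
}

# Steps 3-4: hand over a public key. The guide uses a keyserver; here the
# exported text block is passed directly, as in the e-mail fallback.
share_key() {   # share_key FROM_HOME ID TO_HOME
    gpg_in "$1" --armor --export "$2" > "$WORK/pub.asc"
    gpg_in "$3" --import "$WORK/pub.asc"
}

# Step 6: sign with Alice's private key, encrypt to every listed public key.
# --trust-model always skips the check that a key belongs to its claimed
# owner: fine for keys this script made, not for keys fetched from a
# keyserver, whose fingerprint should first be compared with the owner.
seal() {        # seal OUTFILE RECIPIENT_ID...   (message on stdin)
    out=$1; shift
    rcpts=''
    for r in "$@"; do rcpts="$rcpts --recipient $r"; done
    # $rcpts is left unquoted on purpose so it splits into separate options.
    gpg_in "$ALICE" --armor --trust-model always --local-user "$ALICE_ID" \
        $rcpts --sign --encrypt > "$out"
}

# Step 7: decrypt with the private keys in HOME. Prints the plaintext and
# fails if that keyring holds no matching private key.
open_as() {     # open_as HOME FILE
    gpg_in "$1" --status-file "$2.status" --decrypt "$2" 2>/dev/null
}

# True if the most recent open_as on FILE saw a good signature from ADDRESS.
signed_by() {   # signed_by FILE ADDRESS
    grep -q "^\[GNUPG:\] GOODSIG .*<$2>" "$1.status"
}

run_demo() {
    make_key "$ALICE" "Alice Demo <$ALICE_ID>"
    make_key "$BOB"   "Bob Demo <$BOB_ID>"
    share_key "$ALICE" "$ALICE_ID" "$BOB"
    share_key "$BOB"   "$BOB_ID"   "$ALICE"
    MESSAGE='the account number is 0000 (constructed sample)'
    # Recipient's key plus the sender's own key, as the guide advises.
    printf '%s\n' "$MESSAGE" | seal "$WORK/both.asc" "$BOB_ID" "$ALICE_ID"
    # Recipient's key only.
    printf '%s\n' "$MESSAGE" | seal "$WORK/bob_only.asc" "$BOB_ID"
}

run_demo
echo "Bob reads: $(open_as "$BOB" "$WORK/both.asc")"
signed_by "$WORK/both.asc" "$ALICE_ID" && echo "Signature from Alice is good"
echo "Alice reads her saved copy: $(open_as "$ALICE" "$WORK/both.asc")"
if open_as "$ALICE" "$WORK/bob_only.asc" >/dev/null; then
    echo "Alice can read the Bob-only message"
else
    echo "Alice cannot read the Bob-only message"
fi
```

On Windows the same gpg options work from a command prompt once Gpg4Win is installed; only the shell plumbing around them differs.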

Before I go, I’d like to note a few things.

First, as with any computer how-to, your mileage may vary. In particular, as of press time, Gmail has recently introduced a new interface, and FireGPG seems to be doing an imperfect job of coping with it; if you have trouble using FireGPG under the new interface, try flipping over to the old interface (or vice versa), or restarting Firefox. If nothing works, contact me with as much information as possible about what you’re trying to do and what’s going wrong, and I’ll see what I can do to ferret out the problem or point you in the right direction.

Second, let’s be clear about what GPG will do for you and what it will not. GPG provides point-to-point encryption; it ensures that even if a snoop can intercept your e-mail en route, she or he can’t tell what’s in it. It does not conceal the fact that you’re writing to the person you’re writing to. It also does not conceal the fact that you’re writing something you chose to encrypt. If you’re worried about people snooping on what you say, you should keep in mind that they may be able to get a lot of information just by being able to identify who is talking to whom. (If y’all find this how-to helpful, let me know, and we can discuss some techniques for addressing these other issues.)

Finally, remember, no defense against snoops in the middle will do you any good if the intended recipient of the message chooses to turn the information over to a snoop. Technology can secure the line so that you can say what you want to somebody that you trust, without the danger of a third party overhearing. But no technology substitutes for knowing who you can trust and what you can say to whom.

If you have any questions, contact me or drop me a line in the comments. Let me know how it works for you. Consider this my contribution, to the extent that it works out for you, to revolutionary agorist praxis. Enjoy your privacy!

Update 2008-10-29: Since this is written for Google, I’ve made some minor revisions for the purpose of clarity and informativeness.

See also:

  • Configuring GPG (Mac OS X) explains how to get GPG up and running on Mac OS X, and explains integration with several OS X mail readers. If you use web mail, then you can use these instructions to get GPG running, and then follow my instructions to set up Firefox with FireGPG, which should be more or less the same on Windows or on a Mac.

  • Beginners Guide for GnuPG in Ubuntu explains how to get GPG up and running under Ubuntu Linux (or any other flavor of Linux that supports apt-get). Again, you can use these instructions to set up GPG and then follow my instructions to set up Firefox with FireGPG, which should be more or less the same on Windows or on Linux.

  • If you use a desktop e-mail reader rather than webmail, many popular programs have add-ons, plugins, or other ways to integrate GPG painlessly with the e-mail program. For example, I use Mozilla Thunderbird, and an excellent add-on called Enigmail. Similar tools exist for Microsoft Outlook and Outlook Express.


15 replies to How To Talk So The Government Can’t Listen. Part 1: how to encrypt your e-mail in Gmail with GPG (for use with Gmail or other web mail interfaces on Firefox in Windows)

  1. Xaq Fixx

    Great Article! I posted a Podcrash a few weeks ago on the same subject, but in less detail, please have a listen: http://bureaucrash.com/node/podcrash-16-computer-privacy-on-and-offline-why-and-how

  2. bosco

    I just want to let you know that I liked your article and added a link to it in the Counter Economics section of libertyactivism.org. I hope you’ll do an article on anonymous web browsing in the future.

  3. chris-acheson

    Thanks for writing this. I was planning to run a skill-share on PGP a while ago with some local lefties and anarchists, but I’ve since gotten sidetracked. I think I’ll start working on it again, and include your guide with the other handout materials.

  4. mark

    -----BEGIN PGP MESSAGE-----
    Version: GnuPG v1.4.7 (MingW32)
    Comment: http://getfiregpg.org

    -----END PGP MESSAGE-----

— 2009 —

  1. milgram

    Do you have your GPG key fingerprint up on your website anywhere?

  2. Rad Geek

    Milgram,

    Good question. I do now: my public key is available on the Contact Me page. Hope this helps.

  3. Aster

    I have an informed friend who is strongly of the opinion that it isn’t wise to use encryption. He claims that encrypted text automatically attracts state scrutiny, which defeats the purpose. Better to simply develop personal habits of security.

    I don’t like this answer, as habitual suspiciousness is painful, repressive, and unattractive- but given our times this approach might unfortunately be necessary, and then the rational course of action would then be to seek out models for the least suboptimal possible combination of secretive authenticity, and emulate them.

    Do you have any opinion of this?

    At any rate, thank you for taking the time to make this kind of information more widely available to non-specialists.

    I increasingly warm to the idea of agorism and counter-economics, altho’ not if this blurs into a kind of soft-collectivism hostile to, if not to markets as a matter of politics, then to the profit motive as a matter of ethics. I greatly distrust moralism against abstract economic action, or a politics which privileges integration into local society. Individualism is among other things about living what one knows, concludes and creates, regardless of what other people think- and ‘getting to know your neighbours’ doesn’t feel like liberation if you see your neighbours as the ultimate source of, not the defense against, the most visible institutions of oppression (whether this is the case or not depends on where you are in the world and in the class system). The popular fury against ‘banksters’, which conflates hostility to the established financial complex with hostility to the profession of banking as such, bothers me for similar reasons- it’s about “how dare your loyalties be ‘impersonal’, or outside our community”- the term conflates that which is economic without being civic with the criminal. Theories of decentralised economics too often attract people who yearn for this ‘everybody knows everybody’ way of life, with its inevitable dishwater collectivism. I suspect that this is why left-libertarianism has often tended towards a populism close to conservatism, and why contemporary anarchism attracts so many unhappy altruists who find their purpose in life in the moral scrutiny of other people’s use of restroom tissue.

    I similarly would distinguish between two strains of decentralism which could be attached to agorism- economic decentralism as a consequence of a desire to re-establish individual autonomy within markets seems like a great idea; decentralism that begins in a desire to increase the power of local communities seems like a terrible idea. I think if decentralism means ‘all power to the individuals!’ then it’s a great thing, and a powerful reason to tear down corporations and such as well as states. But if decentralism means ‘all power to the localities’, or that people should be connected to and share solidarity with those geographically and socially close to them, then it’s a dangerous idea. Thinking people reject consensus and usually feel more distant from their family, culture, tribe, community, place, and time of origin. The networks, friendship, and communities formed by such people centre form on the basis of chosen convictions, objective areas of concern, and genuine common enjoyment. They differ in kind from the inherited identities and ‘little platoons’ praised by conservatives and communitarians. A decentralism based on voluntary and chosen networks reaching out across the world (and the internet) is progressive. A decentralism valourising immersion in local place and time is regressive. The first connects individuals to individuals and breaks through establishment, prejudice, and formality; the second immerses individuals in the tribe by cutting them off from alternatives.

    Nevertheless, I think the strategy of setting up a second economy, and working with people you trust on terms you choose, can be enormously liberating- and for more reasons than escaping taxes (not that I wish to do anything but honour tax evaders). I find that the same work which is miserable to perform for a boss in a might-as-well-be-the-state corporation can be inspiring and enjoyable if done for one’s own pleasure and profit, in a manner one wishes, with others one respects and cares about and likes working with. And it is increasingly necessary when the mainstream economy is half-crazy and doesn’t work, or is hostile territory for anyone who pays attention to reality above other people or thinks for themselves. And if the philosophic principles implicit in the old libertarian economics are true- if the individual human mind is the source of human value, and organisation which empowers the individual human mind is thereby practical- then agorism done well should also be rewarding- thus providing both incentive and falsifiability for a liberatory politics.

    Are there any agorist forums for the mutual exchange of economic information?- I do not mean communal economic restructuring projects, but something in the spirit of the old libertarianism, which respected individual self-interest and the profit motive. If not, then I think it would be a great idea to start one.

    If activism has taught me anything, it’s that (1) no enterprise succeeds which does not deliver some kind of utility to its participants and (2) building institutions sometimes changes things; trying to influence others only changes you, and for the worse.

  4. Rad Geek

    Aster,

    It is true that if you close your blinds, a snoop will still learn something — that you wanted your blinds closed. And if you send an encrypted message, that will stop a snoop from being able to read your email, but the snoop will still know something — specifically, who you sent the e-mail to, and the fact that you wanted the message (whatever it is) to be opaque to snoops. Depending on your personal or legal situation, this may be of interest and use to the snoop. (Remember that, for example, the Bush administration put an awful lot of effort into compiling secret phone databases which revealed only who called whom and when — even though they didn’t know the content of the calls, they considered the information of interest.)

    I don’t think that the solution to this issue is not to use encryption, though. Encryption is not so much of an actionable red flag that it’s likely to attract state scrutiny just by itself, and any other factor that draws the scrutiny of the state is likely to be present whether or not you’re encrypting your e-mail, so I doubt that there is any security to be gained from sending in the clear. Of course, you should not let e-mail encryption foster a false sense of security or make you forget basics about knowing whom to trust and what to let out when and to whom. Those are more important than knowing how to encrypt your e-mail. But I don’t think that dropping encryption makes people significantly more likely to cultivate other personal security habits, so, I think there are really three other solutions to adopt, and which is the best will depend on the situation. The first two involve adding yet more technical kung-fu. The last is much simpler, and involves social adaptation.

    1. You can conceal the fact that you are using encryption. This can be done by hiding the encrypted message in an innocuous covertext using steganography (for example, interlacing your message into photos of your cats). There are two possible hitches to keep in mind. First, unfortunately, the tools for this are not as well developed for end-users, so it’s still something more of a dark art than encryption is. But that’s a technological problem, which will presumably be fixed eventually. The second is that you do need at least one prior contact with your intended recipient, so that you can establish the fact that you’ll be sending them encoded messages.

    2. You can detach the message from e-mail contacts and deliver it through other means. One of the interesting features of double-key encryption is that, since you can produce messages that only a single recipient can read, regardless of who sees it, you can work out all kinds of crazy delivery mechanisms other than a simple point-to-point e-mail. (As a simple example, note Mark’s message above; it’s encrypted so that only I can read it, so even though it’s posted on a public website, it’s effectively a private message being delivered in public.) So, if both you and your recipient generate key-pairs that aren’t connected to any real e-mail address (when WinPT asks, just give it a nom de guerre and a dummy address — v@fate.net, whatever) and then exchange public keys by some means that won’t tie back to your identities, you can use all kinds of indirection to get messages to each other without a traceable point-to-point e-mail message — for example, by using anonymizing re-mailers or by posting encrypted blocks to public websites that your contact knows to look at (use Tor to conceal your IP; go down to the nearest public library; whatever).

    3. But the most important, and the simplest thing, is simply to mainstream encryption. The more people use encryption for innocuous purposes, the less of a predictor it is for the Stasi-statists, and the more people using it for any purpose, the more swamped they are to single out any one person. As a matter of fact, I have my GPG tool set up to encrypt anything I send to people I have a public key for, regardless of whether or not the subject-matter is sensitive — because it makes it harder for me to forget to encrypt something that is sensitive, and because it increases the noise-to-signal ratio for anybody snooping. Part of my aim in publishing this tutorial is not only to help other folks out by showing them how to use these tools for their own benefit, but also to help myself and my friends out, by making our own use of encryption less peculiar, and therefore less likely to attract any unwanted attention.

    On agorism: I certainly don’t think that there’s anything wrong with a profit motive. Agorism is typically hostile to the establishment economy (hence counter-establishment economics), but not because people operate on a profit motive in it; rather because their profits and losses are regimented by the State, often profit from State plunder, and in any case are surveilled and policed by the State. But one of the chief points of Konkin’s presentation of agorism is that counter-economics is different from traditional activism precisely because counter-economics is based on a profit motive, rather than just the hopes and the good intentions of the activist. Building the counter-economy is a matter of taking on the risks of detection and retaliation by the State in return for the rewards of avoiding taxes, avoiding regulation, avoiding the degenerate state-capitalist workplace, and making an honest living while undermining State power as a byproduct of self-interested action. As for the embrace of the informal sector, neighborhood networks, and the like — I agree that this is very far from being a panacea. It will not work perfectly for anyone and it will not work much or at all for some people. That’s something that agorists need to take into account in our strategy and our practice. But of course the point of comparison here can’t be an idealized picture or frictionless model of the formal sector or of official public institutions; when we say things like Call your neighbors, not the cops, it’s not because neighbors are perfect but rather because, in any given social situation, the odds are that, however bad neighbors may be, the cops will probably be worse; if there’s no way to scratch together the money that you need through person-to-person connections, it’s unlikely that official-sector bankers are going to be more solicitous. 
(These things aren’t true of every conceivable situation, but they are true of most, and for systemic reasons having to do with the positions that cops and official bankers, for example, are in.) And as you mention, there is an important and a growing role for informal connections that don’t depend on accidents of geographical proximity, or shared workplaces, or shared schooling, but rather can be based on non-geographical communities, on communities of philosophical or political affinity, or, hell, on all liking the same show about spaceships blowing each other up. That’s an informal sector no less than your neighborhood is, and one which I believe people will — if we work at it — be more and more able to work within, and to find an honest living, and friends, and comrades, and some meaning and joy, too, through these non-geographical forms of association.

    As for forums: I dunno; I’ve been a bit out of the loop as far as forums go. Do you mean a place to make actual connections for the purpose of trade, or a place for general discussion and swapping stories, strategies, etc.? In either case, I don’t have much of an answer handy, so I’ll throw it open to the audience: do any of y’all know of good places to go?

  5. Soviet Onion

    Charles,

    I wanted to ask you a minor question about FireGPG that could indicate a major defect. Since Gmail automatically saves drafts of messages you plan on encrypting, any sensitive information within the draft will be temporarily stored on their servers and visible to someone at the other end, without already being encrypted. I don’t know of any way to deactivate this; I’ve also checked on forum communities dedicated to PGP and no one there seems to know either.

    This isn’t a huge compromise, because once you send the message the draft is erased and saved as an encrypted “Sent” message. But it does create a window of vulnerability for however long that draft is there, and if anyone happens to already be watching you …

    It’s for that overly paranoid reason that I prefer to use the Enigmail plugin for Mozilla Thunderbird for encrypting messages, while FireGPG is more convenient for signing my regular ones (and has a much better looking interface).

    An easier but less perfect solution is to simply type your messages out in some other word processor, and then copy, paste and send in short order.

    You’re much more experienced with this than I am, so I can’t imagine something like this slipped your mind. Is there a way to deactivate the autosave feature in Gmail?

    Aster,

    I’ve been thinking about these myself recently; the subtle divide between a liberatory and unliberatory ethic of community and collective action, and how anarchists (“social” and “market”) are too eager to pander to the wrong kinds of populism while being incapable of even recognizing how this constitutes a problem, or how principles are being compromised in the process.

    I want to give a more thoughtful response, but I have a job interview this morning. You know how it is.

    For now, if anyone’s looking to start their day on an optimistic note, I’d recommend taking a look at this video from, of all people, the Wall Street Journal, and seeing Ms. Pilaporne’s little bit of beautiful entrepreneurship at work.

  6. Nick Manley

    How exactly would one organize such a thing in an age of sweeping powers of surveillance? I talk freely on the net already and suffer no repercussions — I assume I could be on a list somewhere, but I don’t go to any major demos or am involved in any visible organizations.

    I mean, the fact that Aster, Charles, and Soviet are talking about this on a well known radical forum illustrates my point. Is there really any encryption powerful enough to withstand the CIA or NSA’s or FBI’s most concerted effort? In America, we know that the line between civil policing and national security snooping has been severely eroded. My political views already mark me as a terrorist. I’d honestly rather work aboveground than risk prison time — not that I wouldn’t protect the secrecy of those who choose otherwise.

  7. Chris Acheson

    Nick-

    Cracking a single message takes such a ridiculous amount of computing power that I have doubts about even the alphabet soup’s ability to do so in a reasonable amount of time.

    The encryption algorithms are not the weak point. If they’re serious enough to try to crack your message, they’re also serious enough to just black-bag you and torture you until you give up your passphrase.

    That said, I do agree with you about the aboveground/underground distinction.

  8. Nick Manley

    Good to know it’s powerful. I was told that the best software is criminalized though. I don’t even remember my passphrase lol.

  9. chrisacheson.net

    Nick-

    There used to be export restrictions on strong cryptography, back in the 90s, as it was classified as “munitions”. International versions of Netscape and Internet Explorer used weak cryptography (easily crackable by the US government) because of this.

  10. Soviet Onion

    I can’t imagine those restrictions stopped anybody who really wanted the stuff, unless simple possession was also criminalized by the home countries. When email is outlawed, only outlaws will send emails.

    Was this a big part of the impetus behind the development of open source alternatives?

  11. chrisacheson.net

    Soviet Onion-

    The Export of cryptography article on Wikipedia gives a decent summary. The US government was concerned about foreign governments acquiring strong encryption technology, but didn’t restrict its use domestically. Other governments have imposed domestic restrictions on strong cryptography, but it’s also possible to use weak encryption to mask your use of strong encryption.

    I’ve heard that Phil Zimmermann and friends skirted the export restriction by publishing the PGP source code in books, which were then exported and OCR’ed.
