I would like to mention that this article is non-technical. I first wrote this for my classmates. I then added a few extra things and here I am, sharing it with whoever is concerned about privacy and surveillance issues.
This article's main purpose is to give Internet users reasons to use the web in a privacy-preserving manner. I have also tried to raise awareness of surveillance issues by sharing videos, papers, articles and leaked documents. A short interview with Werner Koch, creator of GnuPG, is included, which I hope will change your perception of privacy. This is Part 1 of the article. Part 2 will include technical information and focus on how it can be combined with the topics analyzed here. I hope you enjoy this article as much as I enjoyed writing it.
The Tor Project is nothing more than a network, called the Tor Network, built from volunteer-operated servers all around the world. By "volunteer-operated servers" we mean a fair number of computers that, by dedicating some of their computing power, make up the Tor Network. The main purpose of the Tor Project, aka Tor, is to allow people to improve their privacy and security on the Internet. Here is a brief explanation of how Tor works:
"Tor's users employ this network by connecting through a series of virtual tunnels rather than making a direct connection, thus allowing both organizations and individuals to share information over public networks without compromising their privacy. Along the same line, Tor is an effective censorship circumvention tool, allowing its users to reach otherwise blocked destinations or content. Tor can also be used as a building block for software developers to create new communication tools with built-in privacy features." via Tor Project
Many people, from different groups, organizations and even countries use Tor for different reasons. For example, journalists use Tor to communicate with whistleblowers. Groups such as Indymedia use Tor to keep their members' online privacy secure and other people may use Tor to visit/create websites or communicate with others without leaving a trace of their real location.
To understand how Tor works, a brief introduction to traffic analysis is required. In a nutshell, traffic analysis is the process of collecting, analyzing and reviewing traffic in a network. It can be used to infer who is talking to whom in a computer network. This can eliminate your privacy, as it may reveal your origin to everyone who intercepts the network communications you participate in. This will occur even if the communication is encrypted. Internet packets have two parts: the header, which includes location, size, time and more, and the data payload, which carries whatever is being sent, such as a web page, images, emails and more. It follows that whoever is authorized (or not) to intercept our communication will also be able to see the header and the data of the packet (encrypted or not). That is a problem for privacy-concerned people, as this reveals critical information. Moreover, most of the time, it is against human rights.
This is where Tor comes in.
It is a distributed, anonymous network where your requests are distributed over several places on the Internet (volunteer-operated servers) to make traffic analysis almost impossible. Instead of being sent to the destination directly, your packets on Tor take a random path, passing through several relays that cover your tracks. The private pathway is created by the user's software or client, which builds a circuit of encrypted connections through the Tor relays. Each relay only knows the data source (the relay that gave it the data) and the destination relay. No single relay knows the full path that has been followed. Moreover, to ensure that each hop can't trace the connections as they pass through, the client negotiates a separate set of encryption keys for each hop.
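The layered circuit described above can be sketched in a few lines of Python. This is an added example, not code from the Tor Project or from the original article; the relay names, `example.org`, the randomly generated keys (standing in for per-hop key negotiation) and the SHA-256-based toy cipher are assumptions made for illustration and are not Tor's real cryptography.

```python
import hashlib
import os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (assumption, NOT Tor's cipher): XOR with SHA-256(key || offset)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(path, keys, destination, payload: bytes) -> bytes:
    """Client side: add one encrypted layer per relay, innermost (exit) first."""
    next_hops = path[1:] + [destination]
    cell = payload
    for relay, nxt in reversed(list(zip(path, next_hops))):
        header = bytes([len(nxt)]) + nxt.encode()   # hop names must be < 256 bytes
        cell = keystream_xor(keys[relay], header + cell)
    return cell

def peel(relay_key: bytes, cell: bytes):
    """Relay side: remove exactly one layer, learning only the next hop."""
    plain = keystream_xor(relay_key, cell)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]

def route(client, path, keys, destination, payload):
    """Send a cell through the circuit and record what each relay could observe."""
    cell = wrap(path, keys, destination, payload)
    seen, prev, current = {}, client, path[0]
    while current in keys:                 # stops at the destination (it holds no relay key)
        nxt, cell = peel(keys[current], cell)
        seen[current] = (prev, nxt)        # this pair is the relay's entire view of the path
        prev, current = current, nxt
    return seen, current, cell

def relays_knowing_both_ends(seen, client, destination):
    """Relays that saw the client AND the destination; empty for a multi-hop circuit."""
    return [r for r, view in seen.items() if client in view and destination in view]

if __name__ == "__main__":
    path = ["guard", "middle", "exit"]               # constructed relay names
    keys = {r: os.urandom(32) for r in path}         # stands in for per-hop key negotiation
    seen, reached, data = route("client", path, keys, "example.org", b"GET / HTTP/1.1")
    for relay, (prev, nxt) in seen.items():
        print(f"{relay:6} sees traffic from {prev!r} going to {nxt!r}")
    print(reached, data, relays_knowing_both_ends(seen, "client", "example.org"))
```

Running the same functions with a one-relay path returns that relay from `relays_knowing_both_ends`, which is why a circuit uses several hops.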
If new connections are requested within the same ten minutes, the same circuit will be used. Once a connection is requested after more than 10 minutes, a new random encrypted pathway will be used to avoid linking earlier accounts to the new ones.
Finally, "The variety of people who use Tor is actually part of what makes it so secure. Tor hides you among the other users on the network, so the more populous and diverse the user base for Tor is, the more your anonymity will be protected."
There are many examples of how Tor has really helped against Internet censorship in real life. A characteristic incident is the one that took place in Turkey when Turkey's online censorship banned Twitter. A few days after Twitter's ban, a huge amount of traffic was noticed on the Tor network, with more than 50.000 new nodes appearing.
As Tor is a service that provides anonymity, and behind the mask of anonymity people can do many things (illegal or not), I decided to share an interesting PDF I found on EFF's website that mentions some myths and facts about Tor. Here it is:
More myths are expected to come up as long as Tor continues to exist and becomes more and more popular. "Tor is a service that helps protect your anonymity while using Internet [...]". It is available to everyone, which means that it is almost impossible to avoid "alternative" use by some people. What I want to say is that Tor has helped people encrypt their communications during wars, reach their families and more. It is simply silly to judge the whole Tor Network because of some illegal activities that take place there, simply because these activities can take place in real life too, without using Tor. So, let's ask ourselves, what is more important?
In a nutshell: GnuPG is powerful free software developed by Werner Koch that allows you to encrypt and sign data and communications by using a combination of asymmetric and symmetric cryptography. It has many features and it also supports symmetric encryption algorithms (default: CAST5). It is a command-line replacement of PGP that supports many algorithms such as: DSA, RSA, AES, Blowfish and more. For example, I can use GnuPG to sign a message with my private key and forward it to my friend. Then my friend, as long as he has my public key, will be able to use GnuPG to verify me as the original sender. Here is the official GnuPG manual.
As I wanted to include the voice of an expert in this article, I decided to contact Werner Koch, the creator of GnuPG, and hold a conversation with him about his tool and its history, his opinion about privacy and more.
Q: What is GnuPG? How did the idea about GPG come?
A: GnuPG is a free replacement of PGP, a software written in 1992 to allow for confidential communication over electronic networks and bulletin board services. PGP was not free because it was affected by at least two software patents and an unclear legal status. PGP's slogan was "encryption for the masses" in contrast to the fact that usable encryption was only available to governments and the military. GnuPG does the same as PGP but as fully free software and in a way that it is better usable on Unix systems. In April 1997 a first patent on public key encryption expired and thus it was possible to deploy free software unaffected from patents in the US. The patent was only valid in the US. Now the US had some stupid rules on the export of cryptography software which were only lifted years later. The result was that people in the US could not write any cryptographic software because that software would inevitably leak outside of the US and face the authors with criminal investigations. Thus it was required that non-US natives outside of the US had to take up this part. Importing into the US was never restricted. In autumn 1997 I attended a talk by Richard Stallman in Aachen/Germany where he asked the attendees to start working on cryptographic software because that is now possible and it needs to be done outside the US. Maybe due to Germany's wire tapping scandals in the 1970s, I have always been interested in systems to make this harder. Thus I found myself hacking on a PGP replacement after that talk and finally released a first version by the end of that year.
Q: My classmates, friends and a large amount of people, even today, think that there is no reason to encrypt and sign their data and communications because they have nothing to hide or because nobody will ever intercept their communications. Are they correct?
A: I doubt that anyone can seriously state the latter after the Snowden revelations. Even before, in 2000, the Echelon spy project raised quite some attention on what secret services are doing and triggered hearings in the European Parliament. Nothing to hide: They should think again about it. Taking notes about experiences with illegal drugs - should the police know about this? Stupid things one did in the past - should that be on the record for all time? How should journalists protect their sources - sure there are things to hide. Many people in Germany with lots of money won't like that the tax office gets notice that they have secret accounts in Switzerland (well that might actually be a counter-argument). Love letters all readable by others? Nothing to hide? We decide what to hide and what to publish. We and only we - not the state. For businesses it should be pretty clear that encryption is important. Commercial espionage has always been a major threat for many businesses.
Q: So, according to your previous answer, would you recommend everyone encrypts his/her communications/data?
A: Sure. It is a bit more work but we also put letters into envelopes for a reason. Well if you want to publish something you should of course not encrypt it. Thus most of _my_ mails are not encrypted because they are addressed to public mailing lists. However, I encrypt all private and business communication if the recipient has an encryption key. If I have to send real sensitive data and there is no way to encrypt it, I resort to paper+envelope even if the recipient wants me to send it by mail.
Q: Yes, but as we saw in the paragraph above - about Tor - criminals, drug users/sellers and others use encryption tools to encrypt their communications. Will the Feds knock on my door if I use GnuPG to communicate with my friends for example?
A: Unless you are living in a police state the human right to keep communication private has always been held up. I am pretty sure that Greece is currently not a police state (although Mrs. Merkel and her neo-liberal followers are working hard to change that); I am not so sure about some of the other high tech countries. To quote Phil Zimmermann: If privacy is outlawed only outlaws will have privacy. A bit more seriously: Encryption is a requirement of our economy and it can not be banned simply because that would bust the banks. They entirely rely on fast secure electronic communication. GPG is actually used by a lot of payment providers behind the scenes to protect web based payments.
Here I would also like to mention something. As said before, many people think that they have nothing to hide because they don't participate in illegal activities or because they simply don't care. Even if you have nothing to hide - which is a selfish argument - think of this: "It is true that I may not be ill, it may be true that I am not blind, I still want to live in a world that has hospitals. I still want to live in a world where the street has accessibility for blind people. And it is also the case that I want to have a world where everyone has privacy and thus confidentiality and integrity in their daily lives without having to ask for it [...]" - Jacob Appelbaum
Here are some nice sources that helped me create this article. I have included many useful videos, papers and leaked documents for everyone who wants to broaden their horizons and refresh their knowledge.
This was Part 1 of the article. Part 2 will analyze the technical aspect of these topics. More papers, articles, videos, talks will also be included.
To be continued...
Thank you for reading,