Public until proven otherwise

secure apps?I once heard of a TV journalist who kept the names and addresses of his Syrian sources in a little black book, and all the video he shot of activists, complete with faces, on an open hard drive.

He was detained by the secret police in Damascus, which was scary for him, but worse for his contacts. In his easily accessible files he had neatly identified, catalogued and given phone numbers for a significant band of people the regime was trying to catch for daring to protest.

The journalist was freed, shaken but unharmed. The activists fared much less well. Despite frantic efforts to warn each other and flee, some were caught and haven’t been heard from since.

That all happened before the Snowdon revelations and is a reminder that, even if you’re unfazed by GCHQ and the NSA reading your less-than-riveting emails or tapping your boring phone conversations, issues of data security are often deadly serious.

As a blogger who sometimes works in regions were information too often has a horrible life-and-death quality to it, how can I, how can we, live up to the responsibility to protect ourselves and other people? We can only do it by protecting the data we share and safeguarding our communications.

It’s often said that nothing online is private and as the Snowden files have shown, this may well be true. Nonetheless, we have a duty to not simply resign ourselves to that sorry state of affairs. We must not roll over so easily.

Our responsibility is to do whatever we reasonably can to keep private and sensitive information exactly that – private.

Which is why at the moment, the issue of secure communications has become a bit of a hobby of mine, even if it can seem school boyish at times. Or amateur James Bond, with a touch of tin-foil hat.

It’s not just about wanting Yahoo and Google to stop profiling me via my email content. It’s not just about wanting my own government to stop archiving all my electronic transmissions.

The lesson from that true example in Damascus is that sometimes people need these tools to protect lives.

Let’s start with email. Email was never really designed to be private and anonymous. When it was developed 40 years ago the main focus was to share research data from one computer to another.

I doubt the words anonymity and security even crossed the minds of the geeks involved in its design.

Email headers and routing protocols show you who’s sending and who’s receiving. That’s just how it works.

I’m no expert in all of this and neither is 99 per cent of the population. But many are now fed up of governments snooping and archiving, companies scraping data in order to profile its users so it can serve more effective adverts. I’m all for the big wins big data can bring. But only when there’s the option to opt in or out

I’m inherently and, I’m sure, rightly, suspicious of any App or platform that say’s it’s secure. I’d hate to recommend anything with a confidence I can’t back up with irrefutable evidence. And that evidence would have to come from the experts and obsessed, people who have rolled up their sleeves and rummaged deep down and dirty in all the hard and software, picking it apart into digestible code and reassembling so they could totally understand how it ticks. How it talks.

A catch with that is, even if an App is declared safe by those qualified to do so, and the encryption algorithms have at least a few years headstart, what if someone has inserted malware onto the hardware, to log your keystrokes, or intercept your voice and camera data before it even hits the App?.

If i’d suggested that last year I’d really have been burnishing my paranoia credentials. Post-Snowdon – and the revelations are still coming remember – all this is a very real proposition and perhaps even old news to some.

Protecting against that is a tough call, short of setting up off-line ‘air-gap‘ computers in basements, as The Guardian has done.

True open source licensing is a crucial element here because it allows real scrutinisation. Thankfully more and more open source software solutions are gaining visibility. But we also need more open hardware if we are to really have confidence about securing our communications, short of that isolated laptop in a deep dark basement.

Nonetheless, there are more reasonable steps we can take to protect our data, and, in the case of the Syrian mukhabarat, to not merely do their spy work for them, however inadvertently.

We can make accessing private data time consuming or irritating enough to make a difference. A few more hours for the secret police to get into that data, for example, might have helped one more Syrian activists escape unharmed.

On a larger scale, if we care about the principle of privacy in our own societies, we have to make strong encryption normal practice, for everything. Not just a journalist and his Syria contacts, but you and your shopping list and everything in between.

Sure, these steps may not stop the shadowy agencies that like to listen in from listening in, but at least they’ll start to realise that we don’t want them to and that, if the law won’t protect us from unwanted intrusion, that we will do what we can to protect ourselves. Consider encryption an act of protest and dissent, one that doesn’t even require you to stand at a barricade or get teargassed.

The principle of privacy, if we want privacy, needs to be fought for at every level. It has become a terrible cliche to talk about George Orwell’s nightmare vision of 1984, but, well, read the book again and be reminded of the horror it depicts. And then realise how short a step it is from the telescreen to your iPhone screen.

If governments can peek through your webcam, so can the criminals. If governments can read your email. So can the criminals.

Sometimes they’re the same thing.


PGP, VPNs, or encrypted apps, If you’d like to know more about the tools I’m using, please ask me when you see me. This kind of information can date quickly.

If you’d like to share what you are using, please leave suggestions in the comments below. Or ping me on one of the channels listed on the top of my blog. My PGP keys are on the usual servers.

(A version of this article appeared in The Guardian)


  1. Paul Thompson says

    Really good article, but the word geeks sticks out like an unnecessarily sore thumb there.

  2. says

    Christian, spot on! Reminds me of the old adage: “Trust but Verify”. In this digital space, even that’s too loose, backwards. So the 21st Century adage in the digital space is: Verify then trust.

    • says

      Thanks Jeff. I’m not sure we can trust any comms passing through closed devices and networks. Let’s see how things change over the next few years.

  3. Evert says

    Good read and interesting topic.
    I’ve recently started using the various tools offered by the Guardian Project which are mostly based around TOR.
    They seem to offer a good level of encryption and security but as with all third party infosec tools there is always a niggling worry about a backdoor.

    • says

      True. it’s our closed devices i constantly thing about. We can be pretty sure they do have backdoors which renders all out our attempts to lock down data futile.