The key to privacy

Do you trust the net enough to e-mail your bank details? The answer is probably no, but Charles Arthur says that you could. He explains how
Click to follow
The Independent Online

A few weeks ago I realised that I really had a pressing need to use cryptography for my e-mails. I wanted to examine the household finances for the past year in detail, but our online bank doesn't show more than a couple of months of transactions from our account. What I really wanted was for the bank to e-mail me a copy of all my transactions for the past 12 or 15 months in a spreadsheet-friendly format, so I could just squirt them in and start budgeting.

A few weeks ago I realised that I really had a pressing need to use cryptography for my e-mails. I wanted to examine the household finances for the past year in detail, but our online bank doesn't show more than a couple of months of transactions from our account. What I really wanted was for the bank to e-mail me a copy of all my transactions for the past 12 or 15 months in a spreadsheet-friendly format, so I could just squirt them in and start budgeting.

However, sending a plain e-mail is like sending a postcard – you can't be certain it won't be read. And the internet isn't like the Post Office; nobody has taken any pledges not to read your mail.

Obvious solution: get the bank to encrypt the data before sending it. Anyone who intercepted it would simply see a collection of garbage (such as 3]¡Ï=¢Ó""°(check)flÍ#„Eâí6ɼÛM±sÛç‚L, a sample from a file I encoded recently).

The means to do this are already widely available. Called Pretty Good Privacy (PGP), it's available for free for all platforms (including Windows, Macintosh and Palm), and lately in beta form, via PGP Corporation, which puts a corporate face on encryption methods.

If you're new to computerised encryption, your head will start spinning soon after you begin reading about "public keys" and "private keys". Don't sweat it. The essence is: your computer and PGP create an individual electronic padlock, which you upload to some servers on the net. If someone wants to send an e-mail that only you can read, they download a copy of your padlock from a server, use PGP to lock the data, and send it to you. (Confusingly, the padlock is called a "public key". But it doesn't unlock anything.)

On your computer is your "private key". Only this can unlock your particular padlock. It is protected by two things: it's on your machine, and it needs a password to operate it, which only you (should) know.

So for my bank to encrypt my household accounts, it would have to find my "public key"(think: padlock) online, use it with PGP to encrypt (lock) the data, and e-mail it to me. Anyone intercepting the data midway without my private (unlocking) key couldn't read it. (With multiple "padlocks" you can also encode for multiple recipients, who will each be able to decode the file with their individual private keys.)

PGP works for all sorts of files, including those with pictures embedded, and it doesn't bloat them; I found that a Microsoft Word file with a pictureactually shrank from 1.2Mb to 1.1Mb after being encrypted – and the picture and file came out the same at the other end. You can also "sign" unencrypted e-mails with PGP, to confirm that it hasn't been tampered with en route – useful if you fear being misquoted.

I think the time is ripe for PGP to take off. It's good for safeguarding data, and building up trust in what you read online. It could even be a weapon against spammers if more people refused unencrypted e-mail from people they don't know. It's worth pursuing – especially as it's freeware, so you can't lose financially.

www.pgp.com. What's your take on the need for encryption? Tell us at network@independent.co.uk (public key under "Charles Arthur, The Independent, Network editor" from ldap://keyserver.pgp.com)

Comments