In the wake of the recent (October 2014) activities in Ottawa, I’ve been asked by a few journalists to help explain how people communicate secretly and securely. Their actual request was to explain how terrorists might be communicating to coordinate activities in different locations, though the technology is the same no matter the reasons for communications. Please keep in mind that there are at least as many (if not a lot more) valid reasons to communicate securely as there are bad reasons, so condemning technology for how it’s used is similar to condemning the use of cars because some people use them to harm others. I could use the analogy of firearms and the line, “guns don’t kill people, people kill people”, though there’s enough debate and controversy on that topic already.
One of the simplest ways that secure communications are likely to occur is via voice. There are secure traditional phones that integrate encryption, Voice over IP (internet) phone lines that use encryption (ZRTP being one of the most common technologies), and simple messaging that records an audio clip (usually 30 seconds to one minute) and then sends it to someone else using one of the many different methods of encrypting files (PGP via email, ZIP/RAR with a complex password, or simple SSL with a client program). There are even companies that offer very easy-to-use services for encrypted voice calling, such as Silent Circle and their iPhone / Android apps that take care of everything for you. The cost of setting yourself up to communicate securely via voice ranges from free (provided that you have an hour or two to spend) to a few dollars per month (I believe that the most costly plans tend to be in the area of $20 / month).
Instant messaging platforms offer a lot of options to communicate securely. While it’s very easy to assume that some agency is monitoring everything that goes through a given service, in practice it’s a lot more trouble to intercept some of them. If we take Facebook messaging, for example, anything that you type is going to be stored on the Facebook servers, analysed, and very likely used for targeted advertising and the like. For most people, this doesn’t make a difference – though for those interested in securing their communications (good or bad) Facebook is one of the last methods that should be used to chat. If we consider Apple’s iMessage service, communications are encrypted on your device (iPhone/iPad/Mac/etc.) and are only decryptable by the recipient’s devices. There are of course methods to enable lawful intercept, though they require that the appropriate team working at Apple add an “authorized device” to the accounts of source and destination so that interception software can read anything that is sent or received. In this case, iMessage is a lot more secure, and law enforcement (or some such agency) would need to identify the persons (or accounts) of interest to be able to intercept these communications. There are also custom-developed applications that are used by specific actors (people or entities) and that pass through their own servers (which they control), so the likelihood of having these compromised is very, very low.
Web pages can also be used to communicate securely. Setting up a secured (SSL) web site is very simple these days, and configuring a password-protected forum or discussion board can be done in a matter of minutes. Only people who know the URL (web site address), have a password for the site, and have their own account (username and password) would be able to log in. Rather than a forum or discussion board, software such as Cryptocat or FlashChat could be used for real-time discussions via a web browser.
Document management, email, and other publicly available (and free) internet services are an interesting way to exchange information and communicate in near real time. It is very simple to set up an email account at a free service such as Hotmail, Yahoo, or GMail. If multiple people have access to the account (each from their own computers or mobile devices) then they could all edit a draft message without it ever leaving the mailbox (and so without it being subject to interception by the systems that could read any incoming or outgoing message). Services for storing notes such as Evernote, file sharing such as Dropbox, and document editing such as Google Drive could also be used for the same purpose, with every participant seeing the text that the others write.
To further secure any of the methods described above, the communications could be passed via a secured virtual private network (using VPN software), or a public variant such as Tor or I2P. These serve to hide the real (geographic and logical) locations of the clients (people using the services) and servers (that run the hosting services for web sites, messaging platforms, or even voice chat).
Because computers (specifically the operating systems and all the extra software that is likely running on them) are usually going to be the weakest link in the multiple layers of security, there are USB keys that can be set up to boot into a secured environment that can then be used for secured communications. There are even USB keys that are automatically encrypted and (relatively) tamper-proof, such that they will automatically erase themselves if someone tries to break them open or crack the encryption. To use one, a person simply plugs it into a computer and restarts the computer, booting from the USB key instead of the computer’s normal hard disk. A customized operating system is then loaded with all the tools and programs required for secured communications, be they voice, instant messaging, email, or secure web browsing to the public internet, semi-private networks such as Tor, or private darknets. In a case like this, software that normally runs on computers and is intended to intercept encrypted or otherwise secured communications is rendered ineffective.
Regarding law enforcement and various government agencies being able to intercept these communications, while it’s always possible, the likelihood of them doing so varies based on the method used. In order to decrypt most communications there would need to be a vulnerability in the method used for encryption. This could be in the program that is used, the underlying technology and algorithm, or simply the device (computer, smart phone, tablet, or other) having a piece of malware (virus, trojan, or other) that copies the information before it can be encrypted.
If anyone would like a more detailed explanation of one or more of the technologies named above (or elsewhere), please let me know and I’ll be happy to do so.