NetAction Notes

Published by NetAction
Issue No. 75
October 4, 2001
Repost where appropriate. See copyright information at end of message.

IN THIS ISSUE:

NetAction's Guide to Using Encryption Software
About NetAction Notes

NetAction's Guide to Using Encryption Software

Is there data on your computer that is strictly confidential? Do you send or receive email containing sensitive information about your organization's activities? If you answered "yes" to either question, you need encryption.

Encryption is a software tool that uses scrambling to make data unreadable to anyone other than the intended recipient. Internet users who make purchases online are undoubtedly familiar with one form of encryption, the Secure Socket Layer (SSL) technology used to safely transmit credit card account numbers to e-commerce web sites.

You may also have heard about encryption if you've been following developments in Congress since the September 11, 2001 terrorist attacks on the World Trade Center and the Pentagon. Along with the proposals for expanded government surveillance of suspected criminals, the attacks have prompted calls for restrictions on the use of encryption software by policy makers who fear its potential misuse by terrorists.

But encryption is useful for many legitimate purposes, and restricting its use is far more likely to cause harm than to thwart the plots of terrorists. For example, encryption is used to safely communicate information about human rights abuses in nations where other forms of communication are restricted. Also, a nonprofit organization may use encryption to maintain the privacy of personnel records, bank account numbers and internal memos stored on networked computers.

Moreover, Internet activists and nonprofit organizations are not immune to malicious hackers or unwarranted government surveillance, both of which are more likely in the aftermath of the September 11 terrorist attacks.

Since many Internet users are not familiar with encryption software, and consequently not using it when perhaps they should be, we have prepared a guide that focuses on its use in the context of Internet activism. NetAction's Guide to Using Encryption Software is available on the web at: http://netaction.org/encrypt/.

The guide includes a primer on how encryption software works, an introduction to the basic features of encryption software, a glossary of cryptography terms, and brief reviews of several free and low-cost encryption software programs that may be useful to nonprofit organizations or Internet activists. We also include links to numerous online sources of more detailed information on both the technical and policy aspects of encryption. The guide can be used online or downloaded and printed for easy reference.

Should you be using encryption? If the data on your computer is sensitive or confidential, it's simply prudent to protect it. If you can answer "yes" to any of the following questions and you're not already using encryption, our guide can help you get started.

Encryption software may be intimidating to Internet users who are not technically adept. Some software programs are definitely easier to use than others, and the reviews included in our guide should help you identify programs that best meet your needs.

All encryption software uses algorithms, which are complex mathematical processes, to scramble and unscramble data. Fortunately, you don't need to know anything about algorithms to use encryption software. Two factors are important in assessing an encryption program: 1) the number of "bits" and, 2) the type of "key."

"Bits" are strings of binary numbers, and the important thing to know is that higher numbers are better. Most encryption software tells you how many "bits" are used. For example, when you download a new Netscape web browser you have a choice of 56-bit or 128-bit encryption. If you choose 128-bit encryption, you get a stronger encryption program.

"Keys" are the passwords that you use to scramble and unscramble data, and the important thing to know is that encryption software can work with one key or two keys. Encryption programs with only one key are called symmetric-key encryption; they are easier to use, but less secure. Encryption programs with two keys are called asymmetric-key encryption; they are more secure, but also more complicated to use. (See the guide for a detailed explanation.)

Some encryption programs are useful for scrambling or hiding files that you store on your computer. Symmetric key encryption is fine for this use, since nobody else needs the key.

Other encryption programs are useful for sending and receiving scrambled email messages. Asymmetric key encryption is safer for this use because the sender needs a key to encrypt the data and the recipient needs a key to decrypt the data. It's possible to use the same key to send and receive encrypted email; it just won't be as secure because the sender has to give the key to the recipient, and it could fall into the wrong hands. (Again, see the guide for a detailed explanation.)
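The difference between one-key and two-key email encryption described above, as an added Python example that is not part of NetAction's guide. It uses the third-party `cryptography` package; the helper names and the sample message are constructed for illustration, and in the two-key case the public key locks a one-time message key, a common way to apply two-key encryption to messages of any length.

```python
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
MESSAGE = b"Constructed sample: meeting moved to Tuesday."  # not real data


def one_key_exchange(message):
    """One key: the same key scrambles and unscrambles, so it must be sent too."""
    key = Fernet.generate_key()
    # Everything the sender transmits, i.e. what an interceptor can copy.
    return {"key": key, "ciphertext": Fernet(key).encrypt(message)}


def two_key_exchange(message, recipient_public_key):
    """Two keys: only the recipient's public key is needed to send."""
    message_key = Fernet.generate_key()
    return {
        "wrapped_key": recipient_public_key.encrypt(message_key, OAEP),
        "ciphertext": Fernet(message_key).encrypt(message),
    }


def recipient_open(sent, private_key):
    """The private key never leaves the recipient's computer."""
    message_key = private_key.decrypt(sent["wrapped_key"], OAEP)
    return Fernet(message_key).decrypt(sent["ciphertext"])


def interceptor_can_read(sent):
    """Try to unscramble using only material that crossed the network."""
    for candidate in sent.values():
        try:
            Fernet(candidate).decrypt(sent["ciphertext"])
            return True
        except (InvalidToken, ValueError):
            continue  # not a usable key for this message
    return False


def demo():
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    shared = one_key_exchange(MESSAGE)
    sealed = two_key_exchange(MESSAGE, private_key.public_key())
    return (interceptor_can_read(shared), interceptor_can_read(sealed),
            recipient_open(sealed, private_key))
```

`demo()` returns whether the intercepted one-key traffic is readable, whether the intercepted two-key traffic is readable, and the message as the intended recipient recovers it.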

Until recently, the availability and use of encryption as a matter of public policy was primarily of interest to information technology professionals and privacy advocates. But the renewed calls for restrictions on encryption should be of concern to anyone who uses the Internet for activism because they pose a potential threat to the security of all online advocacy efforts as well as to any data stored on networked computers.

Our guide includes pointers to several excellent sources of information on the public policy aspects of encryption. A good starting point for up-to-date information is the Electronic Privacy Information Center's Cryptography Archive.


About NetAction Notes

NetAction Notes is a free electronic newsletter, published by NetAction. NetAction is a California-based non-profit organization dedicated to promoting use of the Internet for grassroots citizen action, and to educating the public, policy makers, and the media about technology policy issues.

To subscribe to NetAction Notes, send a message to: . The body of the message should state: subscribe netaction
To unsubscribe at any time, send a message to: . The body of the message should state: unsubscribe netaction

For more information contact NetAction by phone at (415) 215-9392, by E-mail at , visit the NetAction Web site or write to:

NetAction * P.O. Box 6739 * Santa Barbara, CA 93160

Copyright 1996-2003 by NetAction. All rights reserved. Material may be reposted or reproduced for non-commercial use provided NetAction is cited as the source.