As the resurgence of the EARN IT Act shows, we’re all in need of tools for communicating privately online.
As the resurgence of the EARN IT Act shows, we’re all in need of tools for communicating privately online.
With the Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act, two U.S. senators have reintroduced a surveillance bill that could have major impacts on privacy and free speech, turning the offering of encryption services into legal risk territory for service providers.
While the censorship of free speech is already flourishing on public platforms such as Twitter, the EARN IT act would enforce the transmission of all communication between users in plain text format, transforming our inboxes into searchable data mines. But here’s the good news: there are numerous ways to encrypt our communication by ourselves.
“Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.”
–John Perry Barlow, “Declaration Of Independence Of Cyberspace,” 1996
The EARN IT Act, first proposed in 2020, seeks to amend section 230 of the Communications Act of 1934, which originally regarded radio and telephone communication, granting service providers immunity from civil lawsuits for removing inappropriate content.
The Communications Act of 1934 was first overhauled with the Telecommunications Act of 1996, which included the Communications Decency Act, aiming to regulate indecency and obscenity on the internet, such as pornographic material. Section 230 of the Communications Decency Act protects service providers from legal proceedings regarding content issued via their platforms by stating that service providers are not to be understood as publishers. It is this section which the EARN IT Act attempts to alter, putting more responsibility on website operators and service providers.
Under the guise of stopping the distribution of child pornography, the EARN IT Act would render the deployment of end-to-end encryption and other encryption services as punishable acts, which would affect messaging services such as Signal, WhatsApp and Telegram’s Secret Chats, as well as web hosting services such as Amazon Web Services, pressuring service providers to scan all communication for inappropriate material.
If the EARN IT Act is passed, our inboxes will turn into fully-searchable databases, leaving no room for private conversation. While it may be possible to forbid end-to-end encryption as a service, can the banning of the use of end-to-end encryption be deemed unconstitutional by infringing on our right of the freedom of speech, as encryption is nothing but another way to communicate with each other in the form of written text?
While it is unclear whether the EARN IT Act will pass at the time of writing, it is clear that the regulation of speech is a tedious and close-to-senseless endeavor on behalf of governments, as it is impossible to stop the spread of words without divulging toward a totalitarian superstate. We can all use encryption to stay private in our communication, ranging from easy-to-use cyphers to military grade encryption mechanisms.
Circumventing The Twitter Police With Cyphertext
Anyone who isn’t careful in their communication on public platforms such as Twitter has probably spent a fair share of time in the ominous “Twitter jail”: preventing them from posting on the platform for defined periods of time as a consequence of saying things the Twitter algorithm found inappropriate. An easy way to circumvent surveillance and, consequently, censorship by the Twitter police is ROT13 encryption.
ROT13 is an easy form of encryption which circumvents the readability of Twitter’s policing mechanisms by rotating letters by 13 places, initially used to hide the punchlines of jokes on Usenet.
Want to express your opinion on COVID-19 without getting punished by the Twitter algo? Rotate the letters of what you’d like to write by 13 places, making your text readable for anyone who knows that you’re using ROT13 encryption, while causing the Twitter algorithm to detect nothing but gibberish in what you wrote. For example: “COVID SUCKS” turns into “PBIVQ FHPXF.” ROT13 encryption can be translated via free online service providers such as rot13.com, or by hand via the board below.
While ROT13 is not deemed a secure form of encryption, as anyone may be able to decipher what has been written, it is a fun and easy way to get used to protecting one’s communication on the open internet. It is also possible to come up with one’s own encryption mechanisms, such as rotating letters seven instead of 13 places.
Circumventing Location Detection With Where39
When we communicate our location via unencrypted messengers such as iMessage or Telegram, we are also leaking our location to anyone who gets their hands on the contents of our inboxes. Services such as Google Maps automatically detect locations in our written text, and are able to form patterns of our movements. If you’d like to meet someone without revealing your location to Googlezon MacCrapple, you should obviously leave your phone at home, but need to find a way to communicate your meeting place without being detected as a meeting place from the get go.
Ben Arc’s Where39 is an easy way to encrypt meeting places in plain text communication by assigning every square meter in the world with four words. Originally building on the service What Three Words, Arc’s version uses the most distributed word list in the world which every Bitcoiner has heard of in one way or another, as it is also used to generate our passphrases: the BIP39 word list.
For example, if I wanted to meet a friend for coffee at Francis Place, on the corner of Edinburgh Drive near Clayton University in St. Louis, Missouri,, I’d text them “Rapid Thing Carry Kite.” My coffee date could then look up the location via the Where39 map, without the plain text being detected as an address.
Encrypting Messages To Dedicated Recipients With PGP
When texting with friends, we assume that our messages are only read by us as the senders, and our counterparties as the receivers. Unfortunately, when messages are sent via unencrypted messengers, anyone with access to the servers or one of the sending or receiving parties’ devices may read these messages as well.
As the EARN IT act makes it incredibly risky for service providers to offer in-app encryption mechanisms, this is where PGP comes into play for anyone wanting to keep their messages private: Military-grade encryption which can only be deciphered by those holding the private key to decipher communications.
PGP, short for Pretty Good Privacy, was invented by Phil Zimmerman in 1991, and has seen its fair share of government combating in the past. With PGP, we assign ourselves secret keys used to encrypt and decrypt messages, so that only those in control of the secret keys are able to read what we have written. This way, I can copy/paste an encrypted message into any unencrypted messenger, while keeping it unreadable for third-party adversaries.
Here’s an example of an encrypted message I have sent to a friend via Telegram, which is only readable for the person holding the secret key to decrypt it:
—–BEGIN PGP MESSAGE—–
—–END PGP MESSAGE—–
PGP will likely be the most powerful tool to circumvent the EARN IT act when it comes to keeping our communications private. To generate your own PGP keys, you first need to install the GnuPG software. This is most easily done via terminal on Linux, by running “sudo apt-get install gnupg.” Next, you generate your keys by running “gpg –gen-key” and adding an alias, like an email address to your key.
To check whether your keys have been generated, run “gpg –list-keys.” Next, you export your keys via “gpg –output public.pgp –armor –export [your alias, which you can find via gpg –list-keys]” and “–output private.pgp –armor –export [your alias, which you can find via gpg –list-keys].” Make sure to never share your private keys with anyone, and to keep the keys safely stored in a password-protected folder. Once you’ve lost access to your private keys, or to the passphrase you’ve been prompted to generate for your keys, you will not be able to access messages sent to you which are encrypted toward the keys in question.
Next, you should share your public key with people you’d like to communicate with via PGP, so that those parties can encrypt messages that are only readable by the person holding your private key (which is hopefully only you). The easiest way to do this is to upload your public key file to a public key server, such as keys.openpgp.org, via its web UI. You can also share the fingerprint of your keys in your social media profiles or on your website.
To find the fingerprint for your key, run “gpg –list-keys” again, and select the long string of letters and numbers appearing under the “pub” section. If the entire string is too long to share, for example in your Twitter bio, you can also share your short fingerprint, which consists of the last 16 characters of your fingerprint. People who’d like to send you an encrypted message can now find your public key via the terminal command “gpg –recv-keys [fingerprint].” But remember: A PGP key which you’ve retrieved online does not guarantee that this key actually belongs to the person you’re wanting to communicate with. The safest way to receive someone’s keys will always be in person.
Let’s use PGP to send an encrypted message to me. In your terminal, import my keys via “gpg –recv-keys C72B398B7C048F04.” If you’ve configured to access your keys via a different keyserver than openpgp, then run “gpg –keyserver hkps://keys.openpgp.org –recv-keys C72B398B7C048F04.” Now, run “gpg –list-keys” to check whether the key import was successful. To encrypt a message for me, run the command “gpg -ae -r [my alias, which you can find via gpg –list-keys]” and hit “enter.” Write whatever it is you’d like to share with me in plain text, such as “Hello PGP,” then end the message with “ctrl+d.” Next, a PGP message block should appear on your screen. Copy/paste this message including “BEGIN PGP MESSAGE” and “END PGP MESSAGE” into any public forum or messenger of your choice, sending an encrypted message over the open internet, only readable by its designated recipient. For example, you could now send this message to me via Twitter direct message, post it publicly on GitHub or share it in a public Telegram group of which I am a part.
Once I’ve received your message, I will send you a message back via PGP. For me to be able to send you an encrypted message back, make sure that your message includes your PGP fingerprint. The easiest way to do this is to include it in your encrypted message. When you receive an encrypted message back, you can decrypt it by running “gpg -d” in your terminal and copy/pasting the encrypted message, including “BEGIN PGP MESSAGE” and “END PGP MESSAGE.” The message should then be resolved to plain text. Et voila, you are now set to communicate in private with your counterparties over the open internet, giving law enforcement no chance to surveil the contents of your communication.
It can be assumed that our technocratic overlords will continue to increase pressure to deanonymize communication over the open internet in the years to come. Proposals such as the EARN IT Act will only be the first steps.
But as the cypherpunks had proven in the 1990s, encryption is speech and it is impossible to ban. As long as we resort to informing ourselves on the possibilities of private communication, there is no way for governments and big tech to stop us from cutting them out of the picture, and enacting our right to the freedom of speech across all communication channels.
Privacy notice: This article only gives an overview of encryption mechanisms for beginners. If you are dealing with sensitive data, it makes sense to inform yourself further on more secure handlings of PGP, such as managing GPG via Tor and encrypting and decrypting messages via air-gapped devices.
This is a guest post by L0la L33tz. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.