--ABSTRACT
Critique:
EA does not use encryption. This is bad, though how bad is up for debate. However, cost of changing that (creating + publishing + using encrypted communications) is extremely low.
Specific, realistic action:
You should invest about 2 hours to research how to set up a GPG-key. Then invest another 30 Minutes to publish your public key. 2+0.5 hours are my worst-case estimates. If e.g. you use Linux with Thunderbird, it can be done in 5 minutes, just read on.
What would change my mind?
Reasonable expectation of negative value resulting from published keys. I ran all plausible (and implausible) scenarios in my head and couldn’t find any. I don’t have a good value for expected positive result, so any negative value doesn’t have to be super high. (time lost due to encryption is not sufficient and once drawbacks are brought to my attention, I’d try to get actual estimates of positive value first.)
Or finding out that large parts of EA already publish their keys on some service/url I couldn’t find. In that case, my criticism would transform to: That service is hard to find and you should publish keys more accessibly.
Importance:
The moment you absolutely need encryption, it’s already too late to establish secure channels. Encryption is infrastructure and has to be built, used, kinks worked out before it can be relied on.
Even in case you personally never need a secure channel, by using encryption you participate in this infrastructure. Maybe your setup actually is more difficult: think of documenting, discussing solutions and implementing them as fixing a pothole. Say you never travel that road, someone else will and thanks to you can drive safely.
On the other hand, it’s just 2.5h of your time (most likely less!) to build a safety-net in case you ever need it. Do you really have to weigh the pros vs. cons here? (if convinced, jump to HowTo )
--DETAILS
The pitch:
How about you (even you, dear reader!) provide a truly private channel? That allows you to publish your email-address anywhere completely spam-crawler-safe? That protects contacts in high risk environments, because no unencrypted copy exists anywhere? We call it GPG. Or PEP. Or e2ee. It was a weird decade.
The Critique:
EA/rationalists/AI-safety-advocates are a unique community in their handling of information and communications. Infohazards are taken seriously. The need to protect identity is acknowledged and often tried to accommodate. Participation from politically spicy countries is actively encouraged.
All of these are very good ideas/goals/points, but the implementation is lacking. For instance, the anonymous contact option most often used is google docs. That’s like whispering on a talk show.
And though Admonymous seems better (I did not do a deep-dive on their implementation), there is still a plain text copy sent, stored and remembered.
So? (Importance)
First up, it is simply impossible to “contact someone securely”. The receiver has to offer an encryption option first. Since we don’t know who would want to contact us tomorrow and how sensitive their message might be, we have to publish GPG-keys today.
Roko’s Basilisk (Don’t google that one!): The internet does not forget. Anything you type into a browser today, even stuff you never sent, is stored on some computer. An AI getting access to e.g. google would have a prefect record of who was talking behind it’s back, even before it was born.
It’s quite likely that people on the ground have ideas on how to help. What about a Chinese citizen with a good plan to help Uighur families? Or Russian citizen addressing LGBTQ+ issues? If those two examples dared to contact EA today, they would have send plain-text messages from their devices, exposing them to law-enforcement. This scenario has to good ending, either they tell their ideas and expose themselves, the project and potentially their contact-person, or we never get to hear a good idea. I guess the second option is more common and admittedly, offering encryption requires some technical knowledge. (Not a lot, as I will demonstrate. But when electricity is scarce, encryption isn’t a priority.)
Let’s say I have found a way to train AI magnitudes more effectively. I could send an email to the next best @gmail account. Two days later Google somehow has a magnitudes more effective AI. Better yet: at the brink of sentience, Google still analyses mails (to display ads) with AI, it finds the description, is able to implement it itself, pushed over the edge and already lightyears ahead of what we could build. Bummer.
How about something simple: I want to discuss perfectly legal nootropics advice with an online-friend. Five years from now laws change, the government clamps down on nootropics hard. Now a message-scraper is required by law, finds these messages and I get visits from law enforcement. (If that sounds far fetched, consider that it is already required by law to scrape all photos for child-pornography when they are uploaded to any server/cloud.)
All these examples are of course speculations. We don’t know what we are missing. But that is my point: There might just be a pot of gold at then end of (at max) 2.5h setting up GPG-keys.
Another reason I personally find convincing is distinguishability. If only people with sensitive information use encryption, it’s easy to pick them out and focus on them. The more encrypted communication is out there, the harder it is to guess who said anything important.
To summarize: Encryption is a necessary corner stone of resilience. That includes AI-resilience (messages can’t be used to train AI, even future AIs can’t read encrypted messages, AI-improvements can be discussed truly covertly), resilience against shifting governments (what’s innocent today is a crime tomorrow, what’s secret today can be searched tomorrow) and resilience against dangerous sociopolitical situations already in place.
I want EA to be a resilient community. For its own sake and to be a light in the dark for people to reach (out to). Whether it’s resilient against all the turmoil we call reality or resilience against order faltering due to [insert favorite apocalypse here], encryption is an essential part of resilience.
What are we talking about?
The specific problem is missing end-to-end encryption. This basically describes systems where only two people know the content of a message. “People” usually means only the end-user-computers those people use. An online-service (e.g. Tutanota, ProtonMail) does not count, since they decrypt mails for you. (Technically it’s a bit more difficult, but those services have many downsides in any case, so I discourage using them all the same.)
I suggest providing GPG-keys to encrypt emails and will provide a rough guide on how to do so. However, I believe using strong cryptography in general is a good idea, so I endorse using Signal messenger or Threma. Telegram is also an option, but be aware that Telegram does NOT encrypt by default! For that you have to start a “secret chat”. GPG has the big advantage of providing a point of contact without sharing any personal data, such as a telephone-number.
How does (end-to-end) encryption work?
Generally, whoever wants to receive an encrypted message randomly picks a very large number with certain properties. A simple transformation of this number provide a new number that can be published as “public key”. Spreading this key far and wide and making it easily accessible is an essential step in allowing people to encrypt messages and does not any way reduce it’s security.
Anybody who wants to contact the receiver can take that public key and use a mathematical transformation to scramble their message. That scrambled message is sent to the receiver. Only the receiver knows the original large number and can use that number to unscramble the message. Side-note: It is prohibitively expensive to deduce the original number based on the public key, an similarly to unscramble a message.
Isn’t encryption bad/evil/criminal?
No. Encryption itself is not criminal. There are some regional restrictions on what encryption services can be offered, but to my knowledge you are free to encrypt in your own free walls to your hearts content. (There are some countries where it is legal to force you to hand over any passwords and that includes decryption-keys. If that applies to you, be sure to backup your keys with a passphrase you remember!)
Encryption got a bad rep in some areas/media because encryption can be used to subvert law enforcement. When we talk about dissidents in dictatorships, it’s considered a good thing, whereas in the respective home country it’s considered bad. But there are many more prying eyes encryption protects from. Since I’ll talk mostly about email encryption, whoever owns the server emails are stored on can read them, analyze them and use them to train an AI.
In the end, encryption is a tool. I can use a hammer to build houses or drop it on my toes.
Can’t people harass/stalk me by encrypting?
No, they can’t. At least not better than before. Anybody sending you an encrypted email is hiding its content from anybody else, they can’t hide anything from you. Similarly, they still need to send emails, so blocking contacts works the same as before.
What can be done? (action)
Depending on your setup, it’s best you google your email program and one of “GPG”, “PGP” or “PEP”. If you use webmail, I strongly recommend installing some local email client to read and send encrypted messages.
I believe the simplest way to get encryption going is with Thunderbird, as it even works in windows. I haven’t found a tutorial specific for windows though, so I hope this looks similar enough: [archive of tutorial] (If you use windows and run into problems: Use those 2h estimate to google a solution and share it in the comments!)
The important step which should look the same in windows is Step 5 / Generate Key Pair. Take special care to select “ECC” in advanced settings. This enables the Exceptionally Complicated Cipher which … is magical math with extra ferry dust. Current consensus is this is better, the only downside being there are old programs in the wild that don’t support it. A practical advantage is the very large numbers I mentioned are much smaller. The public key is small enough to generate a QR-code, an option I personally quite enjoy.
Brief note on key-expiring: This is up for debate, so my opinion on this should not be taken as wisdom or recommendation. An expiring key will refuse to encrypt/decrypt after it expired. This is a security-feature. I don’t believe a personal key is worth the effort of generating new keys and risk of missing an expiry.
You can ignore the part “Import your key pair” for now, it will be relevant if you have to restore your secret key from a backup.
If you follow this guide, you also need to
PUBLISH your PUBLIC key!
In Thunderbird, navigate to Tools -> OpenPGP Key Manager -> [select you key and right-click] -> Export keys to file
This file can be uploaded to keyservers, e.g. openpgp.
These keyservers keep a copy of your key and index them by your email. If you don’t want to publish your key anywhere else, this enables people to find your key if they only know your email address.
However, much more fun is to put a copy of your key on you profile, homepage, bio, …
The best way to do that is to publish a text-version of your public key.
In Thunderbird, navigate to Tools -> OpenPGP Key Manager -> [select you key and right-click] -> Copy -> Public Key
The clipboard now contains a bit of text you can put everywhere text is accepted and people can send you encrypted email. Bonus: Publish this instead of your personal email! It contains your personal email but is completely impervious to spam-crawlers.
In some places, it’s not possible to publish the full key, e.g. twitter. If you want people to know your key via twitter, you can publish your key-id on twitter:
In Thunderbird, navigate to Tools -> OpenPGP Key Manager -> [select you key and right-click] -> Copy -> Key ID (or fingerprint, which is “more unique”. Don’t ask.)
The key ID is a unique identifier for your key. That means if I find a public key somewhere on the internet, Thunderbird (or whatever we use for cryptography) tells me that key’s ID. If it matches with what you posted on twitter, I know it’s yours.
But I can’t directly compute your key from the key-ID alone, so linking some place where you uploaded it is a good idea.
And finally, whenever you write an email to somebody, you can place your public-key as attachment. This is a good way to establish contact with people who’s key you can’t find and want to talk securely.
Limitations:
GPG encryption perfectly hides the *content* of messages and nothing more. It addresses practically no privacy or surveillance concerns. If you need to hide more than content (e.g. your location), look towards TOR (again, super simple to use) and dig a little deeper. Similarly, encryption does not protect you from hackers and should your computer be hacked, they might gain access to your decrypted messages or even private keys. If you are exposed to (government?) hacking, you should invest some more time to research GPG with smartcards, master- and subkeys and probably a different operating system. (I recommend Qubes)
I could write a whole different critique of EA’s use of google as go-to provider of everything. Or the general lack of privacy-awareness. I won’t, because I don’t feel I can offer solid advice apart from “don’t do that!”. Well actually, here is a good google-docs alternative.
So I hope using encryption and experiencing the ease of it magically brings some awareness for other data-security topics as well. At the very least, they shouldn’t be too intimidating anymore.
And here are my contact-details:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEYwudARYJKwYBBAHaRw8BAQdAalDRO60rHVzj39qUG5zXSwKSTw4/QIZV2Men
fuBYS/W0KHJhbmRvbSB0YWxraW5nIHRyZWUgPGRvZXNudC53b3JrQGdteC5hdD6I
kwQTFgoAOxYhBG4qWXPE3WqBNhXEYx0qF5iM7czBBQJjC50BAhsDBQsJCAcCAiIC
BhUKCQgLAgQWAgMBAh4HAheAAAoJEB0qF5iM7czBfs8BAIBTVm+6CXpPIzRfLLL5
8142oty4v9H1grUPy1E3DhrpAP9Aek7XlWcLHU+iVTySY43ltgtvkeSNY1Xgj9kf
evIYD7g4BGMLnQESCisGAQQBl1UBBQEBB0C/NYPKzf6nHxBTKTnTSs9zDs8haDxj
ilFasv6VuY3IVwMBCAeIeAQYFgoAIBYhBG4qWXPE3WqBNhXEYx0qF5iM7czBBQJj
C50BAhsMAAoJEB0qF5iM7czB0dcA/iVAlfckmx4Ude0BNDjSOKdcdd9SM9ZLG+02
He7QfcOQAP9im2QycvH/Ec767WmZjuwOEOhyWpugvLsam0hxlRcZCg==
=FOFG
-----END PGP PUBLIC KEY BLOCK-----
Send me an encrypted mail and I'll try to respond! (offer expires whenever I don't feel like it.)
--ADDENDA
--aside on annoyances in Thunderbird
When importing keys, Thunderbird will ask you whether to trust them. It is very important to click one of the two yes-options! (out of the blue, use the option “Yes, but I have not verified that it is the correct key.”)
This is because Thunderbird is very cautious and won’t even provide an option to use a key you don’t trust. If you ever send an email and get an error that it can’t be encrypted, make sure the corresponding key is trusted!
The rules on when to encrypt are still iffy. If you usually use a different email-client, I suggest setting Thunderbird to always encrypt. It will annoy you whenever you try to write unencrypted. This way, you have a good cognitive barrier between unencrypted, publicly readable emails (your original client) and safe, encrypted, private messages (Thunderbird). If you want to use Thunderbird for everything, I don’t want to recommend anything, gauge your threat-level and act accordingly. “Always encrypt” won’t accidentally send out something dangerous, but will annoy you every time you write an email. Or less annoyance with a chance of sending out secrets unencrypted.
--aside on encryption with other email clients/operating-systems/encryption technology
You want to make sure your email client supports PGP and has very clear visual distinction between PGP-encryption and other methods of / no encryption. (S/MIME is floating around to encrypt emails in transit and especially popular within governments. S/MIME can, but generally does not encrypt emails on the mail-server, so even gmail offers “encryption” via S/MIME.)
Overgeneralizing a bit: apps that hide keys are to be avoided. If you can’t open and look at a key, it’s harder to share, harder to confirm authenticity, and a sign keys are not stored on your device.
If a local email client is not an option for you, there is a browser-plugin to do encryption. By their very nature, browser-plugins are more vulnerable to attacks and accidentally sending unencrypted emails.
Smartphones are an area where I can provide little help. Openkeychain supports encryption for a range of apps in Android. For iOS pgpro is the only non-hiding app I could find. I never tried any iOS app though so feedback/others are welcome. (e.g. there is "privacy" which looks slick to the point where I believe it hides keys. Might be wrong, I never tried it. Missing documentation and source code are not encouraging in any case.)
Don’t use “gateways”.
That describes setups where you send plain-text to a server (the gateway) which then handles encryption. This is bad.
--aside on encryption and privacy
While privacy and encryption overlap a lot, they are two very distinct concepts. In fact, a very common and important application of encryption is proving your identity to another person. Similarly, a good way to stay quite anonymous is to block all tracking-software (though that’s not a surefire way), no encryption required. I’m mentioning this so nobody reads this with the idea they can disappear by using GPG encryption. If you are truly in a situation where you need strong, reliable anonymity, please have a look here:
The TOR project - a protocol/network to hide your IP address
whonix - a split operating-system to enforce TOR-usage
QubesOS - an OS booting multiple OSes to hide their content from each other
However, I do hope this brief introduction to cryptography gave you perspective on how easy it actually is to use modern security tools to your advantage. If security generally interests you, maybe start by looking into security concepts.
--aside on encryption in general
Encryption technology is ubiquitous. Any update, website (served via https), and most operating systems use encryption with different properties for different purposes.
An update is easy to read for any computer, but encryption provides a mathematical proof it came from the manufacturer and nobody else.
An operating system requires at the same time a very fast decryption and very strong encryption, so it uses two types of encryption: a very fast encryption with a very long, random passphrase and a rather slow but very strong process to encrypt that random passphrase. When your phone unlocks it’s hard-drive, the random passphrase has to be decrypted only once, then the passphrase can be used to decrypt the hard-drive quickly.
https is most similar to GPG in that it publishes a websites public key for any browser to contact it. However, these public/private key encryption algorithms take up a noticeable amount of time. So instead, this initial handshake is just used to agree on a session-key. That again is a random number both parties know. Encryption algorithms based on shared secrets are generally much faster.
GPG / email encryption is of course only one option. Signal is a decent option, Matrix-chat doesn’t look too shabby as well, but it’s meaningless if encryption is fractured across thousands of networks/protocols. I wanted to provide a crystallization-seed and believe GPG is the overall best choice. This may be wrong, but a choice was required.
Published my public key here, as well as some contact details here.
Awesome! Might I suggest linking it on your landing page as well?
And for all those with a personal homepage, supplying your key-id/fingerprint in header/footer/contact-details is good practice to advertise the key and avoid confusions later.
It seems that it is not possible to do what you're suggesting using (say) Gmail's web interface or phone app. I expect that having to give up on the features provided by these would be a noticeable ongoing cost for me - for example, I expect Thunderbird to do much worse at automatically categorising my incoming mail. Does that seem right?
Also, the specific upsides you mentioned don't seem that compelling to me, and the general "you don't know why it might be useful but it might" applies to too many things to be worth the costs.
Thank you for asking. Allow me to emphasize: I'm not suggesting you should replace your current setup and switch to use encrypted channels, I'm saying you should add the capability to receive encrypted messages to your portfolio.
You could generate GPG-keys for your gmail account in any GPG-capable app, even thunderbird. Keep using Gmail's webmail to your hearts content. Should an encrypted email arrive, pull out the app you chose and decrypt that one email, possibly answer / store / sing a song about it, and forget you even have that app until the next encrypted mail arrives. Or you want to send one yourself.
Regarding specific upsides: Those should read "I know several precise upsides, though I don't want to argue how likely they are to occur." Could you suggest improvements to my post to reflect that more clearly?
Thanks for explaining, I hadn't realised that, and it makes it much more attractive to follow your advice!
You mention that reliance on Google is bad - I'd be interested to hear more about why you think that's true. (I agree that EA relies on Google services a lot.)
It seems that if we can trust Google, then the in-transit encryption that Gmail provides is good enough.
Uhm. This would take another very long post.
Suffice to say I don't interact with EA all that much mainly because I will not provide personal information to a google-docs form.
In line with previous remark: using google is perfectly fine. Once (nearly) all lines of communications rely on google there might be some problems, e.g. you won't hear a lot from me.