Tag Archives: email

Email campaign groups and charity

While there are no doubt many worthwhile causes that I agree with promoted by groups like 38degrees, there are some that I don’t agree with or don’t think are worth supporting.

The problem is how to decide which is which.

I’m not willing to blindly trust any organisation to decide on my behalf what is worth campaigning for by giving my support after only reading a brief email. I know we’re all inclined to believe simple ideas without much skepticism* if they align with our existing beliefs and I’m wary of making quick judgements that might reflect my existing biases more than careful consideration would.

The trouble is that I often find careful consideration of a new issue utterly exhausting. It requires time and a bit of intellectual effort. The volume of emails produced by most campaign groups, Avaaz, 38degrees or others, is impossible to keep up with for anyone with a job, family, social life and regular exercise.

For me the same argument applies to charity cold-calling. I never sign up to anything on the doorstep or street. I already have regular charity commitments and make one-off donations to sponsor friends – should I change these when a representative of another charity knocks on my door? The answer depends on questions like how efficient the charity is, what they’ve achieved recently, if they’ve been involved in any scandals and how closely they align with my values. Not something I can judge in a five-minute or even half-hour conversation.

I admit that by refusing to consider every cause or charity that asks for my support I may be missing out on something I’d consider very worthwhile. I’m not saying I’d never explore new causes or charities, but the burden of choice means I’d prefer to start with a recommendation from a friend or trusted colleague or a subject matter I already know something about.

This might all be made simpler by having some independent reviewer of charities providing open and accessible comparisons of their finances and achievements. Until it becomes a lot easier to decide, my default answer will be a simple, firm “No, thanks”.

 

* – I prefer Noah Webster’s “American” spelling of skepticism.

Why I want to encrypt everything

When I suggest to people that we should communicate using encryption, I get the impression they don’t take me seriously.

Am I paranoid? Do I think I’m interesting enough to be the subject of surveillance? Maybe I want to play at being a spy? OK, maybe the last one is partly true, but seriously, I think there are good reasons to encrypt all information by default.

To be completely clear, when I suggest we use encrypted communication:

  • I don’t have any classified information to share
  • I’m not buying or selling anything illegal
  • I am not planning to have an affair with anyone
  • I’ve got no intention of overthrowing any governments or hacking anything

I don’t think I have anything to hide. However, I don’t want to have to think, every time I send a message to a friend, family member or whoever, about who might see it, now or in the future and what the consequences might be. Maybe one day one of us will be famous and our embarrassing utterances may be of interest to the masses.

I’d just like every message between us to be between us. It’s easy to unthinkingly assume that the messages we send are only read by the intended person or persons. I want that assumption to be reasonable.

Email is not usually encrypted and is easy to fake

For a popular example, email has often been described as about as secure as a postcard. In practice I think it’s a bit worse than that. Firstly, because it’s easy to intercept and read millions of emails automatically. Secondly, with a postcard you can probably recognise the sender’s handwriting, which would take some effort to fake. Email senders can easily be spoofed. By default there’s no way to verify that the address in the “From:” field belongs to the person who sent the email.

It shouldn’t take too much imagination to see how the insecurity of email could lead to problems. It’s already been exploited via a simple scam in the UK.

To summarise the link above… A couple had some building work done and had agreed with the builder to pay via bank transfer as many people, myself included, do regularly. They received an invoice from the builder via email which included his bank details. They duly transferred £25k to the account, but the builder never received it. The email appeared to come from the builder’s email address, but was in fact from a scammer who had sent their own bank account details in place of the originals.

This would not have been possible if the email sender’s identity could be verified and the email encrypted. Another solution would be to share the bank account details in person or, if you recognise the person’s voice and know their number already, over the phone. A phone number in an email could also be faked.
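As an added illustration (not part of the original post): mail servers that check SPF, DKIM and DMARC record the outcome in an Authentication-Results header, and that record is what lets software verify the “From:” domain. The server name mx.example.net and the sample messages below are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: name stamped by our own mail server

def from_domain(msg):
    """Domain of the address the reader sees in the From: header."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def dmarc_verdict(raw):
    """Return 'pass', 'fail' or 'unverified' for the visible From: domain."""
    msg = message_from_string(raw)
    domain = from_domain(msg)
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in str(header).split(";")]
        # Only our own server's stamp counts: a sender can add any header
        # they like to the message they submit.
        if parts[0].lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue
        for result in parts[1:]:
            tokens = result.split()
            if not tokens or not tokens[0].lower().startswith("dmarc="):
                continue
            checked = [t.split("=", 1)[1].lower() for t in tokens
                       if t.lower().startswith("header.from=")]
            if checked == [domain]:
                return "pass" if tokens[0].lower() == "dmarc=pass" else "fail"
    return "unverified"

# Constructed sample messages (not real mail); .example domains are reserved.
GENUINE = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=builder.example;\n"
    " dmarc=pass header.from=builder.example\n"
    "From: A Builder <invoices@builder.example>\n"
    "Subject: Invoice\n\nBank details as agreed.\n")
SPOOFED = (
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk.example;\n"
    " dmarc=fail header.from=builder.example\n"
    "Authentication-Results: mail.builder.example; dmarc=pass header.from=builder.example\n"
    "From: A Builder <invoices@builder.example>\n"
    "Subject: Invoice\n\nPlease use our new bank account.\n")
UNSTAMPED = "From: A Builder <invoices@builder.example>\nSubject: Invoice\n\nHello.\n"

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("spoofed", SPOOFED), ("unstamped", UNSTAMPED)]:
        print(name, dmarc_verdict(raw))
```

A “pass” only says the message came through the domain’s authorised mail system, and the check relies on the receiving server stripping inbound headers that carry its own name, as RFC 8601 requires.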

There are ways to improve on email security; in fact it’s fairly simple if both parties can use the same service. Other solutions get a bit more complicated.

Encryption is getting easier

The good news is that it’s getting easier to encrypt everything by default. Google are now encouraging all websites to be delivered via HTTPS (the S standing for SSL or Secure), making websites harder to fake and adding to the reliability of online data.

Many email services now offer some level of encryption and verification within their service. So a GMail user writing to another GMail user can expect their communications to be encrypted. Facebook messages are encrypted, as are WhatsApp messages. In some cases it may be possible for employees of those organisations to access clients’ communications, or to change the application for a user so that their data can be read.

For a higher standard of encryption people look to “zero-knowledge” solutions in which the service providers don’t have the ability to read user data or access their private encryption keys, even if they wanted to or were forced by law, blackmail, bribery, etc. Zero-knowledge email systems include Tutanota and ProtonMail. They’re not perfect. I won’t go into all the pros and cons here except to say that at the time of writing neither is securely interoperable with other email services, but both can still be used for unencrypted plaintext emails to/from any address. Of course all this is pointless unless you have a good password.

For text messaging the most respected zero-knowledge solution is Signal, which is available for free on iOS and Android. WhatsApp also offers “end-to-end” encryption, but unlike Signal the code is not open source, so not subject to public scrutiny. Researchers have already shown that WhatsApp can allow Facebook and possibly others to read private messages. Furthermore there’s some controversy over the sharing of user data with Facebook.

Secure messaging is not paranoia, it’s good practice.