Privacy On The Internet © 2007 by Michaela Merz ([email protected])

Privacy On The Internet

The Problems – Possible Solutions

© 2007 Michaela Merz

[email protected]


Overview:

Twenty years ago the Internet was in its infancy. Its users were mostly academics, and security was not really an issue. People knew each other, the number of users was limited, and services like electronic banking were not available anyway. This is why some features and protocols were not designed with security in mind. Some of those protocols are still widely in use today.

The modern Internet is something completely different. Highly personal data flows alongside confidential business information and other, less relevant bits and bytes. Governments and other organizations spend a great deal of money to listen in on and analyze data traffic, not only to look for potential security threats, but also to fish for data that might be interesting for commercial reasons.

Computing power now makes it possible to listen in on the major data highways and to collect all data, like email, WWW and chats, into huge databases. Keywords are extracted, and all that data is sorted and combined. This leads to profiles that are further analyzed and, if possible, attached to a particular user identification and finally stored permanently, ready to be accessed by the intelligence communities and other authorities.

About The Author:

Michaela Merz, born 1960, is a successful entrepreneur, software developer, manager and IT specialist. Back in 1992, she founded the Free Software Association of Germany (FSAG), supporting the development and distribution of Free Software. In 1993 she invented a lot of the functions and services known today as Web 2.0 and launched the 'German Data Highway', a WWW-based community service. It was renamed 'germany.net' and became the second largest online service in Germany. She sold her interest in 'germany.net' and moved to the US, where she served as CEO and board member of several companies. She is now concentrating on IT-related research and development and helps businesses in project development and as an interim manager.


Content:

I) What Is Privacy On The Internet And Why Should You Care?

II) How To Create Privacy On The Internet:

1) Use Encryption

2) Use Temporary Email Addresses

3) Use Anonymous Re-Mailer

4) Mail And Other Email Providers

5) Other Ways To Send Secret

6) Privacy, Anonymity And Criminals

7) Conclusion

III) How To Create Privacy On The Internet: Surfing The Web

1) A Closer Look At Cookies

2) The Network

3) Use HTTPS Protocols

4) Web-proxies

5) Remove Cached Data

6) Use Mozilla Software

7) Special Security

IV) References

V) How To Install Gnu Privacy Guard on Windows Computers

VI) Copyright, Trademarks,


I) What is privacy on the Internet and why should you care?

What would you say if a copy of every letter, every postcard and a list of the contents of every package you ever sent were stored somewhere? If this data were combined with all the recipients' addresses and with the names of all the people you ever called? Of course, a transcript of all those phone conversations would be attached to this dossier as well. Would that be your idea of privacy?

I know, you have nothing to hide. But would you like to share the same database with, say, Osama Bin Laden just because you both like 'pecan pie'?

This is a fictitious story but it might as well be true:

On the morning of April 2nd, 2007, NSA (National Security Agency) computer surveillance was routinely monitoring Internet traffic. An NSA computer stumbled upon a website in New Jersey that, it found, had links pointing to another website in Pakistan. This location, the computer was told by its database, had been a meeting point for terrorist sympathizers. So the computer started to take a closer look. In all the data it collected it found a statistically significant number of references to 'pecan pie' – quite possibly a key word of some sort. It notified the operator, who decided to make 'pecan pie' a search term for broader surveillance.

Not knowing all this, Mr. Miller, a traveling salesman from Jacksonville, Florida, was searching the Internet for a 'pecan pie' recipe. His favorite search engine also displayed the link to the aforementioned website in New Jersey and, looking for a recipe, Miller clicked it. He found nothing of interest, so he continued his search and soon forgot about it.

Not the NSA. They collected all the IP numbers of all people who had visited the website in New Jersey and forwarded all the data to the national telecommunications companies and requested names and addresses. In addition, NSA asked for all of Miller's communication records from his phone company. No warrant or court order was ever obtained, but the phone company disclosed all of Miller's records anyway.

Going through Miller's private communication records, agents found a lot of emails sent and received from several foreign countries and phone calls to Munich, Germany as well as to London and Madrid, Spain. One email even contained the request for a 'walnut pie' (a 'pecan' like nut) recipe sent to Brussels, Belgium.


If they had asked Miller, he would have explained that he is responsible for international sales of 'Organic Cane Sugar' produced in Florida, that he has a lot of customers in Europe (Europeans are especially fond of organic produce) and that he also likes to bake and cook. But they didn't ask. They covertly went through Miller's records, read his and his wife's email (she was using the same Internet access) and even tapped his phone. Every word was cross-linked, reference-checked and re-checked.

Miller of course wasn't aware of anything. Nobody would ever tell him that he was a terrorist suspect, that his privacy had been taken away, that his emails were monitored and that maybe somebody was silently laughing about his thoughts sent by email to the pastor of his church.

Eventually, Miller was dropped from the list of potential terrorists. His privacy was stripped from him, his name disclosed to his phone company as a potential security risk, and he was even temporarily placed on the notorious 'no fly' list. If he had needed to go on a business trip, he would have been stopped at the airport, in front of his colleagues, interrogated, maybe even arrested.

Miller will now have his data stored away in some corner of the vast memory of NSA's super computers. Someday in the future and for whatever reason, it may become activated again. But Mr. Miller is not aware of all that. Nobody will ever tell him.

This was fiction. Here is the truth:

Reporting from every major American media outlet and undisputed whistleblower evidence show that AT&T and other phone companies were complicit in the NSA's warrantless surveillance. The companies participated in surveillance, handing over billions of their customers' private communications and communications records without warrant or court order. This included the records and full content of the private domestic communications of millions of ordinary Americans. The President and the phone companies hid this information from Congress and the American people for at least six years. [17]


What is going to happen with all those records? Do you trust your government that it will never use that data against you or any of your loved ones? What if, by accident or by malicious intent, this file would get into the hands of some private organizations or criminals? Should you really trust anybody with safeguarding your personal communications?

November 29, 2007: Two lost Revenue & Customs CDs containing the personal and financial details of 25 million people in the U.K. could be worth $3.12 billion to criminals, says a member of Britain's Parliament.

April 11, 2007: In the biggest loss ever of personal information compiled by state government, a computer disk containing data on 2.9 million citizens of the State of Georgia has been lost in shipping.

September 11, 2007: New Zealand's Security Intelligence Service (SIS) head Warren Tucker reveals that foreign governments have hacked into German and New Zealand Government computer systems. Government departments' websites had been attacked, information had been stolen and hard-to-detect software had been installed that could be used to take control of computer systems.

August 3, 2006: The U.S. Department of Veterans Affairs learned on August 3rd that a computer was missing from Unisys, a subcontractor that provides software support to the Pittsburgh and Philadelphia VA Medical Centers. The computer contained insurance claim data for patients.

December 30, 2004: Bank of America suffered the loss of five computer data tapes. These tapes contained personal information (names, Social Security account numbers, and addresses) and government travel card account numbers for 933,000 Department of Defense Bank of America government travel cardholders.


All your data on the Internet is fair game. Governments all over the world are actually analyzing, storing and matching all of your Internet email, your web surfing, your search engine requests and your voice over IP (VoIP) phone conversations. As if that were not enough, companies are tracking every move you make. They install so-called 'cookies' on your computer and combine them with hidden images, so that the restrictions of cookies are no longer valid. They can now track every mouse click and every keyword, even across different web sites, in order to learn more about you, your interests, your wishes, your secret desires – so that they can serve better advertising and sell more products [1].

Search engines like Google® remember every search request you ever made [2]. They are able to combine all those searches – imagine what sorts of information you may already have disclosed – and they probably know more about you than your parents, spouse and friends combined. All this data is available to any party wielding a subpoena and, under special circumstances, even without one. It was reported on February 4th, 2006 [3] that AOL® is receiving more than 1,000 subpoenas each month seeking information about AOL® users. Although today the vast majority of those subpoenas are from law enforcement agencies, an increasing number are from civil litigants trying to dig up information about their adversaries.

In the same year (2006), the Justice Department sent a subpoena to Google® demanding data to "assist the government in its efforts to understand the behavior of current Web users, to estimate how often Web users encounter harmful-to-minors material in the course of their searches, and to measure the effectiveness of filtering software in screening that material." The initial subpoena was breathtaking in scope -- every Web site address in Google®'s search index, as well as every search submitted over a two-month period.

Google® resisted (and was dragged to court, where they ultimately prevailed), but MSN®, Yahoo® and AOL® all complied with similar subpoenas after negotiating agreements with the Justice Department [4].

You, of course, have never Google®d or Yahoo®'d for 'britney nude', 'no prescription pharmacy', 'avoid taxes' or 'free mp3 music', but you may have searched for other terms. And yes, your search for 'moonshine' and 'distillery' was purely for scientific reasons. Are you willing to continue to share your personal data with government agencies and other interested parties?


Ask the founding fathers ...

Benjamin Franklin (1706 – 1790) was a leading author, political theorist, politician, printer, scientist, inventor, civic activist, and diplomat. He was also one of the most important and influential Founding Fathers of the United States.

Image Credit: Wikipedia

They who would give up an essential liberty for temporary security, deserve neither liberty or security.



II) How to create privacy on the Internet: Email

There are a number of measures you can and should use in order to keep your communications private. Regular email is transported without any protection. If you send an email to a customer, family member or friend, it will be transported through multiple locations. An email includes not only the text, but also the email addresses of both sender and receiver, sometimes even their 'real names', and technical data.

Return-Path:
Received: from localhost.localdomain (localhost.localdomain
    by localhost.localdomain (8.14.1/8.14.1) with ESMTP id lDCA9A24Z012419
    for ; Mon, 12 Nov 2007 03:10:03 -0600
Received: from localhost.localdomain [127.0.0.1]
    by localhost.localdomain with POP3 (fetchmail-6.3.5)
    for (single-drop); Mon, 12 Nov 2007 03:10:03 -0600
Received: from mail.sendersys.net (mail.sendersys.net [123.45.67.89)
    by your.mailhost.com (8.13.1/8.12.5) with ESMTP id lDCA8w6FW0124185
    for ; Mon, 12 Nov 2007 02:58:07 -0600
Received: from mail-gw-1.somehost.net ([11.22.33.44])
    by mail.somehost.net (8.13.8/8.13.8) with ESMTP id lDCA8ueME0201693
    for ; Mon, 12 Nov 2007 09:56:40 +0100 (MET)
Received: from ffm-hq.sender.net (esbanl-p2.sender.net [33.44.55.66])
    by mail-gw-1.somehost.net (8.13.6/8.13.1) with ESMTP id lDAC8uaQs0154145
    for ; Mon, 12 Nov 2007 09:56:38 +0100 (MET)
In-Reply-To: <[email protected]>
Subject: Your request for legal assitance
To: "Your Name"
X-Mailer: Lotus Notes Release 7.0.2 September 26, 2006
Message-ID:
From: [email protected]
Date: Mon, 12 Nov 2007 09:56:34 +0100
X-MIMETrack: Serialize by Router on FFM-HQ-SENDER/NewYork/Sender(Release 6.3.6|March 01, 2006) 12.11.2007 09:56:38
MIME-Version: 1.0
Content-type: multipart/mixed; Boundary="0__=4DAEF902DFA296128f9f8f93df948680919c4EBCF902DFD30611"
Content-Disposition: inline

Hello Mr. Name, yes, I think you should take legal action. Please find all the requested documents attached.

Yours truly,

Harry Podd, Attorney At Law


This is a typical email message including its header. It contains not only the message, but also your name ('Your Name'), your email address ('[email protected]') and the email address of the sender ('[email protected]'). It hopped through 5 different hosts, each of which may have copied and stored it. The mail is then usually held at the final destination, usually your ISP (Internet Service Provider), until the receiver (you!) goes online and retrieves it. I know of bored system operators (the people who administer the computer system) who passed their time by browsing through other people's mail, reading it and sometimes even taking interesting attachments (like programs or audio files) and using them themselves.

Now that you are about to retrieve your email from your ISP, I need to tell you about another severe security problem. If you want to read your email, it must first be transmitted to your computer. The remote computer needs to identify you so that it can access your mailbox and send your email. The usual protocols that manage the identification and transmission process are called POP3 (Post Office Protocol) or IMAP (Internet Message Access Protocol). Your username and your password are sent over to the remote computer, and it sends your new email back. The problem is that this communication is usually not encrypted – your username and password are in plain view for any listener to read. If somebody on the network is listening (maybe with a program called tcpdump [20]), he or she will be able to find this highly sensitive information.
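
The relay chain and the readable header fields of the sample message can be listed programmatically. The following is an added example, not part of the original text; the message is a constructed copy of the three network hops from the sample above, and the mailbox addresses (example.com, example.net) are placeholders.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message modelled on the sample above. The mailbox addresses are
# placeholders (example.com / example.net); the originals are not on the page.
RAW_MESSAGE = """\
Received: from mail.sendersys.net (mail.sendersys.net [123.45.67.89])
    by your.mailhost.com (8.13.1/8.12.5) with ESMTP id lDCA8w6FW0124185
    for <you@example.com>; Mon, 12 Nov 2007 02:58:07 -0600
Received: from mail-gw-1.somehost.net ([11.22.33.44])
    by mail.somehost.net (8.13.8/8.13.8) with ESMTP id lDCA8ueME0201693
    for <you@example.com>; Mon, 12 Nov 2007 09:56:40 +0100
Received: from ffm-hq.sender.net (esbanl-p2.sender.net [33.44.55.66])
    by mail-gw-1.somehost.net (8.13.6/8.13.1) with ESMTP id lDAC8uaQs0154145
    for <you@example.com>; Mon, 12 Nov 2007 09:56:38 +0100
Subject: Your request for legal assistance
To: "Your Name" <you@example.com>
From: attorney@example.net
X-Mailer: Lotus Notes Release 7.0.2 September 26, 2006
Date: Mon, 12 Nov 2007 09:56:34 +0100

Hello Mr. Name, yes, I think you should take legal action.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return the relay hops in the order the message travelled."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        match = HOP_RE.search(value)
        if match is None or ";" not in value:
            continue  # malformed trace line: skip it rather than guess
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        ip = IP_RE.search(value)
        hops.append({
            "from": match.group(1),
            "by": match.group(2),
            "ip": ip.group(1) if ip else None,
            "utc": stamp.astimezone(timezone.utc),
        })
    hops.reverse()  # every relay prepends its line, so the oldest hop is last
    return hops


def cleartext_metadata(raw):
    """Header fields every relay can read, whether or not the body is encrypted."""
    msg = message_from_string(raw)
    names = ("From", "To", "Subject", "Date", "X-Mailer")
    return {name: msg[name] for name in names if msg[name] is not None}


def transit_seconds(hops):
    """Time between the first and the last relay timestamp."""
    return (hops[-1]["utc"] - hops[0]["utc"]).total_seconds()


if __name__ == "__main__":
    for hop in received_hops(RAW_MESSAGE):
        print(hop["utc"].isoformat(), hop["from"], "->", hop["by"], hop["ip"])
    print(cleartext_metadata(RAW_MESSAGE))
```

Each entry in the result is a system that handled the complete message and could have kept a copy.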

This is a log from a tcpdump catching username and password from an IMAP session:

iZeG<94>^K^@6^@^@^@6^@^@^@^@^T<1F>[<13>v^@^ZVc^@E^@^@(' @^@@^F<8A>X<30>^A<1F><18>^AW^@<8F>^K^G<5F>lM<2E>[ <12>P^P^V<0D><1D>^@^@iZeG<10>^K^@`^@^@^@^D^A^@^@^@^T<1F>[ <33>v^@^Z<12>Vc^@E^@^@'@^@@^F<1E><98><0F><4A>^A<7F><10><1C>^A W^@^K^G<6F>lM<91>[P^X^VЅW^@^@* CAPABILITY IMAP4REV1 LITERAL+ IDLE UIDPLiZeG<96><11>^K^@W^@^@^@W^@^@^@^@^Z<2F>Vc^^@^T[<3B>^@E^@^ @I^T^U@^@<80>^Fb+<01>^A^B^K^@<9E>[<24 >^FmEDCP^X<91><9F>z^@^@^@001H LOGIN "myusername" "secrect" iZeG<6A>^D^@`^@^@^@^@^@^@^@^T[v^@^X<2A>Vc^@F^@^@< E7>'^A@^@@^D

<1F><7D>^X<1C><8F><4E>^AZ^@^M^U<60>mE SC[<1C>P^Z^VXB^@^@001H OK [CAPABILITY IMAP4REV1 LITERAL+ IDLiZeG<1D>^K^@B^@^@^@X^@^@^@^@^F
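
An administrator can use the same visibility to find out which mail clients on a network still log in without encryption. The following is an added example, not part of the original text: it scans constructed client-to-server payloads (the addresses, ports and credentials are made up) and reports the client and user name of every cleartext IMAP or POP3 login, never the password.

```python
import re

# IMAP: "<tag> LOGIN <user> <password>"; POP3: "USER <name>" then "PASS <password>".
# Only the quoted-string and atom forms of the IMAP user name are handled here.
IMAP_LOGIN = re.compile(rb'^\S+ LOGIN (?:"([^"]*)"|(\S+)) ', re.I | re.M)
IMAP_STARTTLS = re.compile(rb"^\S+ STARTTLS\r?$", re.I | re.M)
POP3_USER = re.compile(rb"^USER (\S+)", re.I | re.M)
POP3_PASS = re.compile(rb"^PASS \S", re.I | re.M)

# Constructed client-to-server payloads: (client address, server port, bytes).
# 192.0.2.0/24 is a documentation range; the credentials are invented.
TLS_HELLO = b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"
SAMPLE_SEGMENTS = [
    ("192.0.2.10", 143, b'001H LOGIN "myusername" "secrect"\r\n'),
    ("192.0.2.11", 110, b"USER alice\r\n"),
    ("192.0.2.11", 110, b"PASS hunter2\r\n"),
    ("192.0.2.12", 143, b"a1 STARTTLS\r\n"),
    ("192.0.2.12", 143, TLS_HELLO),   # session upgraded, nothing readable
    ("192.0.2.13", 993, TLS_HELLO),   # IMAP over SSL from the first byte
]


def audit_cleartext_logins(segments):
    """Return one finding per login that crossed the network unencrypted."""
    findings = []
    pending_pop_user = {}   # client -> user name seen in a USER command
    upgraded = set()        # (client, port) pairs that switched to TLS
    for client, port, payload in segments:
        session = (client, port)
        if session in upgraded:
            continue
        if port == 143:
            if IMAP_STARTTLS.search(payload):
                upgraded.add(session)
                continue
            for match in IMAP_LOGIN.finditer(payload):
                user = match.group(1)
                if user is None:
                    user = match.group(2)
                findings.append({
                    "client": client,
                    "protocol": "IMAP",
                    "user": user.decode("latin-1"),
                })
        elif port == 110:
            user_cmd = POP3_USER.search(payload)
            if user_cmd:
                pending_pop_user[client] = user_cmd.group(1).decode("latin-1")
            if POP3_PASS.search(payload):
                findings.append({
                    "client": client,
                    "protocol": "POP3",
                    "user": pending_pop_user.pop(client, "(unknown)"),
                })
        # Ports 993 and 995 carry TLS from the start and are not inspected.
    return findings


if __name__ == "__main__":
    for finding in audit_cleartext_logins(SAMPLE_SEGMENTS):
        print("cleartext login:", finding)
```

Clients that appear in the result should be switched to IMAP or POP3 over SSL, as recommended in the conclusion of this chapter.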


If you are as lazy as most of us, you are using the same password over and over again. Who can remember thousands of passwords, not only for email, but for the auction, the electronic banking, the shopping system, the news site? Remember those snooping system operators I told you about on the previous page? They may already have your password and may try to use it for their own purposes. In any case, you can never assume that your email went through the system unnoticed and unread, or that it has not been copied somewhere. You can rest assured that emails containing buzzwords like 'al-qaeda', 'bomb', 'grenade' or even 'fbi' will most certainly make it into the NSA's (National Security Agency [21]) database for 'further reference'. But that is not a problem for you, since you are not using those terms? Well, neither do terrorists. They use substitute keywords instead.

When a terrorist wants to write this:

Hello Hassan: Thanks for the money. We will use it to buy video equipment to get a clear picture of the target. We can show that to our holy fighters so that they know how and where to attack best. God Is Great Yussuf

he actually writes this:

Hello my friend: Thanks for the kind words. They will help us to get a better understanding of our values. Our relatives will benefit from our understanding so that they know when and how to pursuit the true purpose in the best way. Greetings to Grandpa. Your cousin

The intelligence communities are of course aware of this 'veiling' of messages and adapt their lists of buzzwords accordingly. Maybe 'grandpa' is a trigger now, or 'cousin'; even 'purpose' may ring the alarm bells. Nobody in the public knows the current list of trigger words.


And you may have already used a few of those words in your emails. In that case, your data may have been registered in the NSA's database and they may now be actively looking for your emails in order to get a better picture. In other words: You might be a suspect. But the federal government is not the only one interested in your data. If you access, send or receive email in your school, university or in the office, you may be monitored by your boss or the IT department. Several companies have specialized in developing special software that monitors all communications.

From the FAQ of Awareness Technologies 'WebWatcher' [18]:

Question: Does WebWatcher record everything?
Answer: Yes, WebWatcher records all emails, IMs, websites visited, and anything typed.

Explore Anywhere Software LLC offers the WebMail Spy software [19]:

WebMail Spy is the award-winning email spy software that allows you to record all web-based email on your PC. This software makes email spying easy - you can spy on MSN HotMail®, Yahoo®! Mail, America Online®, WebMail, Excite® Mail, ICQ® Mail and many others. This email spy can be configured to run in total stealth mode, so nobody will know that you're reading their email....

If the world invested as much money and brainpower in fighting pollution as it does in spying on other people's communications, we wouldn't have to worry about 'global warming'.

But you can protect your email in multiple ways.


1) Use encryption

Encryption is nothing bad. Encryption allows you to put your message into a digital envelope. Comparable to a 'real letter', you protect the content of your email in a way that only the receiver is able to open and read it. Since the headers are needed to transport your message, they will not be encrypted. But your message is safe against eavesdropping.

This:

Hello Peter:

Thanks for your message. I hope cousin Winnie will leave the hospital soon. If I can get off work a little sooner, Grandpa and I will try to make it down and bring some pecan cake. You know he likes that stuff very much.

Talk to you later

Frank.

Becomes:

-----BEGIN PGP MESSAGE-----

Version: GnuPG v1.4.6 (GNU/)

hQIOAyXNB39ra9WUEAf/XnfEfb4m85arueOIk1VTYAHCPwsVk4j8QauWrm9wpkZK

NE461PBfR9jDody/8mgjFdJPyF2H8IVAqY4pCruWfb/Noh6EJ9eDJRdLirtgQPR3

ol+FI7+Kq+uWT+DzRoBvYO66/4rJjVGMMEyoewWQyscqGg4Hvq59XjAFYnELkRIR

qWyU4/gw5it/qV6L4cpXacWYaBFOLSrlhVfB1tuEirk9hAAM71PTA4YnlCQrBFHc

zWxNox3edz55ilIgg7uXE7JGU8J0X4Dxg3eB2iHwBpzvahHmI/SIu73C/KEP6fmU

EL8zZt6iZvHwiol/yZFjesrG8SihlObWQfmJXPzzttW8o30P6BHh8PYcVUQ81cZz

zeQoW0uQDSGZaBIdBrLvnaotBe/E6FgyRYcrMyuaQX0IeLP4Mw==

=pow3

-----END PGP MESSAGE-----


Only Peter will now be able to read the message. It can hop through multiple hosts and curious operators can access it, but nobody will know about cousin Winnie and his unfortunate hospital stay - even though the message contains the potential trigger words 'cousin', 'pecan pie' and 'grandpa'.

The method used to encrypt email traffic is called 'public-key cryptography'. Public-key cryptography, also known as asymmetric cryptography, is a form of cryptography in which a user has a pair of cryptographic keys - a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key [5].

That sounds a lot more complicated than it is. Well, wait a minute – it is complicated. But that shouldn't bother you, since it is usually well hidden within your email program. Just go to www.gnupg.org and get all the information and software, for almost all operating systems, that enables you to use the GNU Privacy Guard. Tell all of your communication partners to install the software (it's free), exchange public keys, and your email privacy is safe and secure.

Image Credit: www.gnupg.org

More links:

Set up GPG encryption on Windows
http://wolfram.org/writing/howto/gpg.html

Email-Security for Windows
http://www.gpg4win.org/

Mac GNU Privacy Guard
http://macgpg.sourceforge.net/

... and, as always, Google® is your friend. Try looking for 'gpg yoursystem', but don't forget to replace 'yoursystem' with the operating system you have (windows, vista, linux, commodore os, you name it).

Public key cryptography is the 'de facto' standard for safe email. A lot of other people and companies use it already. More and more people are installing the necessary software and might even insist on receiving protected email only. Sooner or later, you will have to install some form of public key encryption anyway. Why not now? Get yourself off the scope and protect your email.


2) Use temporary email addresses

While this is not practical in everyday friend-to-friend communications, you should consider temporary email addresses whenever you register with unknown services, buy something from unknown Internet shops or want to give an email address to a casual acquaintance. Temporary email addresses allow you to give somebody an email address that will expire after a certain amount of time. Until that time, all incoming email will be forwarded to your 'real' email address. Cool? Not only are you protecting your privacy, you also make it impossible for others to use your data in spam email lists. Even if they publish, sell or forward the (temporary) email address, you don't have to worry, because a few days later all email will bounce back – the temporary email address has become invalid. You simply generate a totally new email address and the game starts from zero.

I have created such a temporary email address service. Go to my website at www.michaelamerz.com and look for 'decimail'. It allows you to register a free, temporary email address you can use to protect your 'real' email data.

Image Credit: Michaela Merz

All you have to do is enter your real email address and a password, and my system will send you a request. Click on the link provided in this email and you are ready to go. I will not reveal your email address to anybody (unless ordered to do so by a court of law), and it will be deleted the moment your temporary email address expires.

How does it work? Use the temporary email address the very same way you would use your normal email address. However, email will be directed to my system, not yours. Once my system receives an email, it will immediately forward it to your 'real' email address. Your email will not be permanently copied or stored - it will be deleted after successful transmission to you.

Since it is a free service, you have to understand that I am offering no guarantees as to the function, privacy, security or usefulness of this service. I can stop offering this service at any time and without notifying you. You use this service at your own risk. In addition, you agree not to use this service for any illegal activity.


3) Use anonymous remailers.

Anonymous remailers take instructions embedded in your email and change header fields in such a way that the recipient doesn't know the original email address. There are also web-based remailers that allow you to type in your message 'online' and forward it to the specified destination. In most cases, remailers are owned and operated by individuals, and are not as stable as they might ideally be. There are different types of remailers:

Pseudonymous remailers simply exchange your email address for another email address provided by the remailer service. Incoming mails are routed through and changed back so that they can reach you. However, since this type of remailer keeps a database in order to forward incoming mail back to you, it is possible to uncover your identity by legal or illegal means.

Type 1 or Cypherpunk remailers completely remove your address from the header. Usually one cannot reply to mails sent via this type of remailer. Cypherpunk remailers do not keep logs and allow the encrypted transfer of messages to the remailer.

Type 2 and type 3 remailers are even safer, but usually require some software to be installed on your computer.

Get more information about remailers at http://en.wikipedia.org/wiki/Anonymous_remailer

Just remember: Remailers are operated by volunteers. You have no guarantees, and the service may go down or become unavailable without warning. Always prefer remailers that don't ask for your real email address, or use a combination of temporary email addresses and remailers for even better privacy.

Another way of sending anonymous email is a web-based email system. You just type your message on a web page, provide the destination email address and your email will be on its way. Be sure to use privacy-enhancing methods for the WWW as explained in the following chapters. anonymouse.org offers such a service. In addition, you can use it to access websites without revealing your IP address to others. See the later chapter.

Image Credit: www.anonymouse.org


4) What about Google® or Yahoo® or other email service providers?

They can add 'some' privacy, especially if you didn't register with your real personal data (which, by itself, might be a violation of their Terms of Usage). Using one of those email services will indeed hide your 'real email address' from third parties. But are you willing to pay the price? Once you register with Google® or Yahoo®, they might be able to combine your IP number and cookie information with your email account – not a good idea.

For this example, I told my Mozilla browser to remove all cookies (Edit: Preferences: Privacy: Cookies). I then logged into my Google® account and started some arbitrary search. There were a lot of cookies now, most with unidentifiable data. My user name was also included within the 'GAUSR' variable, though it will only be sent on encrypted connections and only when accessing certain areas of Google®. As long as we don't know the meaning of all those cookie variables, we can't be certain that they don't contain references to our private data. So – user beware.


5) Other ways to send 'secret' messages.

There are plenty of other ways to send your information privately. Just one little example here. Steganography is the art and science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message [6]. Usually, people hide their messages in audio files or images. Those images will innocently be transported via email attachment or even displayed on websites.

Image Credit: Michaela Merz

The small picture of me has been embedded in (and extracted from) the larger picture behind it. By modifying the least significant bit (the bit with the lowest arithmetic value) of a pixel value, one is able to add additional information, which will of course alter the master picture itself. Since the alterations are tiny, they usually go undetected.


However, modern methods are able to identify manipulated images. This is why modern steganography systems additionally encrypt the hidden data.
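
The least-significant-bit technique described above can be shown on raw pixel values. The following is an added example, not the author's tool and not the code of any program linked below; the cover "image" is a constructed run of 256 grayscale values, and the 2-byte length prefix is an assumption of this sketch. The hidden data is not encrypted here.

```python
# Constructed cover: 256 grayscale pixel values (0-255) standing in for an image.
COVER = bytes((i * 37 + 11) % 256 for i in range(256))


def _to_bits(data):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, secret):
    """Hide secret in the lowest bit of each cover value (one bit per value)."""
    if len(secret) > 0xFFFF:
        raise ValueError("secret too long for the 2-byte length prefix")
    payload = len(secret).to_bytes(2, "big") + secret
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for this secret")
    stego = bytearray(cover)
    for index, bit in enumerate(_to_bits(payload)):
        stego[index] = (stego[index] & 0xFE) | bit  # overwrite only bit 0
    return bytes(stego)


def _read_bytes(stego, first_value, count):
    """Rebuild count bytes from the lowest bits, starting at first_value."""
    out = bytearray()
    for n in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[first_value + n * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract(stego):
    """Read the length prefix, then that many hidden bytes."""
    if len(stego) < 16:
        raise ValueError("too short to hold a length prefix")
    length = int.from_bytes(_read_bytes(stego, 0, 2), "big")
    if 16 + length * 8 > len(stego):
        raise ValueError("length prefix exceeds the available data")
    return _read_bytes(stego, 16, length)


def max_pixel_delta(cover, stego):
    """Largest change to any single value; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    hidden = embed(COVER, b"pecan pie")
    print(extract(hidden), "max change per pixel:", max_pixel_delta(COVER, hidden))
```

No value moves by more than one brightness step, which is why the change is invisible to the eye even though statistical tools can still detect it.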

Links:

An Overview of Steganography for the Computer Forensics Examiner

http://www.garykessler.net/library/fsc_stego.html

Outguess and stegdetect, tools to create or to detect steganographic images

http://www.outguess.org/

6) Shouldn't we be happy that the government is scanning all messages to track down criminals and terrorists?

There's nothing wrong with trying to find bad guys. But would you accept it if, in the name of 'security', government agents opened every one of your letters and listened in on all of your phone conversations just because you might be a criminal? Civil liberties are necessary for a reason. The Fourth Amendment to the Constitution reads as follows:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Unfortunately, the founding fathers didn't know about email. But their intention is clear. Every person has the right to be secure, in their person and in their communications. By the way: Terrorists and criminals are already doing bad things. They simply use illegal ways to hide their communications. They hack into other people's computers and use those computers for communications, hitch a ride on other people's unprotected WiFi networks, or steal cellphones and throw them away if they feel threatened. In other words: The only data in plain view is that of 'normal' people. And this data is what eventually ends up in governmental and private databases.


7) Conclusion: Protecting the privacy of your email communications

With so many threats and weaknesses, how can one possibly hope for or expect privacy? In addition, the implementation of safeguarding mechanisms or rules is complicated and only experienced computer people are able to protect themselves. Not true. A few simple steps go a long way.

1) Always use the latest available software to access your mail. Check for updates at least once a month. Don't rely on automatic update functions.
2) Use a professional (and regularly updated) virus scanner.
3) Ask your ISP to provide IMAP/POP3 email access with SSL [23] (and activate this function in your email program).
4) Use a dedicated password for accessing your mail and change it at least every two months. Never store passwords on public PCs (in the office, school), on laptops or any other computer that is accessible to others.
5) Use anonymous remailers or temporary email-addresses whenever you access unknown or new commercial sites.
6) Never access your email from public Internet terminals unless you can access it over encrypted WWW and you are able to delete all of your private data after your session. See next chapter.

Those steps are easy even for people with no computer knowledge. They will not give you complete privacy but will make it harder to exploit your private data. Try to install the GNU Privacy Guard or ask a friend for help. Be sure however, that you generate your keys without your friend looking over your shoulder.

Please see Chapter V: How to install GNU Privacy Guard on Windows Computers.


III) How to create privacy on the Internet: Surfing on the Web

Whenever you are surfing on the Internet, you are leaving digital 'footprints' behind. Your IP-number, your language, the name of the WWW-application and your operating system are always transferred automatically.

Let's say you surf to the fictional address www.myaddress.com. Before the very first page is displayed (and with every new click you make), your computer will send the following data to the remote computer:

Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
Remote-Address: 123.45.67.89

The remote system now knows that you are using the English language, that you are running Microsoft®'s Windows 98 operating system, Microsoft® Internet Explorer and that your IP-address is 123.45.67.89. Is that a problem? Yes it is. Malicious websites look for this data because the web browser and operating system you use determine which viruses or trojan horses they are able to plant. They can't install a virus for Mac OSX or Linux on a Windows operating system and vice versa. They have to install the right virus for the right operating system. You (your program) tell them exactly what they need to know. Databases are available on the Internet that match IP-numbers to geographical locations [7]. Before you even see anything from that website, you have already exposed vital information to the remote site: Your location, your language and the software and operating system you are using. It's like going into some store and, before you have started to look around, you have already been asked to disclose your language, your address and what car you are driving. Pretty odd? It gets even better. All of the data transfer is in the open. There's no encryption. Your data hops through multiple gateways, routers and systems that could easily read, analyze and store every byte of your communications.


If I surf to, say, www.somesite.com, my data packets are handled by numerous systems between me and my target:

1 mysystem.com (192.168.1.1) 0.968 ms 2.551 ms 2.992 ms

2 12.208.48.1 (12.208.48.1) 24.663 ms 25.105 ms 25.288 ms

3 171.235.81.1 (171.235.81.1) 25.468 ms 25.647 ms 31.504 ms

4 13.12.178.19 (13.12.178.19) 34.127 ms 34.480 ms 34.661 ms

5 tbr2.hs1tx.ip.att.net (12.123.134.46) 66.280 ms 66.664 ms 66.868 ms

6 tbr1.dlstx.ip.att.net (12.122.10.129) 67.622 ms 68.656 ms 68.027 ms

7 tbr1.la2ca.ip.att.net (12.122.10.50) 66.367 ms 52.838 ms 53.176 ms

8 12.122.82.141 (12.122.82.141) 52.714 ms 45.875 ms 43.958 ms

9 12.118.42.6 (12.118.42.6) 50.014 ms 50.365 ms 50.546 ms

10 59.18.63.45 (59.18.63.45) 209.462 ms 209.772 ms 214.472 ms

11 59.18.62.22 (59.18.62.22) 206.489 ms 208.356 ms 208.666 ms

12 218.145.44.74 (218.145.44.74) 210.555 ms 210.911 ms 211.074 ms

13 * * *

The way to a remote system can be made visible by using the 'traceroute' command. If you are using the Windows operating system, try the following:

1) From the Start menu, select Run...;
2) In the "Open:" box, type cmd (Windows XP) or command (Windows 98/Me);
3) At the command prompt, enter tracert 'IP number' or tracert 'hostname', where 'hostname' is something like 'www.system.com'.

Your command should look like

tracert www.testsystem.com

Needless to say: We don't know what happens to our data on its way to the destination. And, mind you, the answer from the remote site will flow back pretty much the same way, exposing the whole conversation to any listener along the way.


1) A Closer Look At Cookies:

Cookies are small pieces of information that a remote computer sends to you and your computer stores that information on your hard disk. Whenever you go back to the originating site, your computer will echo the stored data back. Let's take a closer look. You surf to 'someshoppingsite.net' for the first time ever and the remote site will send you a cookie with the following content:

MTItMDEtMDc=

This is nothing but the current date, translated into 'BASE64' [8], a mechanism that does not encrypt the data but merely ensures its safe transit through the Internet. Should you ever return to the site, your computer will echo the above data back and they know the date of your first visit. Should you buy something, you will have to enter your name, credit card number and other personal data. They will now send you something like this:

MTItMDEtMDc7Q3VzdC5JZDoxMjM0Ow==

If we translate that back into readable form, it is:

12-01-07;Cust.Id:1234;

As you can see, a reference to your customer­id (1234) has been added. Should you ever return to their site, even if you don't register, they know who you are. Their database not only contains your personal data, but everything you have bought so far and even the products you just looked at. Sooner or later, they will send you emails offering products they know you might be interested in. If you bought a book about how to fix electrical wiring and you looked at other products like 'Plumbing For Dummies' and 'Landscaping The Right Way' they can be reasonably sure that you either just bought a new home or that you are remodeling. They now have a set of data about you that is mighty interesting for a lot of people. And yes, some sell or lease that data to others. Now you know how that insurance company got to know about the house you inherited from your grandpa.
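The decoding step described above, as an added example that is not part of the original document: it checks cookie values for Base64 that decodes to readable text and splits the result into fields. The two encoded values are the ones shown on this page; the cookie names, the third value and the function names are assumptions made for this example.

```python
"""Audit cookie values for Base64 that decodes to readable text."""
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode("ascii"))


def decode_if_base64(value):
    """Return the decoded text if `value` is valid Base64 yielding printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None                      # wrong alphabet or wrong padding
    if not raw or any(byte not in PRINTABLE for byte in raw):
        return None                      # decodes, but to binary data
    return raw.decode("ascii")


def parse_fields(text):
    """Split the 'date;Key:Value;' layout shown on the page into (key, value) pairs."""
    fields = []
    for part in text.split(";"):
        if not part:
            continue                     # trailing ';' leaves an empty piece
        key, separator, value = part.partition(":")
        fields.append((key, value) if separator else ("(unlabelled)", part))
    return fields


def audit_cookies(cookies):
    """Map each cookie name to its readable fields, or None if nothing readable was found."""
    report = {}
    for name, value in cookies.items():
        text = decode_if_base64(value)
        report[name] = parse_fields(text) if text is not None else None
    return report


# Cookie names are hypothetical; the first two values are the ones from the page,
# the third is a constructed opaque token for contrast.
PAGE_COOKIES = {
    "first_visit": "MTItMDEtMDc=",
    "customer": "MTItMDEtMDc7Q3VzdC5JZDoxMjM0Ow==",
    "opaque": "9f8a7c6b",
}

if __name__ == "__main__":
    for name, fields in audit_cookies(PAGE_COOKIES).items():
        print(name, "->", fields if fields is not None else "not readable")
```

Anyone who can see the cookie, on your disk or on the wire, can run the same decoding; no key is involved.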


But it gets even worse. Cookies are limited in the way that your computer only echoes the data to the originating site. If 'someshoppingsite.net' sends a Cookie to your computer, the computer will only send it back to 'someshoppingsite.net' . This is for privacy and security reasons. And it makes sense. But there are methods to circumvent this. And a lot of commercial sites are using this method to track your movements and actions all across the Internet.

This is how it works.

The participating sites include a small picture on their pages. The picture is usually just one pixel wide and transparent, so that you can't see it. The picture however will not be located on the site you are looking at, it will be located on some other site, let's call it 'traccme.net'. The participating sites will notify 'traccme.net' about what you did on their website, 'traccme.net' will store that information and send a Cookie to your computer. Since your computer will actually request that hidden image from 'traccme.net' it will also echo any cookie from 'traccme.net' to 'traccme.net'. This site collects all the data from the participating systems and shares it with them. If you bought a pair of gloves from merchant1.com, checked the flights to Europe on system2.net, looked at a few books about learning to ski on bookstore3.us and searched for vacation rentals in Austria on searchx.org – all of them know about your vacation planning and will start offering appropriate products. And you might start to receive 'Vacation Health Insurance' or 'Cheap Hotel' offers via email.

But wait .. that's not all. The huge amount of data collected and stored by 'traccme.net' attracts the attention not only of commercial organizations, but also of governmental organizations and of course of criminals. Why do you think the cases of identity theft are skyrocketing? The Federal Trade Commission released a report on November 27th, 2007, showing that 8.3 million American adults, or 3.7 percent of all American adults, were victims of identity theft in 2005 [9]. Wait: They released a report in November 2007 about the cases of identity theft in 2005? Oh – sure, they are the ones that should protect us against those criminals. Maybe it's better you do something about privacy on the Internet instead of relying on trustworthy merchants, (unknown) third parties safeguarding your personal data or the sleeping beauties at the Federal Government.
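One way to spot the hidden third-party pictures described above, as an added example that is not part of the original document: it scans page HTML for invisible images served from another site and lists which sites embed the same one. The host names come from the text; the page contents, image paths and function names are constructed, and the "same site" test is a simplification.

```python
"""Find invisible third-party images in HTML and see which sites share them."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def site_of(host):
    """Approximate a 'site' as the last two DNS labels.
    Simplification for this example; browsers use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def _dimension(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def is_invisible(attrs):
    """True for images the visitor cannot see: at most 1x1, or hidden by style."""
    width = _dimension(attrs.get("width"))
    height = _dimension(attrs.get("height"))
    if width is not None and height is not None and width <= 1 and height <= 1:
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class PixelFinder(HTMLParser):
    """Collects invisible <img> tags served from a different site than the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = site_of(urlparse(page_url).hostname or "")
        self.findings = []              # (third_party_host, full_image_url)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attributes = dict(attrs)
        src = attributes.get("src")
        if not src:
            return
        url = urljoin(self.page_url, src)           # resolve relative paths
        host = urlparse(url).hostname or ""
        if host and site_of(host) != self.page_site and is_invisible(attributes):
            self.findings.append((host, url))


def find_tracking_pixels(page_url, html):
    """Return (host, url) for every invisible third-party image on one page."""
    finder = PixelFinder(page_url)
    finder.feed(html)
    return finder.findings


def trackers_across_sites(pages):
    """Map each third-party pixel host to the sorted list of sites embedding it."""
    seen = {}
    for page_url, html in pages.items():
        first_party = site_of(urlparse(page_url).hostname or "")
        for host, _url in find_tracking_pixels(page_url, html):
            seen.setdefault(host, set()).add(first_party)
    return {host: sorted(sites) for host, sites in seen.items()}


# Constructed sample pages using the host names from the text.
PAGES = {
    "http://www.merchant1.com/gloves.html": """
        <img src="/images/gloves.jpg" width="300" height="200">
        <img src="http://static.merchant1.com/spacer.gif" width="1" height="1">
        <img src="http://traccme.net/t.gif?site=merchant1.com" width="1" height="1">
    """,
    "http://www.bookstore3.us/ski.html": """
        <img src="http://cdn.example.org/banner.png" width="468" height="60">
        <img src="http://traccme.net/t.gif?site=bookstore3.us" style="display: none">
    """,
}

if __name__ == "__main__":
    for host, sites in trackers_across_sites(PAGES).items():
        print(host, "is embedded invisibly on", ", ".join(sites))
```

The merchant's own 1x1 spacer and the visible third-party banner are not reported; only the image that is both invisible and hosted elsewhere is, and it turns up on both sites.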

How to surf in private:

First a few general suggestions: Be careful with what you reveal about yourself. While it might be fun to communicate in systems like 'Facebook®', 'YouTube®' and other social networking sites, it is not a good idea to disclose too much about yourself. I know of cases where job recruiters checked potential candidates via social networking sites. In a perfect world, you should not be held responsible for what you do in your free time. Recruiters shouldn't care about your parties, your sexual preferences or about other interests of yours. But we don't live in a perfect world. The competition is brutal and recruiters, colleagues or superiors might use your own data against you. Even private detectives and the police are routinely scanning the Internet to collect information.

“Your honor, I have no idea how that joint came into my possession. Maybe somebody slipped it into my pocket without my knowledge” Well, the judge said, I might have believed you if the DA's office wouldn't have found that message you posted on the Internet in which you are discussing the advantages of marijuana over alcohol. It seems you have quite some experience with illegal drugs.

Whenever you are thinking of posting a message, a picture or anything else, just remember the general rule of thumb:

If you wouldn't want your local newspaper to write about it, don't disclose it.

Not on the Web, in chats, message boards or in social networking environments. What is fun to post today may come back and bite you in ten years. Whatever has been posted on the Internet can most likely be found forever. Be extremely careful with 'self help' sites on the Internet. Though they might not use your data commercially, most of them are not experienced in safeguarding your data. Imagine the damage if somebody's deepest secrets were revealed. The Internet is a great place and most of us couldn't imagine a life without it. But this convenience comes with some dangers. And a lot of people aren't even aware of those problems.

Now let's look into mechanisms you can use to protect your privacy.

2) The TOR network

Tor is a software project that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world:

Image Credit: The TOR Project

It prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. [10]

The TOR network encrypts and routes your data through multiple other computers so that nobody can trace or track you. Unfortunately the TOR network has a weak spot: The last relay in the TOR network decrypts your data and forwards it to the destination. The volunteer running this node might be able to monitor your data. But due to the fact that the relays switch all the time, this monitoring would only capture parts of your communications. The more TOR relays are active, the more your data will be bounced around and thus will make it harder and harder to monitor usable parts of your session. TOR clients are available for almost all operating systems. And it is relatively easy to install TOR on your system.

Microsoft® Windows: www.torproject.org/docs/tor-doc-win32.html.en
MacOS X®: www.torproject.org/docs/tor-doc-osx.html.en
General Information about the TOR network: http://www.torproject.org/

You should be aware that all those TOR relays are sponsored by volunteers. They not only donate their time to administer their systems, they also donate their bandwidth so that you and others can use a privacy protected environment. The Tor Project is a 501(c)(3) non-profit based in the United States. The official address of the organization is:

The Tor Project
122 Scott Circle
Dedham, MA 02026 USA

You should be aware of a few disadvantages of TOR:

1) Connections via TOR might be slow(er) due to high traffic;
2) Some sites may refuse access if contacted via the TOR network;

If you have a good DSL or better connection, what about offering TOR services yourself? Think about it: What happens when you are not using your Internet? Why not let others use it? Whenever you go online, just disconnect TOR and you have your full bandwidth available. When you don't use your Internet, restart TOR and let others use it.

Become a volunteer : http://www.torproject.org/volunteer.html.en

Since 1990, The Electronic Frontier Foundation has championed the public interest in every critical battle affecting digital rights. Want to learn more? Go to www.eff.org

Image Credit: Electronic Frontier Foundation


3) Use HTTPS protocols

HTTPS encrypts your data so that nobody along the line is able to monitor your session. You probably know about HTTPS because your Online banking usually activates HTTPS. While this securely protects the flow of your data, the destination site will still be able to record your IP­number and header data. But if you are communicating with 'safe' sites or those sites that need to verify your identity, HTTPS is much safer than unprotected HTTP. Most sites will not allow you to use HTTPS. Just try it out. If you surf to 'www.somesite.org', your complete address looks like this: http://www.somesite.org/

Now just replace 'http' with 'https' and your address looks like this: https://www.somesite.org/

Is it working? If so, your data is now protected. Sometimes, a message like this appears:

Most private websites will not buy commercial certificates and your browser will show a warning. You should not ignore this warning and proceed only if you are not trying to connect to your bank or other websites that require high security. If it is a private or small commercial website, you can proceed and your data transmission will be reasonably safe.

Keep in mind though, that the warning might also indicate a rare security problem called 'man-in-the-middle' attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims. [11]

Unfortunately, most websites don't offer HTTPS protection for you. But, of course, there are ways to encrypt data even without the target's knowledge or support.

4) Web-based Proxy systems

Web-based proxies are simple, 'normal' websites. You just use your Internet browser to go there. No need to download or to install anything. Once you have connected to the web-proxy, you just enter the address you want to surf to, and, voilà, it appears on your screen. How does it work? The web-proxy fetches the requested data and delivers it to you. Since you are not directly accessing the page, neither personal data nor your IP-number will be transmitted to your target.

Just pay attention to scripts. Scripts are little programs embedded into a lot of websites to make them more 'interactive'. Some scripts are able to circumvent the proxy, other scripts can be malicious and even upload viruses to your computer. It's always 'safer' to disable scripts – though some websites (like www.weatherchannel.com) don't work without scripting enabled.

Some web-proxies allow you to access them with HTTPS enabled. Though the connection from the web-proxy to the target is still not HTTPS-encrypted, your connection to the web-proxy is. And that's half the battle and better than nothing. A web-proxy will not protect you against spy-ware, viruses or trojan horses. If used in HTTPS-mode, it will only partially enhance your privacy in regard to your Internet-provider or your company (if you surf at your place of work), though the address of your target will be visible. Web-based proxies are meant to protect your privacy only in regard to the target. A web-proxy is only useful if you don't want the target to know about you.

One word of caution: Use only such web-proxies that don't log your data. Otherwise you would make the fox the guardian of the chicken-coop. While you would be protected from leaving any traces with the target system, the web-proxy provider is able to monitor and/or to log every step you take. If you want to try it, go to my website and look for SafeSurf. I will NOT log any data.


5) Remove your cached data after your Online session

As discussed earlier, a lot of websites are using cookies and other mechanisms to track your movements. But you don't have to accept that. Just remove all of your cached data and cookies every time you close your browser or even in between. This will cause some inconvenience as you are losing a few abilities like staying 'logged-in' without having to use a password with every new visit. The advantages might not be so obvious. But believe me: You will effectively stop those data collecting monsters from tracking you. And for me, that outweighs the few minor inconveniences.

Microsoft® Internet Explorer:

Click 'Delete Cookies' and 'Delete Files'. If you are sharing your computer with others (or if you are using a computer in the office), it's also a good idea to remove the history (it keeps track of the websites you have visited) by clicking the 'Clear History' button. Some WWW programs allow you to deny cookies so that the data will not be stored on your hard disk. This, however, causes websites not to display and leads to errors and plenty of pop-up messages. Let them store their cookies; they will be gone after your Online session anyway.

If you are using the Mozilla web browser (and you should, see below), you can configure it to automatically remove all Cookies and cached files the moment you terminate the program.

6) Use Mozilla Software

I realize that you may have grown accustomed to your Internet Explorer or Safari WWW browser. I understand that the Look&Feel of the '' browser doesn't feel quite right, that, especially with Mac OS X, its fonts are a bit weird and that it might not support all functions you are used to. But the Mozilla software is Open Source. Hundreds of people are volunteering their time and knowledge to build a 'better' and safer WWW program. The combined knowledge of all of Mozilla's developers makes it hard to sneak some hidden functionality into the very core of your communications technology. I don't say that there are hidden or secret 'back doors' [12] in other browsers, but well – who knows?

Is Mozilla a more secure web browser? In some way, I think it is, because Mozilla is open source and they don't want to make money selling their products. Other browsers are either commercial or a part of an operating system, and their makers may want to hide flaws as long as they don't have a fix. And fixes might take some time. I don't trust any program I haven't analyzed myself. And it is nearly impossible to look into and to understand a huge project like a WWW browser. So I have to rely on the expertise of others. And, quite frankly, I much more easily believe the combined knowledge of Open Source programmers like myself. That is why I suggest using Mozilla.

However, there are plenty of ways to compromise your system with malicious code embedded into web sites. A little common sense along with a good virus scanner is always necessary to keep your system safe. Whatever WWW browser you use, make sure you are always using the most current version (check for upgrades frequently) and don't only rely on automatic upgrade messages.

Mozilla Software: http://www.mozilla.org/
Safari Information: http://en.wikipedia.org/wiki/Safari_(web_browser)
Opera Information: http://en.wikipedia.org/wiki/Opera_%28web_browser%29

7) Special Security

You can enhance your privacy and security even more. As a special example, I'd like to show you a few mechanisms to further protect your environment. Even if you follow all my suggestions to the letter, you may still be vulnerable to malicious software that is secretly installed on your computer without your knowledge. All it takes is a visit to ONE infected website and all of your security measures are useless, because a 'keylogger' has been covertly installed. It will capture your keystrokes and send them to a remote site. Such systems are highly useful for law enforcement and espionage, for instance providing a means to obtain passwords or encryption keys and thus bypassing other security measures. However, keyloggers are widely available on the Internet and can be used by private parties to spy on the computer usage of others [13].

What can you do? Get a 'read-only' operating system that boots from a CD. The complete environment (including virtual hard disks) will be in your memory only. Whatever will be installed, downloaded or saved on your 'hard-disk' will be gone the moment you turn your computer off.

Examples:

ReactOS [14] is an advanced free open source operating system providing a ground-up implementation of a Microsoft® Windows® XP compatible operating system. You can run ReactOS within a virtual QEMU [15] environment on your Windows or Linux computer. Pre-packaged downloads are available.

Damn Small Linux (DSL) [16] is a complete Linux operating system that can be booted from a read-only CD or from a small USB stick, and it can also run inside Windows. It offers much more than just a WWW browsing environment though it needs just about 128 Megabyte of RAM to run. It's also a fantastic way to learn about the Linux operating system. But Linux is not the focus of this document.

IV) References

1 http://philip.greenspun.com/panda/user-tracking
2 http://battellemedia.com/archives/002283.php
3 http://www.nytimes.com/2006/02/04/technology/04privacy.html
4 http://www.eff.org/deeplinks/2006/02/subpoenas-and-your-privacy
5 http://en.wikipedia.org/wiki/Public-key_cryptography
6 http://en.wikipedia.org/wiki/Steganography
7 http://www.michaelamerz.com/index.htm?id=310
8 http://en.wikipedia.org/wiki/Base64
9 http://www.ftc.gov/opa/2007/11/idtheft.shtm
10 http://www.torproject.org/
11 http://en.wikipedia.org/wiki/Man-in-the-middle_attack
12 http://en.wikipedia.org/wiki/Backdoor_%28computing%29
13 http://en.wikipedia.org/wiki/Key_logger
14 http://www.reactos.org/
15 http://fabrice.bellard.free.fr/qemu/
16 http://damnsmalllinux.org/
17 http://www.eff.org/issues/nsa-spying
18 http://www.awarenesstech.com/Monitoring-Software/Consumer/FAQs.html
19 http://www.exploreanywhere.com/email-spy-software.htm
20 http://en.wikipedia.org/wiki/Tcpdump
21 http://en.wikipedia.org/wiki/Nsa
22 http://anonymouse.org/
23 http://en.wikipedia.org/wiki/Secure_Sockets_Layer

V) How To Install GNU Privacy Guard on Microsoft®'s Windows

Download and install ­1.1.3.exe from ftp.gpg4win.org . Make sure you mark the tick that will put a quick start icon on your desktop. After installation, double­click the WinPT icon. We will now generate your personal key.

Click 'OK' and enter your name and your valid email address. Be sure you enter an email address that will not become invalid soon. The public part of this key will need to be distributed to all of your contacts, so if you don't want to send key updates, make sure your email address will not change in the near future.

You now need to enter a passphrase. This passphrase should be easy to remember, yet hard to guess for outsiders. Don't use a single password, use a whole sentence.

You will need to enter the passphrase again. Both passphrases have to match. Think about your passphrase before you click 'OK' – is it easy for you to remember? Would it be easy for others to guess?

Your key is now generated. Please be patient. The system will ask you to backup your key. This might be a good idea – make sure you keep the copy in a safe place.

WinPT will always be accessible in your task list. If you re­activate it you see the 'KeyManager' overview screen. It should now contain your personal key.

The next step is to export your PUBLIC key. It is the part of the key you need to publish on your website or to communicate to all of your email partners. There is no need to protect the public key. It is meant to be shared.

Highlight the key and click KEY -> EXPORT

Make sure you don't export your secret key.

Now save your public key (it will be named 'your_name.asc'). The content of the file should look like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----

Version: GnuPG v1.4.7 (MingW32)

[encoded key data]

-----END PGP PUBLIC KEY BLOCK-----

Your data will look different; just check that it starts with

-----BEGIN PGP PUBLIC KEY BLOCK-----

and ends with

-----END PGP PUBLIC KEY BLOCK-----

Congratulations. You have now created and activated your personal GNU Privacy Guard keypair.

It is now time for a quick explanation of the basic functionality of the encryption technology we are planning to use.

You have already created a personal key. A personal key consists of two parts:

The secret key: Just think about the secret key as your key to your post office box. As long as you have this key, you are able to access whatever is inside that box.

The public key: Assume the public key to be the number of your post office box. Whoever has the number to your box is able to send you a message.

Your passphrase protects your secret key so that only you can use it.

You can do three things with your personal key:

Encrypt messages: The content of the message is unreadable for anybody but the receiver.

Sign messages: This authenticates the message so that the receiver knows you actually wrote the message. You will have to enter your passphrase to sign the message.

Sign & Encrypt: This should be your default. The message will be digitally signed by you and encrypted so that it is safe.

It should now be clear that in order to write a signed and encrypted email, you will need to use the 'public key' (the address of the receiver's P.O. Box) of the destination's email-address.

If you would like to write a secure email to me, go to my website and get my public key.

Copy and paste it into a file. You may want to call the file 'michaela_merz.asc'. Start WinPT (if it is not already running) and select

KEY -> IMPORT

Select the file 'michaela_merz.asc' and you will see the following:

Click IMPORT and continue. The program will show additional information and after clicking 'OK' you should be able to see my key in your WinPT KeyManager.

You are now ready to send your first secure email. Start the email program you are using.

Please note: During my testing, I found that some email-programs have a problem when your encrypted email is sending an HTML-attachment. So, if you are using an email program that generates HTML (rich text), make sure you switch to plain text before sending the email.

Now simply write your message. When done, highlight all of the text and copy it to the clipboard (either by pressing CTRL+C or by selecting EDIT->COPY). Now right-click WinPT in your task-list and select

CLIPBOARD -> SIGN & ENCRYPT

Select my key (Michaela Merz) from the key manager (tick the little box on the left) and click OK. Since private keys are usually not signed (authenticated), the program might display a warning:

Just check if it is really my key and click 'OK'. Again highlight all of your text in the email, but now paste the clipboard back into the mail editor. Either press CTRL+V or select EDIT->PASTE. You should now see something like this in your editor:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0

[encrypted message data]

-----END PGP MESSAGE-----


This is your encrypted and signed message. Make sure that no part of the original (unencrypted) message is left in your email, then send the email to me.

Nobody will be able to read this mail on its way to me. I will have to enter my passphrase in order to read your mail.

Congratulations again, you have sent a perfectly safe and protected email.

You decrypt your email the very same way. Highlight the complete block of data, activate WinPT, select CLIPBOARD -> DECRYPT/VERIFY to decrypt the message, and copy it back or access it directly with CLIPBOARD -> EDIT.

Remember the basics of sending or receiving GPG email:

1) In order to send protected email, you need the receiver's PUBLIC KEY;
2) In order to receive protected email, the sender needs your PUBLIC KEY, so you should publish your public key somehow;
3) Never publish or share your SECRET KEY;
4) Always send encrypted emails as plain text, disable rich text or HTML-text when possible.
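A pre-send check for the rules above, as an added example that is not part of the original document: it confirms that a mail body holds nothing but one complete, undamaged PGP MESSAGE block and no HTML. The names crc24, armor, check_body and SAMPLE are hypothetical, the sample block is built from constructed bytes, and the CRC-24 constants are those of the OpenPGP armor checksum (RFC 4880, section 6.1).

```python
import base64
import re

def crc24(data: bytes) -> int:
    """CRC-24 used by the armor checksum line (the '=XXXX' line before END)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(payload: bytes) -> str:
    """Wrap constructed bytes in ASCII armor, only to produce sample input."""
    b64 = base64.b64encode(payload).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP MESSAGE-----", "Version: constructed sample",
                      "", *rows, "=" + check, "-----END PGP MESSAGE-----"])

ARMOR_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----\n(.*?)\n-----END PGP MESSAGE-----", re.S)

def check_body(body: str) -> list:
    """Return the problems found in a mail body; an empty list means none."""
    body = body.replace("\r\n", "\n")
    match = ARMOR_RE.search(body)
    if not match:
        return ["no complete PGP MESSAGE block"]
    problems = []
    if body[:match.start()].strip() or body[match.end():].strip():
        problems.append("text outside the encrypted block")
    if re.search(r"<\s*(html|body|div|p|br)\b", body, re.I):
        problems.append("HTML markup in body")
    # Armor headers end at the first blank line; the base64 data follows it.
    _headers, blank, data = ("\n" + match.group(1)).partition("\n\n")
    rows = data.split()
    if not blank or not rows:
        return problems + ["armor data missing"]
    check = rows.pop() if rows[-1].startswith("=") else None
    try:
        raw = base64.b64decode("".join(rows), validate=True)
        if check and crc24(raw) != int.from_bytes(base64.b64decode(check[1:]), "big"):
            problems.append("checksum mismatch (block truncated or altered)")
    except ValueError:  # binascii.Error is a subclass of ValueError
        problems.append("armor data is not valid base64")
    return problems

SAMPLE = armor(bytes(range(200)))  # constructed bytes, not a real ciphertext
```

The checksum only catches copy-and-paste damage; it says nothing about who encrypted or signed the message.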

A document called 'Novice Manual' should have come with your download. You will find a lot more help and information in there. You will also find tips and tricks on how to install GNU Privacy Guard security into your normal email-environment.


IV) Copyright And Trademarks

This document is © 2007 by Michaela Merz. You are welcome to share it among your friends, but you are NOT allowed to sell it without my written permission.

You are free:
– to Share: to copy, distribute and transmit this document.
– to Remix: to adapt the document.

Under the following conditions:
– Attribution. You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work).
– Noncommercial. You may not use this work for commercial purposes.
– Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

More details under: http://creativecommons.org/licenses/by-nc-sa/3.0/

This document has been created as a basic guideline to enhance the privacy on the Internet. I have tried to research all topics as well as possible and I am mentioning all companies, products, organizations or institutions without the intent to harm, offend or accuse. The document is not intended to be safe, complete or free of errors and the reader uses all information contained in this document at his or her own risk. Some methods explained or mentioned in this document may violate the law in your country or state. Do NOT rely on any of the information in this document to protect valuable or secret information.

All trademarks mentioned in this document are either registered trademarks or trademarks of their respective owners in the United States and/or other countries. This document has not been endorsed or otherwise been supported by any of the mentioned companies. All domains and other names used in examples are fictitious. Any resemblance with active domains or names is purely coincidental. No animals have been hurt in the production of this document.
