You should not get a false sense of security from using encryption

Caspar Bowden

But experts say citizens should not get complacent if all they do is use encryption to protect the messages they send because the technology has vulnerabilities that can be tricky to close.

Others fear that because encryption software can be tricky to use many citizens will be put off using it.

Echelon exposed

This week saw the publication of a long-awaited European Commission report on the Echelon electronic eavesdropping network.

The report confirmed the existence of the network, which is operated by intelligence services in US, UK, Canada, Australia and New Zealand, and revealed that it had the ability to routinely tap phone calls and faxes as well as almost any type of net-based communication.

The report recommended that citizens and businesses routinely use encryption technologies to scramble electronic messages to ensure that if Echelon captures them it will be unable to decipher them.

Menwith Hill:part of the Echelon network

But some experts say that adopting encryption should not be seen as the only action concerned citizens have to take.

"You should not get a false sense of security by using encryption," said Caspar Bowden, director of internet thinktank the Foundation for Information Policy Research, "but that's not a reason not to use it routinely."

Mr Bowden said encrypting e-mails will confound Echelon-like surveillance in which intelligence services casually trawl through datastreams looking for "suspicious" activity or messages containing key words.

Although encryption scrambles the contents of a message, it does nothing to hide who it is being sent to, so intelligence agencies can still track who is communicating with whom.

But, he said, it is unlikely to protect people if they attract the undivided attention of intelligence services because they would be able to exploit vulnerabilities in the software on a machine despatching e-mail messages.

Mr Bowden said that many software packages that do protect e-mail messages are hard to use for people who are unfamiliar with computers.

Encryption confusion

Last year two US researchers from Carnegie Mellon University asked 12 test subjects to try to send an encrypted e-mail message using PGP 5.0 - one of the most popular encryption programs available.

Privacy options

Groove.net Pretty Good Privacy Hushmail GNU Privacy Guard Freedom ScramDisk FreeS/Wan Rubberhose StegFS Cyber-rights Moot Lokmail PrivacyX Zixit

Of the 12 subjects who underwent the 90 minute test, three failed to properly encrypt the message they were sending, seven used the wrong keys to encrypt it and one was unable to work out how to send the message at all. All those taking part were college undergraduates and very familiar with e-mail.

The test subjects struggled because they did not fully understand how the encryption system of PGP works. It uses a technique known as public key cryptography to scramble messages.

Public key encryption uses two keys to scramble and decipher messages. One key is known as a public key and is widely distributed; the other, the private key, is held securely by an individual.

Messages are protected by scrambling them with the public key of the person you are sending a message to. Mathematics ensures that only the private key held by the person you are mailing can decrypt the message.

Encryption warning

But the Carnegie Mellon researchers said this concept proved tricky for their subjects to grasp. They concluded: "It does not make public-key encryption of electronic mail manageable for average computer users."

Mr Bowden said changes to e-mail and Web software were likely to make it easier for people to use encryption and stop their online activity being tracked routinely.

Privacy Tips

Choose random collections of letters as passwords Use anti-virus software Use a personal firewall Delete unsolicited commercial e-mail messages without opening Limit the personal information you pass on to websites Don't let websites gather cookies on your browsing habits Install and use an e-mail encryptor

"It's only a year since cryptography export controls on US software were eased," he said. "So software designers are at an early stage of integrating encryption seamlessly."

Certainly the number of secure software packages and web-based systems that attempt to make encryption easier to use are increasing. Now citizens can use websites like Groove.net, that lets people collaborate securely over the web, and Hushmail that routinely encrypts mail messages.

However, British citizens should be aware that the controversial Regulation of Investigatory Powers (RIP) Act gives law enforcement agencies the right to demand decryption keys from anyone, and it imposes prison sentences on those that refuse to hand them over.

The RIP Act also forbids people, under threat of prison, from telling anyone that they have been asked to hand over their key. In at least two reports legal experts have condemned these decryption powers as a breach of human rights.