I am occasionally asked what all the encryption stuff on my Contact/PGP page is about. For some time I have been meaning to write about the importance of data encryption for researchers, but it is quite a daunting task to write a thorough blog post on such a topic.
Thankfully, someone else has done this! A colleague gave me a link to a blog posting by Jonatan Kurzwelly that covers questions of email and file encryption and much more, and I would strongly echo all of the points here:
I first encountered the issue of encryption in the mid-1990s, when working as a lobbyist for the UK churches on issues related to Israel/Palestine, Iraq and Sudan. Email was just beginning to be used in academic circles, but was not yet something that the UK churches used much. In fact, although I was based at the Church of Scotland offices, I was given an email address through the University of Edinburgh’s Centre for African Studies to help with the work on Sudan. Several of the informants for my human rights work in Sudan had access to email because they were attached to the university in Khartoum, and very quickly it became necessary to find secure ways to communicate if my informants were to stay safe. This soon also became an option used by Iraqi informants.
I was therefore one of the early users of Phil Zimmermann’s Pretty Good Privacy software, also known as PGP – in those days it was all command-line stuff in DOS and pretty complicated for a non-cryptographic specialist like me. However, none of my informants were endangered, and we were able to do some important work, lobbying in the Westminster parliament for the rights of disadvantaged people in these countries. I have continued to use PGP over the years as it has become simpler to use, and now it is available in easily accessible form through GPGTools etc.
I strongly encourage the use of GPGTools and all the other myriad security methods outlined in Kurzwelly’s blog posting. As the recent leaks by Chelsea Manning, Edward Snowden and others have shown, data is not secure unless you make it secure. You need to begin with the premise that ALL email and communications are being read (because they are, even if just by a machine) – and then the need for secure communications becomes immediately apparent. Data stored on servers etc. is also insecure, as Kurzwelly’s blog posting makes clear. Researchers are not exempt from this – particularly if their sources may be putting themselves in danger through what they reveal. No research outcome is worth putting other people at risk.
So that is what the PGP key data on my Contact/PGP page is about.
Secure your data!