Ever since the Snowden revelations, more and more people have been educating themselves on how to use encryption. One of the first programs people might turn to is Pretty Good Privacy, or PGP, a version of which was thrust further into the public consciousness when it was explicitly credited in Citizenfour, Laura Poitras’ documentary on the National Security Agency and her meeting with Snowden.
By Joseph Cox|MOTHERBOARD
But what users might not know is that messages encrypted using PGP leak a wealth of data about their senders and recipients, possibly allowing a well-resourced attacker to map out who a target is sending secret messages to. In a talk at Usenix Enigma, a new security conference, Nicholas Weaver from the International Computer Science Institute explained the general technical details behind the NSA’s mass surveillance systems, and touched upon a number of problems with PGP.
“To be honest, the spooks love PGP,” he said. “It’s very chatty, gives you a lot of metadata, gives you the entire communication record.”
This is due, in part, to the fact that users’ PGP KeyIDs can be scraped from a message after it has been encrypted. For example, any message—perhaps one intercepted by a mass surveillance system, or that a nosy lover has found in your email account—can be entered into a PGP client. This program will typically provide the KeyID, the numerical code that identifies the key the message was encrypted to. Armed with this info, an attacker could then attempt to find more information about who the message was addressed to, such as a corresponding email address or name.