How to contact me securely

Updated 2/22/16 to add Ricochet and change a Jabber address.

This page explains how to reach me privately, using the best available security tools. Best available does not mean perfect, but surveillance of these channels is costly, difficult and far less likely than the usual alternatives.

If you are a beginner, or if too many choices make your head hurt, I'm happy to choose for you. Clear your browser. Find another computer, away from home and work, perhaps at a library or cafe. Then browse to my SecureDrop page and follow instructions there. A blank thumb drive may come in handy.

I do suggest you give some thought to what you want to keep private, who might try to listen in, and how much you care. The Electronic Frontier Foundation's Surveillance Self Defense can help. If the risk you face is an angry boss, in an ordinary sort of angry-boss scenario, any of the channels here should protect you. (Just make sure you do not use a device or Internet connection controlled by said boss.) If someone's safety or freedom is at stake, consider your options more carefully. Some risks are worth taking. I hope you find a way to get in touch.

PGP

There are easier tools, but PGP (also known as OpenPGP, GnuPG and GPG) is still the gold standard for email encryption. The EFF guide or this one will get you started.

My PGP key, as of July 10, 2015, is here and on all the usual keyservers.

Fingerprint:
5FFB 9661 E80B EEAC F60A F439 9402 6C02 F396 3B70

There are other keys still listed for me, but I will use this one exclusively from now on. I have no reason to think the old ones are compromised, but I have marked them as expired. For now, I will not revoke them. That is all you really need to know, but experts can find the gory details below.

MORE OPTIONS

All the tools on this list will encrypt the contents of your message. SecureDrop, Ricochet and Pond will also keep you anonymous, concealing your physical location and the Internet address of your device. Some of the others can be used anonymously, but that adds a level of complexity I will not try to cover here.
  • For maximum protection, take a blank thumb drive to a public computer located some distance from home and work. Download and install Tails on the thumb drive. Tails is a portable operating system that can start almost any computer. It was central to the methods I used to communicate with Edward Snowden. Many of the best privacy and encryption tools are built in. Anything you do with Tails will be as anonymous as technology can make you on the Internet.
  • Using Tails is also the safest way to reach me on my SecureDrop, a channel designed to shield your identity (even from me) as well as the content of your message. Use Tails to boot a computer you do not usually use, at a location you do not usually visit, and start here.
  • If Tails feels like overkill, you can just use a public library computer.
  • For smartphone text messages and (when the audio works) voice conversation, Signal Private Messenger for iPhone and Android is the best there is for encryption. No one else can read or hear what we say. Be aware that with enough effort a government can probably discover that we are in contact. If we decide to use Signal, we'll exchange mobile phone numbers. Then you should verify my digital fingerprint, so you know it's really me on the other end.

    05 be 92 ac 93 49 d2 e2 22 bf c3 e0 56 d7 35 37 b5 ae 99 44 d3 b5 f3 b9 cc bf f9 da 15 95 8d a9 4f

  • (New) I have discontinued use of Peerio, which I previously listed here.
  • (New) For anonymous, encrypted live chat, I have become a big fan of Ricochet, which is easy to use, very well designed and recently passed a security audit. To find me there, add this contact: ricochet:3zc7amugtgne3g6o
  • A longer-established tool for secure (but not anonymous) live chat is Jabber, which uses a form of encryption called OTR. It can be made anonymous, but that requires more steps and more advanced skills. (Anonymity is built into Ricochet.) On Jabber I am (new handle) b4rt@jabber.otr.im or b.g.@dukgo.com. Those look like email addresses, but they're not. Tails has a built-in Jabber app called Pidgin. Here are how-to pages for using Jabber on Mac and Windows.
  • Pond is strictly for nerds. I barely qualify, but I can use it. The author, Adam Langley, cautions that Pond is still in beta, and we should take that seriously. Even so, Langley is the brains behind Google's web encryption infrastructure. I'm inclined to trust his beta code more than most people's version 2. We will need to exchange Pond addresses in person, or on another secure channel.

THE OLD FASHIONED WAY

Postal mail can be a good choice for confidential material. The government scans the outside of every envelope, but a warrant is required to open and read what's inside. You can use a boring, fake return address, or leave it blank. You can address it to me, or to someone else at one of my places of business, with a second envelope inside addressed to me. A postal address and people I work with are not hard to find at tcf.org. For an extra layer of protection, you could snailmail me the link to an encrypted message on pastebin.com or the server of your choice.

SSH KEYS

If you are technically minded and control a server somewhere, you can give me secure access to one of your directories by adding my SSH public key to the ~/.ssh/authorized_keys file of the account I am to log in as on the remote host. Here is my key:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmp8b7bopuNkHtybH8OWo3zCBY1cM+hx/AXtD/MlhAzwieFLyIOR6CTQV3Ffco5c1bZ7UP5Jpo6vZ0ZPN+7ZA1hYOwK3em0OmZ/MssYa+YFaaXVvyGtR2Ko9/C09yLOzP4nGJpppDE0CI5KFZH7LjEXjofg11BZkZoykN3tl/QWNM2473uyI8EM3xjJMEsWp2Q2pNzXfJstj9FVwEvhJe9phQOSgNUcXAnPbqxrUHAzO+9lhxa3+Mm/STfjyDuPw0lKeG9z17mt6ZzXf3q39YIPMCGf6J7DmXv1eQ5yFZmxFmfMIbxvxM7a+6anEt3OWkX6TB+CPgC2GP6E+D5AE2++MG0lg5lsE4z2ZNP8mFPv7hb4yYVC6sZK5H8VAs4Hx069OBpliXOlR0j3KX0kX6mPPZvpHxkyobple0hcCmN9hkNPrO9rHO2lcd7s9gclEAuoa36PTpkG4F0V35GWLlr6mRn/2lHHX0crzRj+kWlw6nqEwUGZoD20rMjAHiI3PU= COMMENT
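
Before pasting any public key into authorized_keys it is worth checking that it is the key it claims to be: one line, a well-formed ssh-rsa blob, a sane size, and a fingerprint you can compare out of band. The following checker is an added example, not code from this page; it embeds the key published above, re-joined onto a single line (copy-paste wrapping is the usual way these keys get mangled, and the checker rejects a wrapped key). The COMMENT field, the 2048-bit minimum and the restriction options are assumptions for illustration, not anything the page specifies.

```python
# Added example (not from the original page): sanity-check an OpenSSH public key
# before appending it to ~/.ssh/authorized_keys. Standard library only.
import base64
import hashlib
import struct

# The ssh-rsa key published above, re-joined onto one line. An authorized_keys
# entry is always a single line: "<type> <base64 blob> [comment]". The comment
# is optional; "COMMENT" here is a placeholder.
PAGE_KEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAABgQCmp8b7bopuNkHtybH8OWo3zCBY1cM+h"
    "x/AXtD/MlhAzwieFLyIOR6CTQV3Ffco5c1bZ7UP5Jpo6vZ0ZPN+7ZA1hYOwK3"
    "em0OmZ/MssYa+YFaaXVvyGtR2Ko9/C09yLOzP4nGJpppDE0CI5KFZH7LjEXjo"
    "fg11BZkZoykN3tl/QWNM2473uyI8EM3xjJMEsWp2Q2pNzXfJstj9FVwEvhJe9"
    "phQOSgNUcXAnPbqxrUHAzO+9lhxa3+Mm/STfjyDuPw0lKeG9z17mt6ZzXf3q3"
    "9YIPMCGf6J7DmXv1eQ5yFZmxFmfMIbxvxM7a+6anEt3OWkX6TB+CPgC2GP6E+"
    "D5AE2++MG0lg5lsE4z2ZNP8mFPv7hb4yYVC6sZK5H8VAs4Hx069OBpliXOlR0"
    "j3KX0kX6mPPZvpHxkyobple0hcCmN9hkNPrO9rHO2lcd7s9gclEAuoa36PTpk"
    "G4F0V35GWLlr6mRn/2lHHX0crzRj+kWlw6nqEwUGZoD20rMjAHiI3PU="
    " COMMENT"
)

MIN_RSA_BITS = 2048  # assumed local policy for this example

# Assumed restrictions for a key that should reach files, not tunnels (sshd(8) options).
DEFAULT_OPTIONS = "no-port-forwarding,no-agent-forwarding,no-X11-forwarding"


def _read_string(blob, offset):
    """Read one RFC 4251 'string' (uint32 big-endian length, then that many bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_ssh_rsa(line):
    """Parse one 'ssh-rsa' key line into type, exponent, modulus size, fingerprint, comment.

    Raises ValueError for anything malformed, including a key that was wrapped
    onto several lines by copy/paste.
    """
    if "\n" in line.strip():
        raise ValueError("key spans several lines; re-join it onto one line first")
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type != "ssh-rsa":
        raise ValueError("unsupported key type: " + key_type)
    blob = base64.b64decode(b64, validate=True)  # rejects stray characters
    inner_type, off = _read_string(blob, 0)
    if inner_type != b"ssh-rsa":
        raise ValueError("type inside the blob does not match the line")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing bytes in key blob")
    n = int.from_bytes(n_bytes, "big")
    # Same form as `ssh-keygen -lf`: SHA256 over the raw blob, base64 without padding.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return {
        "type": key_type,
        "e": int.from_bytes(e_bytes, "big"),
        "bits": n.bit_length(),
        "fingerprint": "SHA256:" + digest.rstrip("="),
        "comment": comment,
    }


def authorized_keys_entry(line, options=DEFAULT_OPTIONS):
    """Validate a key line and return the entry to append to ~/.ssh/authorized_keys."""
    info = parse_ssh_rsa(line)
    if info["bits"] < MIN_RSA_BITS:
        raise ValueError("RSA modulus too small: %d bits" % info["bits"])
    if info["e"] < 3 or info["e"] % 2 == 0:
        raise ValueError("implausible RSA public exponent")
    return "%s %s" % (options, line.strip()) if options else line.strip()


if __name__ == "__main__":
    info = parse_ssh_rsa(PAGE_KEY)
    print("%s, %d bits, %s" % (info["type"], info["bits"], info["fingerprint"]))
    print(authorized_keys_entry(PAGE_KEY))
```

Compare the printed SHA256 fingerprint with `ssh-keygen -lf` on a copy of the key you obtained some other way before you append the entry; the options prefix keeps a file-drop key from doubling as a tunnel into your network.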

WHY I CHANGED MY PGP KEY

Over the years I accumulated a drawer full of email addresses and keys. It was time to consolidate. I took the opportunity to upgrade my security, creating the new key on an offline computer and storing it on a smartcard token. Two tokens, actually, as described below.

My new key is tied to the following email addresses:

  • bart@gellman .us (my main address going forward)
  • bart.gellman@washpost .com (for Washington Post business)
  • gellman@tcf .org (for Century Foundation business)
  • bgellman@princeton .edu (for Princeton University business)
If you have any other email address for me, please delete it. I have either stopped checking it or will stop soon.

HOW DO YOU KNOW THE NEW PGP KEY IS REALLY MINE?

Important question.
  • I list the key on Keybase, with multiple proofs of identity
  • I link to this page in my verified Twitter profile, @bartongellman
  • I signed the new key, and each subkey, with my previous keys

THE GORY DETAILS

I followed Tom Lowenthal's admirable guide, with minor adjustments, to generate new keys and put them on smartcards. One card, in cold storage, holds the master key. Another has my signing and encryption subkeys for everyday use. I screwed it up the first time, but it all worked out.

I settled on 3072 bit RSA keys because [UPDATE: I wrongly thought] they were the maximum size supported by the OpenPGP smartcard.

[UPDATE: As Kevin Gallagher reminds me, I could have made 4096 bit keys because I used GPG2 to generate them on my computer, not on the card itself. I'm content with RSA 3072 for now.]

Fingerprints for the subkeys:

Encryption: 6DEE 1EA3 FADA 61B1 558C E1AB CA33 428B B052 42A2
Signature: 1635 3886 42FC 561E 07DE 98EE EA20 47BA 097E 4D40
Authentication: 3CE1 BD6A 1934 D10B 75AB C74B 59B5 79B5 2E9C B3DD

If you are comfortable with the command line, download my key with:
gpg --recv-key 0x94026C02F3963B70
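
The key ID in that command is just the last 16 hex digits of the fingerprint printed above, and a keyserver will hand back whatever is filed under that ID, so the real check is comparing the full fingerprints after the download. The checker below is an added example, not code from this page: given the machine-readable output of `gpg --with-colons --fingerprint 0x94026C02F3963B70`, it confirms that the primary fingerprint and the three subkey fingerprints listed above are exactly present, no more and no fewer. The sample gpg output embedded in it is constructed for the example (timestamps and user ID are placeholders; only the fingerprints and key IDs come from this page).

```python
# Added example (not from the original page): confirm a downloaded OpenPGP key
# carries exactly the fingerprints published above. Standard library only.
import hmac
import re

NOT_HEX = re.compile(r"[^0-9A-F]")

# Fingerprints exactly as printed on the page.
PRIMARY_FPR = "5FFB 9661 E80B EEAC F60A F439 9402 6C02 F396 3B70"
SUBKEY_FPRS = {
    "encryption": "6DEE 1EA3 FADA 61B1 558C E1AB CA33 428B B052 42A2",
    "signature": "1635 3886 42FC 561E 07DE 98EE EA20 47BA 097E 4D40",
    "authentication": "3CE1 BD6A 1934 D10B 75AB C74B 59B5 79B5 2E9C B3DD",
}

# Constructed stand-in for `gpg --with-colons --fingerprint 0x94026C02F3963B70`.
# In an "fpr" record the fingerprint is field 10; timestamps and uid are placeholders.
SAMPLE_OUTPUT = """\
pub:-:3072:1:94026C02F3963B70:1436486400:::-:::scESC::::::23::0:
fpr:::::::::5FFB9661E80BEEACF60AF43994026C02F3963B70:
uid:-::::1436486400::PLACEHOLDER-HASH::PLACEHOLDER USER ID::::::::::0:
sub:-:3072:1:CA33428BB05242A2:1436486400::::::e::::::23:
fpr:::::::::6DEE1EA3FADA61B1558CE1ABCA33428BB05242A2:
sub:-:3072:1:EA2047BA097E4D40:1436486400::::::s::::::23:
fpr:::::::::1635388642FC561E07DE98EEEA2047BA097E4D40:
sub:-:3072:1:59B579B52E9CB3DD:1436486400::::::a::::::23:
fpr:::::::::3CE1BD6A1934D10B75ABC74B59B579B52E9CB3DD:
"""


def normalize(fpr):
    """Upper-case and drop spaces/colons, so '5FFB 9661' and '5ffb9661' compare equal."""
    return NOT_HEX.sub("", fpr.upper())


def fingerprints_match(shown, expected):
    """Constant-time comparison of two fingerprints written in any common spacing or case."""
    a, b = normalize(shown).encode(), normalize(expected).encode()
    return len(a) == len(b) and hmac.compare_digest(a, b)


def long_key_id(fpr):
    """The 64-bit key ID used with --recv-key is the last 16 hex digits of the fingerprint."""
    return "0x" + normalize(fpr)[-16:]


def fingerprints_from_colons(output):
    """Return the fingerprints of all 'fpr' records, in the order gpg printed them."""
    found = []
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            found.append(fields[9])
    return found


def verify_key(output, primary, subkeys):
    """True only if the first fpr is `primary` and the remaining fprs are exactly `subkeys`."""
    fprs = fingerprints_from_colons(output)
    if not fprs or not fingerprints_match(fprs[0], primary):
        return False
    return {normalize(f) for f in fprs[1:]} == {normalize(s) for s in subkeys}


if __name__ == "__main__":
    print("key id for --recv-key:", long_key_id(PRIMARY_FPR))
    print("matches page:", verify_key(SAMPLE_OUTPUT, PRIMARY_FPR, SUBKEY_FPRS.values()))
```

Feed it real output by piping `gpg --with-colons --fingerprint 0x94026C02F3963B70` into `verify_key`; an extra or missing subkey, or a single changed digit, makes it return False. The same `fingerprints_match` also serves for the spaced, lower-case Signal fingerprint printed earlier on this page.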

THREE REQUESTS

Please protect my privacy, as well as yours. Don't give my email address to a social network (Facebook, LinkedIn) or an invitation service (Evite, Paperless Post). If you want to share a link with me, send it yourself instead of clicking the "email" button on the web site.

Write to me on one email account only. I get mail from all accounts on every device. Nobody wants four copies of the same note.

No matter how good the cause, do not add me to any kind of mailing list. These email addresses are for individual correspondence only. If you put me on a list, I will probably nominate your domain for my company-wide spam filters. I may make fun of you on Twitter.

QUESTIONS, COMMENTS?

Send an email to (only) one of the addresses above, or find me on Twitter.