Even when we think we're communicating in private, whether by email, text messages, private messages on social media etc., the fact is that a bunch of third parties, like tech companies, governments, ISPs and advertisers, all see that data too. And it's not just that they can see it, they're actively collecting and analyzing all of it.
One of the downsides of encrypting messages and emails to combat this is that since so few people are doing that, you will stick out like a sore thumb to anyone who is monitoring the data, and will probably receive closer scrutiny. For example, it'd be pretty easy to filter out all messages that contain PGP headers.
What if we could still encrypt the data, but make it look like ordinary plain text, made up of dictionary words? If it was done in a dynamic way, so it was different for every person, it would be hard to detect using passive data mining techniques. That would allow us to use existing services like gmail, twitter, facebook, reddit etc on the clearnet, while still protecting our message content.
I found an awesome little command line script called Asemica on Github, and it does just that.
It takes a message like this:
"Yeah, sure my phone number is 1234567890. Be there at 3pm"
The script requires three main things to run. First it needs a source message that you wish to obfuscate. The second is a corpus source, which is a large piece of text like a book, and this acts as the basis for what words are used, and how they're arranged. This can be local, or called from an external server. Finally there's the output file for the ciphertext.
./asemic enc -i message.txt -c corpus.txt -o cipher.txt
You can even go a step further by piping the source message through openssl to encrypt it, meaning anyone wanting to decrypt would need the correct password.
And that's not all. You can go further still by adding PGP encryption into the mix too, meaning the message can only be read by a specific recipient.
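As an added example (not Asemica's own code), here is a compact Python implementation of the same idea the script is built on: build a word-transition table from the corpus, and let every word that has several possible successors carry a few bits of the payload, so the output is a walk through the corpus made entirely of its own dictionary words. The sample corpus and the sample message are constructed for this example, and the scheme details (first-seen successor order, a two-byte length header, the wrap-around from last word to first) are this example's assumptions, not necessarily Asemica's. Because the encoder takes arbitrary bytes, the output of the openssl or PGP step from the previous paragraphs can be passed through it unchanged.

```python
"""Corpus-keyed word encoding in the style of Asemica (added example, not the
project's own code).  Both sides build the same transition table from the
same corpus; each branching word in the table carries floor(log2(n)) payload
bits, where n is the number of successors seen for that word."""
from __future__ import annotations
import re

WORD = re.compile(r"[a-z']+")

# Constructed sample corpus; in practice this would be a whole book.
SAMPLE_CORPUS = """The cat sat on the mat and the dog sat on the log.
The bird sang in the tree and the cat watched the bird."""

# The message used as the example in the post above.
SAMPLE_MESSAGE = b"Yeah, sure my phone number is 1234567890. Be there at 3pm"


def build_chain(corpus: str) -> tuple[dict, str]:
    """Return (successor table, start word).  Successor order is first-seen
    order, so an identical corpus always yields an identical table."""
    words = WORD.findall(corpus.lower())
    if len(words) < 2:
        raise ValueError("corpus too short")
    words.append(words[0])          # wrap around so every word has a successor
    chain: dict[str, list[str]] = {}
    for a, b in zip(words, words[1:]):
        succ = chain.setdefault(a, [])
        if b not in succ:
            succ.append(b)
    if not any(len(s) >= 2 for s in chain.values()):
        raise ValueError("corpus has no branching words; it cannot carry data")
    return chain, words[0]


def encode(payload: bytes, corpus: str) -> str:
    """Map payload bytes onto a walk through the corpus chain."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for the 2-byte length header")
    chain, word = build_chain(corpus)
    framed = len(payload).to_bytes(2, "big") + payload
    bits = "".join(f"{b:08b}" for b in framed)
    out, pos = [word], 0
    while pos < len(bits):
        succ = chain[word]
        k = len(succ).bit_length() - 1      # bits this branching point can hold
        if k == 0:
            word = succ[0]                  # forced step, carries nothing
        else:
            chunk = bits[pos:pos + k].ljust(k, "0")   # zero-pad the tail
            word = succ[int(chunk, 2)]
            pos += k
        out.append(word)
    return " ".join(out)


def decode(text: str, corpus: str) -> bytes:
    """Recover the payload from a walk produced by encode() with this corpus."""
    chain, start = build_chain(corpus)
    words = WORD.findall(text.lower())
    if not words or words[0] != start:
        raise ValueError("text does not start at the chain's start word")
    bits, word = [], words[0]
    for nxt in words[1:]:
        succ = chain.get(word)
        if succ is None or nxt not in succ:
            raise ValueError(f"transition {word!r} -> {nxt!r} is not in the corpus")
        k = len(succ).bit_length() - 1
        if k:
            idx = succ.index(nxt)
            if idx >= 1 << k:
                raise ValueError("successor index outside the data-carrying range")
            bits.append(f"{idx:0{k}b}")
        word = nxt
    raw = "".join(bits)
    data = bytes(int(raw[i:i + 8], 2) for i in range(0, len(raw) - 7, 8))
    if len(data) < 2:
        raise ValueError("text too short to hold a length header")
    length = int.from_bytes(data[:2], "big")
    if len(data) < 2 + length:
        raise ValueError("text truncated before the end of the payload")
    return data[2:2 + length]


if __name__ == "__main__":
    cover = encode(SAMPLE_MESSAGE, SAMPLE_CORPUS)
    print(cover)
    assert decode(cover, SAMPLE_CORPUS) == SAMPLE_MESSAGE
```

Two things worth noticing from running this. First, the corpus is the only secret at this layer: anyone holding the same text (or who can find it from a link in a public profile) decodes the walk directly, which is exactly why the post layers openssl or PGP underneath rather than relying on the word encoding alone. Second, the expansion is large, since each word carries only a couple of bits, which is the length problem the post mentions with Twitter.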
The output from this script is a little too long for some social networking sites like Twitter, but you could include pastebin or twitlonger type links when you're communicating, so outsiders would have no idea what's happening.
I think it would also work well for private messaging on reddit etc, perhaps even in the comments on subreddits where the mods know what's going on.
The script also has an option to format the output like an email. When you combine that with the extra PGP encrypted message step, it gives you an option to send secure private messages on any email service.
The thing that ties this all together is Keybase, allowing you to look up people, and find their verified email address, public key, and social media accounts.
The public profiles also contain two extra fields - an "about you" section, and one for your location. These could be used to store a link to your current corpus source, perhaps a large text file from archive.org or even a long HTML page, and the other could store your current decryption password for public posts.
You could change these as often as you like, meaning that unless someone was actively tracking your profile and messages, your message history would remain private.
Decentralized protocols like Identifi could eventually fill this role too in the future, so you wouldn't have to rely on a centralized website.
And there's always the option to use no external service, if you and the recipients have pre-arranged your corpus source and keys. This would be the most secure and untraceable.
This process is a little complicated and involved, but what if it could be streamlined? A browser extension could perform these tasks at the click of a button, although the browser might not be the most secure method.
Another option would be a background process that runs on your system, which can encrypt and decrypt any selected text, with certain key combinations.
I think this kind of thing is a stopgap solution. Ideally, all these services would be decentralized and encrypted as standard, but that's not the world we currently live in.
This method does, however, give you a way to keep using the vast infrastructure of existing services, without the massive downside of your data being automatically mined and spied on. What do you think?