What follows is a PGP signed message, updating my public encryption keys and talking a little bit about why I have done this.
There is nothing to worry about. This has nothing to do with the encryption on my websites. No data has been compromised.
For most of you, this will make no difference whatsoever because our communications are not PGP encrypted. I have also released a video to my Telegram channel, stating that I would be doing this, so there is no doubt that I am authentically the one sending this message.
TLDR unsigned version: I have updated the encryption key in my ProtonMail account out of an abundance of caution.
Separately, I have created another PGP key for use outside of ProtonMail.
That key is:
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
You can also download the .asc file here: ChristopherCantwell_0x567E2481_public
If my key changes, I will post that update to https://ChristopherCantwell.net/pgpkey
To verify the signature on this message, or to begin using PGP yourself, Windows users can check out GPG4Win at https://gpg4win.org/about.html
-----BEGIN PGP SIGNED MESSAGE-----
I’m going to rattle off a lengthy description of a security situation, and what I am doing to improve it. For those of you who might find some of this difficult to understand, I should just begin by stating that there is nothing to worry about. What I am describing pertains to my ProtonMail account, and has nothing to do with the encryption on any of my websites. Most of us communicate either via GMail or my domain email, which is not fully encrypted anyway, so our communications are no less secure than they were yesterday. You already know that we’ve not communicated about anything that could get you in trouble with the law, obviously, and for those of you who have trusted me with personal information, your information remains as secure as your payment method permits.
For those of you who understand what I am about to say, this message will, far from causing alarm, give you greater confidence that I go to rather extraordinary lengths to keep information secure, and to keep you informed about those measures I can, when such disclosures do not diminish the security of the measures taken.
My other motivation for disclosing this information, is to help you all think about the security of your own communications, by demonstrating what could fairly be described as an extreme level of caution, given the utterly mundane contents of the data under discussion.
I just finished backing up my ProtonMail account. Subsequent to this, I marked as compromised the PGP key previously associated with it. Though compromised is likely an exceedingly strong word to describe this situation.
I am doing this, in part, because as I have been going through my data, I noticed that I had backed up my ProtonMail encryption key to my computer on an unencrypted drive that was in the possession of the FBI subsequent to my arrest. Note that this is only the backup of the encryption key, not a backup of my emails. No such backup exists, save for the one I have just created, which is password protected, and which I will take all other appropriate measures to secure.
The aforementioned key backup is likewise password protected, and there is no indication that the password has been compromised. I also have always had two factor authentication on my ProtonMail account, and though the FBI did decrypt my cell phone while I was locked up, there was not much time between the moment they did so and the moment the 2FA was switched to a different device.
The backup key password differs from my ProtonMail account password, and there is no indication that the account password was compromised either.
To access my emails, an attacker would need one of these combinations.
1. The encrypted emails, the key, and the key password, simultaneously.
2. The ProtonMail account password, and the 2FA, simultaneously.
ProtonMail stores its client emails on their servers in such a fashion that the company cannot read them. That is largely the purpose of the system. Even if terrorists seized the building where ProtonMail was located, and put a gun to the head of the CEO, he could not decrypt my emails without the key, and to use the key backup on my computer, he would also need the backup password.
To access even the encrypted emails, without the password and the 2FA, the attacker would require the cooperation of the ProtonMail company, which is based in Switzerland and thus outside the jurisdiction of the United States.
My alleged offense conduct that led to the FBI seizing my devices had nothing to do with ProtonMail; there was never any dispute about whether I had said the things I was accused of saying, and the course of a routine law enforcement investigation would therefore have given them no justification to dedicate the effort that would be required to even attempt to access my ProtonMail. Were the emails accessed, by law I should have been notified in discovery, and no such notification was made.
However, we of course know that we are dealing with intelligence agencies, who merely use law enforcement as a cover, and habitually break the law themselves, with notoriously political motives. So, it is prudent that I take extra security precautions. But, I stress that, without the password, even possessing the key and the 2FA device, and having obtained the cooperation of ProtonMail, they would not be granted access to the emails.
For those of you who use ProtonMail, the change of keys should be completely transparent. You will not need to do anything. For those of you who use other encrypted email services that communicate securely with ProtonMail, I expect this to be just as seamless, but it may come to pass that you are notified that my encryption key has changed. If that occurs, you should not be alarmed. This is expected as a result of me taking these precautions. If you send emails to me which are encrypted with the old key, I can still decrypt them, so there is no risk of lost data.
As an added layer of protection going forward, I am publishing along with this signed message a PGP Public Key I just generated on my Windows computer. This key is published to a public directory. It can serve both to positively identify me, and to send me encrypted messages on unencrypted platforms. It is a separate key from the one ProtonMail uses natively.
However, be aware that, since the public key has been published, were I to be subpoenaed or otherwise coerced, it is conceivable that I could be compelled to decrypt messages received with this key. I am also, at time of writing, subject to the terms of Supervised Release under the jurisdiction of the United States Federal Government. Among the terms of my supervision are that I must submit my devices for search upon demand, though such demand may only be made should there be probable cause that I have violated the terms, which I have no plans on doing. Even then, the search may only by law extend to the devices suspected of playing a role in the violation, and within them only extend to data pertaining to the nature of the suspected violation. So, if I were suspected of, say, traveling outside the district of New Hampshire without permission, this would not permit US Probation to demand access to all of my emails or my customer data.
Also, since I generated the key on my Windows computer, am storing the private key on my unencrypted Windows computerS (plural), and intend to store a copy on my Android phone, the key is only as secure as those systems, plus my password to the key. Were I to communicate clandestinely, I would necessarily seek to generate and store different keys on a fully encrypted device using entirely open source software, and would not publicly publish them under my real name, nor make any other public acknowledgement of them. Though, nor would I lie to you, and I will state plainly that I do not, at time of writing, possess such a device, and have generated no such keys, as I have no need to communicate clandestinely.
One positive aspect of publishing the key to a public server is that, since I have also generated a revocation certificate, I can notify the general public in the event it is compromised, or I lose access to it for some reason. If a PGP signed message appears from me, and you attempt to verify the signature using connected software, that software can check to see if the key has been revoked, in which case the message should be deemed untrustworthy.
I have passed this revocation key to a trusted associate in a passworded archive. I have also passed this associate the private key in another passworded archive with a different password. This associate does not have the password to either archive, but I have them memorized, and should it come to pass that I need the key revoked while I cannot access a computer, or that I want this associate to use my private key, I can tell my associate the password to either or both and this associate may act according to the circumstance.
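The revocation check described above, as an added example that is not part of the original message and uses none of the author's keys: a POSIX shell script that drives GnuPG in a throwaway keyring. It generates a constructed demo key, clear-signs a constructed notice, verifies it, then imports the revocation certificate that GnuPG 2.1 and later write next to every newly generated key, and verifies the very same message again. The machine-readable status token moves from GOODSIG to REVKEYSIG, which is the signal verifying software should act on rather than the human-readable text. It assumes `gpg` and `gpgconf` (GnuPG 2.x) are installed; the user ID, message text and file paths are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Demonstrates with GnuPG how a
# revocation certificate changes the verification result of a signed message.
# Assumptions: GnuPG 2.x (gpg, gpgconf) is installed; the key, user ID and
# message below are constructed for the demo and are unrelated to any real key.
set -e

# Work in a throwaway keyring so the demo never touches the caller's own keys.
export GNUPGHOME
GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"

DEMO_UID="Demo Signer (constructed) <demo@example.invalid>"   # constructed
DEMO_MSG="$GNUPGHOME/notice.txt"
DEMO_SIG="$GNUPGHOME/notice.asc"

# g: gpg in non-interactive mode with an empty passphrase (demo key only).
g() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# demo_key_fpr: fingerprint of the demo key, from the machine-readable listing.
demo_key_fpr() {
  gpg --batch --with-colons --list-keys "$DEMO_UID" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# signature_status FILE: the single status token GnuPG assigns to the signature
# (GOODSIG, REVKEYSIG, EXPKEYSIG, BADSIG or ERRSIG). A good signature made by a
# revoked key is reported as REVKEYSIG, never as GOODSIG, so a verifier that
# keys off this token treats such a message as untrustworthy.
signature_status() {
  gpg --batch --status-fd 1 --verify "$1" 2>/dev/null \
    | awk '$1 == "[GNUPG:]" && $2 ~ /^(GOODSIG|REVKEYSIG|EXPKEYSIG|BADSIG|ERRSIG)$/ { print $2; exit }'
}

# revoke_demo_key: import the revocation certificate GnuPG wrote at key
# generation time under openpgp-revocs.d/<FINGERPRINT>.rev. GnuPG prefixes the
# armored block with a colon to prevent accidental use; it must be removed first.
revoke_demo_key() {
  rev_file="$GNUPGHOME/openpgp-revocs.d/$(demo_key_fpr).rev"
  sed 's/^:-----BEGIN/-----BEGIN/' "$rev_file" | g --import 2>/dev/null
}

# 1. Generate the demo signing key (and, as a side effect, its revocation cert).
g --quick-gen-key "$DEMO_UID" default default never 2>/dev/null

# 2. Clear-sign a constructed notice (same format as a BEGIN PGP SIGNED MESSAGE block).
printf 'Key update notice: constructed sample text.\n' > "$DEMO_MSG"
g --clearsign --output "$DEMO_SIG" "$DEMO_MSG" 2>/dev/null

STATUS_BEFORE="$(signature_status "$DEMO_SIG")"   # GOODSIG

# 3. Revoke the key, then verify the unchanged message again.
revoke_demo_key
STATUS_AFTER="$(signature_status "$DEMO_SIG")"    # REVKEYSIG

echo "before revocation: $STATUS_BEFORE"
echo "after revocation:  $STATUS_AFTER"

# Stop the agent gpg started for the throwaway keyring.
gpgconf --kill gpg-agent 2>/dev/null || true
```

In real use the revocation certificate is published to the key server or directory where the public key lives, instead of being imported locally as here, and verifying software refreshes the key from there before checking a signature; Gpg4win's gpg.exe accepts the same options, so the same steps apply on Windows.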
All of which is to say, that while I appreciate what little is left of my privacy more than the average citizen, you should not take my excessive caution for an opportunity to confess crimes to me, nor to involve me in any illegal behavior of yours. Should you do so, my encryption keys will be the least of your problems, since I will assume you are a malicious actor attempting to get me jammed up with the law, and I will act accordingly. I secure my communications for mundane and lawful reasons, namely that I have responsibilities which require both the appearance and the reality of discretion.
None of this will be of very much use to you if you do not use secure email or know how to use PGP. I’ll endeavor to write up a guide on it at some point, but for now I will leave you with some helpful links.
This will guide you to a page on my website describing the benefits of ProtonMail and containing my affiliate link thereto. From there you can get a free or a paid account with the service, and should you at any point decide to pay for the service, I will get a cut of your recurring payments. It might go without saying, but your information will not be passed to me on account of this exchange of funds.
This will guide you to a page on my website describing what a “Virtual Private Network” is and providing my affiliate links to several VPN providers. If you sign up for any of them, I will get a cut of those sales as well. It might go without saying, but your information will not be passed to me on account of this exchange of funds, either.
Here I have published a message not unlike the one you are presently reading, and included there my PGP public key for future reference. Should the key change or become compromised, in addition to issuing the revocation, I will endeavor to update that page.
Though sparsely populated at present, this is a project I am working on which I hope to make a more useful resource in the near future.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----