Global Policy Forum

Thai non-government organisations are to receive this month a strong encryption tool that will help them keep secret confidential information such as the names of whistleblowers. Martus is an extremely simple, yet extremely strong encryption program that runs on almost any computer and is for all intents and purposes uncrackable. It can also use Internet connections to store material far away and thus away from physical access by would-be spies, informants or sneaky government operatives.

As of this month, Martus is free to anyone who wants the program, and comes with a full explanation, tutorial and manual in Thai. Martus is a Java-language program based on Pretty Good Privacy. The public-key system used by PGP was banned by the US government for foreign distribution for years because it was beyond the ability of even most _ perhaps all _ US government agencies to crack it. "Technologically speaking it's hard to break," Martus project director Marc Levine told Post Database. "If someone copies the file, they can't read it. If someone steals the computer, they probably can't read it."

Technically, NGOs (and others) have had a capability of secrecy for more than a decade. In 1992, international workers helped Burmese democracy forces establish a security network that used PGP to allow opponents of the military dictatorship to communicate securely and keep confidential lists of their colleagues and allies. But PGP, like all secure encryption schemes, has a steep learning curve, is difficult to understand, and suffers huge security lapses because of user confusion. "Even a lot of technology people in Silicon Valley wouldn't use PGP because it was so difficult to set up and use," said Mr Levine. Levine is a natural crusader and geek, a combination that caused him to help to set up a non-profit Silicon Valley company called Benetech that produced PC readers for the blind.

Mr Levine said Martus grew out of a realisation of how vulnerable NGOs and their contacts had become to spies and government snoops. "I visited several countries in 2000 and 2001 _ Cambodia, Sri Lanka, Guatemala and Russia," he said. "It was very obvious that any encryption more difficult than email would not be possible. Not that people are incapable, but it has to be simple." That's easy to say. But Martus, the project that resulted, is based on the email system. You type or copy information into the program, and press a button to send it. With email, the information is sent to the recipient. With Martus, it is automatically encrypted and sent. The guts, nuts and bolts of Martus work behind the scenes and away from the user, who need only concern herself with the information that goes into and out of the program.

Encryption of sensitive information is handled automatically and, apparently, securely. Philip Zimmermann, who invented PGP itself, has looked into Martus and sees a secure program. In a test for Post Database, almost all parts of Martus worked smoothly and obviously. Information was easily encrypted, possibly incriminating files were automatically deleted, and sending encrypted files to distant storage servers appeared to be simple. The only possibly confusing steps with Martus occur when a user wishes to decrypt information sent to her from outside. Of course there are ways around, or brutally through, Martus. The program's encryption is close to unbreakable but Mr Zimmermann and Mr Levine warn of two ways determined snoops might break it _ particularly government snoops.

Mr Levine believes Martus is probably most vulnerable through clever infiltration of an NGO by, say, a government spy. "Martus is a layer of security," he told Post Database. "There are ways around it, mostly probably social engineering." Mr Zimmermann and others have long warned against "the 3am knock on the door," where agents of some of the more brutal governments around the world take a suspect to a prison and try to beat the required pass phrase and private key location out of him. This is precisely what the Martus project foresaw. "We have three servers, including in Manila and Seattle," said Mr Levine. All users of Martus has access to these storage areas.. In addition, "the University of Toronto has a project called Citizen Lab, and they have been very helpful."

This month, the Asia Foundation may be ready to disclose a large project in Thailand that will spread knowledge and use of Martus among the NGO community. "This is our first project in the social field," said Mr Levine. Martus is already available for download, including with a prototype Thai manual. Improvements are expected within weeks. All details and downloads are at the web sites maintained by the organisation, www.martus.org and www.benetech.org.