Short of meeting face-to-face with a person you really know, it is sometimes impossible to know whether the person you are communicating with is who you think they are.

In the 60s and 70s, the FBI took advantage of folks’ trust in what they read.  As part of COINTELPRO, the FBI was later found to have sent anonymous, pseudonymous and forged letters and pamphlets in order to disrupt campaigns or to incite violence between groups.  As a striking example of the latter, the FBI distributed a cartoon purportedly by the United Slaves that depicted Black Panther Party members being assassinated. After observing the interactions between the two groups, the FBI claimed credit for instigating the deaths of two Black Panther Party members at the hands of United Slaves gunmen. (Pages 187–223 of Book III, Supplementary Detailed Staff Reports on Intelligence Activities and the Rights of Americans, in the Church Committee reports.)

Now that our communications largely take place online, such tactics can be automated: emails are very easy to forge, and even photos and videos cannot necessarily be trusted. However, there are cryptographic tools we can use to certify that (1) a message has not been tampered with (integrity) and (2) the sender really is who you think it is (authentication); together these give us authenticity.  The ability to check authenticity is built into many secure messaging apps, such as Signal, but the check only means something once you have done a manual or semi-manual validation step, usually called fingerprint (or key) verification.

Assuring authenticity in the electronic world requires cryptographic keys.  If you and your friend want to communicate privately, you first have to exchange public keys, and this is usually done over the very same channel you are going to talk on.  If a malicious third party (the man in the middle) is intercepting your communications from the first key-exchange step onward, that third party can replace each of your keys with their own and neither of you would notice: they end up holding one key that works with you and another that works with your friend, which lets them read, alter and forward every message that passes between you.  So you and your friend should compare the keys you each received over a separate channel that the attacker does not also control (a phone call, a meeting in person, or carrier pigeon).  Because a key is too long to read aloud, what you actually compare is its fingerprint, a short hash of the key.  This “out-of-band” comparison of fingerprints is the verification step, and confirming that the key you hold truly belongs to your friend is what guarantees authenticity.  (In Signal, you do this by comparing “safety numbers”, which are computed from both parties’ keys so that you and your friend should see the identical number. Compare the whole number rather than just the first few groups, and redo the comparison whenever Signal tells you the safety number has changed, since that means a key has changed.)
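The following is an added example, not code from the original post and not Signal’s implementation: it simulates the key exchange and the out-of-band fingerprint comparison described in the two paragraphs above. Alice and Bob do a Diffie-Hellman exchange, first over an untampered channel and then with Mallory substituting her own keys in both directions, and each side then computes a Signal-style safety number for the conversation. The group parameters (a Mersenne prime modulus, generator 3) are a toy chosen for the illustration and are not safe for real use, and the safety-number construction is a simplification of Signal’s scheme, not its actual algorithm.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for this illustration only.
# Real systems use X25519 or one of the RFC 3526 groups.
P = (1 << 127) - 1   # Mersenne prime 2^127 - 1
G = 3


def keygen():
    """Generate a (private, public) Diffie-Hellman key pair."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P - 2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    """Derive the shared secret from our private key and the peer's public key."""
    return pow(peer_pub, priv, P)


def fingerprint(pub):
    """30-decimal-digit fingerprint of one public key (truncated SHA-256)."""
    digest = hashlib.sha256(pub.to_bytes(16, "big")).digest()
    return f"{int.from_bytes(digest, 'big') % 10**30:030d}"


def safety_number(pub_a, pub_b):
    """Signal-style safety number for a conversation: both parties' fingerprints,
    sorted so each side computes the same string, grouped in fives for reading.
    (Simplified illustration, not Signal's actual algorithm.)"""
    digits = "".join(sorted([fingerprint(pub_a), fingerprint(pub_b)]))
    return " ".join(digits[i:i + 5] for i in range(0, len(digits), 5))


def honest_exchange():
    """Alice and Bob exchange public keys over an untampered channel."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    # Each side computes the safety number from its own key and the key it received.
    alice_sees = safety_number(a_pub, b_pub)
    bob_sees = safety_number(b_pub, a_pub)
    return {
        "secrets_agree": shared_secret(a_priv, b_pub) == shared_secret(b_priv, a_pub),
        "safety_numbers_match": alice_sees == bob_sees,   # the out-of-band comparison
    }


def mitm_exchange():
    """Mallory intercepts the in-band key exchange and substitutes her own keys."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    m1_priv, m1_pub = keygen()   # handed to Alice in Bob's name
    m2_priv, m2_pub = keygen()   # handed to Bob in Alice's name

    alice_secret = shared_secret(a_priv, m1_pub)   # Alice believes m1_pub is Bob's
    bob_secret = shared_secret(b_priv, m2_pub)     # Bob believes m2_pub is Alice's

    # Mallory derives both secrets, so she can read, alter and re-send every message.
    mallory_reads_alice = shared_secret(m1_priv, a_pub) == alice_secret
    mallory_reads_bob = shared_secret(m2_priv, b_pub) == bob_secret

    # The out-of-band check: each side reads out the safety number it sees.
    alice_sees = safety_number(a_pub, m1_pub)
    bob_sees = safety_number(b_pub, m2_pub)
    return {
        "mallory_reads_both": mallory_reads_alice and mallory_reads_bob,
        "safety_numbers_match": alice_sees == bob_sees,   # False: the attack is caught
    }


if __name__ == "__main__":
    print("honest exchange:", honest_exchange())
    print("man in the middle:", mitm_exchange())
```

Note what the in-band channel alone cannot tell you: in the intercepted run both parties’ shared secrets work perfectly and messages flow as normal, so nothing looks wrong until the two safety numbers are read out over a channel Mallory does not control and turn out to differ.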

Stay safe out there.