Want to Defend Your Privacy?
By Doug Hornig
Happy Independence Day to our American readers, wherever they might be.
While you're enjoying friends, family, and that charbroiled steak, perhaps this is also a good time to take stock of your own state of independence. To ponder your privacy, or lack thereof, and what you might do about it.
For the record, the word "privacy" doesn't appear in the Declaration of Independence, nor anywhere in the Constitution. It's difficult at this late date to divine whether the authors of those documents had any real notion of the term or thought it worth protecting. Nevertheless, we can draw some inferences from what they did write.
The Fourth Amendment declares that "the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue but on probable cause." The Fifth Amendment adds that no person "shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty or property without due process of law."
An overarching right to be left alone certainly seems implied.
But what about personal electronic communications—a concept that could hardly have existed in the 18th century. Should they also be secure? That's the question before us as a society. It's been a big one for a long time now, even though it only makes the front pages when an Edward Snowden type appears.
Snowden might be the current flavor of the day, but many of his revelations are little more than yesterday's news. For example, investigative reporter Kurt Eichenwald, in his book 500 Days: Secrets and Lies in the Terror Wars, revealed how the NSA's questionable mass surveillance program—what he calls "the most dramatic expansion of NSA's power and authority in the agency's 49-year history"—was devised just days after 9/11, as an end run around the traditional requirements of the Foreign Intelligence Surveillance Act (FISA).
Formerly, FISA demanded that an individual warrant be obtained if the government wanted to monitor Americans communicating overseas. But the Baby Bush administration unilaterally swept that aside. The new presidential directive granted the NSA the power to gather unlimited numbers of emails and phone calls into a database for analysis, all without the approval of Congress or any court. (Not to put everything on Dubya—Obama has essentially doubled down on this encroachment.)
Moving the surveillance totally onshore was a breeze from there. Connections between a suspect email address abroad and anyone else—accounts that either sent or received messages, whether in the United States or not—would be subject to examination. At that point, a more detailed list could be constructed, ensnaring any email addresses contacted by the suspect, and then any addresses contacted by those addresses, and so on without end.
More specifics came from whistleblower William Binney, a 30-year veteran of the NSA. Binney, who resigned from the agency in 2012 because of the dubious nature of its activities, volunteered the first public description of NSA's massive domestic spying program, called Stellar Wind, which intercepts domestic communications without protections for US citizens. Binney revealed that NSA has been given access to telecommunications companies' domestic and international billing records, and that since 9/11 the agency has intercepted between 15 and 20 trillion communications. He further disclosed that Stellar Wind was filed under the patriotic-sounding "Terrorist Surveillance Program" in order to give cover to its Constitutionally questionable nature.
We also can't pretend to be shocked just because we now know PRISM's name. The government has long employed techniques which they hide behind euphemisms like "full pipe monitoring," "sentiment analysis," and "association mapping." These involve concurrent surveillance of both email and social media, in order to build a detailed map of how evolving movements are organized. Political protests receive extremely close scrutiny, with information about them shared among federal, state, and local law enforcement officials. This is what happened with the "Occupy" demonstrations, where everything participants did was watched, every communication was recorded, and all of it was filed away for future reference. Everyone involved is now the subject of a government dossier.
Even if you're not part of a political movement, heaven help you if get caught up in some vast fishing expedition that hooks everyone who has ever visited some "suspicious" website, or even merely typed in some alarm-bell keywords.
Nor has the value of this kind of information gathering been lost on politicians. In fact, the presidential race of 2012 will likely go down as the first one in history—and it won't be the last—that was decided by who had the better Internet sniffers. Both the Romney and Obama campaigns continuously stalked voters across the Web, by installing cookies on their computers and observing the websites they visited as a means of nailing down their personal views. CampaignGrid, a Republican-affiliated firm, and Precision Network, working for the Democrats, jointly collected data on 150 million American Internet users. That's a full 80% of the entire registered voting population, for those keeping score.
Cellphones are another rich source of user data, especially when it comes to apps. If you download one, you grant to the vendor the right to gather all sorts of personal information. But then, you knew that when you read the "Permissions" document—you did read it, right?—so at least you know you can opt out.
Forget about turning off your phone's location-tracking feature (which a mere 19% of us do, Pew says). Regardless of whether it's on or off, your wireless carrier knows (and keeps a record of) where your phone is at all times it's connected to the cell network. Carriers can be forced to surrender the information to law enforcement, not to mention that they've been rather less than forthcoming about what else they may be doing with this data.
Anyone who thinks the government's ultimate goal is not to intercept and archive our every digital message, oral or written—or that it doesn't have that capability—needs to be aware of what's happening in Bluffdale, Utah, AKA the middle of nowhere. There, NSA contractors (and only those with top secret clearances) are putting the finishing touches on a staggeringly huge decryption and data storage center. James Bamford, the country's leading civilian authority on the NSA, wrote inWired of the facility's purpose, which is no less than: "to intercept, decipher, analyze, and store vast swaths of the world's communications as they zap down from satellites and zip through the underground and undersea cables of international, foreign, and domestic networks."
Bluffdale will cost upwards of $2 billion and occupy a million square feet of space. Included will be four 25,000-square-foot halls filled with state-of-the-art supercomputers. The ultimate goal, Bamford says, is to construct a "worldwide communications network, known as the Global Information Grid, to handle yottabytes of data." (A yottabyte is a septillion, or 1024 bytes—it's so gigantic that no one has yet coined a colloquial term for the next higher order of magnitude.)
To gather up those yottabytes, the NSA has dotted the country with a network of buildings set up at key Internet junction points. According to William Binney, the wiretaps in these secret locations are powered by highly sophisticated software that conducts "deep packet inspection," which is the ability closely to examine traffic even as it streams through the Internet's backbone cables at 10 gigbytes per second.
Fortunately, the situation is impossible but not hopeless—because whenever technology gets too intrusive, the free market nearly always reacts with some kind of solution. And that's the case here. As the surveillers extended their reach, enterprising liberty lovers immediately began developing countermeasures.
Keep in mind, however, that the technologies outlined below can only lessen your shadow so much, catching a little less attention from the all-seeing eye of Sauron. No one solution provides perfect privacy, and when push comes to shove and a government official shows up with a warrant in hand, he or she will inevitably get access to anything needed.
The first area to consider addressing is the digital trail you leave when researching any topic that might be of concern to someone's prying eyes (or, for that matter, doing anything at all on the Internet which you don't want analyzed, packaged, and sold).
One option for dealing with this concern is Tor, which is free and open source. According to its website, the service was "originally developed … for the primary purpose of protecting government communications. Today, it is used every day for a wide variety of purposes by normal people, the military, journalists, law enforcement officers, activists, and many others."
Tor tackles the problem of traffic analysis head on:
"How does traffic analysis work? Internet data packets have two parts: a data payload and a header used for routing. The data payload is whatever is being sent, whether that's an email message, a web page, or an audio file. Even if you encrypt the data payload of your communications, traffic analysis still reveals a great deal about what you're doing and, possibly, what you're saying. That's because it focuses on the header, which discloses source, destination, size, timing, and so on…
"Some attackers spy on multiple parts of the Internet and use sophisticated statistical techniques to track the communications patterns of many different organizations and individuals. Encryption does not help against these attackers, since it only hides the content of Internet traffic, not the headers."
To combat this, Tor has created a distributed network of users called a VPN (virtual private network). All data packets on that network "take a random pathway through several relays that cover your tracks so no observer at any single point can tell where the data came from or where it's going."
One of the beauties of Tor is that it's packaged all up in single download. Just install the Tor browser—a privacy-tuned clone of the popular open-source Firefox browser—and it automatically manages all the networking for you. Surf in relative privacy with just a few clicks.
For more advanced users, there are options to route all kinds of activities through the network other than web browsing, such as Skype calls and file sharing.
Tor also offers Orbot, an Android application that allows mobile phone users to access the Web, instant messaging, and email without being monitored or blocked by a mobile ISP. It won't get you around those pesky data limits, but it will certainly reduce the amount of data your ISP can provide about you. If you find yourself in a region where access to certain services is restricted, it will open those options back up to you.
Cryptohippie is another site that utilizes the privacy capabilities of a VPN. According to the company, its subscription-based Road Warrior product "creates a strongly encrypted connection from your computer to the Cryptohippie anonymity network. From there, your traffic passes through at least two national jurisdictions, loses all association with your identifiers and emerges from our network at a distant location. But, even with all of this going on, you can surf, check your email, use Skype, and everything else exactly as you have been. Unless you reveal it yourself, no one can see who you are or what your data may be."
The service is well aware of the ever-present possibility of government interference with its operations. Thus Cryptohippie is truly international. Its only US presence is to authenticate connections to its servers in other countries. None of its servers are in the States.
(Of course, if you use Tor or Cryptohippie to log in to secured sites like Amazon or eBay, your activities at that end will still be logged to a database and associated with you, so don't delude yourself that such tools make you invisible. All they can do is keep your activity limited to the two parties involved—you and the computer or person on the other end—and keep outsiders from knowing that the conversation is taking place.)
These are highly sophisticated products. Perhaps you don't think you need that level of protection, but would just like to keep your browsing habits private. All of the major browsers, including Internet Explorer, Firefox, and Google Chrome, have a "clear browsing history" button. They also have "enable private browsing" functions that you can activate.
How much value these options actually have is questionable, but in any event they're not going to stop Google from archiving your searches, if that's the engine you use. (And who doesn't?) So if you don't want that, you can use a different search service, like DuckDuckGo, whose strict non-tracking policy is entertainingly presented in graphic form. Try it out in comparison to Google, and you'll find that the results are reasonably similar (although it seems odd at first not to have that strip of ads running down the right side of the screen). DuckDuckGo reports that it has seen a big increase in users since Snowden came forward.
Another area to consider addressing is your email. If you'd rather not have your email subject to daily inspection for "watchwords" our guardians consider inflammatory, one option is to use a foreign provider that will be less inclined to comply when Washington comes knocking with a "request" for user data. There are countless providers to choose from, including:
• Swissmail.org, which is obviously domiciled in Switzerland;
• Neomailbox.com, located in the Netherlands;
• CounterMail.com in Sweden;
• TrilightZone.org in the Netherlands, Luxembourg, Hong Kong, and Malaysia; and
• Anonymousspeech.com, which boasts over 600,000 subscribers and is unusual in that it has no central location. "Our servers," the company says, "are constantly moving in different countries (Malaysia, Japan, Panama, etc.) and are always outside the US and Europe."
Whichever provider you choose, just be sure they offer at least an SSL connection to its services at all times. That will stop someone from downloading your email right off the wire. Features like encrypted storage and domicile in a state known for protecting privacy are also nice features.
The latest entrant in the privacy space is Silent Circle, a company whose story is worth detailing, because it has placed itself squarely in the forefront of the clash between alleged governmental need-to-know and personal privacy rights.
Silent Circle's CEO is Mike Janke, a former Navy SEAL commando and international security contractor who has gathered around him a megastar cast of techies, including most prominently, the legendary Phil Zimmermann, godfather of private data encryption and creator of the original PGP, which remains the world's most-utilized security system. Also on board are Jon Callas, the man behind Apple's whole-disk encryption, which is used to secure hard drives in Macs across the world; and Vincent Moscaritolo, a top cryptographic engineer who previously worked on PGP and for Apple.
The team hit the ground running last October with the introduction of its first product, an easy-to-use, surveillance-resistant communications platform that could be employed on an iPhone or iPad to encrypt mobile communications—text messages plus voice and video calls.
In order to avoid potential sanctions from Uncle Sam, Silent Circle was incorporated offshore, with an initial network build-out in Canada; it has plans to expand to Switzerland and Hong Kong.
Silent Circle immediately attracted attention from news organizations, nine of which signed on to protect their journalists' and sources' safety in delicate situations. A major multinational corporation ordered some 18,000 subscriptions for its staff. Intelligence and law enforcement agencies in nine countries have expressed interest in using the company to protect the communications of their own employees.
As Ryan Gallagher wrote in Slate:
"The technology uses a sophisticated peer-to-peer encryption technique that allows users to send encrypted files of up to 60 megabytes through a 'Silent Text' app. The sender of the file can set it on a timer so that it will automatically 'burn'—deleting it from both devices after a set period of, say, seven minutes. Until now, sending encrypted documents has been frustratingly difficult for anyone who isn't a sophisticated technology user, requiring knowledge of how to use and install various kinds of specialist software. What Silent Circle has done is to remove these hurdles, essentially democratizing encryption. It's a game-changer that will almost certainly make life easier and safer for journalists, dissidents, diplomats, and companies trying to evade state surveillance or corporate espionage."
The burn feature is extraordinarily valuable. It can mean the difference between life and death for someone who uses a phone to film an atrocity in a danger zone and transmits it to a safe remote location. Seven minutes later, it disappears from the source, even if the phone is seized and its contents examined.
Additionally, Silent Circle "doesn't retain metadata (such as times and dates calls are made using Silent Circle), and IP server logs showing who is visiting the Silent Circle website are currently held for only seven days. The same privacy-by-design approach will be adopted to protect the security of users' encrypted files. When a user sends a picture or document, it will be encrypted, digitally 'shredded' into thousands of pieces, and temporarily stored in a 'Secure Cloud Broker' until it is transmitted to the recipient. Silent Circle ... has no way of accessing the encrypted files because the 'key' to open them is held on the users' devices and then deleted after it has been used to open the files."
The Silent Suite, a subscription to which costs US $20/month, covers the communications spectrum with four features:
Silent Phone works on iPhone, iPad, Android, Galaxy, and Nexus, and provides encrypted, P2P, HD mobile voice and video over 3G, 4G, Edge, and WiFi, "with almost no latency" and no possibility of anyone (including the company) listening or wiretapping. The cryptographic keys involved are destroyed at the end of the call.
Silent Text allows the user to send P2P encrypted material—business documents (Word, Excel, Powerpoint, Pages, Keynote, PDFs, CAD drawings, etc.), any file, any movie, any picture, map locations, URLs, calendar invites—and then delete them with its "Burn Notice" feature.
Silent Eyes allows for encrypted HD video and voice transmission using a laptop or desktop device. It's compatible with all Windows operating systems.
Silent Mail encrypts email with PGP Universal. It will run on smartphones, tablets, and computers using existing mail programs such as Outlook and Mac Mail. Absolute privacy is ensured with a silentmail.com email address and 1 Gb of encrypted storage.
This is not intended as an endorsement of Silent Circle, although we heartily approve of what the company is trying to do, and the other above references by no means represent an exhaustive guide to securing your communications. But they will point you in the right direction and perhaps spur you to action. A basic search will turn up dozens more options. Carefully study what each offers, read reviews from sources you trust, determine the service best suited to your particular needs, then just sign up.
However, we all have to accept the cold, hard fact of the matter, which is that this cat-and-mouse game is likely to be with us for a very long time. Those who believe they have the right to spy on us will develop ever more sophisticated ways of doing it. Those who believe we have a Constitutional right to privacy will fight tooth and nail to protect it.
It's possible that the one side eventually will develop an unstoppable offense or that the other will come up with a defense that can't be breached. But that's not the way to bet.
In the end, technology is completely neutral. It will evolve with no regard to how it is used. Expect those cats and mice to continue chasing each other, around and around and around. And make do with the best that is available to you at any given time.
