OPINION: PRISM (as I see it) and some privacy tools

iStock_prism

“You have zero privacy anyway, get over it.”

So said Scott McNealy, CEO of Sun Microsystems about privacy in the digital age back in 1999. At the time his comment caused outrage and indignation. I wonder if anyone would be so surprised today?

A few weeks ago a prism was just a transparent object used for splitting light into a spectrum. Ask most netizens today what the word evokes and I’m willing to bet the NSA is pretty high on the list. For those who have been living under a stone, inside a box at the bottom of the ocean for the past six weeks, here’s a massively compressed zip of the story so far:

On 6th June 2013 the Guardian and the Washington Post broke what will probably go down in history as one of the most important tech stories of the 21st century, publishing what they claimed were top secret documents revealing a huge, clandestine data mining operation by the US National Security Agency (NSA). The accusations were dealt by ex-agency employee, Edward Snowden, initially through two key leaked documents:

  1. A copy of a secret court order allowing the NSA to collect and keep telephone records from millions of US citizens, arbitrarily and without warrant or request.
  2. A Powerpoint deck describing an intelligence program called PRISM, which appears to tap into the internet traffic of some of the world’s biggest tech companies (Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple) collecting data such as audio and video chats, photographs, e-mails, documents and the like, all without anyone’s permission.

Pretty shocking news, especially when you consider the losing battle some governments have been fighting when it comes to passing snooping regulations through lawful channels. Since the original exposés there have been further leaks suggesting the UK’s own security agency, GCHQ, has been caught with its fingers in the cookie jar. The Guardian published this sensational story on 21st June which implicates the UK government in its own long-term mass-snooping program, code-named Tempora.

So let me get this straight; all the time we were fighting the controversial  ‘Snooper’s Charter’ in the public domain last year, our government was just collecting the data it wanted anyway? Am I alone in feeling cheated on by democracy here?

Since then the saga has run and run with countless comments and opinions being threaded in to a web of paranoia and deceit, nourished by a drip feed of on-going exclusives from the reporter responsible for breaking the PRISM story and the now infamous international fugitive currently holed up in a Moscow airport. It’s sounding more and more like a Robert Ludlum novel with every passing week and I’m sure someone in Hollywood will make a lot of money out of the story someday.

Now, I’m not going to go into all the claims and counter claims in detail here, partly because it changes daily; and if I’m honest partly because I don’t have time to verify the myriad reports myself and can’t really afford to fund a Crown Court defence right now. But thankfully there are plenty of great writers churning out plenty of amazing content, much of which you’ll find mounted behind the hyperlinks on this page if you care to bolster your own background knowledge. Or you can just type ‘PRISM scandal’ into any internet search engine – though maybe choosing Google would be a tad insensitive – and you certainly won’t be short of reading if you can filter the fact from the fluff.  In the end I had to stop obsessively cutting and pasting every story I came across into a master research document as I was in danger of needing a Utah data centre myself to store it in.

For me one of the most cogent and plausible explanations of where this story is rooted came from Steve Gibson in his Twit.tv podcast, Security Now episode 408 (the series is definitely worth subscribing to if you want a weekly update, though they can get pretty technically hard core at times). This episode explains how data could be syphoned off the internet using optical splitting technology placed on the fibre-optic cables just upstream from the servers of the companies targeted, in other words Google, Microsoft and the like. These splitters could slice off a band of light allowing the NSA to collect their own copy of whatever traffic was flowing through the cable (this theory has since been further validated with another leaked slide from Snowden). In the podcast Steve even links to a legal declaration recorded in May 2006 in which a telecoms employee talks about being privy to exactly this kind of technology apparently being deployed by the NSA:

“While doing my job, I learned that fiber optic cables from the secret room were tapping into the Worldnet circuits by splitting off a portion of the light signal. I saw this in a design document available to me, entitled “Study Group 3, LGX/Splitter Wiring, San Francisco” dated Dec. 10, 2002. I also saw design documents dated Jan. 13, 2004 and Jan. 24, 2003, which instructed technicians on connecting some of the already in-service circuits to the “splitter” cabinet, which diverts some of the light signal to the secret room. The circuits listed were the Peering Links, which connect Worldnet with other networks and hence the whole country, as well as the rest of the world.”

DECLARATION OF MARK KLEIN June 8, 2006

As Steve Gibson points out, this hypothesis would make sense of the name PRISM too, and would give us some leeway to believe the major tech companies when they claim to be innocent of any complicity – although as revelation piles up on revelation it’s becoming harder not to get the impression that this lack of culpability is only paper-deep for some.

So that’s the back story, and now for the million dollar questions; do we really need to worry about it? And is there anything we can do about it anyway?

I’ve frequently heard supporters of government surveillance programs say ‘if you’re not doing anything wrong then you don’t have anything to worry about’.  Foreign Secretary William Hague repeated this same mantra in a BBC interview not long after the PRISM story broke. Call me old fashioned, perhaps a little bit paranoid, but that assertion is so far wide of the point it’s in danger of leaving our solar system.

Let’s start with the collection of phone records. It’s been noted time and again in arguments both for and against these spurious activities that no actual conversations are recorded. The agency just collects the metadata, such as which numbers were connected for how long and in the case of mobile communications where the callers were located. It is information your phone company keeps for billing purposes anyway, and would readily be handed over in the event of a court order.

So what’s all the fuss about?

Well, the phone company only keeps this data for a limited amount time after which it is deleted from the server. By syphoning off this information and keeping it in perpetuity, the NSA is building a historic map of connections in which every call, no matter how long or the reason it was made, is logged and stored in a huge data centre out in the Utah desert. With this map they can travel back through time, tracking connections through a spiny web of digital filaments leading away from anyone who becomes the target of investigation. The data collected from internet traffic can be used in a similar way, building a digital map of your life and connections even if you take the time to encrypt communications so that they cannot be read by an intercepting party. If you carry a mobile phone with you many of them constantly ‘ping’ the network to confirm they are switched on and operational. It’s possible that even this data could be collected, recording a physical map of the places you’ve visited regardless of whether you make any phone calls there.

Again, I hear many ask (including my neighbour when we discussed this over a BBQ last night) why should this worry me if I’m behaving myself?

Paranoid, much?

I don’t recall ever having done anything I should worry about in terms of national security or criminal activity – though I will admit to once having cheated in a maths test by writing the 7-times table up my arm – but working on the ‘six degrees of separation’ theory, and the fact that I’m a tech journalist who regularly searches the web for news about online crime and such like, I wonder how long it would take to connect me to some really bad people if you looked hard enough? Even a wrong number could land you in serious shtick 20 years from now and it would boil down to your word against the metadata’s. I’ve heard surveillance supporters expound that the chances of this happening are so small as to be negligible – one-in-a-billion! After all it’s not like the US government would willfully misuse this data, is it? I have two retorts to that:

Even if the only mistakes that get made are rare and truly genuine, it terrifies me to think we might have slept-walked into a society where it’s OK to throw the odd innocent under the bus in the name of national security. What if it was you? Or your child? It’s not going to feel so ‘one-in-a-billion’ then, is it?

American cryptographer, Bruce Schneier, summed up the situation we now find ourselves in, in a prophetic article published back in March 2013; “The Internet is a surveillance state”. In it he said:

“So, we’re done. Welcome to a world where Google knows exactly what sort of porn you all like, and more about your interests than your spouse does. Welcome to a world where your cell phone company knows exactly where you are all the time. Welcome to the end of private conversations, because increasingly your conversations are conducted by e-mail, text, or social networking sites. Welcome to an Internet without privacy, and we’ve ended up here with hardly a fight.”

So that’s the ‘why should we worry?’, but how about the ‘what can we do?’?

There are some practical measures we can all take, though with every layer of security comes another layer of inconvenience so I imagine startlingly few internet users will actually bother to adopt them. I’ve included a selection of resources at the bottom of this article, many of which use encryption technology so that any data transmitted over the internet is scrambled and only decipherable if you have the key. It will stop people spying on what you say without the use of some fairly heavy-duty cryptography tools (or some pretty heavy-handed subpoenas), but it won’t stop them collecting your metadata.

I’m afraid when it comes to internet snooping the cat-5 cable is well and truly out of the bag and there is pretty much nothing you can do if the government is intent on knowing your business. If by some miracle you do find a secret squirrel hole, enjoy it while it lasts – because as soon as it becomes popular enough to register on the authorities’ radars you can bet your connection they will use the sledge hammer of regulation to force a back door into the system.

We shouldn’t be surprised. As Bruce Schneier’s article points out, we’ve done it to ourselves.

At least Faust gave up his soul for unlimited knowledge and worldly pleasures – we’ve done it for the sake of unified logins and an online shopping basket.

Go us.

Join the voices of dissent (at your own risk)

So, there is little we can do to remain completely invisible but please try not to be too paranoid! Short of turning our back on the internet, throwing away our credit cards, wearing a mask to hide from CCTV cameras in the street and ditching our mobile phones in a lake, state-sponsored snooping is here to stay (as is corporate snooping for marketing purposes, which is far more likely to affect you!). But that doesn’t mean we shouldn’t care. What many commentators, including myself, are saying is there needs to be more transparency and accountability, and in some ways this sensational cascade of leaks is already starting those wheels in motion, with some big hitting academics going on record about the legalities of assembly-line surveillance in an attempt to refocus the attention of the mainstream media on what really matters (which isn’t Edward Snowden’s shoe-size by the way). In the UK Theresa May is publicly rethinking the controversial communications bill and other European countries like France and Germany are talking about taking legal action – let’s hope it amounts to more than just talk.

If you want to make your own voice heard head over to Stopwatching.us and sign the petition – although the irony that you’re asked to hand over your private details to go on record as standing against the collection of your private details shouldn’t be overlooked.

If, however, you just want to mess with the system I rather like the idea behind HelloNSA, which provides randomly generated ‘innocent’ messages and status updates you can litter across the web to really give PRISM something to think about. Follow this path at your own discretion – I’ll not be held responsible for a group of men in dark suits whisking anyone away in an unmarked van with a potato sack over their head. I do wonder how long it would take to fill up 5-zettabytes of data storage in Utah though?

Privacy tools and resources

These resources are based on several different architectures that should prevent anyone intercepting your internet traffic from reading or altering it, but bear in mind that the metadata attached to each communication could in most cases still be collected and connection patterns observed or extrapolated. It’s also worth noting that on-going leaks suggest that the very act of encrypting your data or using privacy tools automatically puts you under suspicion from the NSA and they will pay extra attention to cracking your comms if you flit across their radar.

So it’s a ‘damned if you do or don’t’ scenario I’m afraid.

PRISM-Break This crowd sourced database of privacy tools has been put together by the Electronic Frontier Foundation. Split into open source and propriety solutions it focuses specifically on the kinds of tools you can use to keep government spooks out of your data.

Tor Project [UPDATE: SEE LINK POSTED IN COMMENTS BEFORE DECIDING TO USE TOR NETWORK] This free, open source network is well known in activist/freedom fighter circles as it allows users to make network traffic anonymous and hides where it is coming from by bouncing it around a distributed network of relays run by volunteers all around the world (and you can sign up to be one too on the website). You will have to make a few changes to your internet habits as a lot of the conveniences we’ve come to expect online won’t work, like plugins and add-ons. You also won’t be able to watch most Youtube videos, although admittedly some may see that as a bonus.

I2P For the seriously paranoid I2P provides an internet cloak that attempts to hide and mask every move you make online, but setting it up and using it is not for the technically faint-hearted.

Key Scrambler If you just want to cover your browsing activity this anti-key-logging software will make sure anyone snooping on you can’t read what you’re typing. It’s also good protection against phishing scams and identity thieves.  It will scramble your keystrokes but it won’t prevent a screenshot being taken, which is another common practise with malware designed to steal your information. The personal version is free for PC, Mac, iOS and Android and covers around 30 browsers. If you upgrade to the paid versions you’ll gain protection for email clients, password managers and even popular games – with the full monty covered if you go pro.

key scrambler

Silent Circle [UPDATE: see link in comments regards this company shuttering their encrypted email service before signing up! It seems to never end!!] This complete suite of communications tools creates a private platform for phone, text, email and video communications. If you’re contacting someone who is also using the platform the data is encrypted at both ends (end-to-end encryption), making it very secure from prying eyes (although that won’t protect against metadata being collected and your calling patterns being logged). It’s built on open source technology and has been described by Chris Soghoian, the chief technologist of the American Civil Liberties Union, not to contain any “back doors.” The service isn’t free but right now they are running a 50% discount for the annual subscription making it a very reasonable $120, and if you want to have secure communications with people outside the Silent Circle network there is a monthly subscription you can bolt on too.

silent circle layout

Hushmail This is an encrypted email service with end-to-end encryption when mailing to other users of the platform. Even if you’re sending an email to someone not using Hushmail you can encrypt the message with a secret question only the receiver will know the answer to and they must log onto the Hushmail server in order to decrypt your message.

threemaThreema This mobile messaging app also uses end-to-end encryption so only you and the intended recipient can read your messages. It’s free on iPhone and Android with sadly no plans to expand to other platforms according to the FAQ. I do like the super secure ‘three light’ verification level though, which means if you’ve physically paired your device with another person by scanning each other’s QR codes IRL™ the encryption between you is as unbreakable as it can be right now as no third-party is responsible for authentication – but to benefit from this level of security you have to have physically been together to swap keys.

Heml.is Pirate Bay co-founder Peter Sunde is working on an encrypted messaging service that hit its crowd funding goal of $100,000 a few days after the campaign was launched recently. Again, using end-to-end encryption the aim is to launch the service free on iOS and Android with premium features and other platforms to follow.

MediaGoblin This is a media hosting website just like Flickr or Youtube, but the content stays on your computer rather than being transferred to a central web-based server. This kind of hosting technology is known as ‘decentralised’ and it means your media remains locked behind your own personal security solutions and within your control, although the computer you have it stored on will need to remain connected to the internet for it to be available wherever you subsequently choose to post it.

ownCloud This is another decentralised ‘cloud storage’ solution that makes documents, images and other data available from your own computer’s hard drive. You can access it from all of your other devices wherever you happen to be connected to the internet as long as the host computer remains online.

Cloudfogger If you need to store private documents online you can use an encryption tool like this in conjunction with Dropbox to make them as secure as possible on these consumer cloud solutions.

Etherpad This is an open source environment that potentially replaces Google Docs, providing a platform for real-time collaborative work on your documents.

DuckDuckGo I reviewed this search tool with privacy at its heart a few weeks ago – you can check out the full review here. The makers of this service also run a microsite called Fix Tracking that lists various tools users can use to protect themselves from being tracked online by legitimate services as well as government spooks.

Bitcoin Bitcoin is a digital currency service that allows a person to transfer real money into a digital currency, and then spend it without being tracked. It’s a truly disruptive technology but has been in the news for good and bad reasons lately so exercise extreme caution.

Weusecoins If you’re interested in learning more about Bitcoin and possibly take the first baby steps towards using it this site contains a really simple guide together with tools and tutorials to get you started.

[UPDATE: Embedded the below video by Open Rights Group on 2nd August as it is definitely worth a watch for those still unsure what PRISM means]

For more news, reviews and useful tips sign up for our NEWSLETTER and order your copy of Working the Cloud here.

 

14 Comments

  1. Kate Russell says:

    If anyone has any thoughts or has found any other tools they want to add to the mix please leave a comment!

    Thanks :)

  2. Martin says:

    The problem here Kate is even if you try to protect your own data on-line there is no way you can control he data the state or other private organisations have on you.

    For example, the state can tap Amazon to find out what sort of books you buy or who you bought your second-hand mobile phone from. Amazon will happily hand that information over.

    I really don’t see a solution unless you simply want to live your life without existing, that would mean no driving licence, passport, NI number and so on.

    The on-line issues raised by Snowden and others is really not that important, yes if you’re searching for illegal content then perhaps that should be brought to the attention of the authorities, I guess the issue is who decides? Yes we can all agree child porn is disgusting, but what about someone searching for information on say homosexuality in a country where being gay is a crime or searching for information on say abortion in a country where that is illegal?

    I also doubt if it’s possible to have a web 3.0 which is totally private and run outside of the existing structure. Somewhere you will need servers and management systems and they will be in the control of the state or commercial companies somewhere along the line.

    To me it’s better to accept everything you say or do is being watched just as we are when we drive or walk the streets of any large city or town.

  3. A very well written article. I think more people should be pointed here to get a good primer and really understand what it is that may be happening.

    I would exercise some caution when using bitcoin as an anonymous currency though. Every bitcoin has a well logged ‘route of ownership’ because of the way transactions are verified by everyone in the network. Although difficult and somewhat unlikely, traffic comparisons could be used to match a real person’s identity to a bitcoin’s transaction log. Also, the bitcoin network is not truly isolated. Generally when you want to pay someone, you conduct that communication on websites, emails or instant messages before sending the bitcoins. These communications are generally more susceptible to prism-esque technologies. This is especially true if you purchased bitcoins through a currency exchange site. Ultimately, you have to trust the sites and communications systems to keep things secure just as much as you trust the bitcoin system. Sadly, this prism unmasking has made that a much more risky venture. Bitcoin encryption could also be redundant if the NSA has quantum computers cracking the codes.

    As I say, this is all somewhat unlikely, but in these prismatic times the unlikely doesn’t seem quite so far fetched any more.

  4. Colin Jervis says:

    This is a well-written and thoughtful article that summarises the situation nicely.

    I must say the suggestion that governments track digital traffic did not surprise me. I live in a part of London that has one of the highest concentrations of CCTV, so I can’t sneeze without it being recorded somewhere.

    At the moment, I think the main discriminator is the ability of any ‘big brother’ to analyse routinely the mountains of data. It is far more likely that they will invest scarce resources in transmissions that attract their attention – and using encrypted messages and evasive techniques is one way of doing that…

    Good article, thanks.

  5. Kate Russell says:

    This is worth a read – reminding the mainstream media that Snowden is NOT the story: http://www.guardian.co.uk/technology/2013/jul/28/edward-snowden-death-of-internet

  6. Kate Russell says:

    One of my twitter followers posted this link that suggests the TOR network is not as ‘safe’ as we thought…

    http://blog.erratasec.com/2013/08/anonymity-smackdown-nsa-vs-tor.html#.UgIB8JItrsE

    Bad news :(

  7. Kate Russell says:

    Yet another update to post as the fallout continues… this time Silent Circle, one of the tools recommended in this feature, has shuttered its email encryption to avoid the gaze of the NSA. See this link for more http://silentcircle.wordpress.com/2013/08/09/to-our-customers/

  8. Pi says:

    I think that everything posted was actually very reasonable.

    However, what about this? what if you added a little content?
    I ain’t suggesting your content is not solid, however what if you added a headline to maybe grab a person’s attention?
    I mean OPINION: PRISM (as I see it) and some privacy
    tools | Working The Cloud is a little vanilla. You might peek at Yahoo’s front page and see how they create post headlines to grab viewers to open the links. You might try adding a video or a pic or two to get people excited about everything’ve
    got to say. In my opinion, it might make your posts a little livelier.

    • Kate Russell says:

      I see what you’re saying, but in this case I was actually trying not to be too dramatic. My core target audience are those less confident with the Internet & tech in general.. I don’t want to instill unnecessary panic with sensational headlines…

Leave a Comment


two + = 5