Avoiding Surveillance

Tue, 17 Dec 2013

Please note that, although I primarily refer to the NSA in this article, unchecked, rampant surveillance is actually a worldwide problem.

The NSA has been in the news a lot lately, and for all the wrong reasons. It shouldn't be surprising to anyone that all of this is happening. It's been coming for years now and anyone had the ability to see it coming, if they were careful enough to pay attention. The question now becomes how to deal with it. It's a complex problem and, like many complex problems, requires a multi-pronged effort to address it.

In order to explain how to do that it's best to understand how we got here. To do that we must back up first and trace things back a few decades to the beginning of the Internet. Some felt that the Internet would be used as a tool to spread knowledge and information. It would empower the masses. Anonymity was easy. Censorship was impossible. Easy copying would destroy the traditional movie and music industries. Even bigger changes seemed inevitable. Many believed that the Internet was the tool that was going to be used to begin a new world order. It was going to be the start of a utopian age in our collective history.

To some extent this has happened, but that utopian vision never fully materialized. Two other things did happen, however, and both were critical in making mass surveillance possible.

One is that, little by little, people started becoming dependent on the Internet. It is a fact that many of the Internet-using public place their e-mail, photos, videos, calendars, address books, search terms, messages, documents, and perhaps their entire lives into massive data collection silos belonging to companies like Google, Facebook, Apple, Microsoft, and others. The existence of such huge repositories of information makes a tasty target to anyone that is interested.

The second thing that happened is that people began to increasingly access their data using devices that they have ever diminishing control over: iPhones, iPads, Android phones, Kindles, ChromeBooks, and so on. Unlike operating systems made up of free software (such as GNU/Linux), these devices are controlled entirely by vendors, who limit what software can run, what they can do, how they're updated, and so on. Even desktop computers are heading in the direction of more vendor control and less of your control. The lack of control over their own computing devices meant that people were forbidden from knowing what was being done with their data and, even if they did know, were powerless to stop it.

With most of the Internet-using public reliant on software that they cannot study and on third-party services that sell them out, the perfect storm that made mass surveillance possible began to form. It seems somewhat ironic that the public actually helped with their own surveillance by using these things.

That is how we got here. The next question is what to do about it. For that, it's important to understand how things are being done. When the NSA wants information, they get it and they have several methods at their disposal. This is probably not exhaustive but what is known so far is:

  1. Cooperation - Some companies voluntarily give the NSA access to private information. Reports backed up by Snowden's leaked documents show that after September 11, 2001 a major American telecommunications company - rumored to be either AT&T or Verizon - voluntarily gave the agency access to its call records among other customer data. The NSA has invested a significant amount of time and money on personnel, software and equipment to sweep such data for important clues. Companies that choose this route are immune to prosecution, courtesy of the FISA Amendments Act.
  2. Legal Compulsion - If the company or person won't cooperate voluntarily, Section 215 of the Patriot Act gives the NSA the power to force Americans and American businesses to give up private information that it has. There is a supposed restricted set of circumstances that would allow the NSA to act in this way. These restrictions were set in place to prevent abuse of power. Unfortunately, by law, companies cannot reveal the number of times that the NSA requests this private information from them or the type of information that is requested. According to Snowden, companies like Google, Facebook, Twitter, Microsoft, Apple and others have all been forced to give up this private information.
  3. Digital Splitters And Undersea Cables - Not every company is going to volunteer information to the NSA or their British counterpart GCHQ. There are times when one of these governmental agencies, in its infinite wisdom, feels that it needs to resort to illegal methods in order to get information. According to documents released by Snowden from the second quarter of the year 2012, GCHQ has been tapping undersea cables. These cables move unfathomably large amounts of information around the world. This information is shared with the NSA, and together these agencies use the tools and resources they have to glean information from the stored data. The NSA has also resorted to installing digital splitters in company servers. These splitters allow the NSA to shunt communications traffic to the NSA.
  4. Spies - When everything else fails, nothing works like good old-fashioned spying. According to the Guardian, GCHQ has a team of operatives that they referred to as the Humint unit. This stands for Human Intelligence. This team has the responsibility of recruiting and placing agents in telecommunication companies around the world. Now, with this large network of spies, the NSA is able to get information from almost any source that it needs.
  5. Malicious Software - The NSA is not above using software and malicious applications to exploit software weaknesses. They can use the software to either extract, implant, or manipulate information. Stuxnet and Flame are two examples of the type of software that the NSA uses. They can deliver this either by using infected emails or other methods. They even intercept computers in transit to install malicious software, and some of their methods can survive hard disk replacement and operating system reinstallation. The idea is to make it easy to engage in long-term surveillance that is impossible to detect. It is reported that the NSA also has the ability to worm its way into devices that even use iOS, Android, and BlackBerry operating systems.
  6. Backdoors - One of the ways that the NSA uses to find its way in and around encrypted data is by cooperating with technology companies. These technology companies will build backdoors into hardware and software. These backdoors are designed to be absolutely invisible to the individual who was using the software and in some cases can't even be proven to exist even when you suspect they might be there. However, it will allow the NSA to have unprecedented access to the electronic device that they want to spy on. For instance, the global technology community suspects that the NSA may have somehow compelled the US National Institute of Standards and Technology to approve the deliberately flawed Dual Elliptic Curve Deterministic Random Bit Generator cryptographic standard.
  7. Brute Force Attacks - It is difficult, if not impossible, for the NSA to snoop on information that is properly encrypted. So, they will find other ways to get at it. They may try brute force to decrypt the data. Even if the NSA cannot, they will store the information for up to five years. When the technology advances to the point that they can decrypt the information, they will.

That covers how we got here, and what's happening now. After hearing about all of the avenues that the NSA has at its disposal to do surveillance on people, it is easy for a person to think that there is nothing that they can do in order to avoid surveillance. However, this is nowhere near the truth. There are a lot of things that people can do in order to avoid surveillance, minimize what information can be obtained, and make it harder to obtain. Some of these are regulatory while some are technical.

Those giant repositories of information made the NSA's job very easy by providing a form of one-stop shopping for them. Tearing down those data collection silos is an important step, so the first thing anyone can do is move out of that silo and host their own data instead.

When it comes to centralized social networks I can only say one thing about them: Get rid of them. Close your Facebook, your Twitter, and all of your centralized social media accounts and never use them again. Social media networks are a treasure trove of personal information that the NSA and other government agencies can easily have access to. Use decentralized social networking instead:

  • GNU MediaGoblin is a replacement for sites like Flickr and YouTube.
  • XMPP is a replacement for things like Skype and AIM.
  • GNU Social can be used as a replacement for Twitter.
  • Pump.io can be used as a replacement for Facebook.

Don't use a cell phone. Surveillance is inevitable in this case: Whenever your phone is powered on, your cell phone company is able to record where you are, the phone calls and text messages sent and received, and what was accessed over the Internet, etc. If you do use one, you'll have to accept that surveillance is inevitable although there are still steps that can be taken to minimize it:

  • Use Replicant. It is a mobile phone operating system that is made entirely of free software.
  • Encrypt your text messages using TextSecure.
  • Encrypt your phone calls using RedPhone.

Don't use email. It is insecure. Look at something encrypted and decentralized like BitMessage. If you must use email, run it yourself on your own machine out of your own home and use GPG and SSL/TLS to communicate with the recipient, who should also be using their own mail server (or at the very least maybe arrangements could be made for them to use yours.) I have written about running your own server previously. Check the archive.

Don't store files in public cloud services. Going by Snowden's leaks, cloud service providers have been juicy targets for the NSA. Add to that the unresolved crisis that is Megaupload, and you can see why you should not store data in public clouds. NSA personnel do not necessarily need access to your cloud account - they can grab data as you upload your files. The same methods can be used to collect information from software-as-a-service applications like Office 365 and Google Drive. To protect yourself, store data in your own servers, encrypt your traffic, and limit communications.

Keep web browsing private - Avoid relying on the "Do Not Track" feature. It cannot prevent snooping. Use the Electronic Frontier Foundation's HTTPS Everywhere extension. It uses the popular Secure Sockets Layer encryption scheme to keep web browsing private but doesn't prevent the NSA from knowing what servers or people you're communicating with. To avoid that, an even better option is to use HTTPS Everywhere along with TOR.

Always use free software encryption. Unlike proprietary programs, it is less likely to incorporate backdoors, and if there is one it can be removed by the people using the software.

Use free boot firmware. Most computers begin to run proprietary software as soon as you press the power button, in the form of the BIOS. Given that we know that NSA has BIOS exploits, it's more important than ever to use a free one. The Free Software Foundation recently certified a laptop to Respect Your Freedom, all the way down to the boot firmware. This can't be said of every machine running coreboot: It took specific hardware and a modified version of coreboot with proprietary software removed to pull this off.

Use 100% free software GNU/Linux distributions. The Free Software Foundation maintains a list of these at https://www.gnu.org/distros/. The combination of free boot firmware and a 100% free GNU/Linux distribution means that the people using these systems can be sure that their computers are working for them, and not against them.

These are just some ideas - there may be more. Please feel free to share your ideas with me so that I can update this. Ultimately, the methods I've mentioned will only serve as a way to make it more difficult for the NSA to collect information, but it will not be impossible. As it sits right now they have the full weight and power of the United States government behind them so if they decide that they want some information, they will find a way to get it. The only way that we are going to be able to protect our privacy is by demanding regulatory change. If you haven't already done so, start petitioning the relevant authorities.