So, You Want to Hide from the NSA? Your Guide to the Nearly Impossible
In the interest of preserving your freedoms and bolstering our fair nation, here is the full articulation of the deeply paranoid and complex life you must live in order to assure that the government leaves you alone.
Complaining about the government is a key part of being American, one protected by the First Amendment to the Constitution. But it seems like a bit of a trickier proposition these days, with the government listening to everything you say online.
Before we begin, we'll note that technically the NSA isn't allowed to look at the stuff you do online. Thanks to the Patriot Act, it can (and does) store the metadata on phone calls Americans make every day—who was called, how long the call lasted, maybe some location data. The NSA also pulls in online content, but can't do so legally on targets in the United States. This is part of the PRISM program you may have heard about, in which the NSA can access data from an array of companies in near-real-time. In practice, the NSA's procedures are sufficiently lax that it does collect information (content) from Americans, of course. And until 2011, it collected metadata on emails, including subject lines and to- and from-addresses.
That is the worst-case scenario. Yes, the NSA is definitely slurping up scads of information about your phone calls. It probably isn't storing your Facebook chats, emails, and Skype calls. Our goal with this guide is to detail exactly what you need to do to assure that it can't, even if it wants to. As you will see, it is a cumbersome process.
For assistance in fleshing out this guide, we spoke with Micah Lee, a staff technologist with the Electronic Frontier Foundation who has also written a guide to some of the tools mentioned below.
First, the really bad news.
The world learned about PRISM thanks to a series of slides leaked by Edward Snowden. Among those slides was this one.
On this slide, you can see the companies that participate in the program but also the data they offer the NSA, if the agency asks. Microsoft, Google, Yahoo (complete with trademark exclamation point), Facebook, YouTube, Skype, AOL, Apple. All of the logos smushed into the header of the slide. And all of the companies to be avoided if you don't want any chance that the NSA can surveil what you're doing.
Again: We are not saying that you should not use Facebook. What we are saying is that if you are desperate to prevent the NSA from knowing what you're doing, you shouldn't use Facebook. And there's nothing you can do to make using Facebook better—no encryption, no anything can make Facebook safe from the NSA. (We'll discuss this more a little later on.)
But it gets worse. These are the companies known to be participating in PRISM as of last October (when Apple was added). Since then, others may have been added; others may be added in the future. The truly paranoid, then, will have second thoughts about nearly any major Internet company.
And then it gets worse still, as Lee pointed out. "Any company that's inside of U.S. jurisdiction," he said, "can get government requests for data. Even if they're not listed in the PRISM slides, that doesn't mean the government isn't getting data from them." If the NSA wants your data, in other words, it can probably get it. It just might not be in real-time. (We'll get back to this, too.)
Before we continue, we should flesh out an important distinction. When you think of an email, what you generally think of is the content of the email, the message. In order for that message to get to you, though, the email also needs to contain metadata, a term loosely-and-not-entirely-accurately used to refer to information about the email message itself. For example: who it is addressed to, who it came from, what its subject is. (We have gone deeper into this before.)
That distinction is important because email operates like a letter sent through the post office. A letter, sealed in an envelope, can be hidden from the mailman. But the mailman needs to be able to read the address, or your letter won't get there. In this case, the metadata is what appears on the envelope; the content is the letter.
So there is a good way to hide the content of your email messages. A tool called PGP (short for "Pretty Good Privacy"), created by a man named Philip Zimmermann, offers a way to encrypt (encode) email messages between two parties using what's known as end-to-end encryption. That's an important property. It means that person A encoded the message and only person B is able to decode it. So as the envelope moves around the web, you can be sure it stays sealed until it gets where it's going. (How PGP actually works isn't important for our purposes. In short: It involves doing a math problem involving two very, very large numbers.)
How do you get PGP? PGP as a brand is now owned by Symantec, so you can give them your money and they will set you up. But there are also open source implementations of the technology. (If you're deeply knowledgeable about technology, you can establish your own PGP system—but if you can do this, we doubt you need a tutorial.) One such product is known as GPG (GNU Privacy Guard), which comes in both Mac and Windows versions. This is not simple to implement, mind you, but the documentation is pretty thorough.
That's the tradeoff on this stuff. You can use a packaged product like, say, HushMail, a program that gives you a free email account that can send encrypted messages. But when you sign up, you'll see a little notice that the company will work with law enforcement if you're using your account for illegal activity. And in the past, the company has done exactly that when ordered to do so. Easy to use, but not a guaranteed protection against the NSA—as the site's security page makes clear.
So you've got your PGP up and running and you're all set, right? Nope. Lee explains why. "PGP protects the content of your email," he says. "Specifically: Just the body, not the subject line. Even without the content of the email, it still doesn't protect the metadata." As recently as two years ago, the government was scooping up all of that metadata, reading all of those envelopes. PGP can't help with that. So how do you protect yourself from having your metadata read?
One way is to use email servers that employ a system called STARTTLS. This is complicated, but if both email servers employ STARTTLS, even the metadata on emails is encrypted while it travels between them. So the NSA could see two email servers communicating, but not the To and From addresses involved.
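To make the last two points concrete (PGP seals the body but leaves the envelope and Subject readable; STARTTLS hides all of it between two servers), here is an added example that is not from the article or the EFF. It inspects a constructed server-to-server SMTP transcript and lists what a passive observer on the wire could read; the addresses, hostnames and the `C:`/`S:` line prefixes are assumptions for illustration.

```python
# Added example, not code from the article: given a captured SMTP dialogue
# ("C: " client lines, "S: " server lines), list the metadata a passive observer
# could read. A client STARTTLS answered by a 220 moves the rest of the session
# into ciphertext. Both transcripts are constructed for illustration.
ENVELOPE = ("MAIL FROM:", "RCPT TO:")
HEADERS = ("From:", "To:", "Subject:")  # PGP leaves these in cleartext

def observable_metadata(transcript):
    """Return (starttls_negotiated, metadata lines readable on the wire)."""
    awaiting_tls_ok = in_data = False
    visible = []
    for line in transcript.strip().splitlines():
        side, _, text = line.partition(": ")
        if side == "S" and awaiting_tls_ok:
            if text.startswith("220"):
                return True, visible  # everything after this is ciphertext
            awaiting_tls_ok = False
        elif side == "C":
            if text.upper() == "STARTTLS":
                awaiting_tls_ok = True
            elif text.upper().startswith(ENVELOPE):
                visible.append(text)
            elif text.upper() == "DATA":
                in_data = True
            elif in_data and text.startswith(HEADERS):
                visible.append(text)
    return False, visible

# Session 1: no STARTTLS. The PGP body is opaque, but envelope and Subject leak.
PLAINTEXT_SESSION = """
C: MAIL FROM:<alice@example.org>
C: RCPT TO:<bob@example.com>
C: DATA
C: Subject: meeting place
C: -----BEGIN PGP MESSAGE-----
C: -----END PGP MESSAGE-----
C: .
"""

# Session 2: the same delivery, but TLS is negotiated before the envelope.
TLS_SESSION = """
C: EHLO sender.example.org
S: 250 STARTTLS
C: STARTTLS
S: 220 Ready to start TLS
C: MAIL FROM:<alice@example.org>
C: RCPT TO:<bob@example.com>
"""
```

Run `observable_metadata(PLAINTEXT_SESSION)` and `observable_metadata(TLS_SESSION)` to compare: the first session exposes both addresses and the subject line, the second exposes nothing past the handshake.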
An easier way to hide your metadata is to restrict your email to one domain. As Lee explains, if you're sending an email from someone at privateemail.com to someone at privateemail.com, that message never goes out on the Internet. Meaning that the government can't watch it zip around and pick up the metadata. It's like leaving a note for your roommate—the mailman won't see that.
Unless the mailman kicks in your door/the NSA subpoenas your email provider. Or if your email provider already has an agreement with the government—GMail or Outlook, for example—it may be easier than that. How do you solve that problem? Run your own email server and don't send email over the Internet.
Easier: send a letter. (Or maybe don't do that, either.)
The NSA also collects data on targeted individuals' web activity. To prevent them from snooping on your important web activity (if you're like us: reading The Atlantic Wire; looking at pictures of animals), you again need to worry about encryption.
In web browsers, that means using HTTPS. HTTP, hypertext transfer protocol, is the normal way content is shipped from a web server to your browser. HTTPS is the secure version of that, using encryption between the server and your browser, preventing anyone watching the traffic go by from seeing what's happening. The most important thing you can do, Lee suggests, is use HTTPS whenever possible. To that end, the EFF has a browser plug-in called HTTPS Everywhere, which will make web pages that support HTTPS use it by default.
As always, though, there's a weakness. Let's go back to the mail-sending analogy. If you seal up a package nice and tidy, write Joe's address on it, and send it off, Joe will get a nice, tidy package from you. But somewhere along the way, the NSA could have grabbed the package, opened it, looked at it, resealed it, and sent it on its way. That's what Lee called a "man in the middle" attack—literally someone stepping in between the sender and the recipient. In the case of web traffic, you might send an encrypted message to your bank which someone intercepts on the way, reads, re-encrypts and sends on.
The way web traffic avoids that problem is using signed certificates. (That's what they're called, but it's a metaphor.) Companies like Facebook go to a certificate authority and get a certificate for their encryption. When you send a request to Facebook, your browser checks that the security certificate is valid; if it is, all of the encryption happens without you even knowing. If the certificate isn't valid, your browser returns a warning. You've probably seen it. In Chrome it looks like this:
Generally, this system works well. If a certificate authority gets hacked and its signing key—the tool it uses to authenticate certificates—is stolen, that could be a significant problem, allowing the hacker to forge certificates for any number of websites. But it probably wouldn't go undetected. EFF also maintains what it calls the SSL Observatory, which keeps records of the certificates for websites and lets users compare the signed certificates they encounter on the web with the ones the EFF has on file. (It's done automatically, in case that seemed off-putting.) If the certificate for, say, Twitter were to change, the EFF would start seeing that change reflected in its toolkit. The organization could check with Twitter and see if there was a valid reason for the change and, if not, issue warnings to its users.
You may see the flaw here. If the government gets access to a signing key or uses Twitter's certificate, Twitter or the certificate authority may not be authorized to tell EFF anything out of the norm is happening. "If Facebook or any of these companies gives the NSA a copy of its cryptokeys, or if they obtain them some other way," Lee points out, "it would allow them to spy on traffic." But on the other hand, "Facebook could just give access to all of the users' data," making the complexity of this somewhat unnecessary.
Besides encryption, there is a tool that will allow you to mask who you are as you travel the web—to some extent, anyway. Called TOR (short for The Onion Router), it establishes a system through which your requests to web servers travel through three other anonymous servers around the world first. It's like changing between three cabs on your way to your destination. Anyone trying to figure out where you came from would have a very difficult time doing so.
Particularly because the analogy is more like if you and 100 people shared that cab. The anonymous server through which you're traveling is someone else's TOR setup. You and many other people travel through each point, making the next destination of each hard to determine. Of course, if you use TOR to access your personal Facebook account, it's not going to keep the government from knowing what you're doing on Facebook. But if you visit a site with information you'd rather not be linked to, TOR can help sweep the path clean behind you.
If someone knew where literally every cab in a city was running and when, though, they could eventually figure out who started and ended where. This is the problem with TOR, as noted by Lee and TOR itself. The NSA surveils a massive amount of network traffic, both in the U.S. and with the help of its allies. Could it have an overview of the entire system of TOR traffic? It could. It probably doesn't. As the recent revelations about the UK's Tempora program revealed, some fraction of network data is currently being gathered—that could be a lot of data, but probably not all. Without a record of all of the stops, it's much harder to track those cabs.
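Here is an added example, not code from the article or from the Tor Project, that shows why the three-cab analogy works: the message is wrapped in three layers, and each relay can only peel its own layer, learning the next hop but neither the sender nor the final payload. The relay names, keys and the hash-based keystream cipher are constructed for illustration (Tor itself uses AES with per-hop keys agreed in a handshake).

```python
# Added example, not code from the article: a toy onion-routing round trip
# over three relays. Each hop strips one layer with its own key and learns only
# the next hop, never the original sender or the final payload. The cipher is a
# constructed keystream XOR (SHA-256 of key || counter), fine for illustration,
# not a real cipher; Tor uses AES with per-hop keys negotiated by handshake.
import hashlib


def keystream_xor(key, data):
    """XOR data with a SHA-256 derived keystream; symmetric, so it also decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def build_onion(hop_keys, route, payload):
    """Wrap payload so relay i (key hop_keys[i]) peels to 'route[i+1] | inner'."""
    onion = payload
    for key, next_hop in reversed(list(zip(hop_keys, route[1:]))):
        onion = keystream_xor(key, next_hop.encode() + b"|" + onion)
    return onion


def peel(key, onion):
    """What one relay does: decrypt its layer and read where to send the rest."""
    next_hop, _, inner = keystream_xor(key, onion).partition(b"|")
    return next_hop.decode(), inner


def run_circuit(hop_keys, route, payload):
    """Simulate the three relays; return what each saw and what the site got."""
    onion = build_onion(hop_keys, route, payload)
    observations = []
    for i, key in enumerate(hop_keys):
        next_hop, onion = peel(key, onion)
        observations.append((route[i], next_hop))  # relay i forwards to next_hop
    return observations, onion


if __name__ == "__main__":
    keys, route = [b"k1", b"k2", b"k3"], ["relay1", "relay2", "relay3", "site"]
    print(run_circuit(keys, route, b"GET /"))
```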
For those of you dependent upon real-time chat with your friends, a few words of warning. First of all, the "off the record" sessions offered by Google Chat offer zero protection. Second, most other chat systems, particularly web-based ones, aren't much better.
You do have some options, though. IM protection works a lot like email, Lee points out, generally requiring end-to-end encryption using an external application. He recommends Off-the-Record Messaging, an app which, unlike Google's "off the record" mode, provides that sort of end-to-end encryption. It requires an external chat client, for which the group maintains a list.
Apple's iMessage isn't one of them. But it has apparently stymied law enforcement in the past thanks to its encryption, and the company insists that it has no access to your messages, which would mean that its involvement in PRISM wouldn't put your messages at risk. Some question whether or not that's the case. After all, if Apple software is creating keys to encrypt your data, it necessarily has access to those keys. Anyway, it would only work when communicating with another Apple device using iMessage.
Nor does that end-to-end encryption obscure the metadata — again, as with email. The government could know that you sent a message to someone, and to whom it was sent, just as it can know who was called from which phone number. And speaking of phones:
We'll start by distinguishing between two types of phones. There is the type of phone that makes phone calls (a "phone") and the type of phone that primarily serves as a crutch for those desperate to retain a connection to the internet while not near a computer (a "smartphone").
If your goal is to mask the phone calls you make using a traditional phone, you're probably out of luck. It's still not entirely clear which companies turn over bulk metadata on calls made, but there's absolutely no reason to think any large carriers don't. If you use a small regional phone company, the odds are better that your call records are not going straight to the NSA — that is, as long as you never call anyone who uses a larger phone company. Same goes for mobile phone providers. The smaller the company the less likely the NSA has gotten around to monitoring them, but don't bet on it.
Smartphones expand your options a little bit, but not much. "With phones, it's a lot closer to you not having a choice," Lee notes. Your options:
Voice over IP. VoIP is the term for using a machine's internet connection to transmit digital versions of voice communication. It's Skype, in other words. But of course you don't want to use Skype, since it's a PRISM company. Lee suggests Red Phone, an Android app that offers encrypted voice communications. It requires two Android phones, though.
TextSecure. Another Android app from the same company as Red Phone, TextSecure does what it says on the tin: end-to-end encryption over text message. Also as with Red Phone, TextSecure is open source, meaning that anyone can access the source code to the software. This helps answer questions like, "who might have access to my encryption key?"
TOR Browsers. You can also get TOR browsers for your iPhone or Android device. See above warnings / restrictions / hand-wringing.
(As it turns out, your smartphone is just a little computer, meaning that we're basically repeating the admonitions above. Who knew?)
And that's it. All of the ways you can protect yourself when you go online. Remember: no form of prevention is 100 percent effective. The only truly safe way to protect yourself is to abstain completely.
Top photo: Theodore Kaczynski's cabin in the woods of Lincoln, Mont., in 1996. (AP)