The internet is aflame with the news that the National Security Agency may be spying on phone calls and internet access of American citizens, and the possibility that they've partnered with some of the biggest tech companies in the world—Google, Microsoft, Apple, Facebook, Skype, and others—to request and access data directly whenever they want it. Let's take a look at what exactly is going on, how long it's been happening, and what—if anything—you can do about it.
First, if you read anything on the topic, check out The Atlantic's Government Phone Surveillance for Dummies piece, which puts the whole thing in clear, simple terms.
In detail, allegations arose this week that the US National Security Agency (NSA) has been spying on millions of Americans every day through unfettered tapping of telecommunications networks, and through massive data mining efforts performed with the help of major tech companies like Google, Microsoft, Apple, Yahoo, Facebook, Skype, and others. Journalist Glenn Greenwald, in an exposé at The Guardian, revealed a secret court order that had been leaked to him, outlining the NSA's partnership with Verizon to collect the phone records of millions of Americans every day (you can read the full court order here, issued by FISA, the Foreign Intelligence Surveillance Court), and to hand over metadata and call logs (but not, as many have pointed out, call data, call recordings, or caller identities). If that weren't bad enough, The Washington Post uncovered a slide deck outlining an NSA program called PRISM, a massive partnership going back to 2007 in which the NSA has had access to and has been working with major tech companies to mine their data for keywords and subjects of interest, and to make special requests of those companies in case there's something specific they'd like to look for. Wired has more analysis of the program here.
It's appalling, but to be clear, the NSA's domestic surveillance program isn't exactly new. In addition to the details released this week, the NSA has been wiretapping domestic communications for years—possibly decades. For example, the infamous Room 641A, an interception room operated at AT&T at the behest of the NSA, opened its doors in 2003, and was only shut down after it was exposed in 2006. Inside, NSA and AT&T technicians captured communications flowing through AT&T's telecommunications networks, processed it, stored it, and transmitted it to the Agency for further study. When an AT&T technician confirmed the existence of the room, he let slip that similar facilities likely existed all over the country, and there was no reason to believe that AT&T was the only organization helping the NSA out—something we've since seen proven out, as this latest revelation focuses on Verizon (which, for its part, has declined to comment on the issue, while every other company involved has denied involvement).
For its part, Room 641A was only shut down as part of a class action lawsuit brought by the Electronic Frontier Foundation, one that continues to this day. The EFF has a wealth of data on exactly how the NSA collects data on American citizens, if you'd like to read more. Keep in mind that this isn't just from direct access to service providers like Google, Microsoft, and Apple, but also by collaborating with internet service providers for access to their networks. That means that even if you decide to boycott companies that work with them, you'll have a hard time finding alternatives that will both get you on the internet and provide you services while you're online. You can check out the EFF's statement on the Verizon leak here, and a full timeline going back to 2001 here.
Plus, the news isn't getting better as the week goes on. More companies are being exposed as partnering with the program, and there are new allegations that the NSA collects records on every phone call in the United States, something that frankly, many people already assumed was the case. The Office of the Director of National Intelligence has gone on record saying The Guardian and The Washington Post reports are inaccurate and that their programs operate within the law. Essentially, it's a massive fishing expedition for anything the NSA may find interesting, and the data is stored, processed, and kept for an indeterminate amount of time. Is it personal, personally identifiable data? Very likely. Is it cause for concern? We think so, but that doesn't make you powerless. Ideally, you should get informed and get involved.
Can I Protect Myself?
In theory, yes, but it comes down to a combination of protection and security through obscurity. Even if the NSA is sniffing your ISP's networks and getting your private information from the service providers you use for email, social networking, and web searches (to name a few), there are a few things you can do. The problem with all of them is that they increase the complexity of your activities on the web exponentially with each one you embrace, and they fall down quickly if you're actually a real target for investigation.
This Wired article has some suggestions, like using disposable SIM cards and phone numbers. The problem here though is that you can use disposable numbers and phones as much as you want, but if the person you're calling is tapped and isn't doing the same, it's pointless, because those calls are still monitored. If your pre-paid number or SIM is with a carrier working with the NSA, it's also pointless.
The same applies to using disposable email addresses like Trashmail and Gliph. It doesn't take much effort to find the IP address of a sender, even if the message is from a disposable address or device, and you don't need the NSA's capabilities to do that. Plus, if you're emailing someone that isn't taking the same precautions, then the NSA will still have access to the emails you send them...so what's the point? They've outed you, no matter what you've done to obfuscate your identity.
Finally, let's talk about VPNs and private networks like Tor. They're probably your best option to keep your communications private, and we've talked about how to choose a good, trustworthy VPN before. Still, they're not perfect. VPNs and Tor will protect you from someone monitoring your traffic, but not someone monitoring the service you're using, which is the issue here. Encrypting your way to Google is great if someone's watching your communications to and from Google, but if someone's sitting at Google watching what you're doing, you're boned.
Besides, while using a VPN will encrypt your traffic from anyone sniffing your ISP's network, if anyone has the capability to do deep packet inspection and peek into that encrypted traffic, it's the NSA. Plus, depending on the VPN you use, the encryption may not be that strong in the first place, or their DNS may be leaking all over the place. Then, after all that, the so-called "last mile" of traffic—where your communications are decrypted by your VPN provider and sent on to the actual site you're connecting to—could be tapped anyway. On top of that, if you're connecting to a service that works with the NSA, all that encryption is worthless anyway.
Tor is similar. While all of your communications are anonymized and relayed through private, volunteer networks (here's a primer on how Tor works, if you're not familiar), as soon as your data emerges from an exit relay, it's entirely unencrypted. Again, if someone's sniffing the network at your exit relay's location, you're exposed. If there's anything personal about the data leaving the exit relay (like you're connecting to Google, Microsoft, or one of the other companies that works with the NSA), you're exposed.
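To make the VPN and Tor argument above concrete, here is an added model (not code from the original post) of what a passive observer at each vantage point learns about a single request; the vantage names "isp", "exit" and "service", the field names, and the sample addresses are my own constructed labels.

```python
from dataclasses import dataclass

HIDDEN = "<hidden>"

@dataclass
class Request:
    client_ip: str
    dest_host: str
    content: str
    tls: bool = False        # end-to-end HTTPS to the destination
    vpn: bool = False        # client -> VPN provider tunnel
    tor: bool = False        # client -> Tor circuit -> exit relay
    dns_leak: bool = False   # VPN is up, but name lookups still go to the ISP resolver

def observer_view(req: Request, vantage: str):
    """What a passive observer at `vantage` learns about one request.

    vantage: 'isp' (your access network), 'exit' (the VPN provider's egress or
    the Tor exit relay, i.e. the 'last mile'), or 'service' (the site itself).
    Returns None when that vantage point does not exist for the request.
    """
    tunneled = req.vpn or req.tor
    if vantage == "isp":
        # Source is always you. With a tunnel the ISP sees only the tunnel
        # endpoint, unless DNS queries escape the tunnel (a DNS leak).
        if tunneled:
            dest = req.dest_host if (req.vpn and req.dns_leak) else HIDDEN
            return {"source": req.client_ip, "destination": dest, "content": HIDDEN}
        return {"source": req.client_ip, "destination": req.dest_host,
                "content": HIDDEN if req.tls else req.content}
    if vantage == "exit":
        if not tunneled:
            return None  # a direct connection has no exit hop
        # The tunnel ends here: destination is in the clear, and so is the
        # content unless TLS runs end to end. A VPN provider knows its customer;
        # a Tor exit relay only sees the previous relay in the circuit.
        source = HIDDEN if req.tor else req.client_ip
        return {"source": source, "destination": req.dest_host,
                "content": HIDDEN if req.tls else req.content}
    if vantage == "service":
        # The service terminates TLS itself, so it always reads the content;
        # a tunnel only replaces your address with the exit's address.
        source = "tunnel-exit-ip" if tunneled else req.client_ip
        return {"source": source, "destination": req.dest_host, "content": req.content}
    raise ValueError(f"unknown vantage {vantage!r}")
```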
It's a pretty dismal picture, but that's the full story. You could take all of these measures to secure yourself and your data, and each one adds more complexity to everything you do online. Even so, if your friends and all the services you use, including your email provider, internet service provider, search engine, and more aren't as tinfoil-hatty as you are and don't take the same measures to protect and secure your identity, you're kind of screwed.
So It's All Futile?
Look, I grew up in the shadow of the NSA and even worked in places with close ties to the Agency. If there's anything I know, it's that the NSA is one of the biggest, most technologically advanced organizations on the planet, but it's still a government bureaucracy. If that makes you worried, you should be—right now, the entire scandal is still evolving, and is wrapped up in terms of government spying in order to protect American citizens from the threat of terrorism at home or abroad. The NSA has even said—as recently as two weeks ago—that everyone else is spying on American citizens too and that they're trying to prevent a major cyberattack against the United States. Some government officials have gone on record saying they tried to stop the program, and others are introducing bills to put a stop to it.
Other pundits are calling for people to stop the hysterics and calm down. After all, some are pointing out that every tech company implicated in the program has denied involvement, which means that either some piece of the puzzle is missing, or every single tech company involved is lying to our faces. The Washington Post this morning backtracked from its initial claim that tech companies knowingly participated in PRISM, which means either there's more to the story or the program was set up to give tech companies deniability. We mentioned that the Office of the Director of National Intelligence has gone on record saying the reports from The Guardian and The Washington Post "contain numerous inaccuracies." You should draw your own conclusions—just make them informed conclusions first.
So what can you do? Not much, honestly—the places that most consumer-level privacy and security tools fall down are the places that are well within the reach of an organization with the resources, computing power, reach, and manpower of the NSA. This is especially true given the unprecedented access the NSA had to popular service providers and ISPs.
However, just because you can't do everything to protect yourself doesn't mean you can't do anything. Consider donating to or joining the Electronic Frontier Foundation and other groups that work to preserve civil liberties on the Internet. As the situation simmers, representatives of all parties have stepped up to condemn the program and promise to investigate it. If yours has, reach out and lend them your support. If yours hasn't, get in touch with them and let them know that they should. The story is still developing, but this isn't an issue that will go away with the right technology. It will take the actions of ordinary people to resolve.