11 June 2013
Let’s start by prefacing this article with a disclaimer. The US National Security Organization (NSA) is almost certainly one of (if not the) most technologically sophisticated, well-funded and secretive organizations in the world. As such, who knows what it is capable of, if it’s out to get you? The security measures discussed below should help to obfuscate your on-line activities, making them difficult to track, log and trace, but they can by no means guarantee your privacy or anonymity should the NSA decide to become interested in what you are up to.
Another disclaimer is that the scandal is fast evolving at the time of writing, with many details still unclear (perhaps the most important of which is the level to which the US internet giants involved in the scandal are complicit in its implementation).
What is the problem?
We are sure that by the time you read this article on a VPN website blog, you are aware of the basics of the situation. On 5 June the UK’s Guardian newspaper released documents leaked to it by Edward Snowden, an independent contractor working for the NSA. The documents, which were verified to be authentic, proved that the NSA was involved in the mass blanket surveillance of every phone call, email, website visited, instant message, chat and text carried out by almost every one of its own citizens. Furthermore, a great deal of information was also collected on non-US citizens, which was often promptly handed over (often with very dubious legality) to those individuals’ governments.
Although many have suspected (or even assumed) that the NSA has been involved in such activity for some time, both the scale of the revelations (confirmed by the US government) and the fact that hard evidence has come to light have hammered home to many ordinary people the extent to which most of us now live in a secretive and unaccountable ‘police state’.
The US government has been extremely keen to avoid terms such as ‘blanket’ or ‘warrantless’ surveillance, as this would violate the Fourth Amendment’s prohibition against seizures and searches ‘without probable cause’. However, with over 200 million Americans affected, these terms would indeed seem to apply. In addition to this, the untold millions of non-US citizens who use the services of the globe-spanning US internet giants, and whose activity has also been logged and recorded, have no such protection.
Who was involved?
The surveillance program, known as ‘Prism’, involves monitoring not just the data of the United States’ telecoms companies (most notably Verizon, which has 98.9 million customers), but also that of some of the most popular, widely used and highly respected giants of the internet, including Microsoft (the first to be included back in 2007), Google, Yahoo!, Facebook, YouTube, Skype, AOL and Apple.
A big question mark still hangs over the issue of whether these companies knew their data was being monitored, and whether they actually co-operated with the NSA in supplying it. The initial report leaked by Mr Snowden clearly alleged their involvement in the program, and it seems almost unbelievable that the NSA could have carried out such sweeping surveillance without the companies’ knowledge and involvement. However, all the companies involved have very strenuously denied that they knew anything about Prism, stating that they would have refused to co-operate if they had.
In addition to this, it is unclear to what extent governments in the EU (and most notably the UK) were aware of Prism, and benefited from information that was obtained about their own citizens through the program.
Can VPN protect me against NSA spying?
To a certain extent…
When you use a VPN service you create an encrypted tunnel between your computer and a server run by your VPN provider. Your ISP cannot ‘see’ what data is being transmitted (i.e. what you are doing), but can see that you are connected to your VPN server, when you are connected, how much data is transmitted, and usually also the fact that you are using encryption.
Anyone watching traffic on the internet can easily trace the IP of website visitors back to the VPN server. The VPN provider can then connect a user with the traced IP if it keeps logs of such activity.
So in the normal course of things, if you do not volunteer personal details to an internet website or service, and you are using a VPN service that keeps no logs, then VPN will do a good job of maintaining your anonymity.
Giving the game away yourself
One of the most shocking things about the scandal is not that the US government spies on its own citizens, but that pretty near all of the leading US tech companies, who in many ways form the backbone of the internet, are complicit. This means, for example, that if you usually stay signed in to your Gmail account (and thus into Google), all your internet searches using the Google search engine are likely to be harvested by the NSA. Similarly, there is little point having a secure connection to the Skype servers when these servers are wide open to NSA monitoring.
The simplest solution is to cancel your accounts with, and not use, any of the affected services. In fact, given the reach of the NSA, we would suggest not using any US-based internet service. However, for many this is not a realistic option, as most of us rely too heavily on these services for our day-to-day internet life.
Even if we are willing to go to the hassle of finding alternative, more secure services (see below), these also generally rely on the person at the other end of the line having the will and tech savvy to cooperate. There is no point in having a secure, PGP encrypted email set-up if your Granny, who has a Gmail account, can’t even program the microwave! Similarly, for the tens of millions of users out there to whom Facebook is the internet, and whose friends are all on there and have no intention of leaving it, simply leaving Facebook is not an option.
A graduated response
Although various radical methods of evading NSA spying have been suggested on the internet, these range from inconvenient (e.g. PGP encrypting all your email) to downright paranoid (using multiple disposable phones paid for in cash)! Not only are these methods too extreme for most, but if the NSA (or other similar organization) really was that keen on identifying you or your behaviour, they would likely be able to do so. For example, PGP encrypting your emails is very secure against brute force attacks, but key logger viruses could be used to infect your computer and record your emails as you type them. Similarly, even if using disposable mobile phones paid for with cash, metadata analysis (i.e. recording time and location of calls) can be used to identify a caller.
For most of us who are not terrorists, paedophiles, whistle-blowers or gangsters, but who believe in privacy and don’t want to have every online move we make tracked and recorded by sinister government agencies (and maybe want to download the odd music track or movie on the side), there are concrete steps we can take to obfuscate our online activity, and ‘slip under the radar’.
- Use a VPN – as long as your VPN provider does not simply hand over its logs to the NSA, or have a device or software installed (overtly or covertly) that does this automatically, then VPNs are a very effective way to mask your identity and activity on the internet. You can even pay for many VPN services with Bitcoins, which, if you are careful, makes tracing your VPN account to you as an individual through the payment process very difficult.
- Do not log on to any Google service when using its search engine – if this is too inconvenient, then use a different service (such as Bing) for web searches. Although these search engines are also likely monitored (Bing, owned by Microsoft, certainly is!), as long as you are connected to a VPN service then the search engine will only be able to identify the VPN server’s IP address, not yours. If doing this you should also disable cookies from that search engine (see below). Alternatively, you can use an anonymous search engine such as DuckDuckGo, the default search engine for the hacktivist group Anonymous.
- Assume all email, social networking and chat messages are monitored and recorded, and behave accordingly. You have to accept that there is only so much you can do, particularly when communicating with others who do not share your dedication to privacy. When communicating with those who do, a number of tools are available (see below). Just remember that communicating with customers using PGP encrypted email will not only likely baffle them, but also looks very suspicious!
Beware US based VPN services
Faced with the sweeping powers afforded to government agencies (such as the NSA) by the post 9/11 Patriot Act, and to copyright enforcement bodies by legislation such as the Digital Millennium Copyright Act 1998 (DMCA), most US-based VPN providers do not make any real pretence at protecting their customers’ privacy or identity.
A few, most prominently Private Internet Access, do claim to provide high levels of security by keeping no logs ‘whatsoever’, and by using shared IP addresses, which in theory makes identifying an individual user with any internet behaviour impossible. However, the following points should be considered:
- All US VPN companies are subject to the Patriot Act, and if the NSA is able to monitor all data collected by the likes of Google, Microsoft and Facebook, then it would be foolish to assume they cannot, or do not, monitor the servers of VPN companies such as PIA (who as we noted have a high profile).
- All VPN companies are subject to the Stored Communications Act (SCA), which can force a provider to keep logs on the activities of named individuals without alerting them to the fact.
- All traffic that passes through the US communications backbone can be monitored, so any traffic that passes through a US server can, at least in theory, be monitored by the likes of the NSA. Although the contents of encrypted traffic will remain hidden, the NSA can collect metadata of a similar nature to that obtainable by ISPs.
The paranoid should therefore avoid any company even remotely related to the United States. However, we think that companies such as Private Internet Access are genuinely committed to their customers’ privacy and anonymity, but have little faith in their ability to guarantee this on US soil (and PIA’s statement reproduced in this article would seem to confirm this). Using their overseas servers should be ok though, as US laws and organisations have neither the means nor jurisdiction to prevent logs from being discarded from servers outside the United States.
Other tools and tips for securing on-line privacy
If you want to go further towards protecting your online privacy than was covered in ‘A graduated response’, the following are a good place to start.
The Tor anonymity network is currently the most secure and anonymous way to access the internet. We discuss Tor in more detail in this article, but basically your data is re-encrypted multiple times as it passes between random ‘nodes’ scattered across the internet, before exiting through a volunteer’s ‘exit node’. Although highly secure, as no-one can see the full journey taken by your data, Tor is very slow compared to VPN, and you cannot use it for P2P downloading (well, you can, but it is considered very rude because not only does it slow the whole system down even further, but it can cause problems for volunteers who host ‘exit nodes’, as they may be falsely identified as copyright infringers).
If your internet use has life-threatening implications, then use Tor rather than VPN, but VPN is easier, quicker and more flexible for everyday use.
Most commercial search engines store the following information:
- User’s IP address
- Date and time of query
- Query search terms
- Cookie ID – this cookie is deposited in your browser’s cookie folder, and uniquely identifies your computer. With it, a search engine provider can trace a search request back to your computer
If you connect via VPN then the search engine can only see your VPN server’s IP address, not your real one, but it can still trace you using the cookie ID. It is therefore best to turn off cookies in your browser (at least for your chosen search engine website), or to use a search engine that doesn’t use them.
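The cookie problem described above can be made concrete with a short added example (not part of the original article). It takes constructed log records with the four fields listed, assumes the observer knows which addresses are VPN servers, and shows which searches made through the VPN are still tied to a home IP address by a shared cookie ID. All addresses, cookie IDs and queries are invented sample data.

```python
from collections import defaultdict

# Constructed search-engine log: (IP, timestamp, query, cookie ID).
# Addresses come from documentation ranges; none of this is real data.
LOG = [
    ("198.51.100.23", "2013-06-10T08:02:11", "weather london", "c-7f3a"),
    ("198.51.100.23", "2013-06-10T08:05:40", "train times", "c-7f3a"),
    ("203.0.113.9", "2013-06-10T21:14:03", "vpn no logs", "c-7f3a"),    # VPN on, cookie kept
    ("203.0.113.9", "2013-06-10T21:20:37", "tor vs vpn", None),         # VPN on, cookies off
    ("203.0.113.9", "2013-06-10T21:22:10", "cheap flights", "c-91bd"),  # another VPN customer
    ("192.0.2.77", "2013-06-10T09:00:00", "cheap hotels", "c-91bd"),
]
VPN_SERVER_IPS = {"203.0.113.9"}  # assumption: known to whoever reads the log


def link_by_cookie(log):
    """Group records by cookie ID; records without a cookie stay unlinked."""
    profiles = defaultdict(list)
    unlinked = []
    for ip, ts, query, cookie in log:
        if cookie is None:
            unlinked.append((ip, ts, query))
        else:
            profiles[cookie].append((ip, ts, query))
    return dict(profiles), unlinked


def exposed_vpn_queries(log, vpn_ips):
    """Map each cookie seen both with and without the VPN to
    (non-VPN IPs, queries that were sent through the VPN)."""
    profiles, _ = link_by_cookie(log)
    exposed = {}
    for cookie, records in profiles.items():
        home_ips = sorted({ip for ip, _, _ in records if ip not in vpn_ips})
        vpn_queries = [q for ip, _, q in records if ip in vpn_ips]
        if home_ips and vpn_queries:
            exposed[cookie] = (home_ips, vpn_queries)
    return exposed


if __name__ == "__main__":
    for cookie, (ips, queries) in exposed_vpn_queries(LOG, VPN_SERVER_IPS).items():
        print(f"{cookie}: VPN searches {queries} link back to {ips}")
    print("not linkable by cookie:", link_by_cookie(LOG)[1])
```

Only the search sent with cookies disabled is left with nothing but the shared VPN address attached to it.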
There are numerous email PGP encryption tools out there, but one of the best is the open source and free TrueCrypt. A great setup guide for it is available here.
Chat / telephony and text messaging
Both conventional telephone networks (landline and mobile) and VoIP services (such as Skype) are vulnerable to tapping and interception by agencies such as the NSA, as are conventional mobile phone text messaging and internet messaging services.
Silent Circle is a commercial enterprise that offers a set of encrypted solutions for a monthly fee ($10), and which cover most major platforms. The software itself is open source, and has been audited by the American Civil Liberties Union to ensure that it contains no ‘back doors’.
A free alternative, also providing end-to-end encryption, is Redphone and Secure Texts from Whisper Systems, but these apps are only available for Android.
Of course, these encrypted solutions require that all parties be using the same software.
Ha, ha, ha, ha!
The entire scandal, while hardly surprising to those who have paid attention to the murky world of government surveillance, has dramatically highlighted the sickening levels of intrusion unaccountable governments have into ordinary law-abiding citizens’ daily lives.
The response from many commentators worried about maintaining privacy in the face of such an all-encompassing and powerful assault on civil liberties has largely been a wail of despair at the impossibility of it. After all, even your friends could all be NSA spies out to get you, and any attempt to even try and maintain your privacy is simply a ‘tin hat’!
While it may be true that complete anonymity in the face of direct attention from the NSA might be nearly impossible, for most of us there are effective ways of obfuscating our online behaviour that make it very difficult and time-consuming for anyone (the NSA included) to uncover what we are doing.
To recap, the main steps to avoid casual intrusion into your privacy are:
- Always access the internet using VPN (one which keeps no logs and using servers based outside the US). Alternatively use Tor.
- Never ‘log on’ to a search engine service you use, and disable all cookies for that service. Alternatively use a secure search engine instead.
- Be aware that most communications methods are open and monitored. If you want to keep communications secret, then use encryption.