The NSA Prism scandal and how VPN can and cannot help

11 June 2013

Let’s start by prefacing this article with a disclaimer. The US National Security Agency (NSA) is almost certainly one of (if not the) most technologically sophisticated, well-funded and secretive organizations in the world. As such, who knows what it is capable of if it’s out to get you? The security measures discussed below should help to obfuscate your on-line activities, making them difficult to track, log and trace, but they can by no means guarantee your privacy or anonymity should the NSA decide to become interested in what you are up to.

Another disclaimer is that the scandal is fast evolving at the time of writing, with many details still unclear (perhaps the most important of which is the extent to which the US internet giants involved in the scandal are complicit in its implementation).

What is the problem?

We are sure that by the time you read this article on a VPN website blog, you are aware of the basics of the situation. On 5 June the UK’s Guardian newspaper released documents, leaked to it by Edward Snowden (an independent contractor working for the NSA) and verified to be authentic, which proved that the NSA was involved in the mass blanket surveillance of every phone call, email, website visited, instant message, chat and text carried out by almost every one of its own citizens. Even further, a great deal of information was also collected on non-US citizens, which was often promptly handed over (often with very dubious legality) to those individuals’ governments.

Although many have suspected (or even assumed) that the NSA has been involved in such activity for some time, both the scale of the revelations (confirmed by the US government) and the fact that hard evidence has come to light have hammered home to many ordinary people the extent to which most of us now live in a secretive and unaccountable ‘police state’.

The US government has been extremely keen to avoid terms such as ‘blanket’ or ‘warrantless’ surveillance, as this would violate the Fourth Amendment’s prohibition against searches and seizures ‘without probable cause’. However, with over 200 million Americans affected, these terms would indeed seem to apply. In addition to this, the untold millions of non-US citizens who use the services of the globe-spanning US internet giants, and whose activity has also been logged and recorded, have no such protection.

Who was involved?

The surveillance program, known as ‘Prism’, involves monitoring not just of the United States’ telecoms companies’ data (most notably Verizon, which has 98.9 million customers), but also of some of the most popular, widely used, and highly respected giants of the internet, including Microsoft (the first to be included, back in 2007), Google, Yahoo!, Facebook, YouTube, Skype, AOL and Apple.

A big question mark still hangs over the issue of whether these companies knew their data was being monitored, and if they actually co-operated with the NSA in supplying it. The initial report leaked by Mr Snowden clearly alleged their involvement in the program, and it seems almost unbelievable that the NSA could have carried out such sweeping surveillance without the companies’ knowledge and involvement. However, all the companies involved have very strenuously denied that they knew anything about Prism, stating that they would have refused to co-operate if they had.

In addition to this, it is unclear as to the extent that governments in the EU (and most notably the UK) were aware of Prism, and benefited from information that was obtained about their own citizens through the program.

Can VPN protect me against NSA spying?

To a certain extent…

When you use a VPN service you create an encrypted tunnel between your computer and a server run by your VPN provider. Your ISP cannot ‘see’ what data is being transmitted (i.e. what you are doing), but can see that you are connected to your VPN server, when you are connected, how much data is transmitted, and usually also the fact that you are using encryption.

Anyone watching traffic on the internet can easily trace the IP of website visitors back to the VPN server. The VPN provider can then connect a user with the traced IP if it keeps logs of such activity.

So in the normal course of things, if you do not volunteer personal details to an internet website or service, and you are using a VPN service that keeps no logs, then VPN will do a good job of maintaining your anonymity.

Giving the game away yourself

One of the most shocking things about the scandal is not that the US government spies on its own citizens, but that pretty near all of the leading US tech companies, who in many ways form the backbone of the internet, are complicit. This means for example, that if you usually stay signed in to your Gmail account (and thus into Google), all your internet searches using the Google search engine are likely to be harvested by the NSA. Similarly, there is little point having a secure connection to the Skype servers, when these servers are wide open to NSA monitoring.

The simplest solution is to cancel your accounts with, and not use any of the affected services. In fact, given the reach of the NSA, we would suggest not using any US based internet service. However, for many this is not a realistic option, as most of us rely too heavily on these services for our day-to-day internet life.

Even if we are willing to go to the hassle of finding alternative, more secure services (see below), these also generally rely on the person at the other end of the line having the will and tech savvy to cooperate. There is no point in having a secure, PGP encrypted email set-up if your Granny, who has a Gmail account, can’t even program the microwave! Similarly, for the tens of millions of users out there to whom Facebook is the internet, and whose friends are all on there and have no intention of leaving it, simply leaving Facebook is not an option.

A graduated response

Various radical methods of evading NSA spying have been suggested on the internet, ranging from the inconvenient (e.g. PGP encrypting all your email) to the downright paranoid (using multiple disposable phones paid for in cash)! Not only are these methods too extreme for most, but if the NSA (or other similar organization) really was that keen on identifying you or your behaviour, they would likely be able to do so. For example, PGP encrypting your emails is very secure against brute force attacks, but key logger viruses could be used to infect your computer and record your emails as you type them. Similarly, even if using disposable mobile phones paid for with cash, metadata analysis (i.e. recording the time and location of calls) can be used to identify a caller.

For most of us who are not terrorists, paedophiles, whistle-blowers or gangsters, but who believe in privacy and don’t want to have every online move we make tracked and recorded by sinister government agencies (and maybe want to download the odd music track or movie on the side), there are concrete steps we can take to obfuscate our online activity and ‘slip under the radar’.

  • Use a VPN – as long as your VPN provider does not simply hand over its logs to the NSA, or have a device or software installed (overtly or covertly) that does this automatically, then VPNs are a very effective way to mask your identity and activity on the internet. You can even pay for many VPN services with Bitcoins, which, if you are careful, makes tracing your VPN account to you as an individual through the payment process very difficult.
  • Do not log on to any Google service when using its search engine – if this is too inconvenient, then use a different service (such as Bing) for web searches. Although these search engines are also likely monitored (Bing, owned by Microsoft, certainly is!), as long as you are connected to a VPN service then the search engine will only be able to identify the VPN server’s IP address, not yours. If doing this you should also disable cookies from that search engine (see below). Alternatively, you can use an anonymous search engine such as DuckDuckGo, the default search engine of the hacktivist group Anonymous.
  • Assume all email, social networking and chat messages are monitored and recorded, and behave accordingly. You have to accept that there is only so much you can do, particularly when communicating with others who do not share your dedication to privacy. When communicating with those who do, a number of tools are available (see below). Just remember that communicating with customers using PGP encrypted email will not only likely baffle them, but also looks very suspicious!

Beware US based VPN services

Faced with the sweeping powers afforded to government agencies (such as the NSA) by the post-9/11 Patriot Act, and to copyright enforcement bodies by legislation such as the Digital Millennium Copyright Act 1998 (DMCA), most US based VPN providers do not make any real pretence at protecting their customers’ privacy or identity.

A few, most prominently Private Internet Access, do claim to provide high levels of security by keeping no logs ‘whatsoever’, and by using shared IP addresses, which in theory makes identifying an individual user with any internet behaviour impossible. However, the following points should be considered:

  • All US VPN companies are subject to the Patriot Act, and if the NSA is able to monitor all data collected by the likes of Google, Microsoft and Facebook, then it would be foolish to assume they cannot, or do not, monitor the servers of VPN companies such as PIA (who, as we noted, have a high profile).
  • All VPN companies are subject to the Stored Communications Act (SCA), which can force a provider to keep logs on the activities of named individuals without alerting them to the fact.
  • All traffic that passes through the US communications backbone can be monitored, so any traffic that passes through a US server can, at least in theory, be monitored by the likes of the NSA. Although the contents of encrypted traffic will remain hidden, the NSA can collect metadata of a similar nature to that obtainable by ISPs.

The paranoid should therefore avoid any company even remotely related to the United States. However, we think that companies such as Private Internet Access are genuinely committed to their customers’ privacy and anonymity, but have little faith in their ability to guarantee this on US soil (and PIA’s statement reproduced in this article would seem to confirm this). Using their overseas servers should be ok though, as US laws and organisations have neither the means nor the jurisdiction to prevent logs from being discarded from servers outside the United States.

Other US based VPN providers, such as ExpressVPN and IPVanish, also claim to keep no logs, but given the wording of their Terms of Service (ToS), we have much less faith in them than we do in PIA.

Other tools and tips for securing on-line privacy

If you want to go further towards protecting your online privacy than was covered in ‘A graduated response’, the following are a good place to start.

Tor

The Tor anonymity network is currently the most secure and anonymous way to access the internet. We discuss Tor in more detail in this article, but basically your data is re-encrypted multiple times as it passes between random ‘nodes’ scattered across the internet, before exiting through a volunteer’s ‘exit node’. Although highly secure, as no-one can see the full journey taken by your data, Tor is very slow compared to VPN, and you cannot use it for P2P downloading (well, you can, but it is considered very rude because not only does it slow the whole system down even further, but it can cause problems for volunteers who host ‘exit nodes’, as they may be falsely identified as copyright infringers).

If your internet use has life-threatening implications, then use Tor rather than VPN, but VPN is easier, quicker and more flexible for everyday use.
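To make the layered encryption described above concrete, here is a toy onion-routing walk-through. It is an illustration added to this article, not code from the original post or from the Tor project: the client wraps its message in one layer per relay, each relay strips exactly one layer and learns only the next hop, and only the exit relay sees the destination and the plaintext. The cipher is a deliberately simple HMAC-SHA256 keystream XOR with pre-shared per-hop keys (real Tor negotiates keys per hop, uses AES in counter mode and TLS between relays, and this toy has no integrity protection); the relay names, keys and message are constructed for the demo.

```python
"""Toy onion routing: one encryption layer per relay, peeled hop by hop.
Illustrative only; the cipher and key handling are not Tor's."""
import hashlib
import hmac
import os

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key and nonce (toy cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_layer(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Apply (or remove) one encryption layer; XOR is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def build_onion(circuit, destination: str, message: bytes, nonce: bytes) -> bytes:
    """Client side: wrap the message from the exit relay outwards.

    circuit is a list of (relay_name, key) from the first hop to the exit.
    Each layer's plaintext is "<next hop>|<inner ciphertext>", so a relay
    that peels its own layer learns where to forward the rest and nothing else."""
    inner = destination.encode() + b"|" + message      # what only the exit sees
    for i in range(len(circuit) - 1, -1, -1):
        name, key = circuit[i]
        inner = xor_layer(key, nonce, inner)
        if i > 0:
            # the previous relay needs this relay's name to forward the cell
            inner = name.encode() + b"|" + inner
    return nonce + inner


def peel_layer(key: bytes, nonce: bytes, body: bytes):
    """Relay side: strip one layer, returning (next_hop, remaining payload)."""
    plain = xor_layer(key, nonce, body)
    next_hop, rest = plain.split(b"|", 1)
    return next_hop.decode(), rest


def simulate_circuit(circuit, onion: bytes):
    """Pass the cell through every relay in turn and record what each one saw."""
    nonce, body = onion[:NONCE_LEN], onion[NONCE_LEN:]
    views = {}
    next_hop = None
    for name, key in circuit:
        next_hop, body = peel_layer(key, nonce, body)
        views[name] = {"next_hop": next_hop, "payload": body}
    # after the exit relay, next_hop is the real destination and body the message
    return next_hop, body, views


# Constructed demo circuit: three relays with fixed pre-shared keys so the run
# is reproducible (in Tor these keys come from a per-hop key exchange).
DEMO_CIRCUIT = [
    ("guard", hashlib.sha256(b"demo-key-guard").digest()),
    ("middle", hashlib.sha256(b"demo-key-middle").digest()),
    ("exit", hashlib.sha256(b"demo-key-exit").digest()),
]

if __name__ == "__main__":
    cell = build_onion(DEMO_CIRCUIT, "example.org", b"hello over tor",
                       os.urandom(NONCE_LEN))
    dest, msg, views = simulate_circuit(DEMO_CIRCUIT, cell)
    for relay, seen in views.items():
        print(f"{relay:6s} forwards to {seen['next_hop']:12s} "
              f"can read message: {seen['payload'] == msg}")
    print("exit delivers", msg, "to", dest)
```

Running it prints that the guard only learns "middle", the middle only learns "exit", and only the exit can read the message and destination, which is exactly why no single relay sees the full journey; it also shows why the exit operator, who does see the plaintext and destination, is the one who gets blamed for what leaves the network.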

Search Engines

Most commercial search engines store the following information:

  • User’s IP address
  • Date and time of query
  • Query search terms
  • Cookie ID – this cookie is deposited in your browser’s cookie folder, and uniquely identifies your computer. With it, a search engine provider can trace a search request back to your computer

If you connect via VPN then the search engine can only see your VPN server’s IP address, not your real one, but it can still trace you using the cookie ID. It is therefore best to turn off cookies in your browser (at least for your chosen search engine website), or to use a search engine that doesn’t use them.
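To show why the cookie ID undoes the IP masking a VPN gives you, here is a small Python illustration added to this article (not code from the original post; every log entry below is constructed sample data). It replays a search engine’s query log for one browser that searched through two different VPN exit addresses on two days, alongside an unrelated user on the same shared exit IP, and compares what the provider can reconstruct with cookies on versus with the cookie blocked.

```python
"""Why a search cookie links sessions across VPN servers (constructed data)."""
from collections import defaultdict
from typing import NamedTuple, Optional


class QueryRecord(NamedTuple):
    ip: str
    timestamp: str
    query: str
    cookie_id: Optional[str]   # None when the browser sends no cookie


# Constructed sample log: cookie c0ffee01 is one browser seen from two VPN
# exit IPs on two days; beef0042 is a different user sharing the first exit IP.
SAMPLE_LOG = [
    QueryRecord("198.51.100.10", "2013-06-11T09:00:00Z", "vpn no logs", "c0ffee01"),
    QueryRecord("198.51.100.10", "2013-06-11T09:05:00Z", "tor exit node", "c0ffee01"),
    QueryRecord("198.51.100.10", "2013-06-11T09:07:00Z", "cat pictures", "beef0042"),
    QueryRecord("203.0.113.77", "2013-06-12T18:30:00Z", "pgp email setup", "c0ffee01"),
]


def link_by_cookie(log):
    """Group queries by cookie ID: the profile a provider can build with cookies on."""
    profiles = defaultdict(list)
    for rec in log:
        if rec.cookie_id is not None:
            profiles[rec.cookie_id].append(rec)
    return dict(profiles)


def link_by_ip(log):
    """Group queries by source IP only: all that is left once cookies are blocked.
    A shared VPN exit IP mixes different users together, and a later session
    from another server cannot be joined to the earlier one."""
    profiles = defaultdict(list)
    for rec in log:
        profiles[rec.ip].append(rec)
    return dict(profiles)


def strip_cookies(log):
    """Simulate a browser that blocks the search engine's cookie."""
    return [rec._replace(cookie_id=None) for rec in log]


def distinct_ips_per_profile(profiles):
    """Number of different IPs each reconstructed profile spans; more than one
    means the cookie joined sessions across VPN servers."""
    return {key: len({r.ip for r in recs}) for key, recs in profiles.items()}


if __name__ == "__main__":
    with_cookies = link_by_cookie(SAMPLE_LOG)
    print("cookies on, IPs spanned per profile:", distinct_ips_per_profile(with_cookies))
    for cookie, recs in with_cookies.items():
        print(" ", cookie, [r.query for r in recs])
    print("cookies blocked, grouping by IP only:")
    for ip, recs in link_by_ip(strip_cookies(SAMPLE_LOG)).items():
        print(" ", ip, [r.query for r in recs])
```

With cookies on, the provider sees all three of c0ffee01’s searches as one person despite the change of exit IP. With the cookie blocked, the best it can do is group by IP, which both mixes in the unrelated user on the shared exit and loses the link to the next day’s session, which is the effect the paragraph above is after.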

Email

There are numerous email PGP encryption tools out there, but one of the best is the open source and free TrueCrypt. A great setup guide for it is available here.

Chat / telephony and text messaging

Both conventional telephone networks (landline and mobile) and VoIP services (such as Skype) are vulnerable to tapping and interception by agencies such as the NSA, as are conventional mobile phone text messaging and internet messaging services.

Silent Circle is a commercial enterprise that offers a set of encrypted solutions for a monthly fee ($10), and which cover most major platforms. The software itself is open source, and has been audited by the American Civil Liberties Union to ensure that it contains no ‘back doors’.

A free alternative, also providing end-to-end encryption, is Redphone and Secure Texts from Whisper Systems, but these apps are only available for Android.

Of course, these encrypted solutions require that all parties be using the same software.

Social Networking

Ha, ha, ha, ha!


The entire scandal, while hardly surprising to those who have paid attention to the murky world of government surveillance, has dramatically highlighted the sickening levels of intrusion unaccountable governments have into ordinary law-abiding citizens’ daily lives.

The response from many commentators worried about maintaining privacy in the face of such an all-encompassing and powerful assault on civil liberties has largely been a wail of despair at the impossibility of it. After all, even your friends could all be NSA spies out to get you, and any attempt to even try and maintain your privacy is simply a ’tin hat’!

While it may be true that complete anonymity in the face of direct attention from the NSA might be nearly impossible, for most of us there are effective ways of obfuscating our online behaviour that make it very difficult and time consuming for anyone (the NSA included) to uncover what we are doing.

To recap, the main steps to avoid casual intrusion into your privacy are:

  • Always access the internet using VPN (one which keeps no logs and uses servers based outside the US). Alternatively, use Tor.
  • Never ‘log on’ to a search engine service you use, and disable all cookies for that service. Alternatively, use a secure search engine instead.
  • Be aware that most communications methods are open and monitored. If you want to keep communications secret, then use encryption.

Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+


11 responses to “The NSA Prism scandal and how VPN can and cannot help”

  1. It is Stupid, aka Egotistical, or Dumb, aka Being Conditioned, to merely believe that somehow but don’t know how, there is Truth/Benevolence, within UnTruth/Malevolence.

    For the likes of The Already Perfect and the self-certified Asses aspiring to Donkeyhood like “John”, aka The Number Oners, Nazis, Fascists, or even “Amerikans”, leave them be because when Energy Construction, aka The Unconditional, morphs into Energy Destruction, aka The Fully Conditioned, conditionally and “infinitely removing” those who are Good for More Than Everything Relative [because they are Good for Nothing Real] is what those who are Addicted to self-Damage will call Regret.

    This is because “Relativity”/”Relativism” is the state when one’s Reality is dependent on Another’s Reality, Existence being when Truth is able to become Love and thence Bliss in order to implement “Evolution”, said Evolution being when Cosmic Dust, which had ZERO Consciousness, are able to express “Divinity”. Afterall, without The Deliberation called The Periodic Table, there could be ZERO Asses, Donkeys, The Already Perfect, The Number Oners, Dem SupaDupa Spooks, etc., etc..

    Especially those who are able to change Complete Outfits within the confined space of some Telephone Booth before heading-off to destroy those pesky incoming “Russian Mafia” [MIRV-ed] IntaKontinetal Ballistic Missiles such that Humanity, Animals & Vegetation [aren’t they KUTE and NO, Eyes do not eat ’em] and The Material Cosmos would, once again, be saved. Phew ……

  2. I have tried HMA but they’re not providing the best customer support, I had to wait way too much. Their dialer is tricky. I prefer purevpn: reasonable, good for streaming and they don’t keep logs.

  3. Just some thoughts:
    Imagine all the time being spent on collecting and reading data. That’s tax payers money unnecessarily spent. Doesn’t this present a problem for the lawmakers? For example, (lose the thought about intrusion for now….and ask yourselves) “Is there an employment procedure for these guys about time being wasted?” Whoops. If they are reading this, they will get this changed. Poor Granny who thinks her little messages to Timmy are safe. Poor little Timmy who wants to go to the 7 Eleven and buy an ice cream and decides to ring his pal on the way but is intercepted and for what? He happened to be a witness to a robbery. (Timmy is fictional by the way) What a crazy world we live in. Better for everyone to get off the grid. It would sure be healthier. But website owners would then have to have a bricks and mortar store. Is this so bad? People would talk to people again. Whoops, what does that mean? But shops’ rent is expensive these days. It depends on what local council you are in and how much they put up your commercial rates. By the way, local councils spy on your emails. Get off the grid. 🙂 Get to know your neighbours for security measures. Who are you living next door to?
    All the best to you all.

    1. Hi jason,

      Yes. I’m afraid VPN does not prevent websites you have signed into (with a real profile) from tracking you, but signing out of Facebook or YouTube (not just closing the browser tab) does stop tracking. Alternatively, browser extensions such as Disconnect or the EFF’s Privacy Badger prevent tracking, or you can use a separate browser just for accessing fb and YT (websites cannot track you across browsers).

  4. Thank you for some other fantastic post. The place else may anyone get that type of info
    in such an ideal method of writing? I’ve a presentation next week, and I am on the look for such information.

  5. Hello,

    I would just like to point something out that you might find interesting.
    I have a bit of insight into what you are talking about due to my job.
    I suggest you do a quick search for the term USSID SP0018 and get a general feel for that document. It might help you to understand why employees of the NSA and related military really cannot collect or query on US persons without serious repercussions.

    Why would workers in the NSA break federal law (become felons) and lose their job doing something like collecting on US persons when the FBI can do it legally? Just food for thought. The NSA is dedicated to collecting on foreign targets (ie terrorists in Afghanistan). The FBI is dedicated to collecting on domestic targets (ie suspected US criminals).

    1. Hi John,

      Well, the vast weight of evidence (courtesy mainly of Mr Snowden) points to the fact that regardless of USSID SP0018, the US Constitution, and sundry other US laws, the NSA et al. is spying on just about everything every US citizen (and everyone else) is doing online. You are of course entitled to believe what you like, but I for one do not share your blind confidence in US law (or the FBI’s good intentions)…

      1. John you are either employed by the nsa or suffer from quixotica idealista, a disease borne from naivete and fallacious logic. If X is Y, and Z is not Y, then X could neeevvveeerr be Z.

        If the NSA were to spy on our searches, they would be felons! HAHA, that’s rich. Yeah, I’m sure the local police chief would march on over to Mr. NSA and say: You sir, Mr. NSA, have violated the US constitution document USA001P011FUCKINGSTOPLOOKING, Article PRETTYPLEASE, line number 21:

        “boss of good guy shalt not look at good guy through peep hole….No matter what!
        -Yours truly,
        T.J…..G.W….Jimmy M. + The other shmucks who wrote the US Constitution.

        P.S. You better not look…..or…..or….or ELSE.

        P.P.S. I swear, you better not.

        Oh MY GOD! Will you please read a bit more, John boy. Figure shit out. For the love of god, figure your shit out!

        Mr. Crawford, your post was read and heeded. I am very appreciative of writings like this, as it has prompted me to immediately download DDGo. I am grateful for the knowledge you gave me, which only further cemented my need to be more covert….

  6. Most likely, by contacting you with this comment, I will be on the profile list of the NSA. It is every freedom loving American individual’s duty to revolt against Big Brother (NSA) to fight these STASI / KGB methods of spying on decent US citizens. Believe me, I know what it will lead to. I lived in communist East Germany.
    To fight these NSA-Stasis every citizen should use wording in their digital communication which will put them on the suspicious profile list, like bombing, assassination, infrastructure and other behavior, which now will put me on their list. Securing, inscriptions or purchasing with cash etc. only make you more suspicious. Every free American who believes in the Constitution should be on their profiling list.
    PS: The Berlin Wall (the largest jail in the world) was built to protect their citizens from the evil capitalists.
