Facebook Google Menu Linkedin lock Pinterest Search Twitter

Advertisement

United States

Jun 12, 2013

How to keep the NSA out of your email

What can you do to avoid the all-seeing eyes of the National Security Agency? Here are some tips, but the real answer is: not a whole lot.

User login status :

Share

hacking

The internet is awash today with handy click-magnet lists of software and tips to stop the National Security Agency spying on your online activities and phone calls after it was revealed the US spy agency had access to a vast amount of its citizens private data. This is not one of these lists. I’ll give you a list, sure, but then I’ll explain why it can only be the very, very beginning of your path to becoming the James Bond of your laughable fantasies.

Anyway here’s the list. Other handy hints can be found in Slate on Friday, The Washington Post, The Guardian and others.

  • Examine the privacy and security settings of every piece of software that you use. Methodically. Turn off everything that isn’t vital.
  • Encrypt your email. On the public internet, your communications passes through computers over which you have no control, and from which you can be monitored trivially. Use the commercial PGP software or the free GPG. It’s not a click-to-install, but there are tutorials for Windows and for Mac. Obviously everyone you email will need to use it, too.
  • Install privacy-protecting web browser and chat plug-ins, as detailed in the articles I linked to.
  • Use Tor to hide your internet protocol (IP) address. It bounces your data traffic all over the internet, making you harder to track (but not impossible).
  • Encrypt everything. Turn on the encryption tools on your computer and smartphone, so that the data can’t be recovered if they’re stolen. Encrypt your backups, too. Don’t upload anything to an online service without encrypting it first.
  • Check out Silent Circle, which offers encrypted end-to-end communication. Its servers are in Canada, where the US government can’t hit them with a warrant. (Disclosure: I’ve been drinking with Silent Circle’s chief technology officer.)
  • Always work on a software “virtual computer” that runs on your actual computer. Even if you have the best anti-malware (anti-virus and the rest) protection, a unique piece of malware that’ll pass straight through your defences costs just $250 on the black market. Delete your potentially infected virtual computer at the end of every session online and start again with a fresh one.
  • Remove your phone battery when you’re not using it, so your location can’t be tracked.

And so on.

The key problem with all of that? Imagining that security can be fixed by sprinkling some “magic security dust” technology, as infosec megastar Bruce Schneier puts it (he literally wrote a textbook on this, Applied Cryptography).

“Using encryption on the Internet is the equivalent of arranging an armoured car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.”

No matter how well you encrypt the “data in transit”, every communication has two endpoints. Those endpoints are the way in. In his subsequent book Secrets and Lies, Schneier quotes another security megastar, Gene Spafford, on the pointlessness of this focus on data in transit:

“Using encryption on the Internet is the equivalent of arranging an armoured car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.”

No matter how well you use tools like Tor, there will still be a record of your location somewhere. As American Civil Liberties Union chief technologist Chris Soghoian told the WaPo: “The laws of physics will not let you hide your location from the phone company.” And while Tor may help stop tracking via your web browsing, what about all the other software you use? And what about the people at the other end of your communication?

Even if you can’t be tracked constantly, the NSA doesn’t need much to identify you by cross-matching your movements with other records. Research has shown that fewer than a dozen time-and-location data points will do the job. Similarly, everyone has a unique pattern of communication with friends, family and colleagues.

So here’s a better list:

  • Learn about security. Not from the popular press, but from experts. Start with Schneier’s books Secrets and Lies and Beyond Fear, and then follow some the security blogs written by actual security experts.
  • Learn about who you’re up against. Start with the books by James Bamford, including The Puzzle Palace, Body of Secrets and The Shadow Factory, and work out from there.
  • Plan your defensive strategy. Publishing material anonymously but where it’s exposed is a different scenario from setting up hidden communications among a small group.
  • Switch to an open source operating system such as Linux. With Microsoft, Apple and Google’s operating systems, you’re relying on software that someone else has compiled. You’ve no idea what’s really inside. With open source software, you can look at the program source code and compile it yourself so you know it doesn’t contain any spyware or back doors.
  • Use only open source application programs too. Again, you need to reassure yourself that the software is safe to use.
  • Learn programming and systems administration. Otherwise you won’t be able to read that program source code, and surely you can’t trust someone else to maintain your technology.
  • Use “burner” phones and computers, just like on The Wire. Phones have unique IDs, as does much of the software on computers. Using the same device will quickly build a unique pattern.
  • Never buy anything on the internet. The global banking system logs everything, and they’re already looking for patterns that indicate crime and terrorist activities.
  • Never publish anything online. Everyone has a unique writing style. If you’re posting political rants anonymously, they can still be matched with what you’ve published under your own name. Consider hiring a ghost writer. Then kill the ghost writer.
  • Actually, never do anything anywhere. Who knows what data traces you’ll leave behind and how easily that might be analysed by the spooks?
  • Make sure that everyone and every company you ever communicate does all of this, too. Who knows what they log? Better kill them all too, and burn their offices.
  • Invent a time machine and use it. Because you’ve already failed to follow this list and your digital fingerprints are smeared all over the internet. They’re coming for you right now.

So you thought you could go up against the NSA — an organisation with an annual budget of maybe $8 billion, a 60-year heritage of developing secret high-tech snooping gear and vast supercomputers and tens of thousands of best-and-brightest employees, including the world’s largest collection of actual mathematicians — armed with nothing more than a list of tips from the Huffington Post and an adrenalin rush? Well done.

Stilgherrian —

Stilgherrian

Technology writer and broadcaster

Get a free trial to post comments
More from Stilgherrian

Advertisement

We recommend

From around the web

Powered by Taboola

9 comments

Leave a comment

9 thoughts on “How to keep the NSA out of your email

Leave a comment