Jun 12, 2013

How to keep the NSA out of your email

What can you do to avoid the all-seeing eyes of the National Security Agency? Here are some tips, but the real answer is: not a whole lot.

Stilgherrian — Technology writer and broadcaster




The internet is awash today with handy click-magnet lists of software and tips to stop the National Security Agency spying on your online activities and phone calls after it was revealed the US spy agency had access to a vast amount of its citizens' private data. This is not one of these lists. I'll give you a list, sure, but then I'll explain why it can only be the very, very beginning of your path to becoming the James Bond of your laughable fantasies. Anyway, here's the list. Other handy hints can be found in Slate on Friday, The Washington Post, The Guardian and others.
  • Examine the privacy and security settings of every piece of software that you use. Methodically. Turn off everything that isn't vital.
  • Encrypt your email. On the public internet, your communications pass through computers over which you have no control, and from which you can be monitored trivially. Use the commercial PGP software or the free GPG. It's not a click-to-install, but there are tutorials for Windows and for Mac. Obviously everyone you email will need to use it, too.
  • Install privacy-protecting web browser and chat plug-ins, as detailed in the articles I linked to.
  • Use Tor to hide your internet protocol (IP) address. It bounces your data traffic all over the internet, making you harder to track (but not impossible).
  • Encrypt everything. Turn on the encryption tools on your computer and smartphone, so that the data can't be recovered if they're stolen. Encrypt your backups, too. Don't upload anything to an online service without encrypting it first.
  • Check out Silent Circle, which offers encrypted end-to-end communication. Its servers are in Canada, where the US government can't hit them with a warrant. (Disclosure: I've been drinking with Silent Circle's chief technology officer.)
  • Always work on a software "virtual computer" that runs on your actual computer. Even if you have the best anti-malware (anti-virus and the rest) protection, a unique piece of malware that'll pass straight through your defences costs just $250 on the black market. Delete your potentially infected virtual computer at the end of every session online and start again with a fresh one.
  • Remove your phone battery when you're not using it, so your location can't be tracked.
And so on. The key problem with all of that? Imagining that security can be fixed by sprinkling some "magic security dust" technology, as infosec megastar Bruce Schneier puts it (he literally wrote a textbook on this, Applied Cryptography).
No matter how well you encrypt the "data in transit", every communication has two endpoints. Those endpoints are the way in. In his subsequent book Secrets and Lies, Schneier quotes another security megastar, Gene Spafford, on the pointlessness of this focus on data in transit:
"Using encryption on the Internet is the equivalent of arranging an armoured car to deliver credit card information from someone living in a cardboard box to someone living on a park bench."
No matter how well you use tools like Tor, there will still be a record of your location somewhere. As American Civil Liberties Union chief technologist Chris Soghoian told the WaPo: "The laws of physics will not let you hide your location from the phone company." And while Tor may help stop tracking via your web browsing, what about all the other software you use? And what about the people at the other end of your communication? Even if you can't be tracked constantly, the NSA doesn't need much to identify you by cross-matching your movements with other records. Research has shown that fewer than a dozen time-and-location data points will do the job. Similarly, everyone has a unique pattern of communication with friends, family and colleagues. So here's a better list:
  • Learn about security. Not from the popular press, but from experts. Start with Schneier's books Secrets and Lies and Beyond Fear, and then follow some of the security blogs written by actual security experts.
  • Learn about who you're up against. Start with the books by James Bamford, including The Puzzle Palace, Body of Secrets and The Shadow Factory, and work out from there.
  • Plan your defensive strategy. Publishing material anonymously but where it's exposed is a different scenario from setting up hidden communications among a small group.
  • Switch to an open source operating system such as Linux. With Microsoft, Apple and Google's operating systems, you're relying on software that someone else has compiled. You've no idea what's really inside. With open source software, you can look at the program source code and compile it yourself so you know it doesn't contain any spyware or back doors.
  • Use only open source application programs too. Again, you need to reassure yourself that the software is safe to use.
  • Learn programming and systems administration. Otherwise you won't be able to read that program source code, and surely you can't trust someone else to maintain your technology.
  • Use "burner" phones and computers, just like on The Wire. Phones have unique IDs, as does much of the software on computers. Using the same device will quickly build a unique pattern.
  • Never buy anything on the internet. The global banking system logs everything, and they're already looking for patterns that indicate crime and terrorist activities.
  • Never publish anything online. Everyone has a unique writing style. If you're posting political rants anonymously, they can still be matched with what you've published under your own name. Consider hiring a ghost writer. Then kill the ghost writer.
  • Actually, never do anything anywhere. Who knows what data traces you'll leave behind and how easily that might be analysed by the spooks?
  • Make sure that everyone and every company you ever communicate with does all of this, too. Who knows what they log? Better kill them all too, and burn their offices.
  • Invent a time machine and use it. Because you've already failed to follow this list and your digital fingerprints are smeared all over the internet. They're coming for you right now.
So you thought you could go up against the NSA -- an organisation with an annual budget of maybe $8 billion, a 60-year heritage of developing secret high-tech snooping gear and vast supercomputers and tens of thousands of best-and-brightest employees, including the world's largest collection of actual mathematicians -- armed with nothing more than a list of tips from the Huffington Post and an adrenalin rush? Well done.


9 thoughts on “How to keep the NSA out of your email”

  1. paddy

    Loved the rising crescendo of that second list.
    Finished off by a beautiful summary in the last para.

  2. Elwood Johnson

    This is all very defeatist. You can do something: you can let the government know that this kind of privacy invasion is not acceptable. Lobby for greater transparency of intelligence services and fight the government whenever they attempt to loosen the constraints on local intelligence gathering capabilities. If the government doesn’t listen, vote for a government that will.

    Of course as a foreigner using US services none of this will stop the NSA tracking your every online move even if you succeed in convincing Bob Carr to care. So assuming the local intelligence agencies aren’t feeding our data directly into the NSA databases, it’s probably a good time to be (or become) an Australian cloud service provider.

  3. robinw

    Yeah, we’re pissing in the wind if we think we can circumvent such surveillance with a VPN or TOR or anything else. I know that with a VPN that you have to get out of it before you send an email which has made me wonder if that is really because of the need to have the sender’s IP there in the meta data, not the IP the VPN provider has supplied you that session.

    The only way I think we can overcome this creeping corporate fascism masked as governmental is to keep pressuring those meant to represent us to ensure that both the laws and the oversight are there in their fullest extent.

  4. Thomas McLoughlin

    I still like the list that makes the NSA bored with your email – via Gandhi – be open about your cause and be non violent. That still leaves a lifetime of activity to pursue.

  5. Mark out West

    The Americans love their Tech and are not interested in negotiating with anybody on anything cause they have the best SH*T.

    An Australian military adviser in Afghanistan (sorry can’t remember his name) stated that the Americans spent more on their brass bands than on military intelligence and building relationships.

    A French diplomat stated that he would start negotiating with Taliban, the next thing a drone would wipe them out, so there is no negotiation and it is now a fight to the death.

    The yanks treat their military like rock stars, they love love their SH*T.

    The chance of being blown up in America by a terrorist is smaller than being killed by bees.
    America will spend 20 billion dollars to ensure against this and in the process their citizens will become the most watched people on the planet.

    Could you imagine the hyperbole if this story was about the Chinese or Russians?

    Have I said, “the Americans love their SH*T cause they have the Best SH*T, they can even blow people up anywhere in the world via video games in the US, gotta love their SH*T.”

  6. Kfix

    Nice one Stil. I’ll second paddy – that list is almost poetic.

  7. TomM

    Or you could go off the grid John Connor (Terminator) style…and wait for SkyNet to startup (maybe the long lost son of PRISM?;)

  8. Dogs breakfast

    Beautiful work, Stilgherrian. Your only defence here is to never do, say or think anything remotely controversial.

    I now pay cash wherever I can for the sheer thrill of knowing that they don’t know who bought their stuff, or pay cash for one of those internet credit cards with a loaded value.

    Pathetic? Hey, I resemble that remark. 🙂
