Posted 8 months ago on July 10, 2013, 10:15 a.m. EST by LeoYo
This content is user submitted and not an official statement
So, You Want to Hide from the NSA? Your Guide to the Nearly Impossible
Philip Bump22 hours agoTechnology & ElectronicsInternetFacebookNational Security Agency
Complaining about the government is a key part of being American, the first amendment to the Constitution. But it seems like a bit of a trickier proposition these days, with the government listening to everything you say online. In the interest of preserving your freedoms and bolstering our fair nation, here is the full articulation of the deeply paranoid and complex life you must live in order to assure that the government leaves you alone.
Before we begin, we'll note that technically the NSA isn't allowed to look at the stuff you do online. Thanks to the Patriot Act, it can (and does) store the metadata on phone calls Americans make every day—who was called, how long the call lasted, maybe some location data. The NSA also pulls in online content, but can't do so legally on targets in the United States. This is part of the PRISM program you may have heard about, in which the NSA can access data from an array of companies in near-real-time. In practice, the NSA's procedures are sufficiently lax that it does collect information (content) from Americans, of course. And until 2011, it collected metadata on emails, including subject lines and to- and from-addresses.
That is the worst case scenario. Yes, the NSA is definitely slurping up scads of information about your phone calls. It probably isn't storing your Facebook chats, emails, and Skype calls. Our goal with this guide is to detail exactly what you need to do to assure that it can't, even if it wants to. As you will see, it is a cumbersome process. For assistance in fleshing out this guide, we spoke with Micah Lee, staff technologist with the Electronic Frontier Foundation.
The world learned about PRISM thanks to a series of slides leaked by Edward Snowden. Among those slides was one where, you can see the companies that participate in the program but also the data they offer the NSA, if the agency asks. Microsoft, Google, Yahoo (complete with trademark exclamation point), Facebook, YouTube, Skype, AOL, Apple. All of the logos smushed into the header of the slide. And all of the companies to be avoided if you don't want any chance that the NSA can surveil what you're doing.
Again: We are not saying that you should not use Facebook. What we are saying is that if you are desperate to prevent the NSA from knowing what you're doing, you shouldn't use Facebook. And there's nothing you can do to make using Facebook better—no encryption, no anything can make Facebook safe from the NSA. (We'll discuss this more a little later on.)
But it gets worse. These are the companies known to be participating in PRISM as of last October (when Apple was added). Since then, others may have been added; others may be added in the future. The truly paranoid, then, will have second thoughts about nearly any major Internet company.
And then it gets worse still, as Lee pointed out. "Any company that's inside of U.S. jurisdiction," he said, "can get government requests for data. Even if they're not listed in the PRISM slides, that doesn't mean the government isn't getting data from them." If the NSA wants your data, in other words, it can probably get it. It just might not be in real-time.
(There is some hope: Montana recently passed a bill that requires the governent to btain a probable cause warrant before spying on you through your cell phone or laptop. As Alexander Abad-Santos writes, "if you don't want the government to spy on you, move to Montana." Montana might be the safest state from cyber-spying in the nation, as it is the first to pass a comprehensive anti-spying bill, doing so even before the Edward Snowden saga broke out.)
Before we continue, we should flesh out an important distinction. When you think of an email, what you generally think of is the content of the email, the message. In order for that message to get to you, though, the email also needs to contain metadata, a term loosely-and-not-entirely-accurately used to refer to information about the email message itself. For example: who it is addressed to, who it came from, what its subject is. (We have gone deeper into this before.)
That distinction is important because email operates like a letter sent through the post office. A letter, sealed in an envelope, can be hidden from the mailman. But the mailman needs to be able to read the address, or your letter won't get there. In this case, the metadata is what appears on the envelope; the content is the letter.
So there is a good way to hide the content of your email messages. A tool called PGP (short for "Pretty Good Privacy"), created by a man named Philip Zimmerman, offers a way to encrypt (encode) email messages between two parties using what's know as peer-to-peer encryption. That's an important property. It means that person A encoded the message and only person B is able to decode it. So as the envelope moves around the web, you can be sure it stays sealed until it gets where it's going. (How PGP actually works isn't important for our purposes. In short: It involves doing a math problem involving two very, very large numbers.)
How do you get PGP? PGP as a brand is now owned by Symantec, so you can give them your money and they will set you up. But there are also open source implementations of the technology. (If you're deeply knowledgeable about technology, you can establish your own PGP system—but if you can do this, we doubt you need a tutorial.) One such product is known as GPG (Gnu Privacy Guard), which comes in both Mac and Windows versions. This is not simple to implement, mind you, but the documentation is pretty thorough. That's the tradeoff on this stuff. You can use a packaged product like, say HushMail, a program that gives you a free email account that can send encrypted messages. But when you sign up, you'll see a little notice that the company will work with law enforcement if you're using your account for illegal activity. And in the past, the company has done exactly that when ordered to do so. Easy to use, but not a guaranteed protection against the NSA—as the site's security page makes clear.
So you've got your PGP up and running and you're all set, right? Nope. Lee explains why. "PGP protects the content of your email," he says. "Specifically: Just the body, not the subject line. Even without the content of the email, it still doesn't protect the metadata." As recently as two years ago, the government was scooping up all of that metadata, reading all of those envelopes. PGP can't help with that. So how do you protect yourself from having your metadata read?
One way is to use email servers that employ a system called STARTTLS. This is complicated, but if two email servers employ STARTTLS, even the metadata information on emails is encrypted. So the NSA could see two email servers communicating, but not the To and From addresses involved.
An easier way to hide your metadata is to restrict your email to one domain. As Lee explains, if you're sending an email from someone at privateemail.com to someone at privateemail.com, that message never goes out on the Internet. Meaning that the government can't watch it zip around and pick up the metadata. It's like leaving a note for your roommate—the mailman won't see that.
Unless the mailman kicks in your door/the NSA subpoenas your email provider. Or if your email provider already has an agreement with the government—GMail or Outlook, for example—it may be easier than that. How do you solve that problem? Run your own email server and don't send email over the Internet. Easier: send a letter. (Or maybe don't do that, either.)
The NSA also collects data on targeted individuals' web activity. To prevent them from snooping on your important web activity (if you're like us: reading The Atlantic Wire; looking at pictures of animals), you again need to worry about encryption.
In web browsers, that means using HTTPS. HTTP, hypertext transfer protocol, is the normal way content is shipped from a web server to your browser. HTTPS is the secure version of that, using encryption between the server and your browser, preventing those watching the traffic go past from seeing what's happening. The most important thing you can do, Lee suggests, is use HTTPS whenever possible. To that end, the EFF has a browser plug-in called HTTPS Everywhere, which will make web pages that support HTTPS use it by default.