In the last few weeks, there has been a lot of discussion about the NSA peeping on people's packets. A lot of folks are understandably freaked – who wants Uncle Sam going through their digital unmentionables? But as it turns out, the NSA isn't the only government agency getting up in everyone's business. A number of other countries have recently been found to be implementing wide-ranging, often largely unchecked surveillance of Internet and phone traffic. In the last few days, India, the UK, and Canada joined the list. But that's not it: Russia has been on the list of packet-peepers for years now, and Sweden’s FRA law has people equally twitchy, plus several other countries have been rumored to have their own surveillance systems with questionable levels of oversight.
In light of all this, people seem to be having one of two reactions: either sticking their fingers in their ears and humming to block out the news, or trying to do what they can to belatedly regain some sense of modesty. Because information is sparse (but then, when are leaked state secrets not?) and because a lot of this is fairly techie gobbledygook, there have been a number of unfortunately half-baked suggestions floating around. To help simplify this situation a bit, here's a list of things that are not quite as helpful as you might think:
- Using strange fonts
You’ve all heard of CAPTCHA, right? You know, that completely unreadable bit of text you have to decipher to sign up for new online accounts... The gist of it is that you’re reading text that would be difficult-to-impossible for a machine to read automatically. Except that CAPTCHA was busted years ago. Believing that using a CAPTCHA-esque font is useful betrays a misunderstanding of the nature of data transmission. (Though the afore-linked article does bring up an interesting idea – I picture a revival of the handwritten letter, written in Paintbrush, sent via email. Or maybe you could just fax your friends a photo of typewritten text? Super handy!)
- Sending mail via post
So if governments are tracking everything sent via phone and Internet, maybe we should all go old-timey and start sending things via post? No, sorry. They’re monitoring that too. Delivery and postal services track things too. That’s how they’re able to catch those people sending ricin-laced letters to public figures.
- Using encryption
If governments are snarfing your traffic, the best thing to do is to encrypt your transmissions, right? In a word, no. From a security perspective, encryption is absolutely a good idea. Do it on disk, do it in transit, in a boat, with a goat, in the rain, on a train – just encrypt it! But while it will help keep malicious individuals from stealing your password or credit card info, don’t think it will keep governments from gathering useful info on you. Encryption doesn’t block the gathering of metadata, which can be used to paint a very vivid picture about who you are, whom you associate with, where you are, what you’re up to, etc. Plus, if you’re using certain types of more unusual encryption, it may make you more likely to be targeted for surveillance.
- Removing the battery from your phone
Uh, well, if you remove the battery from your phone forever, this might work. But as soon as you put that battery back in, the tracking begins anew. If you really want to stay off the radar, you’d have to go all spy-movie and start using “burner” phones paid for in Bitcoins.
- Steering clear of US vendors
As you can see, the US is not the only country doing the snooping. And it may well turn out that several other as-yet-unknown countries are also snarfing traffic. You can get some additional measure of privacy by using lesser known software and services, or by adding privacy-related browser plugins, but that'll be better at protecting you from advertisers than from a sufficiently determined government entity.
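To make the metadata point from the "Using encryption" item concrete, here is an added example (not part of the original post) of what an on-path observer can tabulate from mail whose bodies are encrypted. The addresses, dates, and ciphertext stand-in are constructed for illustration, and the observer never needs a decryption key.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed sample traffic: the body is a stand-in for PGP ciphertext and
# every address and date below is made up for this example.
CIPHERTEXT = "-----BEGIN PGP MESSAGE-----\n(opaque ciphertext)\n-----END PGP MESSAGE-----\n"


def make_msg(sender, recipients, date):
    """Build a raw message whose body is encrypted but whose headers are not."""
    return (f"From: {sender}\nTo: {recipients}\nDate: {date}\n"
            f"Subject: (encrypted)\n\n{CIPHERTEXT}")


SAMPLE = [
    make_msg("alice@example.org", "bob@example.net",
             "Mon, 10 Jun 2013 23:41:00 +0000"),
    make_msg("alice@example.org", "bob@example.net, carol@example.com",
             "Tue, 11 Jun 2013 23:55:00 +0000"),
    make_msg("bob@example.net", "alice@example.org",
             "Wed, 12 Jun 2013 00:03:00 +0000"),
]


def observer_view(raw_messages):
    """Return what is readable from headers alone; the body is never touched."""
    pairs = Counter()  # (sender, recipient) -> message count: who talks to whom
    hours = Counter()  # hour of day (UTC) -> message count: when they are active
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg["From"])[1]
        hours[parsedate_to_datetime(msg["Date"]).hour] += 1
        for _, rcpt in getaddresses(msg.get_all("To", [])):
            pairs[(sender, rcpt)] += 1
    return pairs, hours


if __name__ == "__main__":
    pairs, hours = observer_view(SAMPLE)
    for (src, dst), count in pairs.most_common():
        print(f"{src} -> {dst}: {count} message(s)")
    print("active hours (UTC):", sorted(hours))
```
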
Having said all that, I’m now going to sit in the fetal position in a corner and rock quietly. I count myself among the security-industry people that have suddenly realized that our view of the state of online privacy was not sufficiently paranoid. And given that we already sounded like members of a tinfoil-hat brigade… But the thing is, as upsetting as this is, we're not powerless and we shouldn't just roll over and play dead.
Protecting your privacy, however you choose to do it, is a good thing. Aside from being a peaceful act of standing up for ourselves, it can also help keep you from harm by malware writers. And the more of us there are out there using privacy-protecting measures (especially encryption!), the more time-consuming and less cost-effective it will be for anyone to snarf data for any purpose. To me, that’s the best argument there is for taking steps to improve our privacy.
The single best thing you can do to protect your privacy from government surveillance is to contact your local politicians and register your displeasure at the level of unchecked surveillance that’s happening all over the world. It's no guarantee either, but the more individuals and government representatives who publicly object to this surveillance, the more likely we are to make lasting changes. In the US, a new privacy bill was announced this morning that aims to narrow the scope of existing orders that allow this surveillance, and add more oversight into new investigations. Hopefully this is a positive first step towards regaining protections for privacy.