13

I'm highly uncomfortable with the recent news surrounding government snooping in the UK.

If we define a typical user to mean somebody who:

  1. Browses web sites such as BBC News and Stack Overflow
  2. Uses "web applications" like Twitter and Facebook
  3. Sends and receives email using something like Gmail or Hotmail
  4. (more advanced) Manages some kind of small personal server

What should that user be concerned about with regards this level of government interference? And what could that user do to improve their online privacy?

In terms of first steps, I have installed the EFF's HTTPS Everywhere extension and am considering encrypting my email sent via Gmail by following a guide like this, though I'm aware this is hardly a lot. I'm looking for the "best" trade-off between convenience and security, though obviously that is subjective.

alexmuller
  • 1,061
  • 1
  • 9
  • 13

5 Answers5

14

Unfortunately, HTTPS is about as good as it gets in a situation like this. Encryption will help you prevent someone from viewing your messages in transit, and HTTPS is the correct tool for that in this case. However, the real security hole here isn't transmission of data, it's who you're sending it to.

Whenever you visit BBC News or Stack Overflow, they obviously know that you visited them. You can hide who you actually are with Technologies like Tor, but having an account on a website will still allow them to keep track of you.

Twitter and Facebook, on the other hand, are going to leak information about you no matter what. In fact, that's the whole purpose of the two sites. Twitter and Facebook are frameworks communicating with others, and both of them favor making information available publicly instead of privately. Additionally, because they are bound by laws to cooperate with government agencies, even information that you ask to have stored privately can still be made "public." The moral of this story is this: if you give information to Facebook or Twitter, the government will also have access to that information regardless of how you transmit it to them. To only way to keep information private in this case is to stop using Facebook or Twitter, or at least cut back to only posting information that you are OK with anybody and everybody seeing.

In the case of managing a server, the trust is put on the company managing that server. If you have access to the hardware and software of the system, you can take some steps like Full Disk Encryption to prevent the management company from snooping on your data. Unless you can prevent the management company from physically accessing the machine while it is running, however, any data that is usually stored in RAM is not safe including Secret Keys. Again, the weak point is in the person you are sending the data to, not the method you are using to send the data.

The only real way to protect yourself in the case of a government entity snooping on you is to throw out all of your electronics and go live in the woods. Since that's not really a realistic or desirable solution, you are never going to be able to totally mitigate all the risk of your information being made available. HTTPS will probably take care of about 80% of the risk. Modern encryption is so strong that nobody except you and who you are talking to will be able to see the data being sent over an HTTPS connection. The last 20%, however, is filled with all the stuff that doesn't have an easy answer. The more you use Facebook, Twitter, GMail, etc, the more risk you will have.

TwentyMiles
  • 869
  • 5
  • 8
  • Nice, accurate and strictly to the point answer. +1 :) – tftd Apr 03 '12 at 23:19
  • Given that most small and medium users have a virtual server, is FDE a solution at all? – Legolas Apr 04 '12 at 06:25
  • FDE will help prevent sensitive data from being recovered from backups of the server or after the server has been powered off. As mentioned though, if your management company is in the business of scanning your memory while the system is running, you're pretty much screwed no matter how you look at it. – TwentyMiles Apr 04 '12 at 16:47
3

Use Tor with additional safeguards along with Firefox browser with addons like No redirect, do not track, always https, etc. Having 100% privacy, anonymity and cyber security may not be possible. But if you use these methods, you may get 95% privacy and security.

And why are you presuming only government snoops? Take these precautions whenever you surf or deal online.

2

This depends on how paranoid you are. Seriously...

Operating system backdoors exist

OS X http://apple.slashdot.org/story/12/01/08/069204/leaked-memo-says-apple-provides-backdoor-to-governments

Windows http://newsworldwide.wordpress.com/2008/05/02/microsoft-discloses-government-backdoor-on-windows-operating-systems/

Wiretapping Internet Communications http://www.techdirt.com/articles/20100927/10481011183/feds-pushing-for-new-legally-required-wiretap-backdoor-to-all-internet-communications.shtml

In their defence, it to attempt to thwart attacks of botnets, organized crime and such.

Chances are that you just want to be as secure as you can be, being a law abiding citizen then just encrypt stuff that you want to keep private with a long passkey and keep several physical backups of the key and you should be fine. If you want ot keep everything ultra secure, download and verify the sourcecode to your favorite Linux distro and compile and install it, then encrypt everything as well.

As for as data "in motion" SFTP, FTPS, HTTPS, and SSL all offer some security as well.

I've configured VPN's between the locations that sensative data needs to be transferred and of course encrypt the data as well so it would be much harder to decipher to someone who might be sniffing the traffic.

For browsing the web, most users privacy concerns can be addressed by using something like HTTPS Everywhere, check out: https://www.eff.org/https-everywhere this will help prevent sidejacking attacks on the same network to your social media sites.

Brad
  • 849
  • 4
  • 7
0

Get a VPN account with a provider that keeps no logs and is based in a jurisdiction that has strong privacy laws. Route all your traffic through it. Then all that UK snoopers can see is that you're using the VPN.

Mike Scott
  • 10,118
  • 1
  • 27
  • 35
0

I think in your closing statement you hit the nail on the head. Balancing security and accessibility is extremely tough.

If you want complete control over your privacy, you should become a crypto expert and write all of the applications you use online. If that doesn't sound appealing, then just limit your exposure as best as you can. Does everyone on Facebook and Twitter really need to know what you're doing ALL the time?

When you post or do something online, it is there forever and someone who was the unintended recipient will have access to it. So don't do post anything if you aren't okay with that.

M15K
  • 1,182
  • 6
  • 7