What are the implications of NSA surveillance on the average internet user?

Question

It would appear as though the tinfoil hat-wearing were vindicated today, as news broke of the true scale of the U.S. government's surveillance of its citizens' online activities, conducted primarily through the NSA and seemingly beyond the realm of the law.

If the reports are to be believed, metadata about virtually every aspect of individuals' lives - phone records and geographic data, emails, web application login times and locations, credit card transactions - are being aggregated and subjected to 'big data' analysis.

The potential for abuse, especially in light of the recent IRS scandal and AP leak investigation, appears unlimited.

Knowing this, what steps can ordinary individuals take to safeguard themselves against the collection, and exposure, of such sensitive personal information?

I would start with greater adoption of PGP for emails, open source alternatives to web applications, and the use of VPNs. Are there any other (or better) steps that can be taken to minimize one's exposure to the surveillance dragnet?

Answer 1

Foreword: This problem isn't necessarily about governments. At the most general level, it's about online services giving their data about you (willingly or accidentally) to any third party. For the purposes of readability, I'll use the term "government" here, but understand that it could instead be replaced with any institution that a service provider has a compelling reason to cooperate with (or any institution the service could become totally compromised by -- the implications are reasonably similar). The advice below is generalizable to any case in which you want to use an external service while maintaining confidentiality against anyone who may have access to that service's data.

Now, to address the question itself:

...what steps can ordinary individuals take to safeguard themselves against the collection, and exposure, of such sensitive personal information?

If you don't want the government of any nation to have access to your data, don't put it on a data-storage service that might possibly collude with a government agency of that nation.

For our model, let's assume that some government has access to your data stored on particular major services at rest (as well as their server logs, possibly). If you're dealing with a service that does storage (Google Drive, email) then SSL will do absolutely nothing to help you: maybe a surveillance effort against you cannot see what you're storing as you're sending it over the wire, but they can see what you've stored once you've stored it.

Presumably, such a government could have access to the same data about you that Google or Microsoft or Apple has. Therefore, the problem of keeping information secret from surveillance reduces to the problem of keeping it secret from the service provider itself (i.e., Google, MS, Apple, etc.). Practically, I might offer the specific tips to reduce your risk of data exposure:

1. If there's some persistent information (i.e., a document) you don't want some government to see, don't let your service provider see it either. That means either use a service you absolutely trust (i.e., an installation of FengOffice or EtherPad that's running off your SheevaPlug at home (provided you trust the physical security of your home, of course)) or use encryption at rest -- i.e., encrypt your documents with a strong cipher before you send them to Google Drive (I might personally recommend AES, but see the discussion below in the comments).

   • In fact, this second strategy is exactly how "host-proof" Web applications work (also called "zero-knowledge" applications, but unrelated to the concept of zero-knowledge proofs). The server holds only encrypted data, and the client does encryption and decryption to read and write to the server.

2. For personal information that you don't need persistent access to, like your search history, you can probably prevent that information from being linked back to you personally by confusing the point of origin for each search using a VPN or onion routing like Tor.

I'm reminded of this xkcd:

:

Once a service has your data, it's impossible to control what that service does with it (or how well that service defends it). If you want control of your data, don't give it away. If you want to keep a secret, don't tell it to anyone. So long as the possibility of surveillance collusion or data compromise against a service is non-trivially high, do not expect your externally-stored data to be private from inspection by any government, even if you had expected that data to be generally private.

A separate question is whether there will be any significant actual impact to the average internet user from such information-gathering programs. It's impossible to say, at least in part because it's impossible to transparently audit the behavior of people involved in a secret information-collection program. In fact, there could be impact from such a program that would be impossible for the general public to recognize as impact from such a program.

In the case of NSA in particular, NSA is chartered to deal with foreign surveillance, so U.S. citizens are not generally targets for analysis, unless perhaps they happen to have a foreign national nearby in their social graph. The NSA publicly makes an effort not to collect information about U.S. citizens (though the degree to which this is followed in practice is impossible to verify, as discussed above).

Answer 2

Despite the media hype, the key thing here is not that the FBI/NSA/US Government was intercepting all phone calls, but that it was collecting all phone 'metadata' records which includes:

• Originating Phone Number
• Terminating Phone NUmber
• IMSI Number
• IMEI Number
• Trunk Identifier (which relates to the location)
• Telephone Calling Card numbers
• Time of the call
• Duration of the call
• Location information (possibly)

They can not, however, listen to your phone calls under this order.

Source: The Guardian, The Guardian, Wired

What can you do about this as an individual? Nothing, technically speaking. This information is not what you're communicating about, but who you're communicating with and from where. This information is not something that you control. The information the alphabet agencies wanted was 'metadata', meaning data that the telco providers generate/store on their own. As part of you using their service (and getting a useful service) this data is created.

If you are a citizen of the US, you can demand action from your government, support organizations like the EFF who work to protect your privacy and voice your feelings on the matter to your local representatives.

In a related, but older, news article from Germany a couple years ago, a German politician, Malte Spitz, sued to have German telecoms giant Deutsche Telekom hand over six months of his phone data that he then made available here. It's been plotted to a map and allows you to show where he was over the period of 6 months which gives you an idea of what this type of meta data can do.

Regarding PRISM specifically

Prism was a leak of documents detailing interception across a number of large online companies. This leak is separate, but related (as far as I understand) to the one above.

• Who is the data (apparently (as this is currently not 100% clear yet)) being collected from?

  • Microsoft (Lets assume Hotmail/Live/Bing and all other associated MS online services), Google, Yahoo!, Facebook, PalTalk, YouTube, Skype, AOL, Apple.

• What is actually being collected by PRISM?

  • Emails, Chat (voice and video), Videos, photos, stored data, VoIP, File Transfers, Video Conferences, Login metadata, social networking information and 'special requests' (which I assume to mean anything they can think of)

• What can I do to avoid my data being collected?

  • If you are concerned that your communications are being intercepted by this program there are several simple steps you can take.

  • Don't use any of the above mentioned providers. It's been common knowledge for a while now that emails over 180 days old can be accessed without a warrant, regardless of email provider. Naturally, if you're concerned about such things, encryption is the way to go. If you're getting a service for free, you're still paying with something. Usually that something is your meta-data. 'Secure', or at least privacy-friendly, alternatives to all the companies listed above exist and are easily found. For example, duckduckgo.com, PGP, TorMail, TOR, Linux, and Pidgin+OTR all assist in securing your communications (so that even if it is slurped up its unreadable).

The fact of the matter is this. You can try to always practice 'perfect' security (something which changes as new technologies emerge) but eventually, everyone is human and it's likely you'll mess up (forgetting to connect to a VPN for example). There're so many variables in staying hidden online that covering any specific aspect (like simple web browsing or just sending/receiving emails) is quite a complex task and requires a separate question dedicated in itself.

Answer 3

To add to the answer from @RoryAlsop I'd agree that you probably don't, as an average person, have a lot to worry about in terms of the PRISM/phone tapping by the NSA being used for it's intended purprose (anti-terrorism operations by the US gov.) as people's concept of security/privacy most of the time isn't too great.

There are other good reasons to be concerned about this though. Firstly if you work for a non-US corporate and put information relating to your job on peronsal e-mail /social networking, then could be a risk that the NSA would be able to intercept this and then may pass it to US corporates for commercial advantage. I have no specific proof that this is happening with PRISM but there have been cases of security agencies providing information to help corporates in the past, so not an unreasonable stretch.

Also I think there's a real risk of scope creep. Once the power exists and is used for one purpose other government agencies (perhaps less skilled in data analysis and less discerning in it's use) will start making use of the data. For example once the data gathering capabilities exist, if the FBI/CIA asked for the data would they be able to get it, then what about local law enforcement etc.

EDIT: It also looks like scope creep is already happening with this story talking about how other intelligence agencies including GCHQ have been making use of PRISM

One of the big risks about this kind of data mining (for me) is that someone mines the data and then comes to erroneous conclusions. For examples mining a list of people who have visited a site and using that as "evidence" of being involved in a crime. Anyone who knows about the modern Internet can see the problem with that approach, but not all law enforcement personnel have that level of training.

After all that, what can you do about it? Well the legal piece obviously of supporting the EFF and speaking to legal representatives about it.

Technically as @Dermike says you can look at things like ToR / VPNs for hiding traffic. A word of warning though is that the use of these services might be seen by government types as "having something to hide", so a bit catch 22 there. Apart from that don't use US based services if you're not in the US. Whilst there's no specific reason to believe that other governments don't do the same thing, the EU anyway does tend to have more protections for citizens personal information.

Edit Here's a page listing alternatives to products of compaies who were listed as participating in prism.

Answer 4

As someone who tracks people and their habits for a living, I will share a few observations about the average user.

Implications of the phone information collection initiative on the internet:

There will be a little more activity online worrying about privacy. The twitterverse will "explode" momentarily, but people will be aware of this as something going on in American government for about a week until it falls out of the mainstream media (where most people get their "news"). Then they'll stop talking about it. Most people who feel they are doing nothing wrong will feel they have nothing to worry about (most people are feeling people). Paranoid people will try to figure out how to hide things and [unknowingly] make themselves look more like people of interest. These are the people who think the government is always watching them, when in actuality the government is looking for patterns of usage that don't stick to the norm (so these people likely do pique interest, but they aren't ever really monitored because outside of a few similarities they will continue to act normally for themselves).

Successful, "Bad" people are much better at blending in with society than these people.

Will it gain anything for the government? Not really other than allowing them to be able to connect a few dots for communications in the past. (The information will be overwhelming.) Politically it will be more damaging (which is what I, myself think this is all about anyhow). If people were doing bad things on throw-away phones chances are (if those people are moderately smart) the phone with the bad-linked IMEI identifiers have been discarded, sold, or donated. It just makes the ignorantly "bad" people realize that they have to be better about their habits.

Knowing this, what steps can ordinary individuals take to safeguard themselves against the collection, and exposure, of such sensitive personal information?

Unfortunately statics are not on their side. Most "ordinary individuals" or average people don't have an intellect where they can begin to fathom what is possible with such numbers (identifiers). When they try to research it they can become really good at this one thing (if they have the luxury of focus), but they likely fail elsewhere and most of them are too busy to even worry about it because they have real-world problems going on. To the average American it will be one more thing that focuses on something other than what they feel they need. They'll likely see this as money being spent on something other than the necessities, which for them are going to be things like education, food, and public aid... things that above average (non-ordinary) people take for granted. Things that poor people fear losing because it is unfortunately out of their control.

Ordinary people might notice that there are fewer phone cards on the racks at big box retailers because of the spread of paranoia and because that's where they buy things.

Similar to what Rory Alsop was saying, most people will likely not be able to tell you the difference between their monitor and their computer (if they use a desktop) and they often think of electronic mobile devices as some little bit of magic or mysticism that works in some form or fashion they care not to know about. Or they consider them luxuries, gadgets, or toys. As long as it works, they are not concerned with the technology.

Overall security will increase, knowledgeable people will raise the bar; as always.

If you're in the know, then you likely know that there is nothing that you can do to stop this sort of thing from happening and go about living a normal "good" life. If you want to try and obfuscate all of your communications, or live off of the grid, you may feel more comfortable in mind, but I can tell you this is much harder. People are tracked everywhere they go.

Simple example:

Typical user buys a phone card at a big box retailer. They user their debit card (or some other traceable card). They go home and turn on their computer. They connect to the internet with a non-encrypted connection. They go onto Facebook, Twitter, Yahoo, or countless other sites where they receive numerous tracking cookies. Then they go onto the website where they re-up their phone by punching in the numbers from the card they purchased, or enter the numbers on the phone itself to add more minutes. They may use this phone to connect to their social media profile directly where they have downloaded a tracking app. The phones all have built-in tracking under the guise of "user protection." This phone number is in their public profiles on social media and provided on every marketing survey, job application, and form they complete. They are traceable and fairly consistent (until they lose a job or something of that nature). If they lose their phone (with their "life" on it), they will keep the same phone number.

How can you not be this person?

1. Use cash for all technology related purchases.
2. Do not register your purchase.
3. Wipe whatever OS is on the device and use an open-source OS as the host platform. Or use an OS like Knoppix if you would like not to leave any traces.
4. If you must run something like Windows, then run it under a VM. Activate but do not register it.
5. Prevent all communications with companies that track you. You can do this with firewall rules on a hardware firewall.
6. You can try to use something like TOR, but remember if they are monitoring your location, they are monitoring the location you are trying to reach because they have already figured out your pattern.
7. Stop using credit cards.
8. Stop providing your information freely on the web. (Domain registrations, Social Media, etc)
9. Stop linking your habits to your person online.
10. Be unpredictable.
11. Wipe things that need to be erased. No keeping cracked copies of anything on anything that can't be destroyed with a blow-torch or a lighter.
12. Think thumbdrives vs hard drives and SSDs.

Or better yet... unplug more often and stop worrying about it. Life is too short for this stuff.

Answer 5

@D3C4FF's answer hits the nail squarely on the head, however there is a further viewpoint regarding the average internet user:

The average internet user has no concept of privacy, other than "the government looking at my data is bad, mmmkay"

The average user shares far more information about themselves, deliberately, with the rest of the world than the 3-letter-acronym's used to be able to get using agents. (See this video for a not too far out view of reality)

If the average internet user was actually worried about this stuff, they would not use social networking sites, or a wide range of other sites either - but they aren't. They love to be able to do fun stuff, chat to people, share information etc.

So the implications are pretty much nil

Now this doesn't hold true for the tinfoil hatters, individuals who may be of high importance, criminals and other niche groups - but they aren't average...

Answer 6

It's Always Been an Issue, You Just Didn't Care

I'm not sure you need to worry that much more about it than you should have before. Keep in mind that what they are collecting are your operator's Call Data Records (or at leat a subset of that). You were already trusting a third-party with all that, and that was already a third-party I personally wouldn't have trusted with much of anything. They're mobile operators. They don't give you communications for free, just as Wi-Fi in airports very quickly stopped to be a free commodity, except if provided by shop where they expect you to buy coffee and cake (beware of what you're trusting that shop with as well, by the way, but that's a different topic).

(Note: I worked on developing tools to process call data records and other stuff for some major operators and phone manufacturers. And banks. It's shocking the stuff you'd assume to be done "the right way" and to be "secure" because it god-damn should be, but really isn't...)

Outcomes

Maybe it will push people towards using more secure communication systems. Sure, you can't bypass entirely your telecom operators. Or can you?

Your Data Plan is Your Friend

Users could resort to their data-plan for VoIP instead of using normal communications channels on their phone. Meaning preferring Skype, Google Hangouts, What's App or others over normal voice calls and SMS/MMS.

As long as you trust these to be encrypted in ways that are safe and not reversible, of course. You should prefer an open-source tool which provides more insights on what goes on under the covers, and provides strong encryption...

Decentralized Communications Using Your Phone's Embedded Wireless Technologies

I'm not aware of anything doing that right now (but there might be solutions already), but phones with embedded antennas for Wi-Fi or other wireless techs with decent ranges (or the ability to plug-in an external antenna with USB) could alrady lead up to some pretty interesting ways of communicating that would NOT need to connect to your operator's cell towers.

Think of it this way: with these, your phone can reach any phone that's within the local range of your chosen tech. Which can reach others. If that doesn't remind you of the swarm and DHT systems of some P2P networks...

This has awesome implications as you could have a decentralized communication system that doesn't rely on operators, is essentially anonymous AND secure, and could be used both in "civilized" areas to avoid costs or in "oppressed" areas to avoid censorship and tracking.

Of course, you only go as far as your mobile network would take you, and in remote areas that wouldn't be so great (say, keep your contract if you go trekking in the mountains...). But for the rest, with a few 6.8 billion activated mobile subscribers in 2013 and more coming up, you may be fine and able to reach preeetttyy far if you are in a big city and we set some VPN hubs in-between those...

Now, that would be pretty awesome. But that would take serious effort and community spirit to do without the big hairy hands of the greedy to try to steal the cake (or pass laws to make that illegal). I guess we could even use the same bands as for normal cellphone communications, however I'm pretty sure that's quite illegal, even if done in a non-disruptive manner.

Update 2014-04-02: And then there was OpenGarden's FireChat...

---

Then again, you'd still need to trust your handset and its OS to not be bugged. Darn.

Answer 7

If you want to hide your destination and the content of your communication (and help other people around the world hide theirs too*), have a look at 'The Onion Router' a.k.a. TOR.

It uses (mostly three) proxy-servers of your choice. Each doesn't know which server you want to connect to, but it's next neighbour. Given that not all proxy-servers are controlled by You-Know-Who it's not possible to know where the original request came from at the target. Also its not possible in between to know where your request is targeted at for only the next proxy in your line is known.

But don't take my word for it, see their description at https://www.torproject.org/

*) The more people use it for 'legitimate' surfing, the better people in e.g. Syria can deny they wanted to see forbidden stuff. When only ... say Nazi-propaganda is surfed to from TOR and nothing else, it's easy to tell what you looked at while using it.

Answer 8

There is a magazine about that type of security(especially against NSA and others). The Tech Active Series - The Hacker's Manual 2015. In the first chapter, it talks about Privacy; how to protect your privacy, how prevent agencies or black hats to track your data, open source alternatives for daily-use services, how to secure you smart-phone and encrypting your data. I advice you to read it carefully because there are some details that may surprise you.

For example:

• ...monitoring network activities is more efficient than attacking systems, so the NSA has programs that intercept consumer hardware, such as laptops and routers, and turns them into surveillance devices which can be turned on remotely
• ..Tor uses many relay nodes for privacy but there are uncorfimed reports that many exit nodes are run by government agencies
• ..how to use ZRTP to encrypt your phone calls
• .the NSA devotes considerable resources to infiltrate computers,handled by its TAO group. It's believed that TAO has a host of exploits can attack any PC..
• how to setup your own cloud to prevent tracking your data with OwnCloud
• how to use PGP encryption in your emails (it could be Gmail or Yahoo or any service)
• how to proxy your traffic and emails through JonDo
• encrypting plugins for instant messaging(Pidgin, Kopete) by OTR
• how to share secure files with http://www.securesha.re
• using Rasperry Pi for your own cloud and VPS service

I think there is no better teacher than suspicion in the security field. Don't trust anyone, me or that magazine, but at the same time don't trust google, facebook, dropbox or even tor. In that age, each individual can use his/her own tools, services, systems, although it may expensive for some of them;

privacy is priceless