Friday, August 29, 2014

Worried About Government Surveillance? Don't Be!

I've been hearing a lot of people complaining about the NSA lately. Many have suddenly become infatuated with the topic of privacy, and more annoyingly, self-proclaimed experts on the subject matter. I ask where was everyone when the Patriot Act was enacted? How about the Foreign Intelligence Surveillance Act (FISA) of 1978, and the Wiretap Act of 1968? The truth, I think, is that almost no one cared until the media hit everyone in the face with Edward Snowden's "revelations" in June 2013. While I do respect Snowden for his actions, he only confirmed what many had already suspected for a long time.

The majority of the people I know supposedly concerned about their (online) privacy are friends with me on Facebook. The irony here is like something out of a fairytale - they claim to be concerned about government surveillance, but knowingly and freely submit their personal details to a business that makes a large amount of money by selling and reselling that data (as well as willingly cooperating with law enforcement on occasion). Those that don't have a Facebook profile will still more often than not have an active email address with Google, Microsoft, or Yahoo. While Google and the others claim they value your privacy, you can rest assured each of them will bow down to a court order to at least some degree. I won't even begin to mention the immense amount of data that your Android-based smartphone and/or iPhone is known to collect and transmit [http://arstechnica.com/security/2014/07/undocumented-ios-functions-allow-monitoring-of-personal-data-expert-says/].

To hit a little closer to home, let's talk about your place of work or study. It's very likely that you have an email address with that organization, and also just as likely that you browse the web or otherwise utilize the internet from their location. Forget what's going on way upstream - think about what is immediately available to your local IT staff! As a remote systems administrator for quite a few companies, I can attest to the fact that I would quite easily be able to view all of the emails of all of the employers and employees if the situation ever arises - and without the individual(s) ever knowing. In addition, it's fairly trivial to intercept and read a large amount of HTTP traffic that either enters or egresses the premises. SSL/TLS (HTTPS) can make things somewhat more difficult, but is quite easily subverted when one has access to a particular organization's entire infrastructure. To add a note about unencrypted traffic, such traffic can very easily be intercepted (without anyone noticing) via the trivial process of ARP spoofing by anyone on almost any local network, anywhere.

The solution to all of this has multiple layers, and differs depending on who and how you ask. The popular suggestions include learning to use, and subsequently using PGP or GPG encryption when sending emails to others (preferably using a mail server that you have personally provisioned and configured). For web browsing, the popular recommendation is to browse material that you would like to keep private only from home, and perhaps to purchase a subscription to a foreign VPN service (or use Tor). Furthermore, if dealing with highly sensitive data, some will suggest not using Microsoft Windows or Mac OS X altogether (instead suggesting mostly open source alternatives like distributions built on top of the Linux kernel or FreeBSD). The problem with all of this is that, in most cases, it makes life significantly more difficult - and when something is difficult, most people are reluctant to do or use it. Assuming you take all of these precautions and more, you still have to deal with the problem of going outside... just think of all of the surveillance cameras you encounter each day!

One of the biggest problems that still remains is that of metadata. Whether you are calling a friend, emailing them, or otherwise communicating with them electronically, there is an entire class of data that describes the situation. Even if you are able to encrypt your entire conversation, the number you called, the time you called it, where you called it from, what phone number you called from, and the time you spent speaking with them all remains in plaintext on the cell tower indefinitely. [A fantastic talk by Matt Blaze at the HOPE X conference in New York City in July 2014 covered this subject pretty nicely.] Purchasing a VPN? You're leaving a trace that you purchased one with a particular provider - you had better hope that provider does not keep logs/cannot be compelled to submit evidence against you!

The good news is that the government/NSA is just not as worried about the individual as most would like to/been led to think. The NSA probably will not care that you posted something inflammatory against them (or anyone else for that matter) - but your employer and those close to you might. While the NSA has the current spotlight, never forget how much information you give to a multitude of other organizations. If you care about privacy, worry about that first!

1 comment:

  1. A few things: one, plenty of people have been against government surveillance since the PATRIOT Act and before, myself included. Further, even if we were too poorly informed or apathetic to complain back then, we still have a right to be upset now about new ways the government is invading our privacy. Finally, there is already a lot of evidence of NSA workers using ill-gotten information for illicit purposes, and more will almost certainly come as investigations continue (look up "sexint").

    Otherwise, this is pretty well written; I don't mean to be all negative.

    ReplyDelete