163

It would appear as though the tinfoil hat-wearing were vindicated today, as news broke of the true scale of the U.S. government's surveillance of its citizens' online activities, conducted primarily through the NSA and seemingly beyond the realm of the law.

If the reports are to be believed, metadata about virtually every aspect of individuals' lives - phone records and geographic data, emails, web application login times and locations, credit card transactions - are being aggregated and subjected to 'big data' analysis.

The potential for abuse, especially in light of the recent IRS scandal and AP leak investigation, appears unlimited.

Knowing this, what steps can ordinary individuals take to safeguard themselves against the collection, and exposure, of such sensitive personal information?

I would start with greater adoption of PGP for emails, open source alternatives to web applications, and the use of VPNs. Are there any other (or better) steps that can be taken to minimize one's exposure to the surveillance dragnet?

Deer Hunter
  • 5,327
  • 5
  • 34
  • 50
nitrl
  • 3,003
  • 4
  • 20
  • 23
  • If you use the Internet wisely such as not allowing non-SSL traffic to a site at all then there is nothing they can learn about your activity on that site except when you visited the site. – Monstieur Jun 07 '13 at 09:54
  • 5
    @Kurian Read the article! The whole point is that they have been collecting connection data (who visited when what — or rather, since this was about phone calls, who phoned who when). SSL wouldn't help with this. (Also, SSL doesn't make communications completely confidential, especially for voice where the timing of sending of packets tends to match speech patterns and can allow keyword recognition if not full decryption.) – Gilles 'SO- stop being evil' Jun 07 '13 at 10:10
  • 102
    It's our fault for not spotting [this question](http://imgur.com/hy8t3wy) sooner – jackweirdy Jun 07 '13 at 10:38
  • 2
    "especially in light of the recent IRS scandal and AP leak investigation, appears unlimited." This case is very different from the IRS scandal; that was very likely an isolated case that was almost universally condemned, including by Barack Obama. Those are tiny blips compared to what the NSA does. – olliezhu Jun 07 '13 at 16:41
  • 2
    Browsers really ought to verify SSL certificate thumbprints as added protection against Man-in-the-Middle interception of SSL traffic, since there's no reason to believe that the US Government can't ask (or force) Verisign for any SSL certificate they want and use it to intercept SSL traffic. Unless your browser notices the new certificate, you would never know. – Johnny Jun 07 '13 at 19:10
  • 1
    @Johnny that's the point of [Perspectives/Convergence](http://perspectives-project.org/) What it doesn't protect against (which could be likely depending on how willing the various companies named in the PRISM document are) is the NSA getting themselves a copy of the original Private Key, rather than issuing themselves a trusted fake certificate for their own key. – DerfK Jun 08 '13 at 04:05
  • 1
    I'm surprised this is considered news. We've had this since post war. Do you imagine governments have considered the world a safer place and just stopped(?) (not sure if rhetorical questions should have a question mark .. can't be bothered to look it up ..anyone?) http://en.wikipedia.org/wiki/ECHELON – Rich Jun 08 '13 at 00:31
  • 9
    FYI: it seems that tin foil hats actually make it [*easier* for the government to spy on you](http://web.archive.org/web/20130314181014/http://berkeley.intel-research.net/arahimi/helmet/). – detly Jun 08 '13 at 06:20
  • 6
    This is why your metadata is important: https://www.eff.org/deeplinks/2013/06/why-metadata-matters – NULLZ Jun 09 '13 at 12:41
  • But if they're doing what they say they're doing with Facebook which is almost ubiquitously SSL, they have to be getting the keys somehow. Maybe as a part of the FISA warrants? PRISM claims direct access to actual data. Not just metadata like the Verizon debacle. – Erik Reppen Jun 09 '13 at 20:32
  • Well there's prism, and there's this whole "upstream" thing where they've tapped the lines they've been talking about forever. Back during Bush IIRC: http://gizmodo.com/new-prism-slide-shows-nsa-taking-data-directly-from-com-512098544 – Erik Reppen Jun 10 '13 at 02:43
  • 2
    I upvoted this question so your rep would not be `666`. You're welcome. – Caleb Jun 10 '13 at 19:26

8 Answers

76

Foreword: This problem isn't necessarily about governments. At the most general level, it's about online services giving their data about you (willingly or accidentally) to any third party. For the purposes of readability, I'll use the term "government" here, but understand that it could instead be replaced with any institution that a service provider has a compelling reason to cooperate with (or any institution the service could become totally compromised by -- the implications are reasonably similar). The advice below is generalizable to any case in which you want to use an external service while maintaining confidentiality against anyone who may have access to that service's data.

Now, to address the question itself:

...what steps can ordinary individuals take to safeguard themselves against the collection, and exposure, of such sensitive personal information?

If you don't want the government of any nation to have access to your data, don't put it on a data-storage service that might possibly collude with a government agency of that nation.

For our model, let's assume that some government has access to your data stored on particular major services at rest (as well as their server logs, possibly). If you're dealing with a service that does storage (Google Drive, email) then SSL will do absolutely nothing to help you: maybe a surveillance effort against you cannot see what you're storing as you're sending it over the wire, but they can see what you've stored once you've stored it.

Presumably, such a government could have access to the same data about you that Google or Microsoft or Apple has. Therefore, the problem of keeping information secret from surveillance reduces to the problem of keeping it secret from the service provider itself (i.e., Google, MS, Apple, etc.). Practically, I might offer the specific tips to reduce your risk of data exposure:

  1. If there's some persistent information (i.e., a document) you don't want some government to see, don't let your service provider see it either. That means either use a service you absolutely trust (i.e., an installation of FengOffice or EtherPad that's running off your SheevaPlug at home (provided you trust the physical security of your home, of course)) or use encryption at rest -- i.e., encrypt your documents with a strong cipher before you send them to Google Drive (I might personally recommend AES, but see the discussion below in the comments).

    • In fact, this second strategy is exactly how "host-proof" Web applications work (also called "zero-knowledge" applications, but unrelated to the concept of zero-knowledge proofs). The server holds only encrypted data, and the client does encryption and decryption to read and write to the server.
  2. For personal information that you don't need persistent access to, like your search history, you can probably prevent that information from being linked back to you personally by confusing the point of origin for each search using a VPN or onion routing like Tor.

I'm reminded of this xkcd:

Once a service has your data, it's impossible to control what that service does with it (or how well that service defends it). If you want control of your data, don't give it away. If you want to keep a secret, don't tell it to anyone. So long as the possibility of surveillance collusion or data compromise against a service is non-trivially high, do not expect your externally-stored data to be private from inspection by any government, even if you had expected that data to be generally private.

A separate question is whether there will be any significant actual impact to the average internet user from such information-gathering programs. It's impossible to say, at least in part because it's impossible to transparently audit the behavior of people involved in a secret information-collection program. In fact, there could be impact from such a program that would be impossible for the general public to recognize as impact from such a program.

In the case of NSA in particular, NSA is chartered to deal with foreign surveillance, so U.S. citizens are not generally targets for analysis, unless perhaps they happen to have a foreign national nearby in their social graph. The NSA publicly makes an effort not to collect information about U.S. citizens (though the degree to which this is followed in practice is impossible to verify, as discussed above).

Phil
  • 309
  • 1
  • 3
  • 9
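
The "host-proof" pattern from the answer above (the client encrypts and decrypts, the provider stores only ciphertext), shown as an added example that is not part of the original answer. It uses Node.js's built-in `crypto` module with AES-256-GCM and scrypt; the function names, the blob layout and the sample data are assumptions made for illustration.

```javascript
'use strict';
// Added example (not from the original answer). sealDocument, openDocument,
// opaqueName and ProviderStore are hypothetical names; the blob layout is made up.
const crypto = require('crypto');

const MAGIC = Buffer.from('HP01'); // format tag, also authenticated as AAD
const SALT_LEN = 16, NONCE_LEN = 12, TAG_LEN = 16;
const HEADER_LEN = MAGIC.length + SALT_LEN + NONCE_LEN + TAG_LEN;
// scrypt needs about 128 * N * r = 32 MiB here; maxmem is raised so that
// Node's default limit does not reject these parameters.
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Stretch the passphrase into a 256-bit AES key; the salt is stored with the blob.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, SCRYPT);
}

// Client side, before upload: returns MAGIC | salt | nonce | tag | ciphertext.
function sealDocument(plaintext, passphrase) {
  const salt = crypto.randomBytes(SALT_LEN);
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh per document, never reused
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt),
    nonce, { authTagLength: TAG_LEN });
  cipher.setAAD(MAGIC);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([MAGIC, salt, nonce, cipher.getAuthTag(), body]);
}

// Client side, after download: throws if the blob was altered or the key is wrong.
function openDocument(blob, passphrase) {
  if (blob.length < HEADER_LEN || !blob.subarray(0, MAGIC.length).equals(MAGIC)) {
    throw new Error('not a sealed document');
  }
  const saltEnd = MAGIC.length + SALT_LEN;
  const nonceEnd = saltEnd + NONCE_LEN;
  const salt = blob.subarray(MAGIC.length, saltEnd);
  const nonce = blob.subarray(saltEnd, nonceEnd);
  const tag = blob.subarray(nonceEnd, HEADER_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt),
    nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(MAGIC);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(HEADER_LEN)), decipher.final()]);
}

// File names are metadata too: upload under a keyed hash instead of the real name.
function opaqueName(fileName, nameKey) {
  return crypto.createHmac('sha256', nameKey).update(fileName).digest('hex').slice(0, 32);
}

// Stand-in for the storage provider: it holds object names and opaque bytes only.
class ProviderStore {
  constructor() { this.objects = new Map(); }
  put(name, bytes) { this.objects.set(name, Buffer.from(bytes)); }
  get(name) { return Buffer.from(this.objects.get(name)); }
}

// Returns the plaintext, or null when authentication fails.
function tryOpen(blob, passphrase) {
  try { return openDocument(blob, passphrase); } catch (err) { return null; }
}

function demo() {
  const passphrase = 'correct horse battery staple';           // constructed sample
  const nameKey = crypto.randomBytes(32);                       // stays on the client
  const doc = Buffer.from('Draft letter to my lawyer, 7 June'); // constructed sample
  const store = new ProviderStore();

  const name = opaqueName('letter.txt', nameKey);
  store.put(name, sealDocument(doc, passphrase));

  const stored = store.get(name);
  const tampered = Buffer.from(stored);
  tampered[tampered.length - 1] ^= 0x01; // one bit changed while stored remotely

  return {
    providerSeesPlaintext: stored.includes(doc) || name.includes('letter'),
    overheadBytes: stored.length - doc.length,
    roundTrip: openDocument(stored, passphrase).toString(),
    tamperedOpens: tryOpen(tampered, passphrase) !== null,
    wrongPassphraseOpens: tryOpen(stored, 'password123') !== null,
  };
}

console.log(demo());
```

Encryption at rest hides content only: the provider still learns object sizes, upload times and the connecting address, which is the kind of metadata the rest of this thread discusses.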
  • 1
    Would be v. funny if it turns out that PRISM data were used during the campaign... – Deer Hunter Jun 07 '13 at 16:19
  • 18
    You make a statement about using AES for encryption before putting files in the cloud. This algorithm is approved by NIST & NSA. As they've shown they can't be trusted and I wouldn't be surprised if they have non public domain knowledge/attacks against it that make it easier to decrypt the data. If we look at the design of DES, the NSA knew about differential cryptanalysis **15 years** before anyone else figured it out. It's safe to assume they are still much more advanced than the general public and we shouldn't just use their "approved" algorithms because they say they can't break it. – zuallauz Jun 09 '13 at 10:51
  • 6
    It's important to note that all of the major companies listed here have denied giving the NSA access to "irregular" amounts of their data. These companies have been handing over data to various government agencies for years. PRISM is apparently just a program to make the transfer and request of data smoother and more secure. –  Jun 09 '13 at 11:20
  • Perhaps I wasn't clear, (or perhaps because the phone metadata story broke first it was therefore on everyone's minds,) but your response specifically addressed PRISM, and the countermeasures that can be taken to avoid (minimize) one's exposure. – nitrl Jun 09 '13 at 23:56
  • There's actually more than two stories. E.g. story about IRS considering every mailbox public information not requiring a warrant: http://www.aclu.org/blog/technology-and-liberty-national-security/new-documents-suggest-irs-reads-emails-without-warrant – StasM Jun 10 '13 at 00:31
  • 7
    Another relevant xkcd: http://xkcd.com/908/ – Mikey Jun 10 '13 at 02:55
  • 6
    @zuallauz A couple reasons why I think it is unlikely that the NSA has some sort of backdoor/attack against AES. The NSA did know about differential attacks against DES, but decided to design the S-Boxes in a way that makes them even more secure. And, those were very different times. Not many people did research in cryptography outside of the intelligence community and they had a massive advantage. Since the 90s and the ascend of the internet, cryptography has become important in many commercial enterprises and now there is a lot of funding outside of secret services. – Lucas Jun 10 '13 at 07:04
  • @Lucas, it's interesting to note that [Bruce Schneier recommends doubling the number of rounds for AES](http://www.schneier.com/blog/archives/2011/08/new_attack_on_a_1.html) in order to increase the "safety margins" ie AES-256 at 28 rounds. You didn't see that sort of advice coming out of the NSA when there were attacks on it. In fact if I was wanting to have some level of confidence of privacy from the NSA I'd use a combination of AES, Twofish and Serpent like TrueCrypt can do, or maybe start using some of the newer algorithms like Threefish which can do a 512-bit and 1024-bit block cipher. – zuallauz Jun 10 '13 at 10:49
  • @zuallauz That is an interesting post by Bruce Schneier, but the quote doesn't refer to any backdoor in the AES algorithm but is mostly a consequence of the poor key scheduler. In fact [Bruce Schneier has a sensible position](http://www.schneier.com/blog/archives/2012/03/can_the_nsa_bre.html): " can the NSA break AES? My guess is that they can't. That is, they don't have a cryptanalytic attack against the AES algorithm that allows them to recover a key from known or chosen ciphertext with a reasonable time and memory complexity." Sidechannel attacks and weak password are the problem, not AES. – Lucas Jun 10 '13 at 11:24
  • so to avoid US Government, you'd use tool created by US Navy? How ironic ;-) As for effect on average user, if TSA abuses its power to rob luggage of valuables, it's not hard to imagine, that some rouge NSA employee would abuse system to steal let's say credit card numbers. – vartec Jun 10 '13 at 14:31
  • 3
    @vartec - you seriously underestimate the checks in place - the difference between TSA and NSA is much more than one letter. What is worrisome is not a wiretap-empowered individual's penchant for abuse but rather the ability of top government officials (I'm talking about Executive Office level, or assistant deputy secretaries) to subvert the system and exploit collected data for **political purposes** (instead of hunting national security threats). – Deer Hunter Jun 10 '13 at 19:18
  • 2
    @vartec - I also suppose you meant rogue, not rouge :) (although [NSA employees are known to have used the latter in the past](https://en.wikipedia.org/wiki/Martin_and_Mitchell_defection)). – Deer Hunter Jun 10 '13 at 19:21
  • @DeerHunter: I'm not worried about new Watergate, because as you say, there are safeguards, I'm worried about some underpaid low-level employee having access, and not even to the whole system, but just to small part of it. – vartec Jun 10 '13 at 20:15
  • 5
    @DeerHunter, I would go steps farther in paranoia worrying how the data can be misused. The Occupy Wall Street protesters were called terrorists more than once. What stops the police from asking the NSA for data identifying them? "Terrorist" has become the root password to pwning the Constitution, even though there is nothing in the Constitution about it. This data is flat out dangerous to all of us. If they want to collect it, they can get FISA to issue a warrant first - I'm fine with that. But this drift-net approach? Seriously dangerous. – John Deters Jun 19 '13 at 21:40
52

Despite the media hype, the key thing here is not that the FBI/NSA/US Government was intercepting all phone calls, but that it was collecting all phone 'metadata' records which includes:

  • Originating Phone Number
  • Terminating Phone Number
  • IMSI Number
  • IMEI Number
  • Trunk Identifier (which relates to the location)
  • Telephone Calling Card numbers
  • Time of the call
  • Duration of the call
  • Location information (possibly)

They can not, however, listen to your phone calls under this order.

Source: The Guardian, The Guardian, Wired

What can you do about this as an individual? Nothing, technically speaking. This information is not what you're communicating about, but who you're communicating with and from where. This information is not something that you control. The information the alphabet agencies wanted was 'metadata', meaning data that the telco providers generate/store on their own. As part of you using their service (and getting a useful service) this data is created.

If you are a citizen of the US, you can demand action from your government, support organizations like the EFF who work to protect your privacy and voice your feelings on the matter to your local representatives.

In a related, but older, news article from Germany a couple years ago, a German politician, Malte Spitz, sued to have German telecoms giant Deutsche Telekom hand over six months of his phone data that he then made available here. It's been plotted to a map and allows you to show where he was over the period of 6 months which gives you an idea of what this type of meta data can do.

Regarding PRISM specifically

Prism was a leak of documents detailing interception across a number of large online companies. This leak is separate, but related (as far as I understand) to the one above.

  • Who is the data (apparently (as this is currently not 100% clear yet)) being collected from?

    • Microsoft (Let's assume Hotmail/Live/Bing and all other associated MS online services), Google, Yahoo!, Facebook, PalTalk, YouTube, Skype, AOL, Apple.
  • What is actually being collected by PRISM?

    • Emails, Chat (voice and video), Videos, photos, stored data, VoIP, File Transfers, Video Conferences, Login metadata, social networking information and 'special requests' (which I assume to mean anything they can think of)
  • What can I do to avoid my data being collected?

    • If you are concerned that your communications are being intercepted by this program there are several simple steps you can take.

    • Don't use any of the above mentioned providers. It's been common knowledge for a while now that emails over 180 days old can be accessed without a warrant, regardless of email provider. Naturally, if you're concerned about such things, encryption is the way to go. If you're getting a service for free, you're still paying with something. Usually that something is your meta-data. 'Secure', or at least privacy-friendly, alternatives to all the companies listed above exist and are easily found. For example, duckduckgo.com, PGP, TorMail, TOR, Linux, and Pidgin+OTR all assist in securing your communications (so that even if it is slurped up it's unreadable).

The fact of the matter is this. You can try to always practice 'perfect' security (something which changes as new technologies emerge) but eventually, everyone is human and it's likely you'll mess up (forgetting to connect to a VPN for example). There're so many variables in staying hidden online that covering any specific aspect (like simple web browsing or just sending/receiving emails) is quite a complex task and requires a separate question dedicated in itself.

NULLZ
  • 11,446
  • 18
  • 80
  • 111
  • 31
    *"They can not however listen to your phone calls under this order"* - Er, except they can and they are. This isn't anything new to anyone who follows security news, as it's been brought up in the media time-and-time again. See for example [here](http://www.schneier.com/blog/archives/2008/09/nsa_snooping_on.html) or [here](http://www.schneier.com/blog/archives/2005/12/nsa_and_bushs_i.html) or [here](http://www.schneier.com/blog/archives/2006/05/nsa_creating_ma.html) or [here](http://www.aclu.org/national-security/eavesdropping-101-what-can-nsa-do)... – BlueRaja - Danny Pflughoeft Jun 07 '13 at 10:07
  • 3
    Also, the NSA is [not the only department doing this](http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act); IANAL, but as I understand it, they used to require a warrant to listen in on phone conversations, but [not anymore](http://en.wikipedia.org/wiki/Patriot_Act) *(please correct me if I'm wrong)*. – BlueRaja - Danny Pflughoeft Jun 07 '13 at 10:36
  • 9
    @BlueRaja-DannyPflughoeft Actually, that's **Related** but not what the recent news is in regards to. The 'illegal' wiretaps are old news and the **specific 'leak'/order** described in question (and my answer) here is VERY specific in that it **ONLY** covers metadata. This is not just the NSA but also the FBI. – NULLZ Jun 07 '13 at 11:32
  • 21
    Updated comment: Your answer only covers the phone metadata which, I assume is irrelevant to the question (which explicitly mentions *internet* surveillance and *internet* security measures): Through project Prism, NSA also gets routine access to the servers and communications of most big IT companies. This implies that they can, for instance, listen in on all Skype calls, and read all emails (the latter is not a big thing actually, agencies have been doing this – semi-legally – for ages). Your answer is a huge red herring. – Konrad Rudolph Jun 07 '13 at 13:12
  • 1
    @BlueRaja-DannyPflughoeft You're just plain wrong. The answer is correct and was cited months ago on the NSA's whitepaper reports. They still can't listen to your phone calls without court order and they aren't targeting the average person anyway. They are simply collecting this data to gain information on people like "foreign informants" and the like. This has nothing to do with busting up your Pot Parties or tracking your calls to local gun shop. The media hype is meant to keep America paranoid because "fear rules". You really think this would be in the news if they wanted it hidden? – SpYk3HH Jun 07 '13 at 14:21
  • 3
    cleaning up some of the unconstructive stuff - for chats, visit [chat] – Rory Alsop Jun 07 '13 at 15:39
  • 13
    -1: this answer is completely unrelated to the question. Question is about the PRISM. – vartec Jun 07 '13 at 22:11
  • 10
    I'm astonished that this answer got so many votes since the PRISM program (about internet security) isn't mentioned – Jim B Jun 08 '13 at 03:48
  • 1
    It should be pointed out that anyone who is not an American citizen and who is also using services by these companies (e.g. Canadians, Brits, etc.) aren't subject to the same protections granted to American citizens. I think it's clear that the NSA, these companies, as well as the governments of other countries need to answer for all of these actions. Just because you don't have an American passport doesn't mean you aren't guaranteed a right to privacy for using an American product. – jmnwong Jun 09 '13 at 22:12
34

To add to the answer from @RoryAlsop I'd agree that you probably don't, as an average person, have a lot to worry about in terms of the PRISM/phone tapping by the NSA being used for its intended purpose (anti-terrorism operations by the US gov.) as people's concept of security/privacy most of the time isn't too great.

There are other good reasons to be concerned about this though. Firstly if you work for a non-US corporate and put information relating to your job on personal e-mail/social networking, then there could be a risk that the NSA would be able to intercept this and then may pass it to US corporates for commercial advantage. I have no specific proof that this is happening with PRISM but there have been cases of security agencies providing information to help corporates in the past, so not an unreasonable stretch.

Also I think there's a real risk of scope creep. Once the power exists and is used for one purpose other government agencies (perhaps less skilled in data analysis and less discerning in its use) will start making use of the data. For example once the data gathering capabilities exist, if the FBI/CIA asked for the data would they be able to get it, then what about local law enforcement etc.

EDIT: It also looks like scope creep is already happening with this story talking about how other intelligence agencies including GCHQ have been making use of PRISM

One of the big risks about this kind of data mining (for me) is that someone mines the data and then comes to erroneous conclusions. For example, mining a list of people who have visited a site and using that as "evidence" of being involved in a crime. Anyone who knows about the modern Internet can see the problem with that approach, but not all law enforcement personnel have that level of training.

After all that, what can you do about it? Well the legal piece obviously of supporting the EFF and speaking to legal representatives about it.

Technically as @Dermike says you can look at things like ToR / VPNs for hiding traffic. A word of warning though is that the use of these services might be seen by government types as "having something to hide", so a bit catch 22 there. Apart from that don't use US based services if you're not in the US. Whilst there's no specific reason to believe that other governments don't do the same thing, the EU anyway does tend to have more protections for citizens' personal information.

Edit Here's a page listing alternatives to products of companies who were listed as participating in prism.

Rory McCune
  • 61,541
  • 14
  • 140
  • 221
  • 5
    +1 Totally agree. To be honest it concerns me - especially the certain knowledge that the scope will creep. But I don't think any of us here count as average users of the Internet:-) – Rory Alsop Jun 07 '13 at 11:17
  • 1
    @FreshPrinceOfSO - http://meta.security.stackexchange.com/a/881/13820 – Deer Hunter Jun 07 '13 at 16:22
  • 7
    *"...the use of these services might be seen by government types as 'having something to hide', so a bit catch-22 there"* ...but, **innocent until proven guilty** right? *right?* Aw, crap. – Justin ᚅᚔᚈᚄᚒᚔ Jun 07 '13 at 16:24
  • **"...but not all law enforcement personnel have that level of training"** which is indicative of simply slower or a smaller scale adoption than the other trades. Eventually, that aspect will be an integral part of law enforcement training, for at least a subset of officers/agents. – JustinC Jun 08 '13 at 01:43
  • @RoryMcCune What do you mean `don't use US based services if you're not in the US` ? I would believe it means services like Facebook,Twitter and even BlackBerry. – R11G Jun 12 '13 at 03:41
  • 2
    @R11G well I was thinking that from what I've seen the NSA has restrictions on monitoring US citizens but none on non-US citizens, so if you're not a US citizen and you make use of any service either run by a US company or with servers hosted in the US (i.e. subject to US laws) there's a risk that your use of that service will be monitored. This would include Facebook, Google services, Microsoft services, Apple services, Blackberry I'm not sure about they're a Canadian company but will likely have servers in the US.. – Rory McCune Jun 12 '13 at 08:32
23

As someone who tracks people and their habits for a living, I will share a few observations about the average user.

Implications of the phone information collection initiative on the internet:

There will be a little more activity online worrying about privacy. The twitterverse will "explode" momentarily, but people will be aware of this as something going on in American government for about a week until it falls out of the mainstream media (where most people get their "news"). Then they'll stop talking about it. Most people who feel they are doing nothing wrong will feel they have nothing to worry about (most people are feeling people). Paranoid people will try to figure out how to hide things and [unknowingly] make themselves look more like people of interest. These are the people who think the government is always watching them, when in actuality the government is looking for patterns of usage that don't stick to the norm (so these people likely do pique interest, but they aren't ever really monitored because outside of a few similarities they will continue to act normally for themselves).

Successful, "Bad" people are much better at blending in with society than these people.

Will it gain anything for the government? Not really other than allowing them to be able to connect a few dots for communications in the past. (The information will be overwhelming.) Politically it will be more damaging (which is what I, myself think this is all about anyhow). If people were doing bad things on throw-away phones chances are (if those people are moderately smart) the phone with the bad-linked IMEI identifiers have been discarded, sold, or donated. It just makes the ignorantly "bad" people realize that they have to be better about their habits.

Knowing this, what steps can ordinary individuals take to safeguard themselves against the collection, and exposure, of such sensitive personal information?

Unfortunately statistics are not on their side. Most "ordinary individuals" or average people don't have an intellect where they can begin to fathom what is possible with such numbers (identifiers). When they try to research it they can become really good at this one thing (if they have the luxury of focus), but they likely fail elsewhere and most of them are too busy to even worry about it because they have real-world problems going on. To the average American it will be one more thing that focuses on something other than what they feel they need. They'll likely see this as money being spent on something other than the necessities, which for them are going to be things like education, food, and public aid... things that above average (non-ordinary) people take for granted. Things that poor people fear losing because it is unfortunately out of their control.

Ordinary people might notice that there are fewer phone cards on the racks at big box retailers because of the spread of paranoia and because that's where they buy things.

Similar to what Rory Alsop was saying, most people will likely not be able to tell you the difference between their monitor and their computer (if they use a desktop) and they often think of electronic mobile devices as some little bit of magic or mysticism that works in some form or fashion they care not to know about. Or they consider them luxuries, gadgets, or toys. As long as it works, they are not concerned with the technology.

Overall security will increase, knowledgeable people will raise the bar; as always.

If you're in the know, then you likely know that there is nothing that you can do to stop this sort of thing from happening and go about living a normal "good" life. If you want to try and obfuscate all of your communications, or live off of the grid, you may feel more comfortable in mind, but I can tell you this is much harder. People are tracked everywhere they go.

Simple example:

Typical user buys a phone card at a big box retailer. They use their debit card (or some other traceable card). They go home and turn on their computer. They connect to the internet with a non-encrypted connection. They go onto Facebook, Twitter, Yahoo, or countless other sites where they receive numerous tracking cookies. Then they go onto the website where they re-up their phone by punching in the numbers from the card they purchased, or enter the numbers on the phone itself to add more minutes. They may use this phone to connect to their social media profile directly where they have downloaded a tracking app. The phones all have built-in tracking under the guise of "user protection." This phone number is in their public profiles on social media and provided on every marketing survey, job application, and form they complete. They are traceable and fairly consistent (until they lose a job or something of that nature). If they lose their phone (with their "life" on it), they will keep the same phone number.

How can you not be this person?

  1. Use cash for all technology related purchases.
  2. Do not register your purchase.
  3. Wipe whatever OS is on the device and use an open-source OS as the host platform. Or use an OS like Knoppix if you would like not to leave any traces.
  4. If you must run something like Windows, then run it under a VM. Activate but do not register it.
  5. Prevent all communications with companies that track you. You can do this with firewall rules on a hardware firewall.
  6. You can try to use something like TOR, but remember if they are monitoring your location, they are monitoring the location you are trying to reach because they have already figured out your pattern.
  7. Stop using credit cards.
  8. Stop providing your information freely on the web. (Domain registrations, Social Media, etc)
  9. Stop linking your habits to your person online.
  10. Be unpredictable.
  11. Wipe things that need to be erased. No keeping cracked copies of anything on anything that can't be destroyed with a blow-torch or a lighter.
  12. Think thumbdrives vs hard drives and SSDs.

Or better yet... unplug more often and stop worrying about it. Life is too short for this stuff.

AbsoluteƵERØ
15

@D3C4FF's answer hits the nail squarely on the head, however there is a further viewpoint regarding the average internet user:

The average internet user has no concept of privacy, other than "the government looking at my data is bad, mmmkay"

The average user shares far more information about themselves, deliberately, with the rest of the world than the 3-letter-acronyms used to be able to get using agents. (See this video for a not too far out view of reality)

If the average internet user was actually worried about this stuff, they would not use social networking sites, or a wide range of other sites either - but they aren't. They love to be able to do fun stuff, chat to people, share information etc.

So the implications are pretty much nil

Now this doesn't hold true for the tinfoil hatters, individuals who may be of high importance, criminals and other niche groups - but they aren't average...

Rory Alsop
  • 8
    It is true that people share massive amounts of information about themselves online. However, this is a choice that they make. If I want to post pictures of my cat wearing shades and talk about relationships and my breakfast then that's fair enough and it's public data. However, my private correspondence via Google, Yahoo etc is expected to be private. In Europe, we generally have a greater expectation and awareness of privacy/data protection than in the US. However, as we're using US businesses to host your data, we're to lower those expectations. That sucks! – AndyMac Jun 07 '13 at 10:54
  • 5
    Someone I know well enough to be friends on Facebook seemingly shared everything about his life, making detailed posts with pictures on Facebook about himself, wife, and kids, he traveled a lot for business and posted lots of interesting travel pictures and stories. However, about 6 months ago his wife found out that he had a secret mistress and a 2 year old son. It turns out that even people that appear to share a lot sometimes have secrets that they don't want others to know. People want to choose which information they make public. – Johnny Jun 07 '13 at 20:36
13

It's Always Been an Issue, You Just Didn't Care

I'm not sure you need to worry that much more about it than you should have before. Keep in mind that what they are collecting are your operator's Call Data Records (or at least a subset of that). You were already trusting a third-party with all that, and that was already a third-party I personally wouldn't have trusted with much of anything. They're mobile operators. They don't give you communications for free, just as Wi-Fi in airports very quickly stopped being a free commodity, except if provided by a shop where they expect you to buy coffee and cake (beware of what you're trusting that shop with as well, by the way, but that's a different topic).

(Note: I worked on developing tools to process call data records and other stuff for some major operators and phone manufacturers. And banks. It's shocking the stuff you'd assume to be done "the right way" and to be "secure" because it god-damn should be, but really isn't...)

Outcomes

Maybe it will push people towards using more secure communication systems. Sure, you can't bypass entirely your telecom operators. Or can you?

Your Data Plan is Your Friend

Users could resort to their data-plan for VoIP instead of using normal communications channels on their phone. Meaning preferring Skype, Google Hangouts, WhatsApp or others over normal voice calls and SMS/MMS.

As long as you trust these to be encrypted in ways that are safe and not reversible, of course. You should prefer an open-source tool which provides more insights on what goes on under the covers, and provides strong encryption...

Decentralized Communications Using Your Phone's Embedded Wireless Technologies

I'm not aware of anything doing that right now (but there might be solutions already), but phones with embedded antennas for Wi-Fi or other wireless techs with decent ranges (or the ability to plug in an external antenna with USB) could already lead up to some pretty interesting ways of communicating that would NOT need to connect to your operator's cell towers.

Think of it this way: with these, your phone can reach any phone that's within the local range of your chosen tech. Which can reach others. If that doesn't remind you of the swarm and DHT systems of some P2P networks...

This has awesome implications as you could have a decentralized communication system that doesn't rely on operators, is essentially anonymous AND secure, and could be used both in "civilized" areas to avoid costs or in "oppressed" areas to avoid censorship and tracking.

Of course, you only go as far as your mobile network would take you, and in remote areas that wouldn't be so great (say, keep your contract if you go trekking in the mountains...). But for the rest, with a few 6.8 billion activated mobile subscribers in 2013 and more coming up, you may be fine and able to reach preeetttyy far if you are in a big city and we set some VPN hubs in-between those...

Now, that would be pretty awesome. But that would take serious effort and community spirit to do without the big hairy hands of the greedy to try to steal the cake (or pass laws to make that illegal). I guess we could even use the same bands as for normal cellphone communications, however I'm pretty sure that's quite illegal, even if done in a non-disruptive manner.

Update 2014-04-02: And then there was OpenGarden's FireChat...


Then again, you'd still need to trust your handset and its OS to not be bugged. Darn.

haylem
  • 2
    I don't really see why that deserves a downvote. Please explain what you see as a problem so I can improve it. – haylem Jun 07 '13 at 15:38
  • I didn't downvote you, but NFC would not make for a great peer to peer network unless the peers are *very* close - it has a published range of 10cm but 4cm is more realistic. And it tops out at around 400kbit/sec. At that short range you may as well go with a tethered USB connection for far better speed (and the communication would be much harder to intercept). – Johnny Jun 07 '13 at 22:35
  • @Johnny: thanks, Johnny. Actually that's totally right, I was thinking of something else. *That* could have been a valid downvote! Using ad-hoc Wi-Fi connections using the built-in antennas would also be better (or, as mentioned, Bluetooth, though range is also very limited). – haylem Jun 07 '13 at 22:54
  • @Johnny: there were some other mistakes in that rushed braindump, actually (including a typo where I said you would NEED to rely on your operator, when obviously I meant the opposite). Also, I didn't mention that but I guess it'd be technically feasible, with enough control over the handset's hardware, to use the normal cellphone antenna and bands for communicating in that P2P. But as mentioned in my revised answer, I'm pretty sure that's against the law in, well, most places with mobile operators coverage. – haylem Jun 07 '13 at 23:00
  • Is there any possible security issue with using end-to-end encryption over operator's network? I'd be hard-pressed to believe that anonymous ad hoc Wi-Fi mesh nodes are more trustworthy than operators. – Lie Ryan Jun 08 '13 at 14:00
  • 1
    @LieRyan: I think the problem with running over a carrier network is that it's subject to blocking. If the government didn't want people to use encryption, if the carrier can't decode a packet with DPI (or worse, if you're required to use their proxy server so they can easily log the details), then they may not let it pass. – Johnny Jun 08 '13 at 16:30
  • Actually I've always cared. – this.josh Jun 14 '13 at 05:48
  • @this.josh: well, good for you :) Why didn't you warn the rest of them? – haylem Jun 14 '13 at 15:36
  • 1
    I did. No one listened. – this.josh Jun 16 '13 at 05:20
4

If you want to hide your destination and the content of your communication (and help other people around the world hide theirs too*), have a look at 'The Onion Router' a.k.a. TOR.

It uses (mostly three) proxy-servers of your choice. Each doesn't know which server you want to connect to, but its next neighbour. Given that not all proxy-servers are controlled by You-Know-Who it's not possible to know where the original request came from at the target. Also it's not possible in between to know where your request is targeted at for only the next proxy in your line is known.

But don't take my word for it, see their description at https://www.torproject.org/

*) The more people use it for 'legitimate' surfing, the better people in e.g. Syria can deny they wanted to see forbidden stuff. When only ... say Nazi-propaganda is surfed to from TOR and nothing else, it's easy to tell what you looked at while using it.

DerMike
  • 2
    The downside to using TOR is that it is very slow. It is better not to use it for casual surfing, in order to allow dissidents in dictatorships to research and communicate without endangering their families or themselves. – Paddy Landau Jun 07 '13 at 14:06
  • 6
    Also, keep in mind that there are **plenty** of malevolent people who put up TOR exit nodes and bridges so they can peek at your traffic. So using TOR is good... if you use encrypted connections! – haylem Jun 07 '13 at 14:47
  • 2
    The nice thing about TOR is that it spreads your exit traffic across many exit nodes, so it takes a lot of malevolent exit nodes to capture a large portion of your traffic. And even if they do capture content, they can't easily tell who requested it. (unless they are watching your computer and correlate timestamps). So if you're doing anything secret, spoof your MAC address and use open Wifi nodes away from home to reduce the chance that "they" can snoop your end of the connection. – Johnny Jun 07 '13 at 22:40
  • 1
    Spoofing your IP with TOR isn't gonna help at all against the NSA data backdoors at Google, Facebook etc. – Gruber Jun 11 '13 at 07:41
  • The speed of TOR depends on the number of TOR exit nodes. If a lot of people start using TOR for normal browsing but nobody creates new exit nodes the whole network slows down. You don't help the system by using it for purposes that need no anonymity. – Christian Jun 14 '13 at 08:34
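The layering described in the answer above can be sketched as follows. This is an added example, not part of the original answer and not Tor's own code: it is a simplified model with pre-shared per-relay keys and a toy cipher, and the relay names, keys and `site.example` are constructed for illustration.

```python
import hashlib
import json

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Toy stand-in, NOT Tor's real crypto."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def wrap(path, keys, destination, payload: bytes) -> bytes:
    """Client: add one layer per relay, innermost (exit) layer first."""
    next_hops = path[1:] + [destination]
    onion = payload
    for relay, nxt in zip(reversed(path), reversed(next_hops)):
        layer = json.dumps({"next": nxt, "data": onion.hex()}).encode()
        onion = toy_cipher(keys[relay], layer)
    return onion

def route(client, path, keys, onion: bytes):
    """Each relay peels its own layer and records the only two addresses it sees."""
    views, sender = [], client
    for relay in path:
        layer = json.loads(toy_cipher(keys[relay], onion))
        views.append({"relay": relay, "from": sender, "to": layer["next"]})
        sender, onion = relay, bytes.fromhex(layer["data"])
    return views, onion  # what the exit relay hands to the destination

def demo():
    path = ["entry", "middle", "exit"]            # constructed relay names
    keys = {r: hashlib.sha256(b"constructed-key-" + r.encode()).digest() for r in path}
    payload = b"GET /index.html (plain HTTP)"     # constructed request
    onion = wrap(path, keys, "site.example", payload)
    views, delivered = route("client", path, keys, onion)
    return onion, views, delivered

if __name__ == "__main__":
    onion, views, delivered = demo()
    for v in views:
        print(v)
    print("exit relay forwards:", delivered)
```

Only the entry relay sees the client and only the exit relay sees the destination, but the exit also forwards the payload exactly as the client wrote it, so a request that is not itself encrypted end to end is readable there.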
1

There is a magazine about that type of security (especially against NSA and others). The Tech Active Series - The Hacker's Manual 2015. In the first chapter, it talks about Privacy; how to protect your privacy, how to prevent agencies or black hats from tracking your data, open source alternatives for daily-use services, how to secure your smartphone and encrypting your data. I advise you to read it carefully because there are some details that may surprise you.

For example:

  • ...monitoring network activities is more efficient than attacking systems, so the NSA has programs that intercept consumer hardware, such as laptops and routers, and turns them into surveillance devices which can be turned on remotely
  • ...Tor uses many relay nodes for privacy but there are unconfirmed reports that many exit nodes are run by government agencies
  • ...how to use ZRTP to encrypt your phone calls
  • ...the NSA devotes considerable resources to infiltrate computers, handled by its TAO group. It's believed that TAO has a host of exploits that can attack any PC...
  • how to set up your own cloud to prevent tracking your data with OwnCloud
  • how to use PGP encryption in your emails (it could be Gmail or Yahoo or any service)
  • how to proxy your traffic and emails through JonDo
  • encrypting plugins for instant messaging (Pidgin, Kopete) by OTR
  • how to share secure files with http://www.securesha.re
  • using Raspberry Pi for your own cloud and VPS service

I think there is no better teacher than suspicion in the security field. Don't trust anyone, me or that magazine, but at the same time don't trust Google, Facebook, Dropbox or even Tor. In that age, each individual can use his/her own tools, services, systems, although it may be expensive for some of them;

privacy is priceless

JackSparrow
  • For example: "...monitoring network activities is more efficient than attacking systems, so the NSA has programs that intercept consumer hardware, such as laptops and routers, and turns them into surveillance devices which can be turned on remotely", or "Tor uses many relay nodes for privacy but there are unconfirmed reports that many exit nodes are run by government agencies", or "how to use ZRTP to encrypt your phone calls", or "the NSA devotes considerable resources to infiltrate computers, handled by its TAO group. It's believed that TAO has a host of exploits that can attack any PC..." – JackSparrow Apr 24 '15 at 09:03
  • "unconfirmed reports" - heck, a grand understatement if there ever was one. – Deer Hunter Apr 24 '15 at 09:08
  • @DeerHunter there is a saying in my country: no smoke without fire. I don't mean conspiracy theories, but be careful when trusting anyone, whether people, an organization or a little tool on your desktop – JackSparrow Apr 24 '15 at 09:13
  • 1
    The reports are not "unconfirmed" at all. It is public knowledge that the DoD runs Tor nodes. They aren't being sneaky about it - they too benefit from Tor. – schroeder Apr 24 '15 at 18:29