Your Privacy and How Not to be Surveilled on the Internet

by Dietrich Schmitz

Now that the dust has settled over the disclosure that the NSA has been actively engaged in a surveillance program called PRISM for several years, we can now get down to the business at hand. (Image credit: www.techinasia.com)

Namely, this post highlights some of the ways you, the general public, can exercise your right to privacy on the Internet all on your own and for free.  The discussion is limited to Desktop systems only, not Tablets and Smartphones.

Some rules apply to this discussion:

1) Don't talk about private matters in a public place
2) Don't leave your valuables in an unsecured public place, lock them away for safe-keeping
3) Provide information only on a 'need to know' basis

If those rules seem obvious, it's because that's how you conduct yourself in the physical real world.  And, it's no different on the Internet.  That is common sense really when you think about it.

On-line Storage

Kim Dot Com and the MegaUpload ISP seizure by the U.S. government is a blazing roadside neon sign from which we can all learn.  It's an incomplete yet to be told story about how people used this site for storage of their personal things but turned into an International scandal when corporate entities assisted by the government brought pressure to bear with a website take down.  The whole issue of what happened and how it was handled is still unclear, but it is nonetheless emblematic of what potentially can happen if such a take down occurs and results in interrupted service for all ISP tenants, irrespective of whether they were negligent in any way.

It also points to the question of 'how' data is stored on Cloud ISPs.  Is the ISP doing anything to protect your data?  If so, what?  Those questions should be answered before storing any sensitive data in the Cloud.

In fact, MegaUpload did nothing to protect its customers' data.  As a result, the majority of tenants were held hostage to a takedown because of a few who used the site for illegal file sharing.

So what should you be looking for?  If you really have sensitive personal data then take the same precaution as you would in the real-world -- keep it locked away and don't give the key to anyone.

In the real world that is fairly easy to accomplish.  That's why we have a burgeoning business with locksmiths and safe manufacturers and such to maintain privacy.

As for the Internet, well, essentially the only way to guarantee your privacy is by employing encryption. That's it my Friends.  Encryption.  And, the only 100% fool-proof way to do defeat access thereto is with what is called Zero Knowledge Encryption (ZK).

Effectively, ZK encryption encrypts your data store at an ISP but only you have the private key to unlock the data. (Image credit: www.spideroak.com)

ZK cleans up a heretofore otherwise 'messy' relationship between the lessor of Cloud storage drive space and lessee who stores data in it for free or an agreed to periodic subscription fee.  As a direct side effect and benefit of using ZK technology, the lessor then has zero knowledge of what the lessee is storing.  Had this been the case with Kim Dot Com and MegaUpload, Kim could have asserted 'plausible deniability'.  In so doing, neither the RIAA nor the MPAA would have had reasonable and justifiable cause to legally challenge MegaUpload, as the ISP could irrefutably claim to possess no knowledge of what the lessee is storing.  Thus, commercial and governmental third-parties would have no choice but to come directly to the lessee to question how that space is being used and would be put in the position to present specific details for their inquiry directly related to suspicion of wrong doing and demonstrating probable cause for granting any search warrant.

Currently, the U.S. Patriot Act has a provision called a demand National Security Letter which allows U.S. governmental access to any ISP to obtain a copy of any account holder's private data and it legally restrains the ISP from communicating in any form that the event occurred to anyone.  Microsoft, Google and civil liberties group the Electronic Frontier Foundation, are petitioning that such represents a violation of our constitution's First Amendment rights with the Federal Intelligence Surveillance Court which oversees provisions of the Federal Intelligence Surveillance Act of 1978.

So, you can plainly see why it is coming to this.  Encryption.  Use it to protect your privacy.

Start looking for an ISP that offers Zero Knowledge, such as SpiderOak and Wuala.  Any other form of encryption in the Cloud is unacceptable.

(There are 'unofficial' rumors that Google is beginning to roll out encryption for their Google Drive storage.  If it is anything but ZK, don't use it for your personal data.)

Browsing the Internet

If you want to keep your Internet browsing habits truly private, deleting cookies, and setting the user agent string to 'DO NOT TRACK' are useless.  It's entirely up to the ISP to 'respect' the latter so don't rely upon it.

The best way to do anonymous surfing is by using a VPN proxy service.  Essentially, this service sets up the VPN service as a proxy connection encrypted tunnel between you and their end point.  The ip address given to you going out of the VPN's end point to the Internet is then randomized so that there is no relationship to your actual ip address and a translation mapping brings back all browsing over the VPN to you transparently.  Some VPNs are free, others will require a subscription fee payable monthly or yearly, such as vpnproxy, for example.

SocialNets and Chat

Being 'social' is the latest rage, of course, and the need to stay in touch with Friends encourages use of devices to text and chat.  Currently, Facebook and Google Plus use the open source standard Jabber/XMPP protocol.  By default, your chat log is stored in a central server.  And, Google very recently announced they will be phasing out Google Talk (the XMPP component) in favor of their own 'Hangout' proprietary protocol.

There is more than one way to keep your chat's fully private.  With Google's Hangout on Google Plus, you can explicitly set, for example, your chat as 'off the record' and there will be no persistent logging of your chat sessions.  Even then, if a third-party (cough PRISM) chooses to bridge your stream (aka 'Man in the Middle') they can eavesdrop on your voice, video, and text streams.

For the ultra-paranoid, currently there are a few solutions.  One is to use Pidgin with their 'Off the Record' (OTR) plugin, a name borrowed from the well-known cryptographic protocol of the same name.  This effectively allows taking any stream (AIM, Facebook, G+, etc.) and setting up an encrypted tunnel between you and the other person with whom you are communicating.

Another option is to install the Cryptocat plugin for Chrome or Firefox.  Cryptocat also uses the OTR cryptographic protocol for private messaging.

Otherwise, yet another alternative is to avoid using any of the standard messaging protocols in favor of a P2P decentralized encrypted connection via RetroShare.  I've written several stories regarding the importance of RetroShare.  Retroshare, being on its own P2P closed loop, has it's own secure messaging chat software.

Email

Email by default is clear text and if you use it to communicate it can be read along the path of mail transfer agents to its destination recipient.  And, in the case of Gmail, that email along with everything else on Drive is all unencrypted.  That means all of your data can be read by third-parties.

Encryption solutions include using GnuPG or PGP encryption.  The problem with methods like GPG encryption is that, while free, most software application implementations are not user-friendly and, as such, difficult to use by the general public.  Commercial solutions include Symantec Encryption Solutions and Phil Zimmerman's newest Silent Circle, and are both viable options to consider. (Image credit: www.philzimmerman.com)

One other realistic alternative is to use RetroShare's email.  Essentially, Retroshare's 2048-bit RSA encrypted F2F channels are totally encapsulated on a 'closed loop' away from the world wide web's non-encrypted email system.  As such, RetroShare email is guaranteed to be strictly private and devoid of any spam.

DarkNet

If you want to employ tools which offer guaranteed pure privacy, then your list of choices is only a few.  I'll save you some trouble -- the technology used is called DarkNet and, while it does sound subversive, it, however, represents the only form of software technology which is  100% 'effective' in combating Internet snooping of any kind.  Not all darknets are alike and I would encourage you to only consider RetroShare's product.  If you want to fully lock down your RetroShare environment, you are only a few click settings away from running in pure stealth darknet mode.  You need not feel embarrassed in employing this tool -- it is the NSA who should be ashamed of their activities, spying on Americans without the use of the traditional and appropriate procedural Judiciary search warrant oversight process, which provides constitutional checks and balances on the potential for abuse of authority.

RetroShare offers currently the best reference design for what should be integrated into all computer desktop GUIs.  We accept the need for integrated Office Automation tools and soon privacy-mandated applications will find their way onto the Desktop as part of a standard default deployment of operating system software.

RetroShare is written in C/C++ using the advanced Qt gui framework and is currently available for Windows, Linux, OSX, and BSD machines.

Be safe.

-- Dietrich

Related articles

• RetroShare: For the Paranoid in You!
• An Unmet Need: Privacy Integration on the PC Desktop
• Technology to Protect Against Mass Surveillance (Part 1)
• Five Ways to Have a Chat Behind Big Brother's Back
• Utah ISP owner describes the NSA 'black box' that spied on his customers