DOKK Library

Avoiding Surveillance

Authors Jason Self

License GPL-3.0-or-later

Plaintext 
jxself.org


Avoiding Surveillance                                                                       Home

Please note that, although I primarily refer to the NSA in this article, unchecked,         Linux-libre
rampant surveillance is actually a worldwide problem.

The NSA has been in the news a lot lately, and for all the wrong reasons. It shouldn't      GitWeb
be surprising to anyone that all of this is happening. It's been coming for years now
and anyone had the ability to see it coming, if they were careful enough to pay             How To
attention. The question now becomes how to deal with it. It's a complex problem and,
like many complex problems, requires a multi-pronged effort to address it.                  Articles
In order to explain how to do that it's best to understand how we got here. To do that
                                                                                            RSS Feed
we must back up first and trace things back a few decades to the beginning of the
Internet. Some felt that the Internet would be used as a tool to spread knowledge and
information. It would empower the masses. Anonymity was easy. Censorship was                About Me
impossible. Easy copying would destroy the traditional movie and music industries.
Even bigger changes seemed inevitable. Many believed that the Internet was the tool         Contact Me
that was going to be used to begin a new world order. It was going to be the start of a
utopian age in our collective history.                                                      GPL enforced

To some extent this has happened but that utopian vision never really did fully
materialize, but two other things did that were critical in making mass surveillance         If you appreciate any of the things I
possible.                                                                                    am doing you can make a donation.

One is that, little by little, people started becoming dependent on the Internet. It is a
fact that many of the Internet-using public place their e-mail, photos, videos,
calendars, address books, search terms, messages, documents, and perhaps their
entire lives into massive data collection silos belonging to companies like Google,
Facebook, Apple, Microsoft, and others. The existence of such huge repositories of
information makes a tasty target to anyone that is interested.

The second thing that happened is that people began to increasingly access their data
using devices that they have ever diminishing control over: iPhones, iPads, Android
phones, Kindles, ChromeBooks, and so on. Unlike operating systems made up of free
software (such as GNU/Linux), these devices are controlled entirely by vendors, who
limit what software can run, what they can do, how they're updated, and so on. Even
desktop computers are heading in the direction of more vendor control and less of
your control. The lack of control over their own computing devices meant that people
were forbidden from knowing what was being done with their data and, even if they
did know, were powerless to stop it.

With most of the Internet-using public reliant on software that they cannot study and
using third party services that sell them out, it began to create the perfect storm that
made mass surveillance possible. It seems somewhat ironic that the public actually
helped with their own surveillance by using these things.

That is how we got here. The next question is what to do about it. For that, it's
important to understand how things are being done. When the NSA wants information,
they get it and they have several methods at their disposal. This is probably not
exhaustive but what is known so far is:

    • Cooperation - Some companies voluntarily give the NSA access to private
      information. Reports backed up by Snowden's leaked documents show that
      after September 11, 2001 a major American telecommunications company -
      rumored to be either AT&T or Verizon - voluntarily gave the agency access to
      its call records among other customer data. The NSA has invested a
      significant amount of time and money on personnel, software and equipment
      to sweep such data for important clues. Companies that choose this route
      are immune to prosecution, courtesy of the FISA Ammendments Act.
    • Legal Compulsion - If the company or person won't cooperate voluntarily,
      Section 215 of the Patriot Act gives the NSA the power to force Americans
      and American businesses to give up private information that it has. There is a
      supposed restricted set of circumstances that would allow the NSA to act in
      this way. These restrictions were set in place to prevent abuse of power.
      Unfortunately, by law, companies cannot reveal the number of times that the
      NSA requests this private information from them or the type of information
      that is requested. According to Snowden, companies like Google, Facebook,
      Twitter, Microsoft, Apple and others have all been forced to give up this
      private information.
    • Digital Splitters And Undersea Cables - Not every company is going to
      volunteer information to the NSA or their British counterpart GCHQ. There
      are times when of these governmental agencies, in their infinite wisdom, feel
      that it needs to resort to illegal methods in order to get information. According
      to documents released by Snowden from the second quarter of the year
      2012, GCHQ has been tapping undersea cables. These cables move
      unfathomably large amounts of information around the world. This
      information is shared with the NSA, and together these agencies use the
      tools and resources they have to glean information from the stored data. The
      NSA has also resorted to installing digital splitters in company servers. These
      splitters allow the NSA to shunt communications traffic to the NSA.
    • Spies - When everything else fails, nothing works like good old-fashioned
      spying. According to the Guardian, GCHQ has a team of operatives that they
      referred to as the Humint unit. This stands for Human Intelligence. This team
      has the responsibility of recruiting and placing agents in telecommunication
      companies around the world. Now, with this large network of spies, the NSA
      is able to get information from almost any source that it needs.
    • Malicious Software - The NSA is not above using software and malicious
      applications to exploit software weaknesses. They can use the software to
      either extract, implant, or manipulate information. Stuxnet and Flame are two
      examples of the type of software that the NSA uses. They can deliver this
      either by using infected emails or other methods. They even intercept
      computers in transit to install malicious software, and some of their methods
      can survive hard disk replacement and operating system reinstallation. The
      idea is to make it easy to engage in long-term surveillance that is impossible
      to detect. It is reported that the NSA also has the ability to worm its way into
      devices that even use iOS, Android, and BlackBerry operating systems.
    • Backdoors - One of the ways that the NSA uses to find its way in and
      around encrypted data is by cooperating with technology companies. These
      technology companies will build backdoors into hardware and software.
      These backdoors are designed to be absolutely invisible to the individual who
      was using the software and in some cases can't even be proven to exist even
      when you suspect they might be there. However, it will allow the NSA to have
      unprecedented access to the electronic device that they want to spy on. For
      instance, the global technology community suspects that the NSA may have
      somehow compelled the US National Institute of Standards and Technology
      to approve the deliberately flawed Dual Elliptic Curve Deterministic Random
      Bit Generator cryptographic standard.
    • Brute Force Attacks - It is difficult, if not impossible, for the NSA to snoop
      on a information that is properly encrypted. So, they will find other ways to
      get at it. They may try brute force to decrypt the data. Even if the NSA
      cannot, they will store the information for up to five years. When the
      technology advances to the point that they can decrypt the information, they
      will.

That covers how we get here, and what's happening now. After hearing about all of
the avenues that the NSA has at its disposal to do surveillance on people, it is easy
for a person to think that there is nothing that they can do in order to avoid
surveillance. However, this is nowhere near the truth. There are a lot of things that
people can do in order to avoid surveillance, minimize what information can be
obtained, and make it harder to obtain that. Some of these are regulatory while some
are technical.

Those giant repositories of information made the NSA's job very easy by providing a
form of one-stop shopping for them. Tearing down those data collection silos is an
important step, so the first step anyone can do is move out of that silo and host your
own data instead.
When it comes to centralized social networks I can only say one thing about them: Get
rid of them. Close your Facebook, your Twitter, and all of your centralized social media
accounts and never use them again. Social media networks are a treasure trove of
personal information that the NSA and other government agencies can easily have
access to. Use decentralized social networking instead:

    •   GNU MediaGoblin is a replacement for sites like Flickr and YouTube.
    •   XMPP is a replacement for things like Skype and AIM.
    •   GNU Social can be used as a replacement for Twitter.
    •   Pump.io can be used as a replacement for Facebook.

Don't use a cell phone. Surveillance is inevitable in this case: Whenever your phone is
powered on, your cell phone company is able to record where you are, the phone calls
and text messages sent and received, and what was accessed over the Internet, etc.
If you do use one, you'll have to accept that surveillance is inevitable although there
are still steps that can be taken to minimize it:

    • Use Replicant. It is a mobile phone operating system that is made entirely of
      free software.
    • Encrypt your text messages using TextSecure.
    • Encrypt your phone calls using RedPhone.

Don't use email. It is insecure. Look at something encrypted and decentralized like
BitMessage. If you must use email, run it yourself on your own machine out of your
own home and use GPG and SSL/TLS to communicate with the recipient, who should
also be using their own mail server (or at the very least maybe arrangements could be
made for them to use yours.) I have written about running your own server previously.
Check the archive.

Don't store files in public cloud services. Going by Snowden's leaks, cloud service
providers have been juicy targets for the NSA. Add to that the unresolved crisis that is
Megaupload, and you can see why you should not store data in public clouds. NSA
personnel do not necessarily need access to your cloud account - they can grab data
as you upload your files. The same methods can be used to collect information from
software-as-a-service applications like Office 365 and Google Drive. To protect
yourself, store data in your own servers, encrypt your traffic, and limit
communications.

Keep web browsing private - Avoid relying on the "Do Not Track" feature. It cannot
prevent snooping. Use the Electronic Frontier Foundation's HTTPS Everywhere
extension. It uses the popular Secure Sockets Layer encryption scheme to keep web
browsing private but doesn't prevent the NSA from knowing what servers or people
you're communicating with. To avoid that, an even better option is to use HTTPS
Everywhere along with TOR.
Always use free software encryption. Unlike proprietary programs, they are less likely
to incorporate backdoors and if there is one it can be removed by the people using the
software.

Use free boot firmware. Most computers begin to run proprietary software as soon as
you press the power button, in the form of the BIOS. Given that we know that NSA
has BIOS exploits, it's more important than ever to use a free one. The Free Software
Foundation recently certified a laptop to Respect Your Freedom, all the way down to
the boot firmware. This can't be said of every machine running coreboot: It took
specific hardware and a modified version of coreboot with proprietary software
removed to pull this off.

Use 100% free software GNU/Linux distributions. The Free Software Foundation
maintains a list of these at https://www.gnu.org/distros/. The combination of free boot
firmware and a 100% free GNU/Linux distribution means that the people using these
systems can be sure that their computers are working for them, and not against them.

These are just some ideas - there may be more. Please feel free to share your ideas
with me so that I can update this. Ultimately, the methods I've mentioned will only
serve as a way to make it more difficult for the NSA to collect information, but it will not
be impossible. As it sits right now they have the full weight and power of the United
States government behind them so if they decide that they want some information,
they will find a way to get it. The only way that we are going to be able to protect our
privacy is by demanding regulatory change. If you haven't already done so, start
petitioning the relevant authorities.


Copyright © 2013 Jason Self. See license.shtml for license conditions. Please copy and share.