When federal contractor Edward Snowden downloaded a trove of National Security Agency (NSA) secrets onto a thumb drive and flew to Hong Kong, intent on exposing what he felt were gross excesses of the U.S. government’s surveillance programs, he probably had little idea what would happen next—but he certainly hoped that people would listen to him.
And listen they did. Using Snowden’s documents, The Guardian and The Washington Post published articles in summer 2013 that described two massive NSA projects for monitoring Americans; one of those projects, codenamed PRISM, allegedly siphoned information from the databases of nine major technology companies: Microsoft, Google, Yahoo, Facebook, PalTalk, YouTube, Skype, AOL, and Apple. Most of those firms denied knowledge of the NSA’s work.
If that had been the extent of Snowden’s revelations, that might have been the end of it—but Snowden, evidently a busy little bee during his time contracting for the NSA, had much, much more to share with the world. Over the course of the summer, newspapers fueled by Snowden data published story after story on how the NSA, Britain’s GCHQ, and other intelligence agencies had managed to penetrate the world’s telecommunications networks.
Faced with a steady drumbeat of protest over the NSA’s activities, the U.S. government finally felt the need to respond. In January (roughly eight months after the first Snowden revelations broke), President Obama took to a podium to detail some major changes in how the NSA collects data—while offering a defense of the agency’s actions. “They’re not abusing authorities to listen to your private phone calls,” he told the audience of reporters and government officials. “What sustains those who work at NSA and these other agencies through all these pressures is the knowledge that their dedication plays a central role in the defense of our nation.”
Obama’s proposed reforms, at least in theory, will stop the NSA from storing telephone metadata on its own servers, although the location of the new data repository remains unclear. In addition, the NSA will only pursue phone calls that are two steps removed from a number associated with a terrorist organization, and companies will have the opportunity to reveal more about government requests for their user information. That’s on top of the executive branch supposedly increasing its oversight of intelligence programs via executive order, via annual reviews of targets and missions by senior members of the President’s national security team.
Whether or not the federal government curtails its surveillance activities—a lot of people are betting “no”—it’s unlikely that the debate over online privacy and surveillance will end anytime soon. With thousands of Websites planning a mass protest of surveillance on Feb. 11, it’s worth revisiting what you can do to keep yourself as safe as possible online.
What You Can Do
As Slashdot pointed out after the news of the NSA’s widespread surveillance programs first broke, installing upgrades to existing browsers, or putting those browsers in “safe” or “private” mode, will do precious little to block surveillance.
“A lot of people have been contacting me talking about private browsing modes as a defense against NSA surveillance,” Dave Maass, media relations coordinator for the Electronic Frontier Foundation (EFF), wrote in an email to Slashdot soon after Snowden’s revelations. “Of course, private browsing modes are meant to avoid leaving records of one’s web browsing history—on one’s own computer—and that’s basically the extent of it! So people are very often missing the idea of what is meant to defend against what.”
In other words, scratch Private Browsing as a way of keeping your communications safe from prying eyes. Fortunately, other tools exist. The EFF offers a handy visualization of the protections afforded by HTTPS (Hypertext Transfer Protocol Secure, a communications protocol for secure communication over a network) and Tor (a network that relies on relays that make it difficult to trace a user’s Internet activity). HTTPS and Tor can hide very specific kinds of information, depending on which one is used.
But Tor has its limits, particularly if an outside agency is willing to devote the resources necessary to make an anonymity-killing end-to-end traffic correlation. Platforms such as SpiderOak offer host-proof cryptography for protecting data, but these services come with a significant catch: since “Forgot Your Password?” links can be easily reverse-engineered to reset a password or username, few highly secure services offer that sort of protection against the loss of login information; misplace that piece of paper where you wrote down your password, and any data stored with the service is toast.
Other encryption vendors include Voltage Security (encryption and tokenization tools), Liaison (communications and transaction encryption), and Application Security (database security). For those who want a messaging service that vaporizes messages within a few seconds of opening, but don’t quite trust Snapchat, several alternatives exist, including Silent Circle, Wickr, and Squawk.
With regard to transferring files between devices, experts recommend platforms such as SFTP (Secure File Transfer Protocol) and SCP (a method of transferring data between hosts, based on Secure Shell or SSH protocol); be aware, however, that transferring files in a way that’s totally secure is often difficult.
In the wake of the NSA revelations, Google and other tech companies have also indicated a willingness to encrypt data that passes through their infrastructure, both in movement and at rest. That won’t stop government requests for user data, of course, but it could ease some users’ fears over hacking and surveillance by other third parties.
Good luck out there, and happy anti-snooping.