Wednesday, July 31, 2013

New NSA Leak Confirms NSA Knows All You Do Online; Here's How to Stop Them


In rather depressing news (not that it should surprise anyone, however), it does indeed appear that Edward Snowden wasn't lying when he said that just about any lowly NSA analyst can find out literally everything that pretty much anyone does online (warning to those who work in the military-industrial complex: clicking on that link [or indeed, probably reading the below] will technically turn your computer into a machine covered by Top Secret clearance protocols):
A top secret National Security Agency program allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals, according to documents provided by whistleblower Edward Snowden.
The NSA boasts in training materials that the program, called XKeyscore, is its "widest-reaching" system for developing intelligence from the internet.
The latest revelations will add to the intense public and congressional debate around the extent of NSA surveillance programs. They come as senior intelligence officials testify to the Senate judiciary committee on Wednesday, releasing classified documents in response to the Guardian's earlier stories on bulk collection of phone records and Fisa surveillance court oversight.
The files shed light on one of Snowden's most controversial statements, made in his first video interview published by the Guardian on June 10.
"I, sitting at my desk," said Snowden, could "wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal email".
US officials vehemently denied this specific claim. Mike Rogers, the Republican chairman of the House intelligence committee, said of Snowden's assertion: "He's lying. It's impossible for him to do what he was saying he could do."
But training materials for XKeyscore detail how analysts can use it and other systems to mine enormous agency databases by filling in a simple on-screen form giving only a broad justification for the search. The request is not reviewed by a court or any NSA personnel before it is processed.
If you want to check out the original training slides, you can read them here - scary stuff, though again, and unfortunately, I'm not particularly surprised.

So, it turns out once again that the government was lying to us, while Snowden was telling the truth. Surprise, surprise.

Obviously, this is terrible news. As has been repeatedly pointed out by courts and privacy advocates, the right to privacy is a fundamental right that should be enjoyed by all, and the government should have to prove probable cause and obtain a warrant in order to be able to violate the privacy rights of an individual, whether a US citizen or not.

The NSA is apparently wiping their collective asses with the right to privacy by attempting to suck up all internet data about everyone all the time.

Here's how you can protect yourself from the prying eyes of the NSA.

Disclaimer: This is not easy or cheap. I do not and am not going to bother to go through these steps to protect my own privacy from the NSA, as the inconvenience of doing so would simply be too great, considering that I am doing nothing that I can possibly imagine would make me even a remotely interesting target to the NSA (with the possible exception of writing this article, I suppose). However, since I value the right to privacy, I will vote for any politician who promises to reign in the NSA's abuses, and I will vote to reelect any politician who follows through on reigning in the NSA's abuses. Furthermore, I believe that anyone who wants to should have the right (and knowledge) of how to escape the prying eyes of the NSA, if they want to embrace the burden of undertaking this difficult task.

0. The easiest way to keep away from the NSA's prying eyes is to simply go off the grid - no internet, email, Facebook, or anything of the kind. You will only communicate through the U.S. postal system. However, since the U.S. post office photographs the outside of every piece of mail and logs it for law enforcement purposes, you'll have to invest in non-see-through envelopes, you can never write return addresses on your letters, and (preferably) you'll drop all your letters into random post office boxes around your city/town (or, even better, in nearby cities and towns you don't live in). Of course, everyone you correspond with will have to do the same, and there's no way to confirm that the person received your letter. But this, in theory, should keep the NSA out of your affairs, and in theory, the government should require a warrant to read the contents of your correspondence.

1. However, we are going to assume that you want to continue to use the Internet in some fashion or another. Nevertheless, in order to do this, you have to go somewhat off the grid. The first thing you'll have to do is close all of your banking, credit card, and other accounts (or if you HAVE to have a bank account to receive your paycheck, pay some bills that don't accept cash payments, etc., then you can keep one checking account) and put your money in cash. You are now going to be a cash-only (well, not quite, but we'll get to that in a minute) person. (Strictly speaking, this step isn't necessary to protect your Internet activities from the NSA, but you should assume that the NSA has access to every single transaction you make in any financial account you have.)

2. With your new wad of cash, go buy a new computer (either a laptop or tablet, but I'd recommend a laptop, as they're more versatile than a tablet). You are ONLY going to use this computer for Internet activities you want to keep secret from the NSA. NEVER USE THIS COMPUTER FOR ANY OTHER ACTIVITY EVER - ONLY FOR THOSE ACTIVITIES YOU WANT TO KEEP PRIVATE FROM THE NSA. And, obviously, never do anything on this computer that might be personally identifiable.

3. Take your new computer to a public place with free wi-fi - a cafe, hotel, etc. Download the Tor Browser Bundle. Disconnect from the wi-fi. Install the Tor browser bundle.

3.5 [Post-publishing addition]: The TOR Project just announced a vulnerability in older versions of the Tor Browser Bundle for Windows that apparently is currently being exploited by the NSA to identify TOR users. As best I understand, even IF you had been using a vulnerable version of the Tor Browser Bundle, you still would have been safe, IF you had followed my entire guide to the letter. However, just to be ridiculously cautious, it would be best for you to build your own Linux Live CD / USB with Tor and OpenVPN preinstalled (if you're tech savvy enough to follow the rest of this guide, you're tech savvy enough to build your own Linux Live CD - there are a bunch of tools out there that let you do it with just a few clicks) - that way, you'll be using only Linux on this computer, and nothing that you do will be saved from one use of the computer to the next.

4. Go to a DIFFERENT public place with free wi-fi. Fire up the Tor Browser Bundle (in case you didn't realize, you'll be doing ALL of your interneting through the Tor Browser Bundle). Read up on how to deal with Bitcoins - you'll be paying for all of your online activities you want to hide from the NSA with bitcoins. After you have a comprehensive understanding of bitcoins, go to https://localbitcoins.com/ and arrange to buy some bitcoins with your wad of cash. I'd buy a few hundred dollars worth - bitcoin value is still quite volatile, so you don't want to buy too many extra at once.

5. Go to a THIRD public place with free wi-fi. Fire up the Tor Browser Bundle and go to AirVPN.org - it's a Europe-based VPN service with complete emphasis on privacy. Sign up for a year's worth of VPN service with bitcoins, and read up on how to use VPN with TOR (https://airvpn.org/tor/).

6. Go to a FOURTH public place with free wi-fi. Fire up the Tor Browser Bundle with VPN over TOR. You can now do what you want online while being relatively secure that the NSA cannot associate your online activities with you personally. Keep in mind that, while doing this, you should not engage in any activity that is associated with your real name, address, email address, social security number, or anything else that might be personally identifying. You should sign up for a new anonymous email address (https://www.hushmail.com/ is a good choice) if you want to do email and only use it with VPN over TOR on this computer and never use it at any other time or on any other computer.

7. Now the truly hard part begins - anyone else you want to communicate with online has to go through all the same steps above. You can never mention each others' real names in any communications. To exchange your anonymous email addresses, you should use semi-anonymous letters as described in Step 0.

8. There are a few other tools that will help you communicate with others online (as long as they've gone through all the steps above as well) - you can use an extension called Off The Record ("OTR") to encrypt your chats. There are also ways to try to make video or voice calls securely, but honestly, the performance of your VPN over TOR internet connection will probably be too poor to allow for such things.

There are without a doubt a few downsides to keeping your Internet activities private:
  1. It is expensive.
  2. It is ridiculously inconvenient.
  3. You'll have to stop many of your current internet activities (e.g., regular emailing, Facebook, anything associated with any personal information, etc.).
  4. This system is only as secure as the weakest link in the chain, which is probably the other person you're trying to communicate with securely - they have to follow all of the above rules too.
  5. The NSA will still be keeping your data, potentially for a long time, since it will be encrypted. However, it will be doubly (and perhaps triply, if you're using encrypted email or chat) encrypted, making it very hard for the NSA to crack. And even if they do crack it, there shouldn't be any personally identifiable information for them to crack. Furthermore, you'll be hiding all important metadata from them as well.
As I said at the outset, jumping through all these hoops just isn't worth it for me to keep my internet habits out of the hands of the NSA - instead, I'll support politicians who promise to stop the NSA's blatant, unconstitutional abuses.

However, if you value your privacy so highly that you are willing to go to great lengths to protect it from everyone, including the NSA, I figured you should at least know how to do it, since I think you have a right to your privacy.

No comments:

Post a Comment