Thursday, June 13, 2013

Why You Shouldn't Be Concerned By Government Surveillance

This post has moved! Click here to view the new home of this post.

Recently I have been hearing a lot about government surveillance in the USA. My initial thoughts were very negative because I feel that my personal data should be kept private, but after some thought I realized that it is my fault for trusting these companies, who for "legitimate" reasons may need to turn my data over to the government. If I trust them that far I shouldn't be too surprised when they turn that same data over without a proper request from the government.

Throughout this post I will be discussing ways to keep your information private no matter what these laws allow.

PGP

Many of the solutions in this article rely on PGP (or Pretty Good Privacy). PGP is a bit of infrastructure around encryption that makes it easier to use. There are two major implementations of PGP, the one I would recommend is the FOSS GPG. GPG is an open source implementation of the OpenPGP standard and is a command line tool. You may also wish to use a GUI key manager such as Seahorse. The other major implementation is the commercial solution at www.pgp.com which now appears to be owned by Symantec.

While I am not going to cover the specifics of PGP here I am going to give a quick overview of how it works. Each person creates a key pair which consists of one public key and one private key. You then give your public key to anyone who wishes to communicate with you and you keep your private key private. (My public key ID is 0xC0758A3B34D52E74). To encrypt something to someone you use their public key, then it can only be decrypted using their private key. This allows you to send people messages that only they can read without having a separate password for every person with which you communicate (passwords are a broken system).

Text Messages/Email

When I say text messages I don't mean SMS but rather sending messages that consist mainly of text to another person. The most common system for this is email. PGP does a fantastic job in this area as it is easy to encrypt data. PGP can also print out the encrypted data in a plain-text format (called ASCII-armoured) so you can send it over any medium which can handle text (such as an email) of course you can use the binary format for better space efficacy if you desire.

A quick example of the text "Hello, you can't read this." encrypted to me. Small messages get bloated quite a bit but larger messages are more efficient.

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.20 (GNU/Linux)

hQQOAwZ9kp8O8w0lEBAAhlSqi168fzas9NvPTxGnmv38+HLZ1vxenEIz0GE29Q9X
bNDSHZg3PGpsdHZBVGgrDE6no2E1qUdFXRXXrc7ldHj608gTGA7WndHZn4MZEZuc
nsgx9tRe1Zg0QE1CFkOELdFOHzJJ0SrZxJBmzi1AOUtmIX1ubMEfONnmgNcTOs1J
iG8oZfgwShMAw45TrDwLjM2zLwiDodga6g3N///ZKzCKqetMRc5luZGsLn4rcuwM
6pMczbDXsyBRJWRNs9k94nWyWe51Mp5Cd8LtNs7FRgnVs3HMU4EhUKojMpnqQOhD
3BgSzc4JMQ/ixlHSNvs+7AsQKZVmAylgP6M5KVRmTm8IYfC6mAhOJPt68m3RQlbj
qLQfoCq3ImHecw9cxPu85ZztIyFgYHP8d4j9ZBgOAtlQHX8hvJCOzclKneboAcr6
g+iDxFLKx0Itf1pSOToALuAaTCFxZRIUevSHAL4lqpw5CM4hT8THlOd23eyjLdjm
0A2FVhdRSo24G5BnDJyMxZ+R5PGVogMkK5TzRK6yxDKOzLxnURVb+/fc96euCwGi
hhMnvbh3pC6YYaAYrr/3eDmPOUOQuofHpRnaVFi1aJv2jjp6YNrOB0d1QpY2j/FG
XYzsRmbCiK2q4pbaoukUigK9GlRGtLRBh2S9bvSS4yP6bXdwD4uB1I0bOJqfHKkP
+wS0xsWC8sBoqd6JGlFYNpLE9XJDXtixs3KAa1BQAPizfXgeBfhw57sDpm/2hRV+
ao4ygGpeVIA105dggnGICcdtD8f0JsMMQU3oxIGB3oBTCLUd/0cZC4Xie+6azeFf
Oebo6Du6rd6cO7V0bDwgzw3SKWJIjSIuYcEGAjAIRjJJF3eoeUcp6eVdDNMMWdup
9zgHIsB6J9LLWcZiEzjce4Y6HEk6tstxGJydebmjkzOAO+6t5hB9ZwTJYNtsV//n
22/VYO0G4YfSeA8YZtikxsGTiLYQo7C1POuYcoZmxOEsISebDe0zXbUM3ZLttYRZ
fK9vSui7hBJFE6KuX5BopvmuwHhUEaCn/QwFYlvS9iZ6P7ZKgwhNLsh861f/UgYr
+bjmNOzgxt3zEELPgBcPVUEjuVVEMd3Xc24xFrtKaaSR0WBPPQ98Ut6Dtfzl/+aZ
hcT8zgkEItwlOKd4OU3cyKEsirwhp4Z5oQ0bqCrrDVSRdOMVDbrrY154s0Xgq8vh
ybrdYr6HARVc1SbeQ1LNdjtqRO+pDiJuFEVhwl336W2/qofkGFDc+OEcHdurKV2O
KgVGGlvp/EJT5y2LM8bllkB4vO4Tr1wFdcFiRHjx29LhmFapqFuYp5/kHI0NQyaF
4wIhdQm7Z/aIfGajEQD/wBTuCM83Obhvm9/5frGCZusv0lcBO+mE3FyOY3Z7av1g
+Cm1M3SEwYFc/e7Wwv+VNp+23A7mcYZsojb42WlX50LagZt3STwV61M3lhM0L5IJ
gieMfryg3YYBByQmrhqN3ykmuhlGC+v5CoQ=
=SZa1
-----END PGP MESSAGE-----

That chunk of text can easily be sent to the recipient inside of an email or other message. To make this process seamless you may wish to get a PGP addon for your mail reader. I use Enigmail for Thunderbird and it is really easy and effective. I just select to encrypt my messages and it automatically encrypts it to the recipients when I press send. It also detects encrypted messages and decrypts them for me.

This method works well for text but isn't ideal if you have attachments. You could encrypt the attachments and send them but the better solution is to use the PGP/MIME standard which allows you to encrypt the whole email, attachments and all. Enigmail will do this by just checking a box. I would recommend using this for email messages.

Instant Messaging

For instant messaging you can use XMPP (aka Jabber) which besides being an open standard and a decentralized system has support for encryption. XMPP offers two types of encryption. One type is TLS which is used to encrypt your message during transit. The downside to this method is that any intermediate servers (your server and their server) still have access to the message. This means that if you are using Google Talk as your XMPP server Google will still have access to your messages. This is not an issue if you and your recipient run your own XMPP server. The second method solves this problem by using PGP to encrypt the actual messages sent and they can only be decrypted by the receiver, the same way PGP in email works. Many XMPP clients have support for PGP messages.

Files

PGP handles files just as well as it does text. You can use keys; or a pass phrase if you prefer. Simply encrypt the file then send it wherever you need it. However, if you want to encrypt your local hard disk, so that your information is safe even if someone gets your computer/hard drive I would recommend TrueCrypt. TrueCrypt encrypts all data on your hard drive (or a part of it if you wish) and you need to decrypt it (by entering the password) every time you want to use it, (usually every time you boot up your computer). This doesn't provide any protection against programs running on your computer or when you send files over the internet but is a nice layer of security if you are worried about someone getting physical access to your machine, especially on mobile computers.

Live Voice and Video Messaging

One of the main things that the government is tapping into is the phone system. The phone system is not secure and should not be trusted to keep messages private or ensure that messages are not altered. One solution is the Jingle XMPP extension. Jingle allows live audio or video sessions through a direct connection to another user. This connection can be encrypted to ensure no one is eavesdropping or modifying your calls. Almost all XMPP clients support the Jingle extension out of the box.

Another solution to live voice messaging is Mumble. Mumble uses SSL certificates for all of its connections so all data is encrypted. Mumble is also nice because it is designed for many participants and is very efficient even when a large number of people are in the same channel. Mumble also has the issue that the server can see the information but generally the server isn't recording the calls. This can again be solved by hosting your own server.

Web Browsing

Another thing to worry about is that you are being watched by your ISP. They can be monitoring and recording everything you do online. There is a way around this though and that is HTTPS. This encrypts your session to websites you visit so that anyone watching your web traffic knows what site you visited but they can't tell what pages you visited and what was on those pages. Unfortunately, most sites don't use HTTPS by default. But, while they don't use it by default most sites do support it you just need to ask. This can generally be done by changing the http:// in front of the URL to https://. There are also browser extensions that will do this for you. I use HTTPS Everywhere to automatically give me the HTTPS versions of sites that are known to have HTTPS. I also use HTTPS finder to try and detect other sites that support HTTPS and asks me to add a rule to HTTPS everywhere if one is found.

When you are using HTTPS people can still tell what sites you have accessed. There are also some sites that do not support HTTPS. A solution to this is to use Tor, which is a way to anonymize your internet traffic. This way someone who is watching you can't tell what servers you have accessed or data you have sent. It also encrypts it until the final leg of its journey where it is actually sent to the requesting server. If you are using HTTPS then this final leg is still encrypted. Tor can also be used for many or all programs depending if your operating system or individual programs support using proxies.

Conclusion

The reason why people are worried about the government getting access to their private information is because they have given information to untrustworthy sources (usually companies who can be forced to hand it over). If you restrict who you trust you can easily live your life in a way which the government (or other people) are unable to view your private information.

While it may be a pain to adopt some of these systems they are very easy to use once you get into it. The hardest problem will probably be convincing others come aboard. While these aren't the only forms of encryption and privacy protection available they are some of the easiest, most popular and well supported. These solutions cover all of my needs and as long as I stay within these bounds I don't have to worry about anyone snooping around in my beeswax.

No comments:

Post a Comment