THE Washington Post has published four slides, leaked from the US’s National Security Agency (NSA), which outline how data is collected through the Prism programme.
The process is simple: after an NSA analyst identifies a surveillance target and a supervisor endorses it, data collection can begin. Say you’re one of these targets or you don’t want to be incidentally monitored. How can you minimise the data you share?
Commentators agree the Prism technology is based on optical fibre “wiretaps” placed at the connection of internet providers to companies like Google, Yahoo and Facebook in the US.
A copy of the optical signal is split off and routed to a room operated by the NSA, where it is indexed, categorised and shipped back to the NSA for analysis. Most of the traffic on the optical fibre is transmitted using plain text protocols – packets containing a plain text header and a payload.
If the payload is encrypted, the NSA can probably decrypt it, but here are 10 ways to minimise the likelihood of the NSA monitoring your internet and voice traffic.
1. Encrypt your internet traffic
In the URL field of the browser, type in “https://” before the domain name. Your browser will download a certificate from the website and use it to exchange an encryption key so all your traffic is encrypted. If you don’t see “https” in the URL field, it’s not encrypted.
2. Check encryption used by the websites you visit
Not all websites use good keys or encryption algorithms. Test the sites you visit at ssllabs.com and ask them to improve their security.
3. Disable internet use tracking
There are two ways to prevent website tracking: black listing and white listing. Black list programs, such as PeerBlock, block known spyware sites. NoScript is a white list system, and turns off JavaScript (a programming language that runs in your browser) when you visit a site unless the site is on the list. Most tracking uses JavaScript, so turning it off makes it harder for the spies to track you. (but not impossible).
4. Encrypt your files
If you upload files, you might want to control who reads them by password protecting them. Use a serious encryption system that scrambles the file contents with a really big key and strong algorithm, such as TrueCrypt.
5. Trust no one
Do you use Dropbox? iCloud? Other cloud services? Do you have a password? If you do, so do they. If you forget your password, can they tell you what it is? Some cloud services offer accelerated uploads and syncing. They can do this because they know what you’ve uploaded. It also means they have the key and can provide it to the NSA. The only way to be sure is to encrypt your files before they leave your computer. Don’t use the provider’s encryption software. Use open source software, so any hidden back doors will be discovered. AxCrypt is a nice example.
6. Tunnel your traffic
Every message (or web request) you send on the internet has headers – with your address, the destination address, the date and time. Anonymising services and products attempt to obscure your web behaviour by mixing your traffic with other people’s traffic. Install a proxy server or a virtual private network (VPN) client, which encrypts your traffic and sends it to another location, where it is decrypted. The NSA can read the traffic once it leaves the tunnel, but can’t separate your traffic from the traffic of other users of the system.
7. Secure your kit
To be sure your PC is free of all unwanted software, you can use a read-only operating system. There are many bootable Linux distributions that detect your hardware at boot time and contain pre-installed programs such as web browsers and VPN clients. Puppy Linux (really fast) and Privatix (really secure) are good examples.
8. Safe text
Texting is not secure. Skype chat is monitored by Microsoft. E-mail normally uses unencrypted protocols and is not secure. Even sending e-mails through websites is no guarantee of security as most mail servers communicate with each other using plain text protocols containing the message, sender and recipient.
It is possible to install Pretty Good Privacy (PGP) – an “uncrackable” e-mail encryption – but it’s difficult. Gateway devices can implement PGP at the edge of your network, so you can exchange encrypted e-mail with minimal configuration. Phone apps such as Silent Circle and iChat can encrypt text messages. CryptoCat does a similar thing through the web.
9. Anonymous searches
We all know Google caches our search terms and profiles us – it’s how they generate revenue. But there are other search engines less interested in what we are doing, such as Duckduckgo and Startpage. Another option is to use a different Google (such as google.de or google.ca) or Tor (anonymity software) or a VPN to access Google from a different country.
10. Voice
Smartphones are great, but they are really little computers and vulnerable to malware, phishing scams and a range of malicious phone apps. Skype voice encryption has been weakened by Microsoft to allow lawful interception. Probably the best option for voice security is the BlackBerry – if you are not in a country where the government has compelled Research In Motion (the company behind BlackBerry) to install a server so local police can intercept calls.
None of these suggestions can protect you from a determined adversary, but they can make things more difficult. – New Zealand Herald
* James Hamlyn-Harris is a lecturer at Swinburne University of Technology in Melbourne
Use of ‘anonymous’ search engine rockets
“Anonymous” search engine DuckDuckGo has announced record usage numbers after the Prism scandal has spurred public distrust of internet companies tracking individuals’ data.
Though not truly anonymous, DuckDuckGo aggressively filters spam site-like content farms (sites designed to make money from advertising revenue), doesn’t track users’ searches, and doesn’t create a “filter bubble” for each individual (that is, it doesn’t alter search results to reflect what a user might prefer to see).
A tweet from the firm tracking the number of searches a day said: “It took 1 445 days to get 1M searches, 483 days to get 2M searches, and then just 8 days to pass 3M searches.”
The essential difference between Google and DuckDuckGo is that for the latter each search request is a separate event – it could still be tracked by someone who had already infiltrated your computer, but it will not aggregate the data of your searches to create a profile, like Google does. – The Independent