While most people are aware to at least some degree the ease that government agencies can tap-in to our private communications and stored data, few do anything about it. Of course most of us wouldn’t know what to do or where to begin, but it’s worth remembering it’s not just your Assanges and Snowdens who are targeted.
Whether you’re an activist, journalist or politician, or work in human rights, research and development or intellectual property, you’re a potential target. And even if you’re none of those and think your safe, think again, because your data and communications are being stored in any case and could come back to haunt you.
Once upon a time such claims would have been treated with suspicion, but post-Snowden, those who’d been paying attention have had their worst fears confirmed.
“The line between [people in] crazy tin foil hats and informed sources has become very thin.”
And while the majority of surveillance is being conducted by the USA’s NSA (National Security Agency) the UK monitors a fair share itself with Snowden’s leaks revealing every piece of data that enters the UK is tapped and monitored.
It should also be noted that data the NSA collects can and is shared with UK agencies.
So IT security geek and open software advocate Arjen Kamphuis has published (online and for free of course) a practical guide- Information Security for Journalists – for the less tech savvy among us on how to start taking data security a little more seriously.
At a talk at the NUJ office in London last night (Weds) he warned that the scope of the NSA’s (the USA’s intelligence gathering outfit) reach is far greater than most had dared to suggest and that its ambition is “to have a copy of everything everyone does with a digital device”.
Whereas under the Stasi in East Germany the number of people who could be monitored at any one time numbered in its thousands, the NSA counts them in their millions before their vast computers flag-up individuals for a closer look.
Kamphuis warned that “merely searching for privacy software online gets you marked by the NSA as someone to watch” let alone downloading a copy of Tor (the anonymous browsing tool).”
The NSA seeks to monitor everyone’s email, video, photos, store data, Voip calls, file transfers and video conferences, he said, although, if you already use Hotmail, MSN, Yahoo, Facebook, YouTube, Skype, AOL or Apple then your data is already subject to surveillance thanks to the Patriot Act (which gave the US government legal access to their data – whether it’s stored in the US or abroad).
Kamphuis, who used to work for IBM, said data on the IT giant’s servers is also freely available to the NSA wherever they are located. “Everyone in the EU’s financial data is held in Brussels on IBM servers. They have access to all of that.” The same applies to sites with a domain name ending in .com, .net or .org – all essentially owned by the US government, he said.
He singled out the Apple iPhone as being of particular concern due to the data it stores about how it’s being used and the inability to remove its battery. “They even know if you’re walking up hill thanks to the sensor inside.”
But where data is not so readily accessible, the NSA has the Tailored Access Operations department to delve into private or uncooperative organisations’ servers or people’s personal computers using the sort of gadgets that appeared on 70s sci-fi films.
If it weren’t for the Snowden revelations many would question the existence and use of the James Bond-esque radio-controlled Cottonmouth-1 that fits inside a USB connector to monitor and modify data on the device it’s connected to.
Kamphuis said these devices can be quickly fitted to a product as it passes through a UPS postal depot anywhere in the world after it has been ordered by the person under surveillance.
So what about the terrorists?
So what about them? According to Kamphuis, there’s absolutely no evidence that what the NSA does is to catch terrorists. It’s to monitor those who seek to challenge or undermine the state or its financial interests and assist big business.
“Governments are at best completely incompetent or at worst your enemy.”
Traditionally when governments were caught surveying huge amounts of personal data they blamed incompetence, but “that excuse has its limits and I believe we’ve reached that limit,” Kamphuis yawned.
EU governments have known about Echelon – the US/UK data monitoring programme set up during the cold war – since 2000, according to Kamphuis, although the BBC article linked-to above suggests earlier. Yet, he said, despite being targets of US surveillance the EU have curiously failed to implement effective counter-measures that have been available since 2001.
Furthermore the EU has spent a trillion dollars on easily monitored US software since then most of which is available for free off the net in the form of non-propriety software, he said.
“This [US data intrusion] is the greatest violation of human rights in terms of number of people involved since 1945, but nothing has been said by the EU governments in terms of what they are going to do. Nothing.”
But, he admitted, most politicians seem to have no idea about data security, the reach of spy agencies or what they could and should do about it. He said the British government is using Microsoft email, so all of its communications are monitored by the US: “You wonder how can they be allowed to do that, well, most people don’t even know it’s happening.”
“Until the law is changed, the only protection you have is to stop the government getting its hands on your data.”
If the NSA really wants to monitor you they can. There’s nothing you can do about it, but together people can make it more difficult and expensive to do so.
It costs the NSA about $0.10 per westerner per day to monitor our data, Kamphuis claims, but that figure can be increased to $100 a day with a little effort and forethought – sufficient to keep you under the radar long enough to publish a story and protect a source.
But more importantly, if more and more people use counter-surveillance measures to protect their data and comms, mass surveillance becomes unaffordable so governments have to be more selective as to who they monitor.
Kamphuis admits maintaining good security for your data and communications can seem difficult, time consuming and tiring, but it’s important it’s done consistently to avoid a breach. However, the first step is to simply give it a try. There’s no simple solution.
The NSA confirmed encryption is a huge headache for them, he said, so start using PGP encryption, which requires the sender and receiver to use virtual keys to encode and decode the email. It takes getting used to and both parties have to sign up to it, but it works.
Encrypt your hard-drives too and secure them with a complex password. And always keep a secure back-up of your data.
Use complex passwords for anything important such as your computer’s log-in, access to a hard-drive or encryption passwords. Kamphuis suggested using 20 lower case letters in a password so that it’s easy to remember and type – or less where numbers, symbols and upper case letters are employed. But in any case: never write your password down. And don’t bother with extravagant passwords for your social media accounts and applications as the US already has access to those.
Use different browsers for different purposes. One for Facebook, regular email and applications where there’s no hiding your identity. One for working and reading news – Kamphuis recommends Firefox because of the extensive security-based plug-ins available. And Tor for browsing sensitive sites that are likely to be monitored. Despite it being slow it keeps your IP address and identity anonymous, but don’t ever log in from it.
Avoid hosting sensitive data on .com, .net and .org domained websites where the US has jurisdiction, Kamphuis said. Instead use domains from countries with stronger data protection laws such as Switzerland (.ch), Holland (.nl) and Germany (.de).
There’s even a special secure operating system that uses secure Tor and Firefox connections to browse. Linux Tails even has a camouflage mode where the wallpaper makes it look like you’re using Windows to anyone looking over your shoulder. Running it from a USB stick helps avoid any monitoring viruses on the computer you’re using.
But also simple measures such as getting someone to Tweet from your account back home when you’re travelling to another country – with your personal phone switched off – could help throw someone off your trail.