Saturday, June 29, 2013

The NSA and You - Privacy in a Connected World

By now everyone has (hopefully) heard about the most recent scandal involving the National Security Agency (NSA) collecting data on everyone's "private" phone calls, emails, internet activity, etc. While I do agree that this activity is illegal, a violation of our rights, and not to mention wildly inappropriate in a nation formerly known as "the land of the free," I am not in the least bit surprised. You shouldn't be, either. Here's why.

The thing that makes the internet wonderfully awesome is that, at its core, it is really dirt simple. It's just a really great and (usually) efficient way of moving bits and bytes of data across networks of computers. It was never designed with security in mind - just simplicity. It's that simplicity that has allowed it to be used for so many different things, from email to streaming music videos to phone calls to shopping .. the sky's the limit, really. If it can be done by moving information from one point to another, it can be done on the internet. And the convenience and speed with which it accomplishes that simple task have become an inextricable part of our modern lives.

The thing is, we have also developed several unrealistic expectations when it comes to privacy on the internet. We expect our email and text messages, for example, to only be "opened" and read by the recipient - similar to when we send a letter via the US Postal Service. We expect our phone calls made over digital networks to be private, just like our old analog phones were back when you had to get a warrant and climb a telephone pole to establish a wire-tap. And for some reason that is incomprehensible to me, we also seem to expect information we post on public web sites like Facebook and Twitter to only be seen by people we want to see it and no one else. The thing is, these things just aren't so. Those of us who make a living in the computer industry and have been exposed to the internet and its internal workings for a long time know this, and it's about time the rest of the world did, too.

Your "private" email and text messages are not at all like a sealed letter going through the post office. They're more like postcards - able to be read, copied, archived, and even modified undetectably at any point during transit. The protocols that handle these "letters" were not designed with security in mind - they were designed to be dirt simple and fast. Security was to be the responsibility of the user, not the transporter. And don't even get me started about your Facebook and Twitter activity - you might as well be publishing your information in a newspaper or yelling it through a megaphone on a street corner.

"Well, what does all this have to do with the NSA spying program," you ask?

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

-- US Constitution, Amendment 4

Written as part of the original Bill of Rights, the Fourth Amendment pre-dates the internet by two centuries. However, it has been interpreted to apply to modern forms of communication like telephone calls, and presumably also to internet communications. At this point, before you continue, I'd like you to follow that link up there and read the Wikipedia page on the Fourth Amendment. Go ahead, read it. I'll wait...

So .. did you notice how much it's already been eroded over time by the courts? Did you notice how the government can basically look at anything you say or do as long as they can show you had no "reasonable expectation of privacy?" Did you notice how "reasonable" isn't clearly defined, so it can mean whatever they want it to? So, how do you think they will argue when you say your unencrypted email had a reasonable expectation of privacy? What about your unencrypted text messages?

What you need to know is that there's a very good reason the NSA and other government agencies and even corporations are spying on internet users the way they are: it's because it's so EASY, and because we let them in exchange for convenience. That's right, when you sign up for a Gmail or Facebook or Yahoo or whatever account, you usually agree to allow them to collect, analyze, and sell anything you do with that account. You basically waive your "reasonable expectation" of privacy by agreeing to the terms and conditions for your shiny and very convenient Google account. Don't get me wrong, I love the convenience these things offer - I even have 2 Google accounts myself! But I harbor no delusions about the privacy or security of anything I do online, because I know how the internet works. And now you have an idea, too.

"I don't use encryption because no-one I communicate with uses encryption."

-- Me

If you want the privacy afforded in the "snail mail" world by a "privacy envelope," then you need to use encryption, and you need to encrypt your messages in files on your own computer before you paste them into your GMail (or whatever web mail client you like) window. You need to learn about public key cryptography and secure passwords and entropy and a host of other complex and scary-sounding words. You need to learn about SSL and secure data destruction as well, along with all the shortcomings and vulnerabilities of these methods. Did you know that, for example, anything stored to your hard drive can be recovered after being deleted? This is true to the point that even so-called "secure data destruction" software isn't a guarantee. In fact, the standard FBI-approved method for secure data destruction involves melting the hard drive with a thermite bomb!

The thing is, encryption and security are HARD. Certainly harder than they were in 1789! Back then, if you wanted privacy, all you had to do was lock your papers up in your house, or talk to your buddy out behind the woodshed without anyone in earshot. Today, the "lock" is strong encryption .. the "secure envelope" is public key crypto with strong digital message signing and trusted public keys. And while some degree of anonymity and privacy can be had from Virtual Private Networking and projects like Tor, "behind the woodshed" remains unchanged: if you want real privacy in your communications, that's where you have to be - not on the internet and not through the mail. I think the real purpose of these tools, rather than to actually keep your stuff away from prying eyes, is to allow us to reclaim some of that "reasonable expectation of privacy" in case we're ever taken to court over something we said in an email. A lawyer could conceivably argue that the evidence, if seized without a warrant or probable cause (as in the case of NSA surveillance), was inadmissible if the user attempted to protect it with strong encryption.
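The "postcard versus sealed envelope" contrast above, and the advice to encrypt on your own machine before pasting anything into a webmail window, can be made concrete with a small Python program. This is an added example, not code from the original post: the post talks about public key crypto with digital signing, but the Python standard library ships no public-key primitives, so this demo stands in a pre-shared secret (the two correspondents are assumed to have agreed one out of band) with an HMAC tag for integrity; the encrypt-then-MAC construction, the HMAC-SHA256 counter-mode keystream, the secret and the message are all constructed for illustration and are not a substitute for a real OpenPGP implementation. What it shows is the property the post is describing: a hop in the middle can read and silently rewrite the plaintext "postcard," while the sealed envelope reveals nothing and any change to it is caught by the recipient before decryption.

```python
import base64
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def derive_keys(shared_secret: bytes):
    """Split one pre-shared secret into separate encryption and MAC keys (labelled HMAC)."""
    enc_key = hmac.new(shared_secret, b"envelope-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"envelope-authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a pseudorandom keystream (illustrative construction)."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def seal(shared_secret: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC; returns an ASCII 'armored' envelope that could be pasted into webmail."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message, never reused with the same key
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.b64encode(nonce + ciphertext + tag).decode("ascii")


def open_envelope(shared_secret: bytes, armored: str) -> bytes:
    """Verify the tag first and decrypt only if it matches; raises ValueError if altered."""
    enc_key, mac_key = derive_keys(shared_secret)
    raw = base64.b64decode(armored, validate=True)  # raises ValueError on malformed input
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("envelope too short")
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("envelope was altered in transit")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def relay_rewrites_postcard(postcard: bytes) -> bytes:
    """A hop in the middle changing a plaintext message; the recipient cannot tell."""
    return postcard.replace(b"Tuesday", b"Friday")


def relay_flips_bit(armored: str) -> str:
    """The same hop touching one byte of ciphertext inside the sealed envelope."""
    raw = bytearray(base64.b64decode(armored))
    raw[NONCE_LEN] ^= 0x01  # first ciphertext byte
    return base64.b64encode(bytes(raw)).decode("ascii")


def demo() -> dict:
    # Constructed sample secret and message; not real data.
    secret = b"correct horse battery staple -- demo only"
    message = b"Meet me Tuesday at noon."

    altered_postcard = relay_rewrites_postcard(message)
    envelope = seal(secret, message)
    try:
        open_envelope(secret, relay_flips_bit(envelope))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "postcard_as_received": altered_postcard,
        "envelope_reveals_text": b"Tuesday" in base64.b64decode(envelope),
        "envelope_round_trip": open_envelope(secret, envelope) == message,
        "envelope_tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the ordering in open_envelope is that the recipient never decrypts anything whose tag does not check out, which is the "strong digital message signing" half of the envelope; the base64 armor is there because a webmail window is a text box, so the encryption has to happen before the text ever reaches the browser.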

Anyway, the whole point of this article is to shatter your illusions of privacy online, and to provide you some search terms to check out if you're interested in trying to get some of those illusions back. Meanwhile, one simple rule applies: don't do or say anything on the internet that you wouldn't want Big Brother to know. Because if you think they're going to stop spying on us, you're even more delusional than I thought.