KEEPING
THE GOVERNMENT OUT OF YOUR COMPUTER |
By A.
Kronstadt |
|
ITS THEIR
SYSTEM |
The government
pretty much invented the Internet, and since its
inception government agencies—in particular the National
Security Agency (NSA), Army and Navy intelligence, the
FBI, and the DEA—have been developing and deploying
means of finding out what you and I have been doing out
there. Indeed, many of the Internet privacy and
encryption techniques that we will mention here as ways
of protecting our own data were originated by the very
same government inquisitors that we may be trying to
protect ourselves from when we use them. For example,
the Tor anonymity network was pioneered by the Navy as a
means of protecting their own data online, and anyone
using it should realize that there might be and probably
are back doors built into all of these systems whereby
the government can find out whatever it wants to find
out. |
|
ENCRYPTION
IS A RIGHT |
That does not
mean, however, that it is futile or useless to try and
protect our data via the same techniques that the
government and big business use to protect theirs.
Encryption is not just a technique that the military
uses in wartime. It is not just something that
criminals, terrorists, and human traffickers use to hide
their nefarious activities, but is fundamental to the
existence of personal property in the digital age. The
only reason why the money that you have in your bank
account belongs to you and not to any Tom, Dick, or
Harry that walks into an ATM is that the bank data has
been encrypted and only your PIN number will activate
the algorithm that decrypts it. Your four letter PIN
number is actually a diluted form of encryption—to
protect their own assets banks use 64-character
encryption keys stored on USB drives that their top
executives carry around on their persons at all times.
The ruling rich are not stupid and we should not be
stupid either. |
|
The average
computer and Internet user wants to protect his or her
data because money and credit card numbers are involved
and because certain things that we do are just plain
nobody else’s business. In the former Soviet Union, if
you bought a typewriter you were required to register it
with the government and provide the KGB with a sample of
the text that it produced so that if incriminating
writing turned up they could trace it back to its
author. Presumably we do not have to live like that in
the good old U.S. of A. |
|
WHO IS
WATCHING AND HOW |
Many computer
users simply leave themselves open to snooping by
individuals who do not even have extensive spying
resources. A wireless connection is often the weak link
in a network; for example, an activist organizing center
might provide free wireless to people who come into
their offices without realizing that if the wireless
router is connected to their network and the wrong
person gets hold of the password, such an individual
could gain access to other peoples’ e-mail or instant
messaging or install spyware on the snetwork, or even
disable it altogether. |
|
The infamous
Magic Lantern system used by the FBI during the early
part of the millennium was a spyware application that
would be installed on the system clandestinely by
someone gaining access to the file system (or by getting
the user to click on a booby trapped link in an e-mail
or pop-up on the Web); the program would then log the
user’s keystrokes, save them in a file, and periodically
send them back to the FBI server. This type of
“keylogger” software is particularly insidious because
it can circumvent any encryption technique no matter how
sophisticated. What use is encryption if the FBI has
already recorded the original text that you typed before
it was encrypted, or if they are recording the key that
you type in order to decrypt the text? |
|
Government
spyware like Magic Lantern and its successors, although
no different in principle from malware or viruses
created by individual hackers, will in most cases NOT be
detected by commercial antivirus software applications
like McAfee or Norton antivirus because the government
has agreements with such companies to leave this type of
“policeware” out of their virus-detection algorithms.
Only a handful of antivirus companies have stated
unequivocally that they would not leave a back door in
their software for malware used by law enforcement:
these include the Finnish developer F-Secure and the U.K
developer Sophos, so concerned readers might want to
check out products offered by those firms. |
|
In general, to
avoid penetration of your system by either hackers or
government agencies, and to keep your system free from
any form of malware, you should strictly avoid clicking
on any link in an e-mail unless it is from a verified
user. Even if you know the sender, one should first
right click the link to make sure that it represents a
reasonable looking URL that spells something
recognizable. Particularly dangerous are URLs that are
all numbers and short URLs that give no indication of
where they go. Do not click these. Always set your
browser to block pop-ups and never click on anything
that looks like a pop-up or on anything that is ordering
you to to click on it. |
|
THE FIVE
EYES ARE UPON YOU |
In a series of
2013-2014 broadcast interviews, former NSA subcontractor
and now-exiled whistleblower Edward Snowden revealed the
NSA’s overall “signal intelligence” goals manifested in
their secret XKeyscore system. The NSA maintains 700
servers globally for purposes of “digital network
intelligence” in cooperation with the intelligence
services of the other members of the“Five Eyes”
nations--Australia, Canada, New Zealand, the United
Kingdom and the United States—who, since the inception
of the Internet, have used data gathered by each other’s
spying agencies to circumvent their own nations’ laws
restricting domestic surveillance. |
|
Was Snowden
exaggerating when he stated the following on German
radio in January 2014? |
|
…You can
tag individuals… Let's say you work at a major German
corporation and I want access to that network, I can
track your username on a website on a form somewhere, I
can track your real name, I can track associations with
your friends and I can build what's called a
fingerprint, which is network activity unique to you,
which means anywhere you go in the world, anywhere you
try to sort of hide your online presence, your identity. |
Snowden
described XKeyscore as a huge database accompanied by a
search engine similar to what is |
provided by
Google or Bing for searching the Internet, but this
system searches through terabytes of data gathered
clandestinely by the NSA, allowing their personnel to
read the emails and access the browsing histories and
Google search terms that web users have entered, with
links to any associated activity at the targeted email
and IP addresses. He estimated that the NSA is
collecting the data equivalent of the whole Library of
Congress every 14.4 seconds. Instrumental to XKeyscore
is the Special Source Operations division, the “crown
jewel of the NSA” which, according to Snowden, obtains
access to the world’s main fiber optic cables via
partnerships with private telecommunications giants. |
|
Telecommunication
companies are legally obligated under the FISA
Amendments Act of 2008 to record and retain customer
data for a certain period and turn over any data that
matches certain court approved search terms known to the
government and the telecom companies but not to the
customers who are being surveilled. Companies like Time
Warner/Spectrum and Verizon are also obligated under the
Communications Assistance to Law Enforcement Act (CALEA)
of 1994 to incorporate into all broadband Internet
services the ability of law enforcement agencies to
intercept any targeted item of traffic. These companies
are also required to give the FBI access to the IP
addresses of people suspected of illegal
downloads/copyright violations under the Digital
Millenium Copyright Act (DMCA) of 1998. While the FISA
Amendments are Bush-era legislation, CALEA and DMCA were
signed into law by Bill Clinton. Neither the Democrats
nor the Republicans have been friends of our right to
privacy online. |
|
Should we take
Snowden’s revelations in the spirit of paranoia and
assume that there is no privacy at all when we are
online? The answer is relative, in the sense that
although we are being recorded, government spies are
probably not actually pulling up your data in their
XKeyscore search engine unless they are interested in
you for some reason. Most security that an ordinary
person experiences de facto on line is “security through
obscurity”, meaning that nobody at any of the snooping
agencies have become interested in what that person is
doing. If you are not Edward Snowden or Julian Assange
and have not communicated with someone who has
communicated with someone else in whom the government is
interested , maybe they have not yet distinguished you
from the other couple of billion users of the Internet.
In that case maybe you don’t have to do anything at all
to scramble your data. If it still bothers you that the
NSA potentially has records of your communications with
your bank, or if you are in the habit of mining data for
research or journalistic purposes and do not wish to
leave an online trail of the people whom you are
checking out or the information that you have obtained,
there are ways of making it less easy for them. |
|
MAKING IT
HARD FOR THEM: VPN, TOR, and VERACRYPT |
Your Internet
Service Provide (ISP), for example Verizon Fios or
Spectrum (formerly Time Warner Cable), records the IP
address of every computer that you contact with your
browser. They can do this because you are using their
servers to contact the servers that administer the Web
pages that you visit and the e-mail accounts of the
people you are communicating with. If you are surfing
the Web in the ordinary way, these big corporations will
have a complete record of every Web page that you visit
and the recipient of every e-mail that you send. |
|
It is possible
to surf the Web more privately by using your regular ISP
to log into a virtual private network (VPN), which is
another server somewhere else in the world which you
will then use to actually contact other servers on the
Internet that host the Web pages that you wish to view.
Your ISP will then only know that you logged into the
VPN, but will not record the specific Web sites that you
visited after having done that. The Opera browser, an
alternative to Internet Explorer and Mozilla, gives the
user the option to route all traffic through a Norwegian
VPN which will then handle all further Internet
activity. Of course, the administrators of the VPN
continue to have access to your information, but by
using the VPN you have already forced anyone who wants
to snoop on you to contact two separate entities, your
ISP and the VPN, in order to reconstruct what you have
done; hence, you have made it more difficult for them.
If you were actually suspected of a serious crime or if
the NSA were really interested in you, the snoops would
go through all of that trouble, but if you are just
trying not to expose your private business to the world,
a VPN might be helpful. There are numerous VPNs, some
free and some commercial; these can be searched online.
Some, like the Opera browser only protect Web surfing,
but there are others that cover e-mail and other
Internet activities. |
|
Internet users
wishing an additional layer of security might want to
consider the Tor Network, which is similar to a VPN but
switches you between routers periodically so that you
are not on the same network all of the time;
encryptionmakes it impossible for the next router to
know the IP address of the previous one. An advantage
here is that the information is split up among different
servers, and neither your ISP nor the administrators of
any of the other servers involved will see anything but
fragmentary encrypted gibberish. |
|
The open-source
Tor Project makes no secret of the fact that it receives
grant money from the U.S. Navy and the NSA, and that
both of those agencies make use of the Tor Network for
their own secure communications and are spearheading
research on both strengthening and cracking Tor. This
should be an indication to those wishing to try Tor for
enhancing their own online privacy that (1) the
government has done plenty of research on the system and
can probably circumvent it if they really want to, and
(2) that the system works and may actually be useful for
routinely maintaining privacy. The easiest way to
install Tor on your computer is to download the Tor
browser from the Tor Project’s Web site. |
|
Another
revelation of Edward Snowden that needs to be kept in
mind is that the XKeyscore system records the IP
addresses of everyone who downloads the Tor Browser or
even visits the site to check out the documentation, and
that searches that include keywords related to VPN or
even Internet privacy in general are logged by XKeyscore
servers. If you value “security through obscurity” more
than the technological fix, you might decide to leave
well enough alone. Also, certain Web sites, particularly
Federal ones, will reject users trying to access them
through Tor or VPN networks, limiting the usefulness of
these tools for doing research anonymously. These are
risks and benefits that must be weighed on a case by
case basis. |
|
If you have
sensitive information of any kind on your hard drive, be
it political, personal, or financial, there are ways of
encrypting it so that online snoops or perhaps more
immediately people who have physical contact with the
machine itself cannot gain access. VeraCrypt is an
open-source encryption program that may be useful for
keeping sensitive files out of the hands of the more
casual intruder. Using VeraCrypt it is possible to
create a “hidden volume,” which is a virtual drive
represented by a drive letter like your hard drive, but
only accessible when the encryption key has been entered
into the VeraCrypt program. Until the encryption key is
entered, the hidden drive is just an ordinary looking
file (which cannot be opened and just contains
apparently random bytes) that resides anywhere you put
it on your hard drive; when you turn off your computer,
the virtual drive disappears and becomes an ordinary
file again. We must keep in mind once again that much of
the research behind VeraCrypt and other encryption
programs, particularly the theory behind the encryption
algorithms, was sponsored by the NSA. That is just a
fact of life in the world of encryption and it does not
stop business institutions from using these algorithms
to protect assets worth billions of dollars. |
|
Government
officials will contend that we need to sacrifice privacy
for security, and that we need to allow the government
to have a back door into our data to stop the so-called
bad guys. However, the ruling rich who have a financial
stake in keeping their data under control do not
subscribe to this doctrine, and neither should we. If
anything, the government should be forced to share its
encryption keys with the people so that we can keep tabs
on what they are doing that affects our lives. |