Shadow Logo
By A. Kronstadt

The government pretty much invented the Internet, and since its inception government agencies—in particular the National Security Agency (NSA), Army and Navy intelligence, the FBI, and the DEA—have been developing and deploying means of finding out what you and I have been doing out there. Indeed, many of the Internet privacy and encryption techniques that we will mention here as ways of protecting our own data were originated by the very same government inquisitors that we may be trying to protect ourselves from when we use them. For example, the Tor anonymity network was pioneered by the Navy as a means of protecting their own data online, and anyone using it should realize that there might be and probably are back doors built into all of these systems whereby the government can find out whatever it wants to find out.

That does not mean, however, that it is futile or useless to try and protect our data via the same techniques that the government and big business use to protect theirs. Encryption is not just a technique that the military uses in wartime. It is not just something that criminals, terrorists, and human traffickers use to hide their nefarious activities, but is fundamental to the existence of personal property in the digital age. The only reason why the money that you have in your bank account belongs to you and not to any Tom, Dick, or Harry that walks into an ATM is that the bank data has been encrypted and only your PIN number will activate the algorithm that decrypts it. Your four letter PIN number is actually a diluted form of encryption—to protect their own assets banks use 64-character encryption keys stored on USB drives that their top executives carry around on their persons at all times. The ruling rich are not stupid and we should not be stupid either.

The average computer and Internet user wants to protect his or her data because money and credit card numbers are involved and because certain things that we do are just plain nobody else’s business. In the former Soviet Union, if you bought a typewriter you were required to register it with the government and provide the KGB with a sample of the text that it produced so that if incriminating writing turned up they could trace it back to its author. Presumably we do not have to live like that in the good old U.S. of A.

Many computer users simply leave themselves open to snooping by individuals who do not even have extensive spying resources. A wireless connection is often the weak link in a network; for example, an activist organizing center might provide free wireless to people who come into their offices without realizing that if the wireless router is connected to their network and the wrong person gets hold of the password, such an individual could gain access to other peoples’ e-mail or instant messaging or install spyware on the snetwork, or even disable it altogether.

The infamous Magic Lantern system used by the FBI during the early part of the millennium was a spyware application that would be installed on the system clandestinely by someone gaining access to the file system (or by getting the user to click on a booby trapped link in an e-mail or pop-up on the Web); the program would then log the user’s keystrokes, save them in a file, and periodically send them back to the FBI server. This type of “keylogger” software is particularly insidious because it can circumvent any encryption technique no matter how sophisticated. What use is encryption if the FBI has already recorded the original text that you typed before it was encrypted, or if they are recording the key that you type in order to decrypt the text?

Government spyware like Magic Lantern and its successors, although no different in principle from malware or viruses created by individual hackers, will in most cases NOT be detected by commercial antivirus software applications like McAfee or Norton antivirus because the government has agreements with such companies to leave this type of “policeware” out of their virus-detection algorithms. Only a handful of antivirus companies have stated unequivocally that they would not leave a back door in their software for malware used by law enforcement: these include the Finnish developer F-Secure and the U.K developer Sophos, so concerned readers might want to check out products offered by those firms.

In general, to avoid penetration of your system by either hackers or government agencies, and to keep your system free from any form of malware, you should strictly avoid clicking on any link in an e-mail unless it is from a verified user. Even if you know the sender, one should first right click the link to make sure that it represents a reasonable looking URL that spells something recognizable. Particularly dangerous are URLs that are all numbers and short URLs that give no indication of where they go. Do not click these. Always set your browser to block pop-ups and never click on anything that looks like a pop-up or on anything that is ordering you to to click on it.

In a series of 2013-2014 broadcast interviews, former NSA subcontractor and now-exiled whistleblower Edward Snowden revealed the NSA’s overall “signal intelligence” goals manifested in their secret XKeyscore system. The NSA maintains 700 servers globally for purposes of “digital network intelligence” in cooperation with the intelligence services of the other members of the“Five Eyes” nations--Australia, Canada, New Zealand, the United Kingdom and the United States—who, since the inception of the Internet, have used data gathered by each other’s spying agencies to circumvent their own nations’ laws restricting domestic surveillance.

Was Snowden exaggerating when he stated the following on German radio in January 2014?

…You can tag individuals… Let's say you work at a major German corporation and I want access to that network, I can track your username on a website on a form somewhere, I can track your real name, I can track associations with your friends and I can build what's called a fingerprint, which is network activity unique to you, which means anywhere you go in the world, anywhere you try to sort of hide your online presence, your identity.
Snowden described XKeyscore as a huge database accompanied by a search engine similar to what is
provided by Google or Bing for searching the Internet, but this system searches through terabytes of data gathered clandestinely by the NSA, allowing their personnel to read the emails and access the browsing histories and Google search terms that web users have entered, with links to any associated activity at the targeted email and IP addresses. He estimated that the NSA is collecting the data equivalent of the whole Library of Congress every 14.4 seconds. Instrumental to XKeyscore is the Special Source Operations division, the “crown jewel of the NSA” which, according to Snowden, obtains access to the world’s main fiber optic cables via partnerships with private telecommunications giants.

Telecommunication companies are legally obligated under the FISA Amendments Act of 2008 to record and retain customer data for a certain period and turn over any data that matches certain court approved search terms known to the government and the telecom companies but not to the customers who are being surveilled. Companies like Time Warner/Spectrum and Verizon are also obligated under the Communications Assistance to Law Enforcement Act (CALEA) of 1994 to incorporate into all broadband Internet services the ability of law enforcement agencies to intercept any targeted item of traffic. These companies are also required to give the FBI access to the IP addresses of people suspected of illegal downloads/copyright violations under the Digital Millenium Copyright Act (DMCA) of 1998. While the FISA Amendments are Bush-era legislation, CALEA and DMCA were signed into law by Bill Clinton. Neither the Democrats nor the Republicans have been friends of our right to privacy online.

Should we take Snowden’s revelations in the spirit of paranoia and assume that there is no privacy at all when we are online? The answer is relative, in the sense that although we are being recorded, government spies are probably not actually pulling up your data in their XKeyscore search engine unless they are interested in you for some reason. Most security that an ordinary person experiences de facto on line is “security through obscurity”, meaning that nobody at any of the snooping agencies have become interested in what that person is doing. If you are not Edward Snowden or Julian Assange and have not communicated with someone who has communicated with someone else in whom the government is interested , maybe they have not yet distinguished you from the other couple of billion users of the Internet. In that case maybe you don’t have to do anything at all to scramble your data. If it still bothers you that the NSA potentially has records of your communications with your bank, or if you are in the habit of mining data for research or journalistic purposes and do not wish to leave an online trail of the people whom you are checking out or the information that you have obtained, there are ways of making it less easy for them.

Your Internet Service Provide (ISP), for example Verizon Fios or Spectrum (formerly Time Warner Cable), records the IP address of every computer that you contact with your browser. They can do this because you are using their servers to contact the servers that administer the Web pages that you visit and the e-mail accounts of the people you are communicating with. If you are surfing the Web in the ordinary way, these big corporations will have a complete record of every Web page that you visit and the recipient of every e-mail that you send.

It is possible to surf the Web more privately by using your regular ISP to log into a virtual private network (VPN), which is another server somewhere else in the world which you will then use to actually contact other servers on the Internet that host the Web pages that you wish to view. Your ISP will then only know that you logged into the VPN, but will not record the specific Web sites that you visited after having done that. The Opera browser, an alternative to Internet Explorer and Mozilla, gives the user the option to route all traffic through a Norwegian VPN which will then handle all further Internet activity. Of course, the administrators of the VPN continue to have access to your information, but by using the VPN you have already forced anyone who wants to snoop on you to contact two separate entities, your ISP and the VPN, in order to reconstruct what you have done; hence, you have made it more difficult for them. If you were actually suspected of a serious crime or if the NSA were really interested in you, the snoops would go through all of that trouble, but if you are just trying not to expose your private business to the world, a VPN might be helpful. There are numerous VPNs, some free and some commercial; these can be searched online. Some, like the Opera browser only protect Web surfing, but there are others that cover e-mail and other Internet activities.

Internet users wishing an additional layer of security might want to consider the Tor Network, which is similar to a VPN but switches you between routers periodically so that you are not on the same network all of the time; encryptionmakes it impossible for the next router to know the IP address of the previous one. An advantage here is that the information is split up among different servers, and neither your ISP nor the administrators of any of the other servers involved will see anything but fragmentary encrypted gibberish.

The open-source Tor Project makes no secret of the fact that it receives grant money from the U.S. Navy and the NSA, and that both of those agencies make use of the Tor Network for their own secure communications and are spearheading research on both strengthening and cracking Tor. This should be an indication to those wishing to try Tor for enhancing their own online privacy that (1) the government has done plenty of research on the system and can probably circumvent it if they really want to, and (2) that the system works and may actually be useful for routinely maintaining privacy. The easiest way to install Tor on your computer is to download the Tor browser from the Tor Project’s Web site.

Another revelation of Edward Snowden that needs to be kept in mind is that the XKeyscore system records the IP addresses of everyone who downloads the Tor Browser or even visits the site to check out the documentation, and that searches that include keywords related to VPN or even Internet privacy in general are logged by XKeyscore servers. If you value “security through obscurity” more than the technological fix, you might decide to leave well enough alone. Also, certain Web sites, particularly Federal ones, will reject users trying to access them through Tor or VPN networks, limiting the usefulness of these tools for doing research anonymously. These are risks and benefits that must be weighed on a case by case basis.

If you have sensitive information of any kind on your hard drive, be it political, personal, or financial, there are ways of encrypting it so that online snoops or perhaps more immediately people who have physical contact with the machine itself cannot gain access. VeraCrypt is an open-source encryption program that may be useful for keeping sensitive files out of the hands of the more casual intruder. Using VeraCrypt it is possible to create a “hidden volume,” which is a virtual drive represented by a drive letter like your hard drive, but only accessible when the encryption key has been entered into the VeraCrypt program. Until the encryption key is entered, the hidden drive is just an ordinary looking file (which cannot be opened and just contains apparently random bytes) that resides anywhere you put it on your hard drive; when you turn off your computer, the virtual drive disappears and becomes an ordinary file again. We must keep in mind once again that much of the research behind VeraCrypt and other encryption programs, particularly the theory behind the encryption algorithms, was sponsored by the NSA. That is just a fact of life in the world of encryption and it does not stop business institutions from using these algorithms to protect assets worth billions of dollars.

Government officials will contend that we need to sacrifice privacy for security, and that we need to allow the government to have a back door into our data to stop the so-called bad guys. However, the ruling rich who have a financial stake in keeping their data under control do not subscribe to this doctrine, and neither should we. If anything, the government should be forced to share its encryption keys with the people so that we can keep tabs on what they are doing that affects our lives.