Not too long ago I posted Privacy and Data Security for the Normal Person and provided general steps the average computer user can take to protect privacy and security online. In the wake of the disclosures about NSA monitoring, many people have wondered what it would take to actually protect communications from being monitored by governments.
The short answer was provided long before the advent of the computer:
“Three may keep a secret, if two of them are dead.”
― Benjamin Franklin, Poor Richard’s Almanack
But, assuming that you have a secret that you’re willing to risk communicating to someone else, how can you do it while minimizing the chances that someone else will get access to it?
One thing that frequently gets mentioned is the idea of encrypting your email using something like PGP. The truth is that most of the world does not use email encryption precisely because it is hard to use. Something like SilentCircle’s SilentMail and BitMessage provide good alternatives.
While PGP and other tools can protect the contents of your messages, if you’re using any cloud-based service (like GMail) to compose your messages, the unencrypted versions of your drafts are leaving your computer and flying through the aether, which means they can be monitored. Also, if your recipients are using any cloud service, then once they unencrypt the message, it’s stored in unencrypted form on that cloud service. So, if you want to make sure that your encrypted messages have to be decrypted before someone like the NSA could read them, both you and your recipient have to be encrypting/decrypting your messages before they leave your computer. One way to do this would be to compose your messages in a word processor, encrypt the files and send them as an attachment to an email that your recipient can download and decrypt on his/her computer at home.
The next level of protection would be to follow the advice of this article from Scientific American on how to set up and manage your own email server. For the technically minded DIY-ers, this is a good way to take control of your own email, and there are advantages to this beyond some level of protection from commercial and governmental monitoring.
Be aware, though, that being responsible for your own email server means being responsible for your own backup and recovery. There are many cloud-based services that provide backup services, but, again, once your unencrypted data is in the cloud, it can be monitored. To protect information in the cloud, you can use something like Cloudfogger in conjunction with a cloud storage service like Dropbox.
Managing your own email server only covers the sending side of the equation, though. You need to make sure that your recipients handle their email securely, as well, which can limit the number of people with whom you communicate securely. On top of that, the first layer of what the NSA has been collecting, however, is not the contents of messages, but, rather the metadata associated with the email – who it is from, who it is to, etc. As this article shows, just using modern tools to analyze communications metadata can reveal plenty of interesting information.
So, in addition to you and your fellow communicators maintaining your own email servers and using them to send PGP-encrypted mail, if you really want to minimize the chances of being monitored:
Browsing: When browsing the net you can mask your identity by using an anonymizing tool like Tor. For search, rather than Google or Bing you can use an alternative like Ixquick, which says it does not log any IP addresses or search terms or share information with third parties. Ixquick also has a “proxy” service that allows you to look at other websites through the Ixquick service, so that you’re browsing of those other sites is also protected. However, there are some technical limitations and downsides to the proxy service.
IM/Text: For encrypted IM you can try Off-the-Record with Pidgin (Windows) or Adium (Mac) plugins. Like running your own email server, installing these services can be technically challenging and require patience. Options for more secure texting include Silent Circle’s SilentText and WhisperSystems TextSecure. Like email, your communications are only as safe as your recipients are willing to make them.
Online phone/video chats: For online phone/video chats, you can avoid the major services like Skype and Gchat by moving to more secure alternatives like Jitsi, which can be used for P2P encrypted audio/video chats or SilentEyes.
Telephone: The nice thing about phone calls is that the data is ephemeral. To protect your calls from eavesdropping or stop a government entity from obtaining metadata about who you are calling and when you could use an encryption app like Silent Circle’s SilentPhone or WhisperSystems’ RedPhone to make and receive encrypted calls.
At the end of the day, though, if a state actor wants to know what you’re talking about, they will find out.