Week of 3.14.08
Protecting Your Privacy
More From NOW: Wiretap Whistleblower | Candidate Positions on Surveillance | Telecom Money in Congress | Protecting Your Privacy | Feedback Forum | TranscriptNOW spoke with Christopher Soghoian, a PhD student in the School of Informatics at Indiana University, and an expert on privacy and cyber-law.
Soghoian's answers (including his recommendations) are his own and do not represent the views of EPIC, Indiana University, or CNET, and do not necessarily reflect the views of NOW on PBS, PBS, or your local station.
NOW: Why should innocent Americans be worried about the government monitoring their private communications?
Christopher Soghoian: We all have a right to privacy. Many of us don't want strangers to know about our private lives—the medical problems we have, the medicines we take, who we date, who we speak to, which books we read.
Once information is collected and put into a database, who knows how it can be misused. Perhaps you'll be added to a TSA watch list, perhaps your insurance company will raise your insurance rates, perhaps it will be leaked to the newspaper if you become famous or run for office.
Professor Daniel Solove of George Washington Law School wrote a fantastic (and relatively short) paper with great responses to the frequently asked question "If you have nothing to hide, what do you have to worry about?." [Find it here]
NOW: Do we know what kind of information the National Security Agency is tracking and what it does with that information?
CS: We know that major telecom companies (including but not limited to AT&T) are providing the NSA with a direct pipe into the Internet backbone. That means that the NSA gets a copy of every e-mail, phone call, instant message, Internet search that flows over AT&T's network.
Even if you are not an AT&T customer, it is likely that a large percentage of your Web traffic flows over an AT&T line at some point between your computer and the remote destination. That is just how the Internet works.
The fantastic article in Monday's Wall Street Journal points to a gigantic surveillance infrastructure, that pulls in information from multiple sources. Credit reports, bank and credit card transactions, travel records (flights, hotels, etc), e-mail, Internet searches, mobile phone location information.
While the NSA getting access any one category of information is alarming—it is even more troubling when these sources are combined.
NOW: In laymen's terms, what kind of protections can average citizens employ to maintain their privacy? Are some protections stronger than others, or misleading?
CS: Rule 1: Don't do anything on the Internet that you wouldn't want your parents, wife or employer to see.
Rule 2: The same thing goes for the telephone.
Most Internet communications travel in the clear. That means that when you use a wireless network, anyone else nearby with a laptop can see the e-mails you send, the websites you surf, the instant messages you write. It is slightly better on non-WiFi networks, but you are still very exposed.
Use encrypted instant messaging. Mac users can install Adium (http://www.adiumx.com/), while Windows/Linux users can install Pidgin
(http://www.pidgin.im/). Both support encrypted instant messaging out of the box for AOL IM, MSN, Yahoo and Google Talk. No one watching the wire will be able to see what you type.
Encrypted e-mail is available, but to be honest, it is not yet simple enough to use for the average Joe.
While nothing is truly anonymous on the Web, there are technologies that can help you to surf the web as anonymously as possible. The Tor project (www.torproject.org) is the best of these. It is easy to install, and can make your Web-surfing anonymous from the peeking eyes of your telecom company or even next door neighbor.
For people who use WiFi at home: Make sure to turn on encryption in the router. Otherwise, your next door neighbor can watch which websites you visit. Creepy!
Turn on disk encryption for your computer. This is built-in to WindowsVista and Mac OS. It's just a matter of turning on a single option. If the police ever try to arrest you and look through your computer, they'll see gibberish.
If you don't want your financial transactions to be tracked, don't use credit cards—use cash.
Don't sign up for one of those supermarket loyalty cards. It doesn't matter if you use a fake name and address—especially if you pay for your groceries with a credit/debit card which is listed in your name.
If you don't want the government to know where you are at all times—turn off your mobile phone when you're not making a call. Once the phone is turned on, Verizon, Sprint and the other carriers know exactly where you are.
Don't use the same company for e-mail and search.
If you use Google mail—use Yahoo for search. If you use Yahoo mail—use Ask.com for search. Etcetera. You don't want Uncle Sam to be able to learn—everything—about you with just one subpoena. Make him work harder.
Assert your right to decline to show ID when you travel. TSA has no right to know who you are. Their job is just to make sure you are not carrying weapons. See Skip to the Front of the Airport Security Line.
NOW: Why does the government need to partner with telecommunications companies? What advantage does this give them?
CS: There are a few ways the government can get access to all the data they need:
1. They can force the telecom companies to do so. This requires a court order, probable cause, and at least some oversight by the court to make sure laws are not being broken.
2. They can pay the telecom companies to do so. This doesn't require a court order, probable cause and only costs the government money.
3. They can break in during the middle of the night, and install covert taps themselves.
It's not too surprising that option 2 is more appealing. Less oversight, less legal trouble (until they got caught).
It is important to note, also, that if the NSA does its surveillance outside of the United States, they do not need to go to the courts. The NSA can listen to two terrorists in Afghanistan talking without ever having to get a warrant.
The FISA court is only involved when the NSA wants to get the help of AT&T domestically.
NOW: Who has the edge in terms of invasive or defensive technology—the government and telecom giants, or citizens and private industry?
CS: The government has vastly more resources. However, there are fairly simple technologies out there that can make large-scale surveillance by the government significantly more difficult.
If every citizen encrypted their computer, the FBI would have a miserable time.
Likewise, if people used encrypted instant messaging, encrypted e-mail, or encrypted voiceover-IP (see: http://zfoneproject.com/), government wiretaps would be useless.
Finally, anonymous Web surfing tools like Tor would seriously hamper the NSA's wholesale Internet surveillance efforts.
Sure, the government could still spy on individuals if they wanted to by breaking into their home at 2 a.m. and planting microphones, cameras, etc. But they wouldn't be able to easily do it to 300 million people at once with the help of AT&T.
NOW: What are the most important things people DON'T realize about their privacy while using the Internet?
CS: They don't have any. Anyone could be watching. Your next door neighbor, the woman sitting across from you at Starbucks, some pervert who works for the phone company and who wants to read your text messages, or a spy working for the FBI or NSA.
Over the past few years, there have been multiple reports that the FBI abused the authority given to it under the Patriot Act.
NOW: Is protecting yourself from being monitored in this way a costly proposition? Is it legal?
CS: It's not expensive (in terms of money), but it can be inconvenient. We get significant benefits by using credit cards, mobile phones, etc. However, we sacrifice privacy in order to use these tools.
A mobile phone seems like a great device, until you find out that you're carrying around a location tracking device on you at all times.
Anonymous Web surfing with tools like Tor can be a bit slower than normal.
Privacy vs. speed. It's a tradeoff.
Protecting your privacy using these tools is 100% legal. It is not a crime to secure your own communications.
Electronic Frontier Foundation: Top 12 Ways to Protect Your Internet Privacy
Soghoian's CNET Blog: The day the wiretaps go dead
More about Christopher Soghoian
Christopher Soghoian is a PhD student in the School of Informatics at Indiana University. His research is focused on phishing , privacy and cyber-law. He is a nationally recognized expert in the area of airport security and was cited by the House Oversight Committee for his work exposing flaws in a website run by the Transportation Security Administration. He is the primary inventor of four pending patents in the areas of anti-virus defenses, phishing, mobile authentication and privacy preserving digital payments. He blogs regularly at http://www.cnet.com/surveillance-state/.
Back to Top