Privacy Encryption

Keeping Your Data Private From the NSA (And Everyone Else) 622

Posted by Unknown Lamer
from the secret-nsa-quantum-computer-knows-all dept.
Nerval's Lobster writes "If those newspaper reports are accurate, the NSA's surveillance programs are enormous and sophisticated, and rely on the latest in analytics software. In the face of that, is there any way to keep your communications truly private? Or should you resign yourself to saying or typing, 'Hi, NSA!' every time you make a phone call or send an email? Fortunately there are ways to gain a measure of security: HTTPS, Tor, SCP, SFTP, and the vendors who build software on top of those protocols. But those host-proof solutions offer security in exchange for some measure of inconvenience. If you lose your access credentials, you're likely toast: few highly secure services include a 'Forgot Your Password?' link, which can be easily engineered to reset a password and username without the account owner's knowledge. And while 'big' providers like Google provide some degree of encryption, they may give up user data in response to a court order. Also, all the privacy software in the world can't prevent the NSA (or other entities) from capturing metadata and other information. What do you think is the best way to keep your data locked down? Or do you think it's all a lost cause?"
  • by Anonymous Coward on Wednesday June 12, 2013 @12:56PM (#43986387)

    I don't want "it all". I just want our government to respect our rights and our Constitution. Is that too much to ask?

  • by Lunix Nutcase (1092239) on Wednesday June 12, 2013 @12:57PM (#43986407)

    Those who worry are usually those who have something to hide or something criminal in the works.

    You won't mind me wiretapping your phones, installing cameras in your home and adding keyloggers to your computers? You're not a criminal with anything to hide, right?

  • by atom1c (2868995) on Wednesday June 12, 2013 @01:00PM (#43986455)

    That's silly. Privacy is a constitutional right -- so important that it's part of the original Bill of Rights (first 10 amendments). To state that the desire to MAINTAIN your right to privacy means you have ill intent to "do wrong" (whatever the hell THAT means) is saying that nobody has any rights whatsoever -- since whatever is "granted" is as easily revocable and ostensibly temporary.

    Furthermore, what constitutes "wrong"? Who's the judge? It's a moral characterization to actions of an inalienable right afforded by our founding fathers. Your statements simply don't make sense.

  • Lol (Score:5, Insightful)

    by lightknight (213164) on Wednesday June 12, 2013 @01:05PM (#43986557) Homepage

    As with all things, assume that your communications are going to be monitored, whether electronic or not. I know, I know, it's not the answer you want; but the truth is...we put innocent people to death. If we are willing to do that, and not tear down our societies in an act of grief over the loss of a single innocent life, looking deeply within and without as to how or why we allowed this to happen, and how we can prevent it from ever happening again, then caring about protecting your privacy from the monsters waiting outside your door is the wrong approach. You're fighting Evil himself, and he aims to win by any means; if putting a gun to the head of one of your children to get you to decrypt your hard drive is what it takes, then he will do it, no hesitation.

  • by gstoddart (321705) on Wednesday June 12, 2013 @01:07PM (#43986585) Homepage

    Bottom line, you can't care about this, unless you do wrong or plan on doing wrong.

    "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him." Cardinal Richelieu.

    See, when your government spies on everything you do, sooner or later someone will come along and decide that since they already have this information, they can use it for other things.

    If you don't grasp this, I suggest you read more about Joseph McCarthy -- America is entirely as capable of political persecution as any other government.

    Bottom line, with your attitude, you deserve to be dragged off in the night, because you're part of the problem with the complacency and people not seeing what's really wrong here. That's kinda how I see it.

    Since you're not part of the solution, you are the problem.

    Twenty years ago, the US would make jokes about "papers please" and the Soviets. Now, that's just normal routine.

  • Re:SneakerNet (Score:4, Insightful)

    by meta-monkey (321000) on Wednesday June 12, 2013 @01:10PM (#43986641) Journal

    The USPS, however, still takes a picture of both sides of every envelope (and obviously time, date, location) and stores it.

  • by 1s44c (552956) on Wednesday June 12, 2013 @01:12PM (#43986665)

    The old 'if you are innocent you have nothing to fear' argument. I thought that one went out of fashion when the German Jews realized that being innocent is no defense against tyrants.

  • by Capt.DrumkenBum (1173011) on Wednesday June 12, 2013 @01:13PM (#43986691)
    This is the kind of crap that was held up as examples of why communist countries were so much worse than the US.
    People, the government is supposed to work for you, not the other way around.
  • by Dputiger (561114) on Wednesday June 12, 2013 @01:15PM (#43986723)

    The problem with heavily encrypted solutions is that they rely on human perfection. There was a story a few months back about Sabu. He eluded the FBI for months until, in a hotel room, he made the mistake of logging into IRC without using Tor first.

    That was all it took. One non-Tor login, and the FBI had him.

    Human beings are not designed for constant watchfulness. We make mistakes. We screw up. Even if *you* stay perfect, the person or persons you're communicating with may not, and if the FBI or NSA wants the details of what you're talking about, they can "break" the encryption at either end of the conversation. Maybe they can't find you -- but if they find the people you're talking to, they can still grab the info.

    I'm not saying that all security is useless, or that there's no benefit to raising the bar. My point is that the solution to this is to *stop spying.* Because, in the long run, almost everyone screws up.

  • by j1976 (618621) on Wednesday June 12, 2013 @01:22PM (#43986821)

    So, in an effort to hide from NSA you go all out HTTPS. However, to avoid getting those pesky "this site is dangerous!!!" messages browsers show you on self-signed certificates, you buy your keys from any of the larger certificate authorities. Safe? Sorry, no. Almost all those CAs work under American jurisdiction, or on delegation from American CAs. Assuming NSA doesn't get the keys in other ways, all they have to do to get them is to ask the CA and the company would have to hand them over.

    With those private keys available they can listen in on the HTTPS conversations in real time, and there is no way for the participants of the conversation to know this.

    Amusingly enough, the safest bid (well, to hide from NSA at least) would be to use self-signed keys despite all the browser warnings.

    If you still want to get valid keys, here is an interesting discussion [riseup.net] on which CA to choose.

  • by Impy the Impiuos Imp (442658) on Wednesday June 12, 2013 @01:25PM (#43986877) Journal

    Those who worry are usually those who have something to hide or something criminal in the works. Bottom line, you can't care about this, unless you do wrong or plan on doing wrong. That's kinda how I see it.

    Security concerns are not about common people, or even criminals being tracked. It's about political opposition being tracked.

    Snowden said he could listen in on conversations of anyone he wanted, including powerful people, and proceeded to do so as a test. No one came to get him for doing so without a warrant.

    Among hundreds, maybe thousands of agents, it's trivial to insert an operative to listen to opposition.

    He says he has data ready to release in case he's arrested. I hope it includes embarrassing conversations of said powerful people. Maybe then these jackasses will wake up.

    All people want is a system design that tracks and records everything the government does, as it tracks and records everything we do, from Twitterers to opposition discussing political planning.

    That currently does not exist.

  • by Mysticalfruit (533341) on Wednesday June 12, 2013 @01:27PM (#43986893) Journal
    I'll presume that you're a troll, but you drag out the age-old "If you've got nothing to hide..." argument.
    Here are a couple of issues with this argument.

    1. Retroactive violation of new laws:
    Let's imagine that you're a smoker and that you smoke in your house. The government could pass a law saying "Smoking is not allowed inside any building. Anyone caught must pay a $500 fine." They can now either go back and look at their surveillance data and retroactively charge you for smoking in your house in the past or they can put you on a list of people to watch and then catch you smoking in your house.

    2. If this is your stance that you have nothing to hide.... I presume that you don't have shades. Why don't you post your credit card statement on your front door for your neighbors to inspect "Hey, you've got nothing to hide". In fact let's make your browsing history completely public. How about your health records?

    You may have nothing to hide but I suspect you're also not eager to share your personal details with the world.
  • by g0bshiTe (596213) on Wednesday June 12, 2013 @01:29PM (#43986937)
    While in theory I agree. Then again what the government is doing is criminal. Did you not see the /. post yesterday about relational metadata and how it can be used? It was a very interesting read, and I actually did RTFA. It showed how innocuous data mining like this could be used to identify people; in this case the data was used to show how seemingly innocent data could point to potential threats, in this case it was Paul Revere.

    I can fully see how this can be used to stop terrorist attacks, but so far we have finger pointing from every corner that says our intelligence community has had prior knowledge of several potential attacks and neglected to follow through. It is far more likely this will be used against law abiding citizens. What if I am a law abiding citizen but I begin speaking out against the injustices the administration is committing in the name of fighting terror and they use my data to pin point and come after me. I've committed no crime other than I could be labeled a terrorist for speaking up for my rights.

    The way I see it it's just another way the government can abuse or circumvent checks and balances that were put in place to protect our rights.

    Do you honestly want your government to know every minute detail of your life?
  • by holophrastic (221104) on Wednesday June 12, 2013 @01:29PM (#43986943)

    So let me get this straight. You've got a military that spends trillions of dollars. You've got eight national defence organizations screwing with your own citizens. And a) you think that you can dodge an organization that has spent that many dollars purely to find you, and b) you think that you don't have a cultural problem?

    Where do you think all of those funds come from? For every tax dollar that you spend, how much goes to military, para-military, and anti-crime organizations? How much of it winds up in actual crime? Are you spending more on anti-crime than you would on crime in the first place?

    Maybe you should solve the actual problem. Maybe you should start electing officials who spend your money on things that you like, instead of things that you dislike. I can't vote for you.

    And correct me if I'm wrong -- you see, my country earned its independence by asking nicely -- doesn't your country believe in violently fighting your own government to break free of restrictions to your freedoms? Have you forgotten how to do that? Your right to fight would seem to be the only freedom for which you do fight, and then you don't use that right to protect your other freedoms.

    One of these days, you'll wake up to realize that you've kept the right, but eliminated the opportunity. What good is the right to bear arms when you can't get away with using it?

  • by cdrudge (68377) on Wednesday June 12, 2013 @01:29PM (#43986949) Homepage

    But the NSA says it's just collecting the metadata on communications, not the actual communications. So while encrypting the message in your email may prevent them from (easily) reading your email, they still see that you sent or received an email and who it was coming or going to.

  • by Black Parrot (19622) on Wednesday June 12, 2013 @01:30PM (#43986957)

    This is the kind of crap that was held up as examples of why communist countries were so much worse than the US.

    People, the government is supposed to work for you, not the other way around.

    How many times in the last 12 years have you heard "the President's job is to keep us safe"?

    How many times in the last 12 years have you heard "the President's job is to keep us free"?

    Most people vote for low taxes, baseball stadiums, security theater, and enforcing their values on everyone else. Freedom and privacy get trumped by too many of those things.

  • by PetiePooo (606423) on Wednesday June 12, 2013 @01:32PM (#43986999)
    Wrong, wrong, wrong! And wrong!

    It's a common fallacy spouted by those who foist surveillance on us. See here, [theartofprivacy.com] here, [ssrn.com] or any other of the many hits when you search for privacy "nothing to hide" [lmgtfy.com]

    It goes right along with the "privacy and security are mutually exclusive" [securitymanagement.com] fallacy.

    People like you that are trading your long-term liberty and privacy for a current sense of security are going to rue this day eventually. These essential freedoms need constant vigilance. Many of our forefathers died defending them. They're rolling in their graves now seeing how so many are nonchalantly pissing them away.

    Here's your homework. Go read the Constitution of the United States of America. No, really. Read it line by line and understand why some say it's the most important and influential document created in the last 1000 years.
  • by AthanasiusKircher (1333179) on Wednesday June 12, 2013 @01:32PM (#43987005)

    2. Keep social network data private, more importantly don't post anything sensitive.

    Are you serious? How about "don't participate in an online social network"?

    Just knowing your set of friends or contacts is enough to extrapolate a huge amount of information about you. So, even if the ONLY data you provide a social network is your friends, that's already a LOT of information.

    The classic study on this was probably about five years ago now, where someone showed how it was possible to predict (to a reasonably high degree of certainty) whether you were gay or not using just your list of friends.

    More recently, it's been shown how easy it is to guess Social Security numbers -- for people of certain ages -- with just things like a birthplace (often same as home town) and approximate birth date, which can often be extrapolated just from a friend list. ("He's friends with a bunch of people all from the same town, and they're all about the same age -- probably high school friends, therefore....")

    Of course, the NSA probably can figure out your SS#, birthdate, birthplace, and similar information without going to any trouble. But the point is that you can often be significantly profiled on a social network even if you never post anything and only accept friend requests from people you know.

  • by SiliconSeraph (996818) on Wednesday June 12, 2013 @01:36PM (#43987079)
    They shouldn't just be working for you, they should be actively afraid of you. That's what keeps democracy going.
  • by meta-monkey (321000) on Wednesday June 12, 2013 @01:38PM (#43987121) Journal

    Exactly. We weren't secure in our homes because we had unbreakdownable doors, and we weren't secure in our papers because papercuts were too ouchy. We were secure(ish) because the constitution forbade the government from spying on us, and those who did so would be...I don't know, embarrassed?

    Now that's not the case. It's not secret spying anymore. It's routine, obvious, and "perfectly legal!"

    And worse, the storing. The perpetual storage. Never forgetting, always searchable. What you say today innocently will hang you tomorrow (and justly and legally at that!).

    CNN is making jokes by writing about the "Obama reads your email" meme. I wish Obama just read my email. It's boring. But it's not Obama reading my email that kept me awake last night. It was the endless rows of computers, parsing, sifting, correlating, profiling, and storing, forever. And with every record they can "buy" from every corporation.

    But at least they can't read my physical, printed papers without a warrant, eh? I feel so secure. Thanks, National Security Administration. You've done your job well, and a grateful nation salu^H^H^H^Hbows to you.

  • by meta-monkey (321000) on Wednesday June 12, 2013 @01:46PM (#43987237) Journal

    And don't say it can't happen here. It just did.

  • by meta-monkey (321000) on Wednesday June 12, 2013 @01:49PM (#43987289) Journal

    And encrypting it screams "hey look at me look at me I'm saying something I don't want you to know about!"

  • by Frobnicator (565869) on Wednesday June 12, 2013 @01:55PM (#43987381) Journal

    This presupposes that privacy is a right, rather than a privilege.

    This is part of the reasons we have so many problems with government. At the time the US government was formed the premise was:

    The people have all the rights; the government has no rights at all, except those granted by the people through the constitution.

    For most people today the belief is similar, except they swap people and government.

  • by Anonymous Coward on Wednesday June 12, 2013 @01:56PM (#43987387)

    Certificate-based encryption (like HTTPS) is only as secure as the certificates that sign sub-certs. If you accept certificates signed by a trusted CA, and that CA is compromised (i.e. controlled or accessible by the NSA, which all of them are), then you have no privacy, and all of your communications can be monitored without your knowledge or consent.

    Here's a good writeup on how it works:

    http://theorylunch.wordpress.com/2013/01/24/ca-mitm/ [wordpress.com]

  • by hawguy (1600213) on Wednesday June 12, 2013 @01:56PM (#43987393)

    How would you interpret this:

    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

    What part of that do you feel authorizes the government to collect detailed information about our private lives? Or do you think email is not "papers" because it's stored electronically and that if our founding fathers meant for email to be included, they would have had the foresight to include electronic document storage?

  • by AmiMoJo (196126) * <.ten.3dlrow. .ta. .ojom.> on Wednesday June 12, 2013 @01:56PM (#43987397) Homepage

    3. Don't engage in terrorism, they really hate that.

    Problem is that if they dislike you for some reason they tend to define whatever you do as terrorism. Even if you just happen to get blown up by a random drone strike while attending your friend's wedding you become a terrorist.

  • by meta-monkey (321000) on Wednesday June 12, 2013 @01:56PM (#43987401) Journal

    They are. Why else are they recording everything you do?

    Remember, Snowden has committed "treason." Treason means he gave aid and comfort to an enemy of The United States. The jihadists already knew they were being watched. Only the American people didn't. What enemy, exactly, did he give aid and comfort to?

  • by Medievalist (16032) on Wednesday June 12, 2013 @02:08PM (#43987585)

    Those who worry are usually those who have something to hide or something criminal in the works. Bottom line, you can't care about this, unless you do wrong or plan on doing wrong. That's kinda how I see it.

    Nope. You don't see it at all. Because illegal is not a synonym for wrong.

    Over 2000 years ago, Sun Tzu pointed out that when the laws imposed by the rulers are aligned with the customs and ethics of the people, societies are prosperous and resistant to crime, war and rebellion. When the rulers lose the way, as the corporate overlords of the USA have, the people become unhappy and the society becomes progressively more fragile over time. Eventually a neighbor invades or a province revolts and the rulers are replaced, because nobody's willing to die to protect them anymore.

  • by Charliemopps (1157495) on Wednesday June 12, 2013 @02:12PM (#43987633)

    But the NSA says it's just collecting the metadata on communications, not the actual communications. So while encrypting the message in your email may prevent them from (easily) reading your email, they still see that you sent or received an email and who it was coming or going to.

    You're forgetting: They are lying. They lied before each leak, and after were proven liars. Now they claim to have told congress "The least untruthful" thing they could. You think they are finally telling the truth now? lol

  • by GLMDesigns (2044134) on Wednesday June 12, 2013 @02:20PM (#43987773) Homepage
    The word "privacy" isn't used but please reread the 4th Amendment:

    The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

    Tell me if this isn't a more exact definition of privacy than simply stating: "People have a right to privacy."

  • by Beardo the Bearded (321478) on Wednesday June 12, 2013 @02:24PM (#43987807)

    That's why DHS was monitoring the anti-war protestors in Boston instead of looking for terrorists with bombs, right?

    Because TERRORISM!

    Face it, the jokers in power aren't Republican or Democrat. They're authoritarians.

  • by EvilSS (557649) on Wednesday June 12, 2013 @02:28PM (#43987879)
    I think the problem, and I find this truly astonishing, is most people here don't seem to care! The only reason to keep the items recently leaked secret is to prevent public outcry over them. Same with classifying the numbers for these programs. Any terrorist smarter than a bag of rocks would have already assumed that we have the capabilities that we found out about last week. They are not that big of a stretch to imagine.

    My fear is now that it's out and the majority of people either don't care or outright support it, we have reset their expectation of what people will go along with and, thus, what they can get away with in secret.
  • by LordLimecat (1103839) on Wednesday June 12, 2013 @02:40PM (#43988011)

    Rumor is they've found a way to efficiently brute-force low-level AES.

    A rumor that hasn't been substantiated even after over a decade of analysis by top crypto experts around the world. Color me skeptical.

    I'm sure the NSA is good, but AES security has been pretty thoroughly tested, hammered, and inspected for chinks.

  • by Dr_Barnowl (709838) on Wednesday June 12, 2013 @03:08PM (#43988323)

    Right now it screams "I've heard of PRISM".

    Now is the best time to start routinely encrypting your communications, because you have a plausible reason to do so.

  • by m.ducharme (1082683) on Wednesday June 12, 2013 @03:23PM (#43988453)

    "And while 'big' providers like Google provide some degree of encryption, they WILL give up user data in response to a court order"

    I believe the correct statement would be:

    "And while 'big' providers like Google provide some degree of encryption, they HAVE GIVEN up user data in response to a court order"

  • by J'raxis (248192) on Wednesday June 12, 2013 @06:33PM (#43990397) Homepage

    Wrong. If Google cared, they could take measures to immunize themselves against court orders.

    Courts can only order that these businesses divulge data they have. Google could encrypt your email, docs, &c., that are stored on their servers using your login password, and so long as they don't store your login password, they cannot now decrypt the data. All they could respond to a court order with would be an encrypted blob and, "if you want the data, subpoena the owner and get the password from him." No more spying without the owner's knowledge.

    Google's encryption is just HTTPS, which is end-to-end between the user and Google's servers. It's great for protecting against MITM attacks, but useless to protect against Google themselves.

  • by DrVomact (726065) on Wednesday June 12, 2013 @07:25PM (#43990861) Journal

    Of course, the NSA probably can figure out your SS#, birthdate, birthplace, and similar information without going to any trouble. But the point is that you can often be significantly profiled on a social network even if you never post anything and only accept friend requests from people you know.

    The NSA can have anything it wants. First of all, they are not in the habit of asking permission, and they simply don't tell anyone what they are doing. Second, there have been perfectly legal ways for the government to buy your data for as long as marketing data has been kept and sold. It's perfectly legal for a private corp to buy your purchase history (via a credit card), the data that Google has mined out of your "free" email service, your transactions with any vendor who has a low integrity threshold (who doesn't?) So what keeps the government from buying it also? Nothing at all. If I were doing it, I'd set up a front corporation (like "Air America" of CIA fame) to buy the data so I don't get screaming headlines.

    The reason for all the hyperventilation is that three things have happened: agencies who lack the subtlety of NSA have gotten into the market, and they've done it directly—that is, they've outright seized the data instead of using the kinder gentler approach of greasing corporate palms. Third, the amount of data they have sucked has gotten so huge that it is impossible to manage without an army of low-level clerks. This is why an Army private and a contracted data massager can give the whole show away. With this many people involved, you are going to have leaks. I am surprised that there have been only two.

    I wonder. In order to fully capitalize on the amount of data they are collecting on us, will it be necessary for all of us to be employed by the US government as DB admins? Welcome to the new Greece.
