“Does the [National Security Agency] collect any type of data at all on millions or hundreds of millions of Americans?” Sen. Ron Wyden (D-Ore.) asked James Clapper, the director of national intelligence, during a Senate Intelligence Committee hearing in March. Clapper replied, “No sir...not wittingly.”
We now know that was a bald-faced lie. Or as Clapper nicely parsed it later, it was the “least untruthful” statement. The NSA has been collecting telephone and telecommunications data from tens of millions of Americans for years now.
The idea is that this data is collected but no federal spook actually looks at it unless additional information—say, a letter from Russia warning about a couple of Chechens living Boston—prompts them to winnow the data seeking connections that might indicate a person is up to no good. But it hasn't worked out that way. Christopher Soghoian, a policy analyst at the American Civil Liberties Union, likens the situation to having someone tell you that he wants to put a video camera in your bedroom but will not actually look at the stored video unless something bad happens later.
The NSA was able to obtain all that personal information about American citizens because the dominant Internet business model is to exchange free services for personal information that enables targeted advertising. When I interviewed Soghoian, he suggested that the free market has delivered us into a world that is insecure by default. But when I pointed out that Verizon and the other telephone companies are highly regulated semi-monopolies, Soghoian agreed, noting that the phone companies are subject to more regulation that Internet companies like Google or Facebook. That gives the government more opportunities for punishing them should they be recalcitrant when it comes to government demands. Soghoian added that the telephone industry has been practicing surveillance for 100 years already.
Seeking information on the nuts and bolts of technical steps that citizens might take to shield themselves from electronic snooping by the government, I talked with Mark Wuergler, a senior security researcher at the cybersecurity firm Immunity, Inc. “I have bad news for the average citizen,” Wuergler told me: In order to avoid monitoring by the government, citizens need to have control over their own hardware, networks, and servers and use encryption ubiquitously. He’s pretty certain that currently available methods for trying to maintain data privacy and security are so clunky and complicated that most Americans will simply not bother trying to use them. “It boils down to less convenient more secure; more convenient less secure,” Wuergler said. “You just need to assume that your data is being watched.”
Assuming that your data is being watched, what might you do to hide it?
First, consider not putting so much stuff out there in the first place. Wuergler devised a program he calls Stalker that can siphon off nearly all of your digital information to put together an amazingly complete portrait of your life and pretty much find out where you are at all times. Use Facebook if you must, but realize you’re making it easy for the government to track and find you when they choose to do so.
A second step toward increased privacy is to use a browser search engine like DuckDuckGo, which does not collect the sort of information—say, your IP address—that can identify you with your Internet searches. Thus, if the government bangs on their doors to find out what you’ve been up to, DuckDuckGo has nothing to hand over. I have decided to make DuckDuckGo my default for general browsing searching, turning to Google only for items such as breaking news and scholarly articles. (Presumably, the NSA would be able to tap into my searches on DuckDuckGo in real time.)
Third, TOR offers free software and a network of relays that can shield your location from prying eyes. TOR operates by bouncing your emails and files around the Internet through encrypted relays. Anyone intercepting your message once it exits a TOR relay cannot trace it back to your computer and your physical location. TOR is used by dissidents and journalists around the world. On the downside, in my experience it operates more slowly than, say, Google.
Fourth, there is encryption. An intriguing one-stop encryption solution is Silent Circle. Developed by Phil Zimmermann, the inventor of the Pretty Good Privacy encryption system, Silent Circle enables users to encrypt their text messages, video, and phone calls, as well as their emails. Zimmermann and his colleagues claim that they, or anyone else, cannot decrypt our messages across their network, period. As Wuergler warned, this security doesn’t come free. Silent Circle charges $10 per month for its encryption services.
You might consider encrypting the data stored on your computer using the free encryption software offered by TrueCrypt. If you keep data in the cloud, you might use SpiderOak, which bills itself as a “zero-knowledge” company. That means it does not have any way to decrypt the data you store with it. However, SpiderOak will provide personally identifiable information about users to law enforcement if required to do so by law. The company offers two gigabytes of free storage for beginners.
With regard to encrypting data, you should keep in mind a recent case, United States v. Fricosu. Ramona Fricosu was accused of mortgage fraud. Asserting Fifth Amendment protections against self-incrimination, Fricosu refused to provide prosecutors with the password to her encrypted computer. A federal judge ordered her to provide the password or supply a decrypted hard drive to the police. She claimed to have forgotten the password, but her husband offered the police some plausible possibilities, one of which worked.
Now for some bad news. Telephone metadata of the sort the NSA acquired from Verizon is hard—read: impossible—to hide. As the ACLU’s Soghoian notes, you can’t violate the laws of physics: In order to connect your mobile phone, the phone company necessarily needs to know where you are located. Of course, you can avoid being tracked through your cell phone by removing its batteries (unless you have an iPhone), but once you slot it back in, there you are.
For lots more information on how to you might be able to baffle government monitoring agencies, check out the Electronic Frontier Foundation's Surveillance Self-Defense Web pages.
Wuergler is sanguine about NSA snooping. “To me personally, I think it’s an acceptable risk,” he told me. “I believe that it’s not being used on a mass basis against American citizens. At least I hope not.” I hope not, too. But in the meantime, I want to rely on something more than hope when it comes to reining in government power.