Opt Out of PRISM—You’re Probably Doing it Wrong

July 4, 2013

This site is no longer being maintained so anything below could still be accurate, or very outdated.

As a result of Edward Snowden’s leaks about the United States NSA’s PRISM program and mass collection of internet traffic, there has been a small flutter of public interest in privacy-related web services over the past month. DuckDuckGo, Startpage, Tor Project and BitMessage are some who report a spike in web traffic while blogs, forums and news sites are still buzzing with Snowden and related topics.

This means that there very likely is an increase in people using new or different services with the presumption they'll now be safe from "tracking". But...tracking by who? From where and to what end? In my writing, I’ve always tried to distinguish between protecting yourself from advertisers and malicious internet users, and then government threats. PRISM is the latter, and you can’t shake off a world superpower nearly as easily as you can marketing companies.

So I want to reiterate that the vast majority of tSc’s Webmail for Better Privacy article will NOT protect you against government; neither will most of what’s written in the fingerprinting article. I also want to caution that most services and applications on PRISM Break will not protect you either.

PRISM Break is an extensive list of valuable software and services and while not perfect, it's a great resource to have available. However, while much of it will protect from advertisers and general online security/privacy issues, depending on what you use and how, it could have little to no effect on what literally is your own form of personal counter-surveillance, all while you order a new pair of jeans from HauteLook.

With enormous irresponsibility and minimal knowledge, the media is pushing PRISM Break as a solution for people to stop internet spying, as if they can check a few boxes in a Settings popup and disable the NSA. It doesn't work that way—anything will only protect you within the context it's created to function in. One application may take care of one piece of the armor, but that's only part of the big picture.

The U.S. government’s claws are deeply embedded into the network infrastructure that much of the online world connects to. Indeed, much of 'the Internet' is in the U.S. or traverses it at some point. American internet service providers like AT&T, Sprint and Verizon make customer data available to Big Government on demand. National Security Letters are accompanied by gag orders while subpoenas, court orders, harassment and/or extortion all make sure that the desired information is handed over by companies who prove uncooperative. No one will ever publicly hear about the ordeal.

Fiber optic splitting bypasses all of that, and from there, it’s a question of how far back in history you want to look. Narus Insight? Carnivore? Echelon? Shamrock? Etcetera, etcetera, etcetera.

Add to all that this question: To anyone outside the U.S. reading this, what kind of surveillance programs does your own government have in place, be it known or unknown to the public? What kind of relationships do your country's service providers and government have with U.S. intelligence agencies?

Snowden’s revelations are merely the condensation from the tip of the iceberg for the American and British data dragnets. His leaks are further extrapolation of what was quietly, yet already, known to be occurring, and we cannot be foolish enough to assume that this is isolated to only a few countries. This unfolds into a very messy and very global situation, exactly in the way a grasshopper which jumps out of your hand is not free if you immediately catch it again. Due to inter-agency partnerships and how the world’s telecommunications infrastructure is built, dodging one surveillance tap-in point means you merely get caught up in another further downstream.

To say nothing of compromised end-point devices, the way to obscure your internet traffic still boils down to encryption. You want to prefer decentralized services like I2P, Tor or BitMessage (there are others). Centralized services should be met with 'roll your own' solutions like GPG encrypted email, files inside encrypted containers, OTR and Jitsi sorta stuff.

VPN services open up a whole new dimension of problems with payments and the fact that the majority of a VPN service provider's servers are still in someone else's datacenter. So while a VPN service may not enable logging on their servers, the VPS provider (the company many VPN providers rent their server space from) has hardware-level access and is completely autonomous of the VPN provider. Using multiple chained VPNs or a VPN in conjunction with Tor or I2P can help.

Yet nothing is a sure bet. At this point, we can only assume that the cryptography and certificates used by these services have not yet been compromised, and the entire CA system is laughable to say the least. That still leaves us with zero-day exploits, side channel attacks, general implementation weaknesses and of course, user mistakes. Then there’s the issue of encrypted traffic being more interesting to government than non-encrypted data, so it is likely to be stored longer than plaintext messages.

Know the context for when a certain application will provide the protection you need, and when it’s ineffective or an unnecessary complication. Also beware the emergence of fraudulent/malicious/snake oil apps, extensions and schemes offering anonymous services. If there’s one thing cryptographers will predictably do, it’s stick with well trusted, proven and documented encryption protocols and software. The internet is still your friend, just do your research and think before committing sensitive info.

So one more time to drive it home: Spend time reading the PRISM Break site. Familiarize yourself with the different options available to you, but study the context in which an application or service is intended to function. Don't over-expect anything like the careless media has done.

While there is a plethora of benefits to using the software listed on PRISM Break, most of these changes do not mean the NSA or any surveillance organization loses sight of your web traffic. That will not even begin to happen unless you send your connection requests into a nebula of encryption and multiple server hops. Now the question becomes, do you even care? (...and what of your subverted hardware?)
