Brendan Gates

I filled out our Census form today. Several “news” stories I saw about potential privacy implications, or rather about politicians and public figures spreading FUD about those privacy implications, was what reminded me to fill mine out. So is there a hidden government conspiracy to track you and everything about you? Are there giant databases containing ream upon ream of your most private data?

Yes and yes. But it’s not because of the Census. That should be the least of your concerns.

Do you use email? Instant messaging? Social networking? Do you browse the web? Shop online? Then somebody else already has your private data.

Google, eBay, Yahoo, Amazon and Microsoft aren’t really who you should be most concerned with, though. They have at least some vested interest in keeping your data private, since they want to keep you as a customer. And let’s be honest – you did willingly hand the data over to them in the first place. You can always choose not to do that. So yes, do make smart decisions with the data you do or don’t put online. But don’t confuse what these companies do with your data, with what the government is doing with your data.

Since 2001, the US Government has been making copies of the data passing over the internet. Not all of the data, but certainly a significant portion of all traffic. This is done using splitter cabinets installed at the backbone switching offices of major ISPs like AT&T (source: Wired Magazine, NY Times). The splitters don’t discriminate; it’s a mirror image copy of whatever flows down the pipe. So your emails and purchases are getting swept up right along with the data from those who actually are suspected of crimes. Search warrants are not a part of the process, though it’s debatable that they even could be, as a warrant must be specific and this type of data collection by definition is the opposite of specific. The program was originally called Total Information Awareness (source: DARPA website @ Internet Archive, Wired Magazine), but was later changed to Terrorism Information Awareness so that it sounded less like the snooping was on Americans and more like it was specifically on Terrorists (source: 5/2003 DARPA report to Congress, page 1 footnote). What is all of the data for? It is mined and queried to establish patterns that could be related to criminal activity (source: 5/2003 DARPA report to Congress, page 14).

I’m summarizing greatly here, so please do check out the sources I’ve linked to for more explanation. The Frontline episode Spying on the Home Front is another great resource.

I promise I’m not wearing a tinfoil hat as I type all of this. I’m also not trying to convince you that our government is evil, nor do I expect you to smash your computer and become a Luddite. You might even agree that a program such as TIA is necessary in today’s world, and that you don’t mind the trade off of civil liberties for security. That’s totally fine. The most important thing is that you know about the program, and then you can come to your own conclusions about it.

My personal conclusion is that the program likely started with good intentions, but that it takes advantage of outdated privacy laws (like the ECPA of 1986) that were written long before digital data was as ubiquitous as it is today. And even though I have no illegal activity to hide, I’m still uncomfortable being snooped on. It’s no different than if the police came to my house and told me that I was not suspected of anything, but they were going to catalog the items in my home just in case. I would have a problem with that, as I imagine many other people would as well.

Is there anything you can do to protect yourself? Reformation of our various laws concerning surveillance and private data is the best long term solution, so think about writing your elected officials or supporting reform groups like the EFF or Digital Due Process. Until that reform happens, you have a few technological remedies you can take.

Web Browsing

Use Tor. It’s free software that bounces your web traffic off of dozens of anonymous nodes to prevent a snooper from knowing what traffic belongs to whom. In that way Tor anonymizes your traffic, meaning that it cannot be connected back to you. Keep in mind that this is not the same as having your traffic encrypted. The trade off with Tor is that it can be very slow. It is run by volunteers who donate little bits of bandwith at a time, so the more people who use it the faster (and more anonymous) it gets.

Search Engines

To Google or not to Google? They collect a lot of data about you, and use it to become very good at selling ads. The payoff for you is that the proceeds from those ads go to fund great services like Search, Mail, Voice, Calendar, and Maps. So is it worth it? You can read their privacy policy here and decide for yourself. If that policy doesn’t provide you with enough peace of mind, you might want to consider an alternative search engine like ixquick. They don’t collect your IP address when you search, which is very privacy friendly. Note: It’s true that using a search engine with a good privacy policy won’t prevent somebody from snooping on your traffic, but this is still an important point. Keep in mind that a search engine can’t lose your data, or turn it over to the government, or sell it to another company, if they didn’t collect that data on you in the first place.

Email

Think of email as a postcard. Yes, we do now have default HTTPS in Gmail. That’s a great thing, but it only protects the data between you and Gmail’s servers. It doesn’t keep Gmail from reading it, nor will it keep anybody else from viewing it or reading it as it’s sent out across the internet and towards your recipient – just like a postcard as it travels through the mail. The only way to truly secure your email is with encryption.

The best way to do this is to use PGP (or OpenPGP), likely the strongest encryption available to us civilians. Start using Thunderbird (which is free) to read your email, and then get the very easy to use Enigmail plugin (also free) to start encrypting. When used properly, it is extremely strong; virtually unbreakable. The catch is that it takes two to tango. I have a public key available to use, but since nobody else I know uses encryption, the “encrypt” button on my email is just something pretty that I look at but never use.

Chat

Use Pidgin. It’s free, and it works with most major chat platforms (AIM, GTalk, MSN, IRC, Yahoo, Facebook, MySpaceIM, XMPP, etc). Adding the Off The Record (OTR) plugin will encrypt your chats and ensure you that the person you’re chatting with is who they say they are. Just like encrypted email, though, both sides have to be using Pidgin with OTR for the security to be effective. If only one side has it then you’re using a great IM program but your data is no more private than it was before.

Everything Else

Security and privacy are both a process, not an end. Just like you know to be vigilant and take common sense steps to protect your offline data, do the same with your online data. Throwing out bank statements? Shred them first. Need to email something sensitive to a friend? Encrypt it first.

Oh, and be sure to fill out that Census form and send it back in. It’s your civic duty, you know.