informationliberation
The news you're not supposed to know...




An Introduction to Austrian Economics: Understand Economics, Understand Everything
The Century of the Self: The Untold History of Controlling the Masses Through the Manipulation of Unconscious Desires
The Disappearing Male: From Virility to Sterility

The Obama Deception: The Mask Comes Off
Operation Gladio: The Hidden History of U.S. Sponsored False Flag Terrorism in EuropeThe New American Century: The Untold History of The Project for the New American Century
(more)
Article posted Jul 18 2013, 12:27 PM Category: Big Brother/Orwellian Source: EFF.org Print

Technology to Protect Against Mass Surveillance

BY SETH SCHOEN, Electronic Frontier Foundation

In the past several weeks, EFF has received many requests for advice about privacy tools that provide technological shields against mass surveillance. We've been interested for many years in software tools that help people protect their own privacy; we've defended your right to develop and use cryptographic software, we've supported the development of the Tor software, and written privacy software of our own.

This article is part one of a two-part series. In this part, we'll take a brief look at some of the available tools to blunt the effects of mass surveillance. In the second part, we'll discuss the big picture, reasons Internet users have been slow to adopt cryptographic software, and some limitations of existing technology's ability to defend us against government snooping.

I. The things users want to keep private There are many different kinds of electronic surveillance and many aspects of our communicative activities we may want to keep private. The online privacy landscape can be daunting in part because each different tool addresses different kinds of monitoring and privacy threats.

For example, most web browsers now include a "private browsing mode" which limits the web history kept on your own computer, preventing others who access your computer from learning about your browsing, but which has no effect on the data that's transmitted over the Internet, and doesn't try to stop, say, your Internet service provider from knowing where you went online.

Similarly, some privacy settings on services like Google and Facebook limit the display of some account history and information either to you or to your friends, but don't do anything at a technical level to stop Google or Facebook themselves from accessing or recording the communications and activities you send through their sites.

Even when we use cryptography to hide the content of our communications, there's a distinction to be drawn between transport encryption (protecting the communications as they travel between your computer and a service provider, like Gmail or your cell phone carrier) and end-to-end encryption (protecting them all the way between your device and the device of the person you're talking to, so that no intermediaries can read them at any stage). Accessing a webmail account over a secure HTTPS connection is an example of the former; it prevents your ISP, as well as people on your wifi network, from reading your mail as it travels between you and your mail provider. Using email encryption software like PGP is an example of the latter; it prevents even your webmail provider itself from reading the mail.

As we'll discuss in more detail in part two of this series, it's relatively easy to use transport encryption to prevent network operators from reading your communication. It's more work to use end-to-end encryption to keep communications private from an intermediary like an IM provider, cell phone carrier, or email service. And it's quite difficult to conceal the fact that communications happened between one user and another--it's much easier to hide what you said in an IM, phone call, or email than to conceal that you contacted a particular friend via IM, phone, or email at a particular moment.

Finally, you might want to hide your physical location when you're communicating. By default, Internet service providers along the way see, and most Internet sites you interact with store, your Internet protocol address (IP address), which can be used to figure out where you connected to the Internet from. This gives services a potential profile of your whereabouts over time, and even the potential to infer other information such as who else was with you and where you spent the night.

Here, we'll look at a few options to increase the use of cryptography to protect the contents of your on-line communications. As we'll discuss in Part 2, these technologies can't offer complete protection against every kind of surveillance, or against every possible eavesdropper; still, making encryption mainstream should help increase everyone's privacy baseline.

II. Privacy for Connections to Web Sites: HTTPS Everywhere The technology we use to secure our communications with web sites against eavesdropping as our data travels over the Internet is HTTPS. Major web sites have been gradually migrating toward supporting or requiring HTTPS connections, which provide an important kind of protection against mass surveillance targeted against the Internet infrastructure itself.

Your web browser already supports HTTPS, but for some sites you might or might not use a secure connection. (For example, a secure connection for Google Search or for Wikipedia is available, but is optional.) To address this problem, EFF developed HTTPS Everywhere, a browser add-on that tries to make sure your connection to web sites is secure whenever the web site you're visiting supports it.

Even with HTTPS Everywhere, you can only have a secure connection with web sites that choose to offer HTTPS. Some still don't. If you use a site that still doesn't offer a secure HTTPS connection, please ask the site operators to start supporting HTTPS.

III. Privacy for Instant Messaging: OTR You can use Off-the-Record Messaging (OTR) to encrypt your instant messaging conversations, preventing your IM provider from reading them. This only works with IM providers that allow the use of external IM software, and you'll need to install an OTR-capable IM application on your devices.

Wikipedia has a list of IM software that supports OTR. Currently the most widely-used chat applications with OTR support are Pidgin (on Linux and Windows) and Adium (on Mac OS X). There's also Gibberbot (for Android) and ChatSecure (for iOS). The number of applications with OTR support has increased dramatically and the landscape may change over time.

OTR can only protect your conversations when you're chatting with another user who has an OTR-capable client. It won't protect you, for example, if you're using Pidgin and the person you're chatting with is using the web-based chat on their IM account; in this case OTR mode will simply not be activated.

As we discuss below, Cryptocat also addresses encrypted chat, using a web browser rather than an external IM application.

IV. Privacy for Phone Calls: Encrypted VoIP Instead of making an unencrypted and easily-tappable phone call, you can try to protect your communications by making an encrypted Internet (or "VoIP") call. The encryption technologies used with Internet calling, and the kind and level of protection provided, vary enormously.

Many popular Internet phone and video conferencing tools do provide some kind of encryption, but most often not encryption meant to protect against the service provider. For example, Google Hangouts are encrypted to protect against someone tapping your network connection, but Google itself could easily record them. Popular applications like Skype and Viber are also thought to provide a similar level of protection in practice: equivalent to transport encryption, not end-to-end encryption. That means they can be forced to help spy on you.

There are end-to-end encrypted VoIP applications available. Many are based on a technology called ZRTP. An example that we're particularly excited about is Moxie Marlinspike's RedPhone (currently available for Android devices). We've also seen a lot of interest in Silent Circle's proprietary applications.

As with IM, you can only get secure phone calls with people you call who are using compatible software.

V. Privacy for Email: PGP PGP-compatible software lets you encrypt email, though most often only if you're using a standalone email application (not if you use web-based email). The main version of PGP technology targeted at individual users today is GnuPG, a free and open source implementation. For users who have not previously worked with encryption technologies, PGP can have a steep learning curve: it requires users to manually create, manage, and exchange keys.

VI. Anonymity and Location Privacy: Tor The Tor software is the state of the art for providing Internet users with anonymity when they go online, and for concealing where they're accessing the Internet from, even when they log into sites or use their real name.

Most users use Tor by downloading the Tor Browser Bundle from the Tor Project's site. The Tor Browser is a special browser that sends all of your browsing activity through the Tor network, preventing an easy, direct association between where you're coming from and where you're going. (There are other solutions that also purport to hide your IP address, but most just route your connections through a single company's servers and require you to trust that company not to reveal information about your browsing. Tor bounces your communications through three servers, hopefully not all run by the same entity, to reduce the chance that someone will be in a position to see the whole picture.)

Last year, we prepared an interactive graphic about Tor and HTTPS to show how Tor and HTTPS work together to protect your privacy. The graphic shows which kinds of information each technology normally conceals--and from whom. (In this graphic, we used the word "location" to refer to information about your IP address because this knowing your location is often the most privacy-sensitive consequence of letting someone know your IP address.)

VII. Host-Proof Hosting The rise of convenient online communications, storage, and social networking tools has had serious privacy consequences. When you use popular online or cloud services, you turn all of your data over to an intermediary, where it may have significantly reduced legal protections compared to information you keep on your own personal devices. You also need to trust the service provider to use your data properly and not disclose it to others. (Whether this makes your data "safer" is a complicated question. Most Internet companies have vastly more time and money to spend securing and backing up your data than you do, as well as making it conveniently available, so trusting them may be rational. At the same time, Internet intermediaries may be a tempting target for hacking attacks, and are regularly forced by legal process to hand over user information to government agencies.)

The last few years have seen increased interest in the idea of "host-proof hosting", where data is encrypted on your own computer before being uploaded to a cloud service. Then the service provider itself can't read the data you're storing there. These applications are called "host-proof" because they provide protection even against the service provider itself1.

Today this is particularly popular for online backup services, which might be the simplest case from an engineering point of view. A "host-proof" online backup provider can't read your files without knowing your encryption password. (You can also get this kind of protection by encrypting the files yourself before backing them up--perhaps with TrueCrypt or Boxcryptor.) Examples of host-proof backup tools include SpiderOak, Wuala, Tarsnap, and others.

Creating host-proof applications is challenging and involves trade-offs. For example, a host-proof service can't easily search through your data, because it can't read the data. And it can't help you recover your data if you forget or lose your password, though there are ways the service could help you create your own password-recovery options.

There have been attempts to create host-proof services beyond the realm of backups, including host-proof web-based chat like Cryptocat. We've heard from people who are doing exciting work in this area, targeting host-proof social networking and online collaboration, as well as host-proof online storage with 100% open source client software. We expect to see a lot of announcements in this area. If demand for these technologies continues to increase, we could see a new wave of more privacy-protective communications tools.

VIII. For more information More details about how to start using these and other tools can be found in Micah Lee's whitepaper "Encryption Works: How to Protect Your Privacy (And Your Sources) in the Age of NSA Surveillance".

    1. There is still a challenge when the encryption software is automatically downloaded from the provider's web server: how does the user know that, on a particular occasion, the provider is giving them the real encryption software and not a fake version that leaks their information? This was a concern with the service Hushmail, which said that a court order might force it to give particular users modified, weakened versions of its web-based email encryption tool. In 2003, the Ninth Circuit said that companies can in principle be compelled to secretly modify their services to facilitate interception, but not when doing so is too disruptive. We need services to find practical ways of ensuring users are getting the unmodified version of the encryption software and to make the details clear and public.





Latest Big Brother/Orwellian
- Sony Hack Reinvigorates Support for Privacy-Busting CISPA-Style Legislation
- Government Wastes Taxpayers' Money On Crappy "Shark-Like Spy Drone"
- Silk Road Prosecutors Rely on Slander As Trial Approaches
- Copyright Law as a Tool for State Censorship of the Internet
- Bill Aimed At Shutting Off NSA's Water Starts Moving Forward Again
- Baltimore Prosecutors Withdraw Evidence Rather Than Talk About Police Department's Stingray Usage
- Detekt: A New Malware Detection Tool That Can Expose Illegitimate State Surveillance
- 2nd Grader's Homework Teaches 'The Government GIVES Us Our Rights'









Comments Add Comment Page 1 of 1
Peter

Posted: Jul 20 2013, 6:05 AM

Link
81161 'How is SSL hopelessly broken? Let us count the ways'
http://www.theregister.co.uk/2011/04/11/state_of_ssl_analysis/

TOR ? You gotta be fucking joking ..
It was invented by the US Navy, as a way for their spooks and terrorist to hide their communications . Use TOR and you are aiding and abetting US-spies
and Gladio-terrorists !
Besides, you can not trust the exit-nodes ..


Add Comment
Name
Comment

* No HTML


Verification *
Please Enter the Verification Code Seen Below
 


PLEASE NOTE
Please see our About Page, our Disclaimer, and our Comments Policy.


FAIR USE NOTICE
This site contains copyrighted material the use of which in some cases has not been specifically authorized by the copyright owner. Such material is made available for the purposes of news reporting, education, research, comment, and criticism, which constitutes a 'fair use' of such copyrighted material in accordance with Title 17 U.S.C. Section 107. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. It is our policy to respond to notices of alleged infringement that comply with the DMCA and other applicable intellectual property laws. It is our policy to remove material from public view that we believe in good faith to be copyrighted material that has been illegally copied and distributed by any of our members or users.

About Us - Disclaimer - Privacy Policy



Advanced Search
Username:

Password:

Remember Me
Forgot Password?
Register

A Peace Officer Defies the "Blue Tribe": The Exile of Officer Cariol Horne - 12/19Baby Clings to Life After Flash-Bang Grenade Lands in His Crib - 12/20Cop Stops Fellow Cop From Choking a Handcuffed Man, She Was Then Beaten and Fired - 12/18For Punitive Populists, "Comply or Die" IS The "Law" - 12/19Thieves Yell "Police" Before Invading Home, Shooting and Robbing Resident - 12/18Psychotic Vegas Cop Filmed Beating Man For Filming In Viral Video Queitly Hired By Another Dept. - 12/17Cops Called For Wellness Check Beat Innocent Man, Pile On False Charges; Jury Exonerates, Twice - 12/17Ignorance Is No Excuse for Wrongdoing, Unless You're a Cop - 12/17

Rialto, CA Police Made to Wear Cameras, Use of Force Drops by Over Two-ThirdsCop Who Karate Chopped NY Judge In Throat Gets Off Scot-FreeFlorida Cop Smashes Compliant Woman's Face Into Car -- "Maybe Now You Can Understand Simple Instructions"VIDEO: Lapel Cam Reveals A Day In The Life Of A U.S. Police Officer (Tasing, Beating, Breaking & Entering, Stomping On Heads... and Laughing About It)Caught On Tape: Officer Sucker Punches Inmate In Face, Files Report Claiming 'Self Defense'Insult Person On Twitter, Go To JailSWAT Team Brings TV Crew To Film Raid Against Threatening Internet Critic -- Raids Innocent Grandma InsteadCop Karate Chops NY Judge In The Throat
(more)

 
Top