ProPublica

Journalism in the Public Interest


Worried about the Mass Surveillance? How to Practice Safer Communication

Here’s what you need to know to make your communications private


Update: A warning: Since this article was posted, we reported on the NSA's abilities to break encryption, as well as their secret efforts to weaken encryption standards. These revelations have cast doubt on the effectiveness of using encryption to keep communications private.

This is part one of a two-part series. Here’s part two: A Buyer’s Guide to Safer Communication.

With all the news coming out about possible mass surveillance and the relationship between an alphabet soup of federal agencies and the companies that hold huge swaths of your electronic life, it’s easy to feel powerless. But you’re not. Technology taketh away your privacy, but technology can giveth quite a bit of it back too.

Much of the news of the past week has been about government access to phone and internet “metadata,” which is a part of communications that we almost never think about in the course of normal life.

Here’s what you need to know to make your communications more private:

What is “Metadata” and Why Do You Care?

All communication is broken up into two parts – metadata and message. Metadata is what’s needed for your message to arrive at its intended destination. An address on an envelope is metadata, as is an email address, a phone number and a Twitter handle. When you shout someone’s name across a room to get their attention, that’s metadata too.

The message is the letter inside the envelope. It’s everything below the “to/from/subject” information in an email. Everything you say after you connect with someone, either by calling them or shouting at them, is the message.

If the distinction between metadata and message seems a bit arbitrary, that’s because it is. In technology, what’s metadata and what’s message are designated by the programmer’s design, rather than some great dividing line. This is a problem in American law, because message is usually protected by strong laws, but metadata isn’t. Programmers, who are almost never also lawyers, put sensitive material in metadata all the time. And legislators, even fewer of whom are programmers, have never fixed the metadata loopholes in the law.

Given a couple decades of communication technology, you get a situation like the one revealed by the Verizon court order. The mobile phone companies track all cellphone locations and call data, and can uniquely identify every phone, SIM and user. This isn’t because the mobile phone companies are cackling evilly as they put trackers on nearly everyone in America, it’s because in order for cell phones to work, towers need to know where phones are. That’s not surveillance, it’s just how radio waves work. What’s more, in order to build out capacity and maintain service, the telcos need to keep track of how people move around. It’s all part of making their networks work. To the phone company, metadata about who you are and where you go is useful for running their network. Despite some of their ads, they aren’t particularly interested in your personal life. On the other hand, to you, where you go and who you talk to is sensitive information. Right now, you can’t do anything about keeping all of that a secret from your mobile phone company, except not having your phone with you.

The messages that come to and from your phone are another matter. There’s a lot you can do about keeping those private and secure, and doing so helps you live in a safer world – not just from government surveillance, but from anyone who wants to snoop on you for any reason.

On computers and smartphones (which are just smaller computers with hard-to-use keyboards) your main tool for protecting your information, both message and metadata, is cryptography. Cryptography (often also called “crypto”) is a way of using math to rewrite information in a secret code. Since metadata is needed to get information across the network, some level of it is always exposed. For you, the question is where does your metadata end, and the message begin?

Making Crypto Work for You

A warning: Computer scientists are terrible at naming things, and trying to get them to explain how things they make work is a world of Lovecraftian horrors. Nowhere is this worse than in crypto, which is full of unintuitive names and nonsensical metaphors. Fortunately you don’t really need to know how cryptography works to use it, though if you want to, there’s a video series that explains the concepts in some detail for a general audience.

Communication crypto works by exchanging “keys,” or long strings of numbers that each side of a conversation uses to encrypt and decrypt each other’s messages. The various schemes for arriving at these shared numbers include pre-shared symmetric keys, Diffie–Hellman key exchange, and public-key cryptography – but you definitely don’t need to understand the details in order to use keys. All you need to know is that they all rely on math functions that are easy for a computer to do, but extremely hard to undo. These methods are strong. There’s evidence that even the NSA can have trouble circumventing well-done key exchange crypto, and cracking it en masse is probably still not practical. There are two basic ways to use crypto:

Talking to Bob

Let’s say you’re trying to talk to your friend Bob. Over the internet, you’re generally going to pass your messages through a server. Let’s say you’re talking to Bob over a Google service (though most other services work similarly).

Obviously, Google can see all of this. But if someone steps into the stream they can see everything, too. This was the case with the cable splices detailed in the 2006 stories of warrantless wiretapping, and in last week’s story about the Verizon order.

In an attempt to be witty, cryptographers always call the party stepping into the stream Eve. Because Google is good at security, they use something called SSL to hide your traffic from Eve as it passes through the wires (or over the air). You can tell you’re using SSL, whose current versions are officially named TLS even though almost everyone still says SSL, when you visit a web address that starts with https instead of http. (Gee, thanks for making that so clear, computer scientists.) SSL is effective in blocking Eve, which is why the Electronic Frontier Foundation developed a browser plug-in called HTTPS Everywhere, which helps you put the majority of your web browsing inside SSL and out of view. You should use that. One caveat: SSL hides what you send to a site and what it sends back, not the fact that you are talking to it. The site’s name and address still travel in the clear, because the network needs them to deliver your traffic, and that is metadata again. (Disclosure: I’m legally married to an EFF employee, and occasionally seek advice from their legal department.)


But if Eve has a special relationship with Google, you have another problem. With SSL, Google still has a copy of all your information, metadata and message. You can’t avoid Google having your metadata – like the cell phone towers, they need it to make the network work.

Encrypting Message Data

What now? There’s a fix: You can encrypt your message with a deeper layer of public-key cryptography called “end-to-end encryption.” Even the server that passes the message can’t look at it. Google can still give Eve your metadata, but even Google can’t see your messages, only encrypted gobbledegook. There’s a catch: This kind of encryption isn’t always easy to use. More on that in Part 2.

Even with end-to-end encryption, you have the same problem with metadata being visible to Google that you had before you encrypted anything. You’ve just made Eve go through one extra step – talking to Google – to get it. That might be all the protection you need, depending on your service provider legally resisting blanket requests from the government. If you don’t trust them to do that, then you should use a different service.

But here is where most people, even cryptographers, make their big mistake. We encrypt our messages and feel safe. But without using SSL, even when using a provider that won’t give information to Eve, the metadata is being transmitted unencrypted. You’re not even making Eve take the extra step of asking your provider. Eve can just step into the stream and capture a copy of your metadata as it passes by.
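Here is the whole arrangement in working code, as an added example that is not part of the original article: two parties agree on a key (the Diffie–Hellman exchange mentioned under “Making Crypto Work for You”), one of them seals a message and hands it to a relay server inside an envelope, and the server ends up with exactly the view described in this section, the “from” and “to” fields readable and the body opaque. That same view is what Eve captures if the hop to the server is not inside SSL. The parties, addresses, relay and message are all constructed for the example; the 2048-bit group is the one published in RFC 3526 (group 14), and the SHA-256-based cipher stands in for a real authenticated cipher such as AES-GCM so that the example runs on the Python standard library alone.

```python
"""Toy end-to-end encrypted message through an honest-but-curious relay.

Added example, not code from the ProPublica article. Parties, addresses, relay
and message are constructed. Key agreement is Diffie-Hellman in the 2048-bit
MODP group of RFC 3526 (group 14). The body is protected with a SHA-256
counter-mode keystream plus an HMAC-SHA256 tag, a stand-in for a real AEAD such
as AES-GCM so this runs on the standard library. Do not reuse the toy cipher.
"""
import hashlib
import hmac
import json
import secrets

# RFC 3526 group 14: p is a 2048-bit safe prime and g = 2 generates the
# subgroup of prime order q = (p - 1) / 2. Check the digits against the RFC.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2


def check_group():
    """2048 bits, odd q, and g inside the order-q subgroup. A mistyped digit
    in P would almost certainly fail the last condition."""
    return P.bit_length() == 2048 and Q % 2 == 1 and pow(G, Q, P) == 1


def dh_keypair():
    """Secret exponent x (256 random bits suffice for a 2048-bit group) and
    the public value g^x mod p, the only thing that crosses the wire."""
    priv = secrets.randbelow(1 << 256) + 1
    return priv, pow(G, priv, P)


def dh_shared_key(priv, peer_pub):
    """32-byte key hashed from (peer_pub)^priv mod p. The two checks reject
    0, 1, p-1 and anything outside the prime-order subgroup, values an active
    attacker could send to force a secret she already knows."""
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("peer public value out of range")
    if pow(peer_pub, Q, P) != 1:
        raise ValueError("peer public value not in the prime-order subgroup")
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def _subkeys(key):
    """Separate encryption and MAC keys derived from the shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    """SHA-256 in counter mode: a toy stream cipher in place of AES-CTR."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def seal(key, plaintext):
    """nonce || ciphertext || tag, encrypt-then-MAC."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before touching the ciphertext; reject on any mismatch."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: message altered in transit or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def relay_conversation(message):
    """Alice sends `message` to Bob through a relay. Returns the relay's view
    of the traffic and the bytes Bob recovers."""
    a_priv, a_pub = dh_keypair()  # Alice
    b_priv, b_pub = dh_keypair()  # Bob
    # Only a_pub and b_pub cross the wire; each side derives the same key.
    k_alice = dh_shared_key(a_priv, b_pub)
    k_bob = dh_shared_key(b_priv, a_pub)
    # The envelope is what the relay stores, and what Eve captures if this hop
    # is not inside SSL: who talks to whom is readable, the body is not.
    envelope = {"from": "alice@example.com", "to": "bob@example.com",
                "body": seal(k_alice, message).hex()}
    relay_view = json.loads(json.dumps(envelope))  # constructed relay traffic
    recovered = unseal(k_bob, bytes.fromhex(relay_view["body"]))
    return relay_view, recovered


if __name__ == "__main__":
    view, got = relay_conversation(b"meet at the usual place at 9")
    print("relay sees:", view["from"], "->", view["to"], "body:", view["body"][:24], "...")
    print("Bob reads :", got.decode())
```

Two details are there because a practitioner would want them: `dh_shared_key` refuses public values of 0, 1, p-1 or anything outside the prime-order subgroup, since an active Eve could inject those to force a predictable secret, and `unseal` checks the tag before decrypting, so an altered body is rejected rather than turned into garbage. Neither check helps with the envelope, which is exactly the article's point: the relay, and Eve on an unencrypted hop, still learn who is talking to whom.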

So let’s say you’ve moved to a new chat service. You trust it. It’s run entirely by Swedish hacker teenagers on offshore servers who respond to legal queries with pictures of sarcastic lolcats rather than cooperating with Eve. This new service requires you to encrypt your messages.

But being teenagers, they’ve overlooked a few details, and are accidentally leaking your metadata back to Eve, which is just fine with Eve, since your message data was legally protected anyhow, and when Eve is the NSA, she’s not supposed to keep it.

Oops. You were probably better off staying with your last service.

You abandon the Swedish teenagers then and turn to their somewhat more learned cousins, who have set up independent services around the world with an eye toward security and the ability to resist intrusion from outside actors. With services like Dukgo.com and Riseup.net, you can have the best of both worlds: SSL and encrypted messages inside it.

Now you’ve got some privacy back.

Caveat: Who’s Out to Get You?

This advice assumes you’re trying to avoid mass surveillance, of the type that’s been in the news over the last few days, raising constitutional and societal questions. In security we call this an “untargeted attack.” If someone is investigating, surveilling or watching you personally, the rules and the advice change. You can no longer count on hiding in plain sight using SSL and encrypted messages. If you believe you need to resist targeted surveillance, things are more complex. Check out Security in-a-Box to start learning more.

End of Part 1

Coming soon, in Part 2: Let’s Get Specific. Tools, Techniques, and Services.

For a rundown of what we know — and what we still don't — about surveillance, read "The NSA Black Hole: 5 Basic Things We Don't Know About Government Snooping." Have more questions? Follow @NSAQuestions for updates, and let us know what questions YOU have by tweeting us with #NSAquestions.

Jonathan Stray

June 11, 2013, 11:39 a.m.

Quinn, you’ve lost me with this line:

“Oops. You were probably better off staying with your last service.”

What exactly is the problem with Dukgo and Riseup?

A couple of quick issues with the article.  Feel free to take or ignore.

First, metadata is data about data, formally speaking.  Don’t think of it as an “envelope” so much as “everything that everybody might need to make sense out of the ‘core’ information.”  Informally, it’s everything someone might consider storing with data, that’s not actually the core service.

For a phone call, the audio is the data.  Necessary metadata is something like the sampling rate, which a phone vendor needs to know to decode the message.  Obvious metadata is the “envelope” stuff that the network uses for delivery.  Possible metadata could include how often you call customer service and what web browser you use to pay your bills online.  Nobody knows what any company actually collects in full.

Second, cryptography isn’t actually that hard if you made it through…oh, let’s say third grade math or so, especially if we’re only talking about concepts.

Remember long division?  You have the Dividend (inside the symbol) and the Divisor (to the left), and you want to know how many times the Divisor divides the Dividend.  You get a Quotient and, until you start dealing in fractions, a Remainder.

In cryptography, the message you want to send is the Remainder.  You send the Dividend.  The “Key” to the encryption is the Divisor.  Without the Divisor, you can’t possibly figure out the Remainder except by brute force trying every possible Quotient and Remainder.

Notice that we don’t use the Quotient?  There are two interpretations we could use, here.  One is that the Quotient is like a “private key,” even though it’s revealed to whoever has the Divisor.  The other is that the Quotient is “entropy,” garbage information in the message you need to work to find, but doesn’t help.

As I said, that’s not entirely accurate, but it’s a pretty good model with almost all the moving parts.  If you’re comfortable with that and want to move up to high school math, you actually raise the message number to the key’s exponent and take the modulus (the remainder if dividing by a number) by a certain size, giving you the message.  If you fuss around with some number theory, you can have two exponents that work opposite each other (so that you take the number encrypted by one and decrypt it with the other in the same way), but that gets into Field Theory, which…ick.

Third, SSL has a core problem in that certificates are issued from quasi-central authorities.  If the government issues a National Security Letter to a provider, they know Google’s SSL keys and can decrypt their data—this happened with a Middle Eastern authority a couple of summers ago and a few of the governments.

Fourth, remember that cryptography delays someone from getting at your data, it doesn’t prevent it.  An attacker dedicated to reading your e-mail will get it eventually, where “eventually” is measured in hours rather than years, these days.

Cryptography is also a red flag to a lot of authoritarians.  If you’ve never encrypted any of your messages before and suddenly you start encrypting everything, anybody watching you (if anybody is) is going to assume you’re hiding because you have reason to hide, making you more a more interesting target.

I hope that’s of some use, somewhere.  If not, hopefully everybody had the sense to read something else.

Jonathan, I think you’re referring to a formatting problem, which is now fixed.

It’s a little unfair to blame the programmers - they tend to write software according to a Grand Design provided for them, usually by Analysts. Those are the guys who decide what’s included in metadata (and usually with the approval of management up the line).

In the current furore, many commentators seem to have lost sight of several things. One is that many providers are required by law to keep records of the communications they handle, usually for a fixed period of time (anything up to five years in some cases). All the agencies have done is to make sure they get access to that dataset if and when they need it.

People like Bill O’Reilly have conflated that perfectly legitimate access with actual wiretapping and stirred up an even bigger hornet’s nest. There’s nothing like preventing the facts from getting in the way of a good bit of self promotion.

As John notes elsewhere, the best way to attract attention to yourself is to make it obvious that you’re hiding something. Those who genuinely have something to hide will use steganographic approaches to mask their activities. No encryption required.

You don’t have to leave your phone at home to avoid being tracked. Simply remove the battery, then put it back in when you want to use your phone. I know, it’s cumbersome.

The NSA says it doesn’t listen in on phone calls. If you call me, and the NSA captures our phone numbers, time of call, duration of call and our location, what good is that to the NSA if it doesn’t know what we said? Am I missing something here?

I could swear that I read that the DOJ has filed to make Verizon and other cell phone carriers decrypt.

@Jame The key thing is the NSA doesn’t know where to look until they find someone of interest. Then they ask for, say, phone records for that individual from all service providers. They look at who called them and who they called, and if you happen to be one of the callers or the called, then they know to look closer at you. What you said in the past isn’t their focus - it’s what you do from now on that will interest them - so they’ll request records for your calls, and work outwards from there.

The point at which they want to know what you’re saying in those calls arises when either you or someone you know does something that triggers a need to know more, at which point they go to a court and ask for permission to wiretap.

It’s not just phone calls. If you use your ATM card to pay for a Big Mac, that record places you in a physical location at a specific date and time. If they have a GPS record for someone of interest (because they carried their phone with them) and the record shows that person was in exactly the same location on the same day at roughly the same time, then they can put you in close proximity if not actually together.

I’d caution you against thinking that removing your phone’s battery makes the phone silent. In the UK there’s a portable television detector that sends out a signal over a relatively short distance. Any device possessing a TV tuner circuit - even if it’s unplugged and not operating - will respond to that signal. It’s been in use for decades - they used to have to use vehicles containing the detectors but then miniaturization came along. Ask any older Brit about TV detector vans (and why they’re used).

It would be foolish to think that a similar type of detector couldn’t trigger a response from circuitry inside your phone, and finger you even with an apparently dead phone.

If you can find a copy, read Spy Catcher by Peter Wright. He describes technology from 70 years ago that seems eerily way ahead of its time. Operation RAFTER is an eye-opener too.

I don’t subscribe to conspiracy theories, so I’m quite sure that what Congress has been authorizing all these years is perfectly legal and above board. It’s just not very nice to find out about it.

Papa Maury Clark

June 11, 2013, 7:36 p.m.

SWEET LAND OF LIBERTY?

Sadly, I am old enough to remember the WWII “Americans of Japanese descent” internment camps, and the Senate McCarthy hearings of the early ’50s. Both were conducted under the guise of “National Security”. So at this point I cannot help but be saddened by the first verse in one of our early national anthems: “My country ’tis of thee, sweet land of liberty—” Saddened because of my memory of something said by James Madison: “If tyranny and oppression come to this land it will be in the guise of fighting a foreign enemy”.

I voted for Democrats these past two national elections because of my deeply held commitment to freedom around the world. That, and the fact that if we had elected Jesus Christ on the Republican ticket the rest of the world would have believed that Christ had been converted as a foil for Republican National Committee policies, and a figurehead for the same old Republican military interference in third world countries solely for the benefit of America. Guess what- we got ‘em anyway.

I suppose now that I should begin keeping a daily log of my activities in case our federal government decides that I may have been a cause of the Oklahoma tornados.

I have no plans to leave my country, but I just don’t understand why my country has left me.

I believe the government also is able to get the subject lines of your emails. I seem to recall a recent case where a person was arrested over child porn found in emails that he had never opened. The courts found that the emails were off limits but the subject lines were accessible to spying.

Jame, to follow up on what Peter said, it’s possible that the phone companies also record your phone calls and maintain them for a “brief” period (or they can be asked to, without much trouble).  So it’s possible for them to “not listen in” on your calls yet still hear the calls.

The NSA people seem to enjoy word games like this.  Keep in mind that they recently stated that they didn’t “collect” this data, because they define “collection” as something a human being has thoroughly analyzed.  Since there’s some data that has only been in a computer, it hasn’t been “collected.”  So imagine what their definitions might show up for “listening in”...

Even if they’re not doing that, if you’ve ever gotten a wrong number and the person at the other end was somehow connected with terrorists (maybe because he answered a wrong number call…), you’re now suspicious.  The lack of context would make a program like this so much worse, not better, because it’s guilt by association of secret laws with little to no oversight.

I know the media has been reporting that sales of “1984” have gone through the roof, but if anybody wants to impress his or her friends, grab a copy of Kafka’s “The Trial.”  (At Project Gutenberg for free, no less, and I doubt they do much tracking.)

Papa Maury Clark:
I’ve saved your comment… your comment and sentiment are right on.
We seem to have lost the “intent” of the whole discussion; commenters (I enjoyed every one of them as I usually do on websites)...
This is about the 4th Amendment to the Constitution:
The intent was/is to assure that each citizen in the US is “... safe and secure in their persons” ...
There is a word in the paragraph: “unreasonable…” that is kind of “squishy” ... and I would term, a “... phrase of conditionality” that would give the government an “out” to slice and dice arguments for or against the “abuse” of the 4th amendment… which is/and has happened time and time again in our history.
This is nothing new.
William E. Burrows wrote a good “seminal” book on the NSA, which dealt mostly with the emerging satellite surveillance systems, “Deep Black”, published in 1986.
(Lyndon Johnson felt that we had to get something out of just….reaching the ability to travel in space…..something more tangible and being the political hack he was, his thoughts were that we should exploit that technology in surveillance satellites)

This is a letter to editor to my local paper on the subject of Edward Snowden and his revelations:

“The US government has a long, active history of attempting to stifle political dissent.  “Uttering” negative speech against the US government was a crime; any “scurrilous” language to “defame” it, a crime.
Acts by the US government cast a wide and far net against individual citizen, immigrant, main stream opposition political party participants, or other “troublemakers” who opposed entrenched political power.
The US has used overt and covert programs in place to divert public attention from its black and covert ops by impugning its own citizen dissenters during times of stress.
June 1798, The “Alien Friends Act” authorized the president to deport any resident alien considered ‘dangerous’ to the peace and safety of the US.
July 1798, The “Sedition Act” made it a crime to ‘oppose any measure of the government… or its officials.’
The famous “Palmer Raids” of 1919, targeting the most vulnerable, immigrants, organized labor activists and other dissenters that were eventually deported.
Dies Committee of 1938 and its successor, The House Un-American Activities Committee, 1945; Smith Act, 1940; American Legion/FBI scandal (and other citizen groups) 1940-1954; Project Shamrock, 1945; McCarran Act, 1950; 1956, the infamous secret FBI Cointel-Pro program; “Operation Chaos”, (anti-Vietnam dissent) 1967, and many more up to the present Patriot Act and its resultant expansive machinations.
The April 1976, “Church Committee Report on Domestic Surveillance and Other Illegal Activities by US Intelligence” is an excellent primer on the danger of these programs and the ultimate result, a totalitarian government. Obviously this excellent report has been ignored by presidents and the two major political parties.
The more severe US foreign policies embrace the perceived inherent right to exploit anyone else’s natural, human and political resources for its own “interests”, the more repressive it will act against its own citizens’ constitutional rights.
Our Bill of Rights needs “Whistleblowers”.”

The point is that this is nothing new; on the contrary.  Our government (and too many others) has placed surveillance procedures on its citizens since its creation.  It will not stop.
It is up to the citizens of the US to keep the government’s feet to the fire when it comes to the Bill of Rights.
The Constitution without the Bill of Rights is nothing better than yesterday’s newspaper….useless except to “....wrap fish”.

I enjoyed this article tho it is confusing.  It’s like, “I need major surgery, but don’t tell me how it’s done!”

Lastly, another major point that Mr. Snowden has tried to make is that these issues should not be left entirely up to our (a) government…especially to a government that is so intentionally involved in heavy handed foreign campaigns that seem to continually “create” more enemies than not.

The more our foreign adventures continue, the more repressive and intrusive the US government will be, especially on vocal dissenters.

Vigilance and activism is what keeps the Bill of Rights a “bill of rights” reinforcing our constitution.

There is no other way.

Papa Maury Clark

June 12, 2013, 5:19 p.m.

Bert,

Well enumerated arguments such as yours, and mine, will have little impact as long as most people buy into those people who would change the subject and fasten onto irrelevant digressions.

It makes little difference the color of the paper upon which a report is written, and type font size is meaningless, as are inane arguments that there are adequate “immediate” protections for citizens under current surveillance authorizations. “Immediate” is not what worries me.

The Titanic had adequate lifeboats, and I am sure that documents exist to prove that point. It was very foolish to expect that the number of lifeboats would have been adequate should the Titanic founder while at dockside, while expecting that the identical number of lifeboats would also have been adequate if the ship were to strike an iceberg.

I believe that (possibly) safe, current surveillance would likely be totally unsafe to the citizens should the government decide that “terrorist icebergs” warranted more intrusive, direct recordation of individual communications. Since all of this was secret, it seems to me to be a VERY small step in that direction should secrecy have prevailed without disclosure by the whistleblower.

Further, the rule of unintended consequences applies in this case, for example: Virtually all automobiles manufactured in the past decade have a recording onboard computer that was designed by manufacturers for safety purposes, as well as mechanical problem warnings and resolution. “Fasten your seatbelt”, “Check engine”, “Onstar crash assistance”, etc..

Most people are unaware that their automobile computer can also be used by law enforcement to trace time, location, speed, driving conditions, skid distances and (probably) the color of your eyes in the event they choose to do so. Insurance companies can, and do, use that data to deny claims or cancel coverage. The preceding FACTS were unlikely to have been foreseen consequences by car manufacturers of their desire to provide safety services to their customers, but guess what happened!

We are not talking about immediate safeguards here. Simply put, we have inadequate lifeboats for our protection when the captain, and ONLY THE CAPTAIN, can decide the course of the ship.

Does anyone else feel the chill in the air here?

Papa Maury

If this issue is allowed to die down and all Americans do not stop this government now the future is indeed bleak.

George Chamberlain

June 12, 2013, 6:29 p.m.

This is a must read. Please write re your reaction.

Papa Maury wrote: The Titanic had adequate lifeboats and I am sure that documents exist to prove that point...

From Wikipedia: “Because of outdated maritime safety regulations, she carried only enough lifeboats for 1,178 people - slightly more than half of the number travelling on the maiden voyage, and one-third her total passenger and crew capacity.”

If this is an example of a well-enumerated argument, I think we’re in even more trouble than you think…:)

Papa Maury Clark

June 12, 2013, 9:50 p.m.

Peter B

Good catch!

I should have inserted the words “under then current regulations” following the word “lifeboats”.

Regardless of parsing phrases, I agree with you that we may be in even more trouble than we think.

Thanks for reading carefully.

Younger folk don’t care about being watched.  They believe it’s part of the equation.  It’s a fact they will live with.

In my opinion: live and learn.  S

Susie, that’s partly because we’ve focused the privacy discussion in very selfish ways.  We say “you’ll be watched,” not “the guy who speaks out against the government can be watched until the government knows his friends and family.”

I mean, that’s the point, isn’t it?  It doesn’t matter if I have something to hide.  It’s that whistleblowers have something to hide.  Gay people in regions where there’s anti-gay violence have something to hide.  People fleeing abusive relationships have something to hide.  People who admire and support the Constitution and Bill of Rights apparently have something to hide, in some circles.  Socialists once had something to hide.  Lots of people, who we generally claim we want to protect, need protection of their privacy, not us.

But by trying to pitch it as “they’re watching you,” all that gets forgotten, and so it’s acceptable to people in the same way healthy people don’t generally worry about the state of health care.

On reading John’s comment to Susie, it arises in mind the famous statement and poem attributed to pastor Martin Niemöller (1892–1984) about the sloth of German intellectuals following the Nazis’ rise to power and the subsequent purging of their chosen targets, group after group.

According to the Martin-Niemöller-Foundation the text is as follows:

  First they came for the communists,
  and I didn’t speak out because I wasn’t a communist.

  Then they came for the socialists,
  and I didn’t speak out because I wasn’t a socialist.

  Then they came for the trade unionists,
  and I didn’t speak out because I wasn’t a trade unionist.

  Then they came for me,
  and there was no one left to speak for me.

(All quoted directly from Wikipedia.)
