Recently, there has been growing realisation of the concerning implications of widespread, generalised government surveillance programmes. Last week for example, ex-US President Jimmy Carter concluded that America has no functioning democracy with PRISM. The Nobel Peace Prize winner applauded NSA whistle blower Edward Snowden saying his actions could have a positive effect. IT security expert Bruce Schneier says that the PRISM database and NSA surveillance poses a risk to national security.
How easy or difficult is it for an individual to take steps to ensure anonymity and privacy of internet communications? In a previous post I examined using the Tor network for anonymous internet communications. Tor effectively hides a user’s IP address, but has latency issues, and its use attracts the attention of surveillance authorities. In this post I will touch on additional tools.
VOIP: We now know that Microsoft worked with the NSA to allow the PRISM database to collect video and audio communications through Skype. So, what reliable alternatives to Skype are available? CryptoCat offers encrypted instant messaging. However, it does not anonymise the user (their IP address is not masked), so is best used through the Tor network. CryptoCat was popular with activists during the Arab spring uprisings.
Earlier this month it was revealed that CryptoCat has had a vulnerability over the past 7 months, through which the encryption could have been cracked. Although the bug has now been rectified, users are warned to take care – CryptoCat’s security may not be impenetrable.
Search: Some Google search users have moved to DuckDuckGo post-PRISM. This search provider has noticed a doubling of traffic in recent weeks, but compared to Google their usage is minute. The search anonymity of DuckDuckGo is explained here.
Cloud file storage: The privacy of Microsoft SkyDrive’s 250 million users cannot be relied upon after the revelations of their involvement with the NSA. Ditto for Google Drive. Last week, Google announced they are considering offering encrypted cloud file storage. However, in order to ensure privacy, the encryption needs to occur on the client-side rather than on the cloud. Client-side encrypted cloud file storage is offered by Wuala. Kim Dotcom’s Mega is another cloud file storage service with encryption.
Email: Privacy in email communications is also important to many. Whistle blowers and activists should avoid email providers such as Zoho mail who have a history of simply shutting down a user following requests from those wishing to suppress information. PGP is a useful tool for encrypting email, however it requires both the sender and receiver to participate.
None of the tools mentioned here, protect against key loggers. Even though Big Brother key logging tools are in use (such as FinFisher), hopefully they are not yet in widespread government use harvesting data from everybody. Currently, the main threat of key logging is for identity theft and corporate espionage, rather than widespread State surveillance. At this point I must put my hand up to say that my company developed a great little anti-key logger utility which effectively protects all PC browsing.
In the post-PRISM revelation era, privacy is something which many more people are going to take more seriously. Most do not accept the argument that “it is ok for the government to snoop my communications because I have nothing to hide”. However, as more and more users migrate to tools to safeguard their anonymity and privacy, they may find this an elusive concept. Total privacy and anonymity is difficult, more easily obtained in James Bond movies in the words of Sheena Easton:
For your eyes only, only for you
You’ll see what no one else can see, and now I’m breaking free
For your eyes only, only for you
The passions that collide in me, the wild abandoned side of me
Only for you, for your eyes only
Thanks for a great post!
The separation of anonymity and privacy is one that too few people focus on. But as the Tor project shows, you don’t always need to do both.
When developing Crypho http://www.crypho.com (unfortunately missed in your listing of relevant encrypted communications tools), we deliberately chose to only solve the issue of confidentiality/privacy, not anonymity. Since Crypho is primarily a business tool, we consider the anonymity usecase less relevant.
(disclaimer: i am one of the Crypho founders)