Category Archives: Online Security, Anonymity, and Privacy

PRISM (surveillance program)

I’ve ended up writing a lot about Internet security in the past couple of months. This week PRISM has received massive attention in the media.

What appears to be the case is that pretty much every phone call and text message in the USA is kept track off. When you call someone in the US the NSA (National Security Agency) stores what phone number the call came from, to what phone number the call was made, the duration of the call, and the gps coordinates of the locations of any cellphones involved. This information is routinely retrieved (by court order) and used during police investigations. European nations do the exact same thing.

It’s possible the content of text messages are stored, and that calls are transcribed. This takes massive amounts of storage, which is available. The US constitution forbids this data from being analyzed (unless the call or text message is to/from someone outside of the US) but by court order the data can be retrieved.

In a recent speech Obama quite clearly stated that actual phone conversations are not being recorded, and this seems plausible as it’ll make people very nervous, but it is likely to happen in the future when transcription software becomes more powerful, particularly in Europe.

PRISM itself is apparently the name of the surveillance program I’ve talked about previously. The US government creates extensive profiles of all unencrypted Internet traffic that travels through US territory. The software will try to attach email addresses, usernames, passwords, and other information to a certain identity. If the IP address is American the data can only be retrieved by court order, unless there is strong suspicion that the person is not American and is using a proxy. It’s fairly easy to examine someone’s sleeping pattern for example, and if this indicates someone is sleeping at times most Europeans sleep, this increases the probability of someone not being an American. Using non-American English is another indication that you’re from across the pond. Once the probability that you’re not a US resident reaches 51% your data becomes accessible to the NSA.

The big problem however is encrypted data. To work around this the USA has created a legal framework for companies to handover private data to the government. Doing so without anyone finding out is close to impossible for the larger corporations like Google, not to mention it’d be a public relations nightmare, but smaller companies might be offered financial compensation for taking the trouble to give their data to the NSA. It’s been my suspicion that the USA has a surveillance program in place to monitor the TOR network, and it makes sense to be suspicious of small nifty Internet companies that offer a useful encryption related service for free.

According to an anonymous source Microsoft (2007), Yahoo (2008), Google (2009), Facebook (2009), Paltalk (2009), YouTube (2010), AOL (2011), Skype (2011), and Apple (2012) are leaking information to the NSA. Microsoft, Yahoo, Google, Facebook, and Apple have already denied these allegations.

I’ve previously wondered if the US government has the balls to tap into Google’s local network and get access to information that’s been shielded by encryption, and my conclusion was that no, they do not have the balls. Would they have the balls to create a rumor that encrypted services, beyond their ability to watch, are being monitored? With full deniability? Most certainly.

So my best guess is that rather than using the Chinese approach (block services that offer https to encrypt the connection) they’re trying to scare people away from using companies that utilize https. Still it’s not a bad idea to consider Russian https encrypted services. For example, VK as an alternative to Facebook, and Yandex as an alternative to Gmail.

Keep in mind that emails are only more private if you send an email from a Gmail account to another Gmail account, or from a Yandex account to another Yandex account. If you link your Gmail account to your VK account, and have VK forward every private message to your email account, the NSA will be reading along. So I’d suggest to link your VK account to a Yandex account and disable all automated email notifications, because the Russian government is reading along as well.

Update 2013-06-09

Based on new information it might be the case that PRISM is used exclusively to analyze information that has been retrieved by court order. If the NSA would for example get a court order for my information Google would hand over everything associated to my user account, and PRISM in turn would be used to analyze this data. There’s a chance the NSA secretly taps into Google, but this would be such a major violation of the US constitution that I doubt this will happen anytime soon.

The software used to analyze all Internet traffic flowing through the USA is called Boundless Informant.


Password Management

A couple of people have gotten locked out of their accounts, and as it can’t hurt to take precautions I’m giving some tips regarding password management and some general information on what governments are capable of.

Governments have the ability to detect you when you visit a suspicious site. If you for example visit the Stormfront website from Belgium and login with your username and password this data will pass through the United Kingdom. The UK secret service may detect that you just logged in to Stormfront and store your username and password, next it can keep a log of all other sites you visit from the same IP address. If you login on Tumblr next the SS (Secret Service) won’t know your password because Tumblr will encrypt your password submission, but as encryption ends after you login the SS can obtain the name of your Tumblr blog. By analyzing your internet traffic the SS can create a list of usernames, email addresses, and passwords you use.

Taking your blog down by juridical means is difficult and time consuming, not to mention the population at large may be uncomfortable with extensive online censorship. If you use the same password on Stormfront and Tumblr it’s possible for the SS to hijack your Tumblr account, or worse, your email account and every service related to it. When the SS hijacks your accounts you’ll simply be unable to log in as they’ll change the password, associated email address, and leave the account in a frozen state. They’ll do so from behind an anonymous proxy so they have complete deniability. If a hacker would hijack your page they will likely vandalize the page and leave offending messages, the SS is unlikely to do so as they want to draw as little attention as possible to their acts of sabotage.

To minimize your risk you should avoid websites that do not encrypt the entire connection using https, this is difficult however as many websites don’t do this. If you need an email address make sure the email provider is hosted in the same nation as the service you are using. So if you make an account on Jux do so from a Gmail, Hotmail, or Zoho email address. If you link an email address to VK do so from a Yandex email address as the Yandex server is in Russia. Doing so will make it harder for governments to intercept password retrieval email messages. Make sure to never use the same password for different accounts, and be particularly careful when it comes to the password of your email address.

Using Tor will help quite a bit at keeping you anonymous, though it’s unclear to what degree the Tor network has been infiltrated by governments, and well written analytical software will still be able to generate a detailed profile if unencrypted services are used, as they don’t need your identity to hijack you, just a list of email addresses and associated passwords you entered on unencrypted websites.

There is reason to believe the German, Norwegian, and UK governments have reached the level of totalitarianism required to subject their citizens to this treatment for ultra-nationalist content. If this seems like paranoia, realize that pretty much any website in support of al-Qaeda is taken down by means of self-censorship, legal threats, hacking, and on rare occasion assassination.

When the European resistance commits another major act of terror it’s likely that Western governments will try to silence anyone who holds the notion that it’s a human right to resist your own genocide. That’s why I suggest that people take precautions because today you are relatively free, but next year you may find yourself having documents on your computer that have been declared illegal, or be on a list of people who support a terrorist organization, and having to wonder when they will come knocking on your door.

For more information read: Online Anonymity and Privacy