There was a strong anti-establishment ethos among many of the digital pioneers who helped build the modern Internet. Yet the communication networks that serve most Americans today have become an almost ideal tool for government surveillance.
There are some things ordinary people can do to minimize their online footprint and make it harder for anybody — whether the government, marketers, hackers or your ex-boyfriend — to track your communications the way the government seems to be doing as part of its aggressive efforts to thwart terrorism. The key to genuine privacy, however, seems to be knowing the limits of various security tools and, if you really don’t want to risk online surveillance, giving up some of the perks of modern communication. “For some of the [government] programs, there is nothing to do unless you give up technology altogether, or restrict a lot of what makes it useful,” says Aleecia McDonald, director of privacy at Stanford University's Center for Internet & Society.
For privacy purposes, there are two types of communication: Those that go over phone systems — including text messages and web browsing from a mobile device — and those that go over the Internet, including email, web browsing from a computer, VOIP phone calls and videoconferencing. Phone surveillance has recently received intense scrutiny due to revelations that the National Security Agency is gathering “metadata” on millions of Verizon (VZ) customers, including many Americans. Other carriers, such as AT&T (T) and Sprint Nextel (S), are probably part of the same program. The phone companies most likely aren’t providing customer data voluntarily but doing so under legal orders issued by a secret court.
There’s very little most people can do to prevent government collection of metadata, which doesn’t include the actual content of calls but does feature the kind of details you’d find on an itemized bill: the numbers and times you call, how long you talk and the general location you make calls from. Virtually all U.S. phone calls are routed through systems controlled by one of the big telecom companies, and since phone service costs money, most calls are linked to an account somebody pays for. That makes it very difficult to attain true anonymity (without breaking any laws).
The drug-dealer method
One exception is a prepaid mobile plan that allows you to pay for minutes in advance, without a phone-company contract and without necessarily identifying yourself, since you can pay in cash. But such calls still run over big-company phone networks, which means metadata from a given number can be tracked. Drug dealers and other criminals sometimes use prepaid accounts to skirt authorities, but that requires buying a new phone and getting a new number as often as every day, before calling patterns give away too much information. “If you’re not a drug dealer, this can get pricey,” says Martin Libicki of the Rand Corp. “If you want to avoid metadata, you really have to avoid making phone calls, or get a prepaid phone and use it sparingly.”
Some new services are springing up to offer ordinary consumers the ability to encrypt the content of phone calls, though they don’t always block metadata. What they will do is help scramble content sent from one user to another, rendering it unreadable to those not a part of the direct communication. RedPhone, for instance, is a free Android app that encrypts the content of calls when placed to another phone with the same app. Silent Circle offers an encryption service starting at $120 per year that promises higher security than typical phone service when calling any other number, with even stronger, end-to-end encryption — and no metadata — when you call a number on its own network. You have to get a new, 10-digit number, but you can use the service on an existing smartphone by downloading an app.
One word of caution about phone-encryption services: Scammers may emerge to take advantage of paranoia fueled by the NSA surveillance controversy. Signs of a legitimate provider include open-source code and clear statements about how the firm creates firewalls around their customers’ data.
Hiding your data on the Internet can be even harder, because many of the most popular Internet services were deliberately designed from the outset to collect as much information as possible on the people using them. That includes social-media postings on sites such as Facebook (FB), Internet searches on engines powered by companies including Google (GOOG), Yahoo! (YHOO) and Microsoft (MSFT), and email addresses offered by many of the same companies, plus Apple (AAPL).
Those firms gather copious data because it’s highly valuable to marketers and advertisers, and therefore very profitable. But it turns out those huge datasets are also coveted by federal agents, because terrorists go online, too, and leave digital clues. While fishing for leads on foreign terrorists, government investigators apparently suck up loads of info on harmless Americans, which has fueled the latest controversy.
A simple upgrade
One simple upgrade that can make online communications more secure is an HTTPS add-on, which encrypts data leaving your computer, making it harder (though never impossible) for middlemen to hack or capture it while it’s en route to a web site or other server. If the destination site also uses HTTPS, that will make the data more secure still. But whoever ends up with your data — which could be Amazon (AMZN) if you’ve made a purchase, say, or Facebook if you’ve signaled a “like”— can still use it in any way you’ve given them permission to. And if the feds come calling with a court order in hand, those firms are bound to turn it over in decrypted form.
Other services can add incremental layers of protection. In addition to encrypting phone service, Silent Circle also offers encryption for email, video chat and other types of Internet activity, with the highest level of protection requiring the company’s software on both ends of a transaction. Free downloads such as PGP (“pretty good encryption”) or GNUpG also help encrypt email and other data leaving your computer, but these programs tend to be clunky.
Alternative search engines such as Duck Duck Go or Start Page don’t track your personal searches the way more-mainstream search engines do, which means they won’t have any data on you if the government shows up asking for it. In the same way, web browsers such as Tor don’t gather data on the sites you visit, which can be quite revealing, even if it’s not clear what you did on those sites.
Even Tor has limitations, though. If you visit a web site through Tor and make a purchase, provide your email address or indicate interest in something, the data you provide to that site remains fair game. “Tor is about a C+,” says Scott Bethel, a former senior Air Force intelligence officer who’s now with San Antonio cybersecurity firm Delta Risk. “If you use their browser to use Amazon or any open architecture, then you’re out in the open.” Plus, Tor can be slower than other browsers, and not fully compatible with popular offerings such as Skype or YouTube.
In the end, the only way to 100% protect yourself from online surveillance is through abstinence. But to many Americans, that may seem like an excessive concession to terrorists, who, after all, are seeking to spread fear and disrupt the American way of life. That suggests one other way to evade the digital spies: Do nothing that might interest them.
Rick Newman’s latest book is Rebounders: How Winners Pivot From Setback To Success. Follow him on Twitter: @rickjnewman.