43 comments

[ 2.6 ms ] story [ 115 ms ] thread
I seem to be discussing this topic with my friends almost on a regular basis now.

However, and as we all agree, it's much difficult putting them into use. We need these services. If I get lost, I need Google Maps to find the way. I need GPS. These are things that have no other alternative.

Likewise, if I want to talk with a friend over video and I tell him I don't want to use Skype, he laughs at me. Will he download and install Jitsi just for me? No, that is not how it works.

If we are using these tools for ourselves, say personal browsing using Tor, that is fine. But the moment you start interacting with someone else and expect them to send you PGP encrypted emails, not to use Google Talk/Skype, people just don't care and will not switch to other alternatives. Also, you will get laughed at for being a paranoid nut. Unless these secure alternatives become the norm, good luck expecting others to change. That means your family and friends who just want to use a service and don't care about the privacy problems behind it.

TL;DR: our reliance on these technologies makes it difficult to completely let go of them. And for most of them, there are no privacy-preserving alternatives.

As an alternative to google maps, try openstreetmap. It's got good coverage, and there are numerous routing engines based off it.
Also, try a map ;-) (semi serious)
On Android I use OSMAnd+ (uses OSM data) and have had good luck with using it to supplement GMaps. The map coverage is fantastic and IIRC you can download as much map data as your device will hold. That really helped me in Europe where my American mobile phone (Sprint network) did not work but its GPS receiver still did.
Not to mention all those who lack the required expertise, yet also deserve privacy.

That's why instead of looking for ways to ditch these services, we need to make sure they are audited on a regular basis, and that government agencies don't feel they are above the law; to remind our masters that only our consent gives them the power they crave.

While I agree with your sentiment, doing that will likely be difficult.

However, the end-to-end encryption is what we need, so that we don't have to rely or expect service providers to change. Things like PGP for sending emails, OTR for IM, Jitsi for video conferencing. All these do end-to-end encryption and this is what we should be moving to. So if you are using Gmail, but you only send PGP emails, great. You are using Google's services while not giving them anything.

Minimizing their use minimizes the reason to have any fear or concern over the data NSA or whatever collects.

It's always better to use alternatives to the eavesdropped service, but the benefit comes from minimizing and eliminating the amount of eavesdropped data, so it's always good to minimize the usage. If it means to use Skype only in strictly required cases, I think it's acceptable as long as you realize that whatever you say or imply directly or indirectly or whatever can be gathered through metadata or side-channels, it's a no biggie really.

The best hide is to hide in the crowd and realize the situation and act accordingly.

First install optional encryption software. Something like textsecure and redphone. This way you use your phone in the same way, but if there's an option for encryption, you can use it.

Then maybe just use with your spouse . since those conversations are very private, maybe you could Convince him/her. And it does buy you protection from law and inadvertent snooping by friends(if I understand otr correctly).

Now talk about this with your friends. They might want to use the same strategy.

And now some of you're friends have the software, it's just a matter of setting keys. Seems possible.

>We need these services. If I get lost, I need Google Maps to find the way. I need GPS. These are things that have no other alternative.

No you don't. These services didn't even exist ten years ago and people got along just fine. Get rid of them and I guarantee your intrepid little human resourcefulness will find ways of managing without them. They're first world luxuries, nothing more.

Instead run your own IM service with your own Extensible Messaging and Presence Protocol (XMPP) server

Only technical savvy people can do something like that, and from those few will ever bother. Besides if I’m to set-up my own XMPP server why not hangout at IRC.

Quit social networks, all of them

Try telling that to a 20 something. Social networks are the Internet for them, they don’t just quit.

Advices like these are absolutely useless. HTTPS Everywhere is probably the only usable advice in the whole article. Everything else can’t be proposed to the average user.

IMHO privacy is one thing and protecting yourself from NSA a whole different. While you can protect your privacy following some simple rules, making yourself invisible from NSA is practically impossible-unless you're willing to forgo many of the conventions of modern life.

> Advices like these are absolutely useless. HTTPS Everywhere is probably the only usable advice in the whole article. Everything else can’t be proposed to the average user.

Considering that the so-called Average User doesn't care aboit his/her privacy in the first place, is this much of an issue really?

"HTTPS Everywhere is probably the only usable advice in the whole article."

Which still doesn't prevent you if the service provider is rogue.

Read the last paragraph of the article.
Quitting social networks and using Tor and PGP isn't going to protect you from a nation-state intelligence agency. To suggest so is laughable and naive. We're not even at amateur hour yet.

You're better off reading Grugq's post[1] on developing good OPSEC, and even then you're far and away from it.

[1] http://grugq.github.io/blog/2013/06/14/you-cant-get-there-fr...

I agree. First of all, what I have read so far, we the "public" don't know the capabilities of that agency, so by definition, you can't know whether some technique will protect you.

Correct me if I am wrong, but a common sense tells me, that if they are able to monitor all Internet traffic, and also can run their own Tor nodes, and also possess software to analyze those big amounts of data that the monitoring will produce, I just can't see how you cannot be ultimately tracked even on Tor.

As I see it, many of those defenses just assume that your adversary is not able to "cache" the whole Internet traffic, and that he also don't have such a strong computer to crack PGP. But relating to nation-state agency, those are already nothing more than assumptions.

Anyway, the points in the article are quite efficient against the lesser capable hackers. It never hurts to put less amount of private data to the Internet, for example.

Did you read the article?! It's a straw-man pointing out that the only way to ensure privacy is with the protection of law:

>If we really want to protect our privacy on the net what we need is more than better technology, we need fundamental changes in our laws and how we enforce the privacy laws we do have. Then, and only then, will we have a fighting chance of keeping our privacy on the Internet.

You're right but I don't think this very likely. I think changing your online behavior is the only real way to escape surveillance. That basically means either not using the web or only using it when you don't care about who's watching.

Changing the laws and/or enforcing them would be ideal but then it seems we'd end up right where we are again. Part of the reason for the secrecy of these programs isn't only national security but a way to circumvent the laws. From what we know about the current NSA controversy, these programs are mostly legal and being enforced just fine. Courts are ruling in favor of these things. That's not to say a debate over the 4th amendment isn't unreasonable.

Sometimes I feel there's a part of me that believes we could change the laws. The problem may not be our representatives exactly but rather the power that's been given to the military industrial complex. It's like a totally separate government unto itself, creating problems to solve to justify its own existence.

Yeah, but even that is wrong. It isn't fundamental changes in our laws; it's fundamental changes in the way we interact with our governments. And that's far too much to ask a privacy advocate to do.
Foreign state actors are not subject to your national laws. You need to protect your data in depth.
A much shorter version of this article: "Quit Google. Quit Facebook. Quit Apple. Quit Microsoft. Quit Yahoo. Quit Skype."
It seems like it should be possible to make a much lighter weight encrypted email protocol than, say, GnuPG. Address books should have a public key field. Emails should have a X-Public-Key: and X-Signature: fields. You can add key exchange on the existing protocol. If you've got a public key in your address book, outgoing emails should be encrypted. It seems like it would be trivial for GMail or Thunderbird to support something like this. I realize this doesn't solve all the problems GnuPG does, but email exchange would be encrypted, it would be easy to adopt, and would let the end user choose manage keys and store emails encrypted (Thunderbird, say) or not (GMail).
> Address books should have a public key field.

Smart.

They do, in the DoD.
It's really curious how cloud services companies could be doing all this and more to build confidence in their services. Imagine, for example, NFC-based key signing parties - just touch your smartphones.

But not a word, yet. Not one word.

we already know the government can, and will, grab cloud servers.

They will grab your private servers too, if they have probable cause to do so. I don't see this particular argument being very persuasive.

Yeah but your private servers have full disk encryption. And whichever other security measures to decide to not skimp on for convenience.
The only way to protect yourself, is to force politics, to stop the sniffing now and to delete all the previously gathered data. There is no technical solution, only a political one.
Damn right.

The worry has to be the data they have on us from the past. We now know to be careful, so presumably those wanting to be careful, will be.

I now don't care what they do from now on. The key thing is that I am now 100% sure the internet and electronic comms are insecure. If I need to be secure, I'll find other ways to communicate, or do all I can to lower the risk, act accordingly, and accept the risk.

But what I do want, as a non terrorist/pedophile/bogyman, is all the data they have that relates to me to be purged.

Wont happen.

And then in 5 years, when the program rises from the dead only with a different name and a more closely-screened cadre of analysts, what then?

I hate to say it but what you're saying is like telling a 17-year-old that the only way to protect themself from STD/pregnancy is to never have sex. I mean, you're right, but you're also failing to cope with the reality of the situation. ;)

Well, before enough people are telling their governments to stop surveillance, it needs to be a strong matter of public interest. The same applies for a broad application of any technical solution.

At the end we probably need both, the public constantly controlling politics and technical solutions to make surveillance generally harder, but it all requires the public interest reaching at least the critical mass.

If 99% of people didn't want surveillance, then governments would have virtually no chance to install it, but at the moment many people think surveillance is good for them.

The week before the Snowden story broke, the news was full of foreign spying against US industry and government. How is changing our laws going to stop that?
What about the data that is already out there ?? Is there any way to get that removed from their servers ?
This article is a bit of a copout, but you can certainly lower your footprint.

Using Tor or a VPN are definately good things to obfuscate traffic, but you basically have to use them ALL the time otherwise your activity can be corrolated.

Using your own IM isn't a requirement either, you can use OTR for semiprivate conversation.

It will be funny if the NSA saves the newspapers as the only method left of communicating securely. You just take out encrypted ads in the nytimes when you want to communicate with someone. No way for them to know who it was meant for. What are they going to do, ban encryption in newspapers ? Are they going to torture everyone taking out encrypted ads ?
Clarification, I meant save print delivery.
Don't need print delivery if nytimes releases an app that pumps all classifieds to you even if you ask for just the front page.
Did you forgot to change your username when you replied to yourself?
This could just be an app, on iOS even... Doesn't have to be associated with a newspaper. Just needs a million users. Kind of like an "encrypted wall" or "ewall"