In the wake of PRISM, should we give up on online privacy?By Christopher Reynolds 40 comments
This is a guest blog by Christopher Reynolds, Head of Business Development at IVPN. IVPN is a VPN privacy service, and Electronic Frontier Foundation member, committed to defending online freedoms.
Depending who you ask, the scandal over PRISM, the NSA's secret data mining program, is either mere confirmation of what we already knew, or a shocking revelation that should drive people onto the streets in protest. It's certainly true that many people suspected internet services, such as Google and Facebook, were open houses to government agents, but there's a difference between suspicions and hard evidence.
Now we know the US government doesn't need to enact legislation such as CISPA in order to ride roughshod over civil liberties, it really does beg the question: Is online privacy a lost cause and is online anonymity impossible to achieve? Well, if you ask me, there's good reason to be cynical over the concept of online privacy, but with a few key tools tools and best practices, we can still reclaim a private space on the internet and surf - almost - anonymously.
Email and social
If you want to take privacy seriously then you'll have to make sacrifices -there's no way around it. This means many of the most convenient online services, such as web-based email and social networks, need to be purged from your online life. While this distrust of major providers such as Gmail, Yahoo and Microsoft could extend to all email providers, you could argue that smaller companies, which are not behemoths heavily reliant on government lobbying and co-operation, could offer better privacy protection.
Following this reasoning, privacy-orientated email services such as RiseUp, could be good alternatives if you really want to use web-based email. But ideally you should avoid using web-based services and only store your mail locally (or even rent your own Virtual Private Server). You can use encryption tools such as GPG/PGP to protect your data (though whoever your emailing will need to use the same encryption), web-based tools like Sendinc (though you're trusting a third party again) and encrypted versions of POP or IMAP. Just remember, if you email someone with a Gmail or Yahoo account you're back to square one.
You could also ditch Google and Bing, and start using a more privacy-oriented search engine like DuckDuckGo. But as long as your IP is obscured (which we'll get onto later), you can still use Google privately if you employ a cookie blocker like Ghostery and don't log into your account.
When it comes to social networks it's interesting that Twitter was not on the PRISM's list of compromised companies - especially since Twitter has a track record of defending users.
VPNs and TOR
If you want to browse the web anonymously then the most common, secure, and easy-to-use tools, are The Onion Router (TOR) and commercial VPN services (I2P is also worth looking into for peer-to-peer sharing). But VPN services and TOR both bring different problems to the table.
TOR is generally a very effective tool to keep your IP address private and hidden from surveillance. It's also free and used successfully by journalists, dissidents and privacy-conscious citizens. But it does have vulnerabilities. The most obvious being the ability to passively monitor the connection of both a sender and receiver of data over the TOR network and therefore correlate traffic. This is doable because anyone can run a TOR exit node.
The other vulnerability is the so-called 'bad apple' attack, which involves injecting traffic to trigger an insecure UDP connection, which in turn can reveal an IP address.
Commercial VPN services don't suffer from these vulnerabilities, but they do suffer from potentially much worse flaws. The problem with VPN services - providing they use a secure standard like OpenVPN - is that you have to trust the company providing your service. A cursory look at many VPN privacy policies will reveal that such trust is easily misplaced - policies often either explicitly state they log data in the same way as an ISP, or they're so vague that you don't know either way.
There are some good resources to get around this problem such as TorrentFreak's round-up of VPNs that don't log data and my own company's ongoing guide on understanding VPN privacy policies. Of course, a good way of mitigating the vulnerabilities of TOR and VPN services is to combine both services to achieve security in depth.
The biggest barrier
So to summarise; yes, you can achieve a high degree of anonymity online without any specialist knowledge, but regaining your online privacy is not a simple task. It requires some work and a few sacrifices.
Perhaps herein lies the biggest problem. While many of us were up in arms over the PRISM revelations, how many have since changed their online behaviour in the last few days? How much of that outrage translated into closed Gmail accounts and TOR installations? Maybe it's still too early to assess the fallout, but my suspicion is the main barriers to online privacy - other than the illegitimate behaviour of law enforcement - is our own apathy.