Don’t let NSA paranoia destroy your productivity

Summary: There's an awful lot of paranoia going around these days. But the biggest threats to your privacy don't come from the NSA or the FBI. They come from private companies building massive databases to track your movements. Here's a sensible set of strategies to minimize privacy risks.

TOPICS: Privacy, Security

If your reaction to recent revelations about widespread surveillance by the National Security Agency has you feeling powerless and hopeless, you’re not alone.

But if your next reaction is to furiously start pulling the plug on everything that makes the modern Internet useful and that ties us together as a society, then it’s time for an intervention.

Look, let’s be clear: There are valid reasons to question the scope of government surveillance and to have a proper debate about oversight. If you’re an investigative reporter covering foreign relations, you should be extremely aware of security. If you’re a political activist in a country with a repressive regime, then God bless you and please be careful.

But if you’re an average citizen in a Western democracy considering cutting yourself off from connections to your fellow human beings, you need to stop and take a deep breath.

I’ve been biting my tongue over this stuff, but the creation of a new website called finally sent me over the edge. The domain name is brilliant, but the recommendations? Not so much.

Are you willing to throw away all your Windows PCs and Macs and iPads, install Linux on every piece of hardware that’s left, and do all your browsing through slow anonymous networks? Do you seriously plan to quit all social media completely and force your friends and family members to install personal certificates before they can read your email? Are you really going to switch your DNS to a distributed system based on Bitcoin?

Me neither.

So what’s the alternative? First of all, let’s define the problem. Your every movement on the Internet is being tracked, not just by the NSA and the FBI but by government agencies from other countries around the world and, much more importantly, by giant corporate entities. Those advertising giants, most of whose names you wouldn't recognize, are sucking up information about you from most of the websites you visit, including this one. They're stuffing those details into giant databases that they then correlate with your offline behavior (credit card transactions, for example) to profile you.

Unless you’re willing to move to a cabin in the Montana woods and type manifestos on an old Underwood typewriter by a kerosene lantern, you’re going to wind up in some of those databases. And did I mention that the NSA and the FBI have copies of those collections in their massive data centers?

So maybe we can take a clue from the NSA and practice the art of minimization. You can’t remove every trace of yourself from online databases, but you can minimize your digital footprint. And you can blur the picture of your digital identity that those databases create.

There are no silver bullets for online privacy. There are, however, tools you can use to make small but meaningful improvements in your online privacy. Here’s what I use:

For Web browsing, I have Abine’s free DoNotTrackMe add-on installed in every browser I use. It automatically blocks trackers (including those from Google and Facebook) but gives me the option to re-enable a third-party site if I need to. As a side benefit, it also makes web pages load faster.


For cloud-based storage of sensitive work files, I use a third-party provider that encrypts files both in transit and at rest. (Hint: It’s not SkyDrive, Dropbox, or Google Drive.) Encryption at rest only keeps the provider itself out of your files if the keys stay with you rather than with the service, so that is the question to ask before choosing one. I use SkyDrive for personal files, pictures, and documents that don’t contain sensitive content.

On social media sites, I don’t share anything controversial or sensitive. If the NSA wants to paw through my vacation photos, or read my Facebook chats, they’ll probably nod off from sheer boredom.

Email encryption? Forget about it. Even privacy fanatics acknowledge the usability hassles are so high that it’s not worth it unless you’re exchanging state secrets with an investigative reporter. And if you’re doing that, you need to engage in some serious tradecraft.

Meanwhile, with all the time you spend not hassling with digital certificates and waiting for some Tor server in Iceland to process your search requests, maybe you can write a letter or make a phone call to your Congressional Representative or Senator. And convince your friends and family to do the same. In the long run, that will have far more impact than all of those paranoid strategies.

  • OK, so who is your third-party provider?

    > I use a third-party provider that encrypts files both in transit and at rest. (Hint: It’s not SkyDrive, Dropbox, or Google Drive.)

    Why be coy? Who is it?
    • Post coming soon

      Ed Bott
      • mega?

    • Though...

      Hushmail can do that, though it isn't free if you want > 250 MB storage. In fact, Hushmail is an encrypted email service, so there's that.

      Or you could simply use PGP (I think Symantec may have turned it into payware) to encrypt files and then upload those to the cloud.
      • PGP

        It was payware before Symantec. You can use GPG for free though as it is GNU licenced. However, it is NOT easy to use and you are probably going to have to sharpen your command-line skills.
        • PGP and GPG

          Hello, I am an IT consultant who works with Symantec PGP. I am encouraging all of my friends, family and customers to start to encrypt their online communications. Especially their business critical data.

          On the side I am an activist. I have written a blog that shows the use of two free GPG tools that function very similarly to PGP: Enigmail for email and Cryptophane for files.

          I now encrypt my communications with PGP and have my customers use Cryptophane to decrypt and encrypt files for me. PGP and GPG are compatible.

    • doesn't matter

      Unless it is open source like AxCrypt you are just trusting the next guy. Indeed the NSA is the least of your worries. Your CC, search provider, or cell carrier has more info. The NSA also has to obtain warrants from the FISC which is part of the judicial branch of government. We can only hope that the balance of power between the branches we set up does the right thing.
    • Who is?

      Use mate. Everything you do online is encrypted. Viruses and Spyware are filtered out as well.
      Stephen Davies
      • Spotflux uses Java

        If you want to use Spotflux, you must install Java and Java is a virus nightmare.
  • Private Data

    Here's the thing about private big data, as long as the terms of service disclose it, it's available for sale to third parties, and in the US, that could include the NSA.

    Not to suggest a new rabbit hole for paranoia; I have changed nothing since hearing the first details. Well, I do have some easily made jokes among my tweets now. I have no doubt that, because of false positives, NSA's data collection, whatever its scope, has zero predictive powers. I mean look at how many bad people were caught via the no-fly list. As a forensic tool to ascertain connections after something happens, absolutely, some completeness is the key.

    Still, all this data is there for a while and the temptation to use it against political rivals is irresistible to many who go into government. Go back and review the chain of evidence that led to Eliot Spitzer's mention in an indictment and I think you'll see the shadow of someone trawling his phone and bank records and then building a cover by investigating a prostitution ring. Who else was mentioned? Was there even a trial?

    Anyway, I'd vote that the NSA discontinue PRISM, that we stop having security letters and top secret requests for records. Sadly, there is bipartisan consensus that finding and storing some significant portion of our associations is a-ok. The Libertarians are good on the issue, but I do not want to go to the Gold Standard. What you gonna do? Just buy that Racket book and count on being insignificant and boring, and if I somehow rise to the level of interesting, someone will see that's a programming language, not a RICO tutorial, and deescalate me back to verbose, but harmless.
  • Switching OSes won't do a thing to PRISM . . .

    "Are you willing to throw away all your Windows PCs and Macs and iPads, install Linux on every piece of hardware that’s left, and do all your browsing through slow anonymous networks?"

    That pretty much demonstrates a lack of understanding of what we know about PRISM.

    Last I checked, what it basically does is to sniff web traffic - and it's the browser that's responsible for your web traffic, not the OS. This comes across to me as an ad for open source software, not an actual anti-PRISM solution.

    "So maybe we can take a clue from the NSA and practice the art of minimization. You can’t remove every trace of yourself from online databases, but you can minimize your digital footprint."

    I would agree - Removing every trace is impractical. But minimizing might be reasonable.
    • Possibly

      Wouldn't know how to begin and not give up things I enjoy.

      Now, ramping up the noise to make extracting the signal less efficient. That might have promise, after all, at some point someone will look at the expense of storage and perhaps argue the benefits aren't sufficient for the cost. Money, I sadly note, is more motivating than reference to the Constitution. (Besides, the argument is that the 4th amendment is silent with regards to communication. Since the Supreme Court went against originalist intent with its ruling that silence before arrest may be provided as evidence of guilt by a prosecutor, good luck on looking to this bunch to acknowledge a right of privacy.)

      Bury them with boring, as I phrase it.
      • Creating noise

        My wife continually asks me questions on behalf of friends. So I am always searching for things that have no real interest to me. This has been rewarding, since now I receive advertising for products and services that I also have no interest in. It makes me happy to know there are a lot of companies that are spending money for my information and receiving no value from it.

        Try it yourself. Go to Amazon, pick a product category that interests you the least, and surf a few items. You'll see that item or others like it appear in advertising banners everywhere.
        • Junk

          Great, instead of possibly interesting stuff, you get junk. At least junk mail you can burn in the fireplace.

          I hate the ads that duplicate stuff you've already bought, and they think you want to buy a second one.
        • further comments

          There is usually a cost associated with anything worth having.
          If most people spent at least some of their browsing time pursuing subjects they were not normally interested in they would:
          At first, receive advertising they can quickly recognize and ignore.
          Increase their own knowledge (on subjects they would not normally be exposed to).
          Eventually (hopefully), decrease the accuracy and therefore the value of the information gathered on them.
          This last item is to be hoped for.

          Note: This is simply my opinion, you may agree, disagree or ignore as you see fit.
    • Encryption

      One thing you all have to keep in mind is that all encryption methods have to be registered with the NSA. Therefore, none of your info, unless you came up with something brand new (and didn't register it), would be hidden from NSA/FBI anyway.

      Just a thought...
      • No, that's not true

        Where did you hear that?
        Ed Bott
        • Yes it is true

          I recall an interview with a seasoned Silicon Valley security CEO stating that if you announce that you are making computer security systems to expect a knock on the door -- it will be the NSA asking for their backdoor into your system.
        • Ed this is what I understand

          this is from

          US non-military exports are controlled by Export Administration Regulations (EAR), a short name for the US Code of Federal Regulations (CFR) Title 15 chapter VII, subchapter C.

          Encryption items specifically designed, developed, configured, adapted or modified for military applications (including command, control and intelligence applications) are controlled by the Department of State on the United States Munitions List.

          As of 2009, non-military cryptography exports from the U.S. are controlled by the Department of Commerce's Bureau of Industry and Security.[9] Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software, and even cryptographic consulting services still require an export license[9](pp. 6–7). Furthermore, encryption registration with the BIS is required for the export of "mass market encryption commodities, software and components with encryption exceeding 64 bits" (75 F.R. 36494). In addition, other items require a one-time review by or notification to BIS prior to export to most countries.[9] For instance, the BIS must be notified before open-source cryptographic software is made publicly available on the Internet, though no review is required.[10] Export regulations have been relaxed from pre-1996 standards, but are still complex.[9] Other countries, notably those participating in the Wassenaar Arrangement,[11] have similar restrictions.[12]

          Yes crypto is regulated. Considered military in its nature. Significantly sensitive.
      • Only for Export

        Cryptology exports have to be reviewed by one of the US government agents as it is considered restricted technology.

        If you want to license it to the government it has to be FIPS certified (which probably means you cannot export it unless the key length is fairly short).

        If you just want to grow your own you do not have to register anything. However, if you want to do an open source project -- which means the technology would be available to other countries -- you would probably be under the same restrictions as if you were exporting the technology.