Six ways to protect yourself from the NSA and other eavesdroppers


Summary: Yes, you have many options for protecting your privacy on the Internet. But are these measures worth the time and sacrifice required? That's up to you.


Worried sick about the NSA, or someone else, looking over your shoulder? Well, you can do things that will make it harder for someone to eavesdrop on you.


That's the good news. The bad news is that all these things require a fair amount of effort, some will cripple your use of the modern Internet, and none of them will stop a sufficiently determined electronic Peeping Tom.

1) Abandon the cloud

IT professionals who've resisted moving to a public cloud have never liked the idea of putting their programs and data into someone else's hands. Now, as David S. Linthicum, senior vice-president of Cloud Technology Partners, recently wrote, "Personally, I don't see much of a connection between the NSA and cloud computing, but those on the fence regarding cloud computing will cite this as another reason to kick the can further down the road. Thanks for nothing, NSA."

True, the NSA probably isn't sitting in Amazon, Google, or Microsoft's data-centers, but the NSA could be sitting at tier one ISPs watching your data go by on its way to the cloud.

Regardless of what the NSA might or might not be doing, we already know the government can, and will, grab cloud servers. Just ask Kim Dotcom about the seizure of Megaupload cloud storage servers. Whether Dotcom was guilty of anything is still open to doubt, but all of Megaupload's former customers' data is still sitting in seized servers.

Want to be sure your data is secure? Keep it on your own servers, datacenters, or private cloud and keep your traffic on the corporate intranet. A system administrator may still be able to walk out with your corporate secrets on a USB stick, but at least it won't be an outsider stealing your data.

In addition, when you're thinking about the cloud, consider all those software as a service (SaaS) apps that you use every day, such as Office 365 and Gmail. Keep in mind that every time you use one of those convenient, free or inexpensive apps, your work is potentially visible to the eyes of others.

2) Stop texting and using most instant messaging services

When you text or instant message (IM) someone, you might think your message goes directly to the person you're writing to. It doesn't.

Instead, typically, your message first goes to a server, where a copy is kept, and then is sent out to your buddy. Those stored texts can be used against you. Just ask former Detroit mayor Kwame Kilpatrick, whose texting led to his pleading guilty to felony charges back in 2008.

You can't do a lot to make texting safer, but you can make IM safer. First, you must avoid using any public IM service such as AIM, Microsoft Messenger/Skype, or Google Talk. Instead, run your own IM service with your own Extensible Messaging and Presence Protocol (XMPP) server, such as Cisco Unified Presence.

Keep in mind, though, that the second you send a message from your IM network to an external XMPP compatible IM network, such as Google Hangouts, your messages will end up being kept in a third-party server anyway.

3) Encrypt your e-mail

Technologies such as PGP (Pretty Good Privacy) and Secure/Multipurpose Internet Mail Extensions (S/MIME) have been available for ages to encrypt your e-mail messages. There's just one little problem with them: They're a pain in the rump to use and the people you e-mail must always use them.

As Peter Bright and Dan Goodin wrote recently, "The long and the short of it is that e-mail isn't a very good system for secure communications. You're wholly dependent on other people doing the right thing and sending you properly encrypted mail." Be that as it may, all of us still use e-mail for important communications every day of the year. 
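How far you depend on senders can be measured on the receiving side. The Python sketch below is an added example, not part of the original article: it labels a message as PGP/MIME, S/MIME, inline PGP, signed-only or plaintext from its MIME headers. The function names and the sample messages are constructed for illustration.

```python
from email import message_from_string

PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
SMIME_ENCRYPTED = {"enveloped-data", "authenveloped-data"}

def classify(raw):
    """Label one RFC 5322 message by how its body is protected in transit."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    # PGP/MIME (RFC 3156): multipart/encrypted plus a protocol parameter.
    if ctype == "multipart/encrypted":
        if str(msg.get_param("protocol", "")).lower() == "application/pgp-encrypted":
            return "pgp-mime"
    # S/MIME: only enveloped data is encrypted; anything else counts as readable.
    if ctype in SMIME_TYPES:
        kind = str(msg.get_param("smime-type", "")).lower()
        return "smime" if kind in SMIME_ENCRYPTED else "signed-only"
    # A detached signature proves origin but leaves the text readable.
    if ctype == "multipart/signed":
        return "signed-only"
    # Inline PGP: ASCII armor pasted into an ordinary text part.
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            if PGP_ARMOR in (part.get_payload(decode=True) or b""):
                return "pgp-inline"
    return "plaintext"

def readable_in_transit(messages):
    """Subjects of messages whose body was not encrypted."""
    exposed = {"plaintext", "signed-only"}
    return [message_from_string(m)["Subject"] for m in messages if classify(m) in exposed]

# Constructed sample messages (bodies are placeholders, not real ciphertext).
SAMPLES = [
    'Subject: contract draft\nContent-Type: multipart/encrypted;'
    ' protocol="application/pgp-encrypted"; boundary="b"\n\n--b\n'
    'Content-Type: application/pgp-encrypted\n\nVersion: 1\n--b--\n',
    'Subject: payroll\nContent-Type: application/pkcs7-mime;'
    ' smime-type=enveloped-data; name="smime.p7m"\n\nPLACEHOLDER\n',
    'Subject: meeting notes\nContent-Type: multipart/signed; boundary="b"\n\n'
    '--b\nContent-Type: text/plain\n\nnotes in the clear\n--b--\n',
    'Subject: key handoff\nContent-Type: text/plain\n\n'
    '-----BEGIN PGP MESSAGE-----\nPLACEHOLDER\n-----END PGP MESSAGE-----\n',
    'Subject: lunch?\nContent-Type: text/plain\n\nnoon works\n',
]

if __name__ == "__main__":
    print([classify(m) for m in SAMPLES], readable_in_transit(SAMPLES))
```

A signed-only message is counted as readable because a signature authenticates the sender without hiding the text.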

4) Hide your Web browsing

Secure-socket layer (SSL) can be broken, but using SSL whenever possible is still a good idea. One way to do this is with the Electronic Frontier Foundation's HTTPS Everywhere Web browser extension. Unfortunately, HTTPS Everywhere is only available for Firefox and Chrome.

That's fine as far as it goes, but it's still easy to see which sites you visit and when. If you want to really disguise your tracks on the Web, you need to use Tor. Tor takes your Internet communications and bounces them around a distributed network of relays so a watcher can't see what sites you're visiting. It also keeps Web site owners from figuring out where you're browsing from.

There are lots of ways to put Tor to work, but the easiest is to use Tor Browser Bundle (TBB). There are TBB versions for Linux, Mac OS X, and Windows.

Practically speaking, Tor connections can be very, very slow. Your connection -- because it depends on the kindness of strangers for bandwidth and multiple relays -- will only be as fast as the slowest link.

5) Turn off all services you don't need

If you're a system or network administrator, you already know you should never run or open your firewall to any service you don't need. But, have you looked at your tablet or smartphone lately?

In your pocket at this very moment, your phone may very well be syncing your contacts, calendar, browser history, and messages with others -- and let's not even talk about GPS.

Actually, let's do talk about GPS. Want to scare yourself silly? If you use Google location services for finding your way around or locating the nearest pub, check out your location history. Why, yes, you were in that bar two weeks ago weren't you!

Now, you can stop Google from recording your location; but with any location service from any vendor you're constantly sending out a "Here I am" message. So, if you want to really maintain your privacy, you're going to want to stop using all those apps that want your location. That's easier said than done. Lots of apps want your location.

There are groups, like the Android alternative firmware maker CyanogenMod, that are working on features such as "Run in Incognito Mode", that will make it easier to lock down your smartphone privacy, but it's never going to be easy to be private with the current generation of tablets and smartphones.

6) Quit social networks: All of them

Facebook may be the worst of the social networks at hanging on to your data, but if you're sharing your personal information on a social network--any of them--then you're potentially sharing it with the world.

Think about it. If you're blabbing to the world, or just your closest buddies, on Google+, Twitter, whatever, you're putting out lots of information about yourself that can be picked up by snoopers.

Real Privacy

Let's say you do make yourself an Internet hermit; is that enough? No. No, it's not. You may be able to conceal the contents of your messages, but thanks to the trio of big data, metadata, and traffic analysis, an expert with access to your Internet traffic can still work out what you're up to.

In short, sure, if you're Anonymous, you can hide on the Internet. For the rest of us, though, especially if you want to get all the goodness that comes from SaaS, cloud storage, IM, GPS, social networks, etc., you're going to have to learn to live with the knowledge that if someone with expertise and access really wants to know what you're doing on the Internet, they can find out.

If we really want to protect our privacy on the net, we need more than better technology; we need fundamental changes in our laws and in how we enforce the privacy laws we do have. Then, and only then, will we have a fighting chance of keeping our privacy on the Internet.

  • Better way is

    To revert back to 1970s technology, the NSA will never read letters typed on a typewriter or read stuff stored in a punchcard computer!
    Pollo Pazzo
    • Would make it harder

      ...but it would surprise me if the NSA wasn't intercepting teletype traffic; and steaming open letters is definitely low tech (it's why seals were used in the old days).
      John L. Ries
    • Punch Cards?

      Aside from the low data density of punch cards (12*80*2000 = 1.9 megaBITS of column in pure binary, or 160 kiloBYTES in Hollerith code, per 18"x9"x4" box weighing about 5 lbs), I am sure the government has ways to read them. If nothing else, take a picture of each card on a black background and use scanning software on the same principles as QR codes to scan each picture. And although IT departments phased out card equipment in the '80s and '90s, there are (or were) surplus punch card ballot readers that can be adapted.
  • nice recommendations

    Only one question
    >>They're a pain in the rump to use and the people you e-mail must always use them.
    To dissuade or alleviate the pain, you can use gpg and a good email client/agent. gpg (the GNU Privacy Guard) is compatible with pgp. Thunderbird, evolution, mutt (my favorite), alpine (the descendant of the pine UA), rmail and more make it really easy to decrypt/encrypt and sign your emails. Just publish your public key on a keyserver or send it to all of your recipients.
    You can encrypt only certain pieces of text, open it in a text editor (again a decent one) like GNU Emacs and run gpg command on those. Things are not as painful as one can see.
    As a side note I don't care if NSA reads my email or not, I am really skeptical about their competence (should perhaps run gpg -e on this sentence :)) Just recall NSA's last lapse with one of the Boston bombers when they misspelled his name and didn't put him through extra scrutiny as a result, did not listen to the Russian colleagues. Come on, a spell checker program, google and other search engines would be able to correct it...
    • to clarify

      The passage "You can encrypt only certain pieces of text" should be accompanied with "(if you want to)"
    • Re: NSA competence

      The issue, IMO, is more about what happens to that data once they have it (assuming they are able to obtain data without a warrant). Today that data may only be used for national security, but if there was a huge warehouse with all this data, it's only a matter of time, before it's mined for other purposes. Truth is, I'm just not that concerned about terrorism. If some group wants to pull off some act, they're eventually going to succeed. It seems pretty likely that Al Qaeda could use encryption, which if done correctly could make it very hard to determine what the contents of a message are.
  • Bomb details no problem

    If you want to send a message to would-be terrorists, telling them how to make a bomb and where to place it, and at what time, just send a postcard; the most secure form of communication in existence.
  • Citation needed.

    "Secure-socket layer (SSL) can be broken"

    Citation needed.

    From what I've heard, this is not black and white as just a blanket statement. If implemented improperly, yes it can be broken. However, if done right, I don't believe it can be. I'd like to see a proper citation for a way to break all SSL implementations.

    "Actually, let's do talk about GPS. Want to scare yourself silly? If you use Google location services for finding your way around or locating the nearest pub, check out your location history. "

    Nope, not seeing much at all. I'm very careful with my location data.

    And in all honesty, turning off GPS is something almost everybody can do - it won't actually break very much. I doubt most people will notice the difference.

    "There's just one little problem with them: They're a pain in the rump to use and the people you e-mail must always use them."

    This really just boils down to a UI problem - I've used systems that do all of the encryption stuff automatically. It's just that to make it seamless likely requires a lot of setup work, and most places don't bother to set it up.
    • Turning GPS on and off

      If you leave it turned off, you will have to turn it on momentarily when you NEED to tell an application where you are. One example is searching for the nearest Starbucks or bank when you do not know the zip code where you are and you do NOT want one near HOME, you want one near your CURRENT location. Another example is trying to get the weather app to keep up with you on a road trip. But I will admit, turning it off saves the battery (also, on the road, turning off wi-fi searching and living with the slow speed of 3G/4G, which saves the battery and prevents your connecting to a hacker's "free" wi-fi by accident).
      • Wifi v 3G/4G

        I'm pretty sure that Wifi uses less energy than 3G/4G. As for connecting to a "hacker's" wifi, that can't happen if you don't set your phone up to connect automatically to random routers. My phones only connect to routers I've defined as OK. The others show up, but I have to tell it to connect.

        Thus, it'll connect at work at my house and certain other places, but it won't connect to some random signal in the airport.
  • Best alternative

    Ubuntu with AppArmor = perfect security.
    Jab. Poke. Troll.
  • https

    You mention using https but your web site does not support this functionality.
  • forgot one, FUDmonger

    Wear a tinfoil helmet!

    NSA doesn't have the resources to truly invade privacy. It's more that if you become a suspected criminal that they have the data already collected as opposed to collect it later.
    • Well said

      If the NSA is busy reading the emails I sent to my sis asking what my nephew would like for his birthday, or to my Mum asking what time the barbecue was last week, they should all be sacked!
      Wear a tin foil hat, cut your phone line, burn your mobile and smash all electronic devices.
      Live in a cave, and don't talk to anyone (even animals, NSA in disguise).
      Don't ever go out and look up in case the satellites get you.
      Don't be a criminal, terrorist, or send stupid joke emails to someone with details of how to make nerve agents, and you might just slip under the radar.
      • oh no

        they might be on to me now..................
        Must go rip out the phone now.............
      • You have no idea

        I work for no government agency and I have no clearance, but if you're on my cell network, I can track where you are, if I was so inclined. Now imagine what I could do if I had access to everything you do in your life via the phone, email, FB and so on. If you don't think that I could use that information to hurt you then you're either a saint or you lack imagination.

        Will that happen? Probably not, but 10 or 15 years from now, computers will be faster and data mining will be far better than it is now.
    • They don't have the resources....

      But they have all the stupidity. So if one of the algorithms goes after you, so would they. Do you trust the computer systems they build 100%?
      Otherwise they are doing a very good job. Backing up data for the taxpayers - this is commendable. Actually my new signature under my e-mails is:
      "Notice to NSA: Thank you for backing up my data! With love: from a grateful taxpayer."
    • NSA doesn't have the resources to truly invade privacy? Wrong.

      NSA has better capacity to invade privacy than even they realize; much less the rest of us.

      And as usual, you underestimate the capacity of people to abuse what they have operational control over.
  • If there is no way to filter all the spam in my inbox

    How can the NSA wade through the billions of spam messages sent every day?
  • Steven the Security Expert

    My, My. Steven is now a security expert with the knowledge and ability to beat the NSA. Nice to know that ZDNET has such highly qualified personnel working for peanuts.

    Then again, if his security knowledge is as broad as his knowledge of Microsoft and as accurate, just ignore the article.