Six ways to protect yourself from the NSA and other eavesdroppers

Yes, you have many options for protecting your privacy on the Internet. But are these measures worth the time and sacrifice required? That's up to you.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Worried sick about the NSA, or someone else, looking over your shoulder? Well, you can do things that will make it harder for someone to eavesdrop on you.


That's the good news. The bad news is that all these things require a fair amount of effort, some will cripple your use of the modern Internet, and none of them will stop a sufficiently determined electronic Peeping Tom.

1) Abandon the cloud

IT professionals who've resisted moving to a public cloud have never liked the idea of putting their programs and data into someone else's hands. Now, as David S. Linthicum, senior vice-president of Cloud Technology Partners, recently wrote, "Personally, I don't see much of a connection between the NSA and cloud computing, but those on the fence regarding cloud computing will cite this as another reason to kick the can further down the road. Thanks for nothing, NSA."

True, the NSA probably isn't sitting in Amazon, Google, or Microsoft's data-centers, but the NSA could be sitting at tier one ISPs watching your data go by on its way to the cloud.

Regardless of what the NSA might or might not be doing, we already know the government can, and will, grab cloud servers. Just ask Kim Dotcom about the seizure of Megaupload cloud storage servers. Whether Dotcom was guilty of anything is still open to doubt, but all of Megaupload's former customers' data is still sitting in seized servers.

Want to be sure your data is secure? Keep it on your own servers, datacenters, or private cloud and keep your traffic on the corporate intranet. A system administrator may still be able to walk out with your corporate secrets on a USB stick, but at least it won't be an outsider stealing your data.

In addition, when you're thinking about the cloud, consider all those software as a service (SaaS) apps that you use everyday such as Office 365 and Gmail. Keep in mind that every time you use one of those convenient, free or inexpensive apps your work is potentially visible to the eyes of others.

2) Stop texting and using most instant messaging services

When you text or instant message (IM) someone, you might think your message goes directly to the person you're writing to. It doesn't.

Instead, typically, your first message goes to a server, where a copy is kept, and then is sent out to your buddy. Those stored texts can be used against you. Just ask former Detroit mayor Kwame Kilpatrick, whose texting lead to his pleading guilty to felony charges back in 2008.

You can't do a lot to make texting safer, but you can make IM safer. First, you must avoid using any public IM service such as AIM, Microsoft Messenger/Skype, or Google Talk. Instead run your own IM service with your own Extensible Messaging and Presence Protocol (XMPP) server, such as Cisco United Presence.

Keep in mind, though, that the second you send a message from your IM network to an external XMPP compatible IM network, such as Google Hangouts, your messages will end up being kept in a third-party server anyway.

3) Encrypt your e-mail

There have been technologies such as PGP (Pretty Good Privacy) and Secure/Multipurpose Internet Mail Extensions (S/MIME) that you can use to encrypt your e-mail messages for ages. There's just one little problem with them: They're a pain in the rump to use and the people you e-mail must always use them.

As Peter Bright and Dan Goodin wrote recently, "The long and the short of it is that e-mail isn't a very good system for secure communications. You're wholly dependent on other people doing the right thing and sending you properly encrypted mail." Be that as it may, all of us still use e-mail for important communications every day of the year. 

4) Hide your Web browsing

Secure-socket layer (SSL) can be broken, but using SSL whenever possible is still a good idea. One way to do this is with the Electronic Frontier Foundation's HTTPS Everywhere Web browser extension. Unfortunately, HTTPS Everywhere is only available for Firefox and Chrome.

That's fine as far as it goes, but it's still easy to see which sites you visit and when. If you want to really disguise your tracks on the Web, you need to use Tor. Tor takes your Internet communications and bounces it around a distributed network of relays so a watcher can't see what sites you're visiting. It also keeps Web site owners from figuring out where you're browsing from.

There are lots of way to put Tor to work, but the easiest is to use Tor Browser Bundle (TBB). There are TBB versions for Linux, Mac OS X, and Windows.

Practically speaking, Tor connections can be very, very slow. Your connection -- because it depends on the kindness of strangers for bandwidth and multiple relays -- will only be as fast as the slowest link.

5) Turn off all services you don't need

If you're a system or network administrator, you already know you should never run or open your firewall to any service you don't need. But, have you looked at your tablet or smartphone lately?

In your pocket at this very moment, your phone may very well be syncing your contacts, calendar, browser history, and messages with others -- and let's not even talk about GPS.

Actually, let's do talk about GPS. Want to scare yourself silly? If you use Google location services for finding your way around or locating the nearest pub, check out your location history. Why, yes, you were in that bar two weeks ago weren't you!

Now, you can stop Google from recording your location; but with any location service from any vendor you're constantly sending out a "Here I am" message. So, if you want to really maintain your privacy, you're going to want to stop using all those apps that want your location. That's easier said than done. Lots of apps want your location.

There are groups, like the Android alternative firmware maker CyanogenMod, that are working on features such as "Run in Incognito Mode", that will make it easier to lock down your smartphone privacy, but it's never going to be easy to be private with the current generation of tablets and smartphones.

6) Quit social networks: All of them

Facebook may be the worst of the social networks at hanging on to your data, but if you're sharing your personal information on a social network--any of them--then you're potentially sharing it with the world.

Think about it. If you're blabbing to the world, or just your closest buddies, on Google+, Twitter, whatever, you're putting out lots of information about yourself that can be picked up by snoopers.

Real Privacy

Let's say you do make yourself an Internet hermit; is that enough? No. No, it's not. You may be able to conceal the contents of your messages, but thanks to the trio of big data, metadata, and traffic analysis, an expert with access to your Internet traffic can still work out what you're up to.

In short, sure, if you're Anonymous, you can hide on the Internet. For the rest of us, though, especially if you want to get all the goodness that comes from SaaS, cloud storage, IM, GPS, social networks, etc., you're going to have to learn to live with the knowledge that if someone with expertise and access really wants to know what you're doing on the Internet, they can find out.

If we really want to protect our privacy on the net what  we need is more than better technology, we need fundamental changes in our laws and how we enforce the privacy laws we do have. Then, and only then, will we have a fighting chance of keeping our privacy on the Internet. 

Related Stories:

Editorial standards