Friday, August 23, 2013

Security and the Price of Liberty II

I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.
Ladar Levison, Lavabit LLC
under Section 702, the government may not "intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States. ... [I]n those cases where NSA seeks to acquire communications about the target that are not to or from the target [NSA procedures document] ... the NSA believes it not only can (1) intercept the communications of the target, but also (2) intercept communications about a target, even if the target isn't a party to the communication."

In my previous commentary on this issue, I listed some tools and options for self-protection against online snooping.  Since I wrote that column, events have moved rapidly and bizarrely.  The limit of the extent to which the gov't is probing our private lives has been pushed out considerably.  I've done more research on the elements of security available to ordinary users.

In August, two American companies that provided encrypted email services, closed their email services.  One, Lavabit, made clear in its announcement that it was closing to avoid having to turn over its data files to the US gov't.
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
Ladar Levison
Owner and Operator, Lavabit LLC

The other service, Silent Circle, announced that it was taking the action proactively, because its management was convinced that the US gov't intended to go after its data files in the same way it went after Lavabit.

Ladies and gentlemen, this is the country we are creating for ourselves.  A country in which we cannot protect our online communications from the gov't.  Period.
If you mean by 'secure' a system to which the U.S. government cannot get access, it is beginning to look as if that might not be possible.
Fred H Cate, director of Indiana University's Center for Applied Cybersecurity Research

Let's clarify.  We're not referring to a search for terrorists.  We are not referring to a carefully controlled, documented and properly warranted search, directed at specific individuals about whom the gov't has reasonable concerns, based on court-verified information.  We're referring to blanket "vacuuming" of information about every American citizen who conducts business on the internet.  Email, search, social networks, Flickr, the whole Gitchagummi.  According to the Wall Street Journal, "The system has the capacity to reach roughly 75% of all U.S. Internet traffic in the hunt for foreign intelligence, including a wide array of communications by foreigners and Americans. In some cases, it retains the written content of emails sent between citizens within the U.S. and also filters domestic phone calls made with Internet technology, ..."

The same article reports that the Blarney intercept program (one of several current programs lumped up as NSA spying) was named as a joking reference to the Shamrock project, an NSA communications intercept that operated for almost 30 years following WWII.  The Shamrock project, which operated with no outside oversight, and accessed American communications without warrants, routinely shared out gathered information to other US gov't agencies.  Its operations were one of the secret spy operations that led to the Church Committee investigations of secret intelligence operations in the mid-70s.

Now, I can easily say, "Well, I am not doing anything online of significance to national security. It's not me they're after. Why should I care?"

Why I Care

I care because my responsibility as a citizen is to care.  My responsibility as a citizen is to defend liberty.  The gov't has the responsibility to protect the physical existence of the United States and its citizens, "against all enemies, foreign and domestic;" as an organization, the gov't has no vested interest in protecting liberty.  None.  That's not its job.   The aspect of our current situation that I find most amazing, unfathomable -- so many individuals on the Left seem to think that the gov't has a duty or an expectation to protect individual liberties.  No.  The country was created via a Constitution designed to spell out powers, responsibilities and limits for the national gov't.  The express reason for that Constitution was to prevent members of the gov't from going all Saturday night on citizens' liberties.  The Constitution protects us from the gov't -- a gov't that is made up of men and women, ordinary human beings with the same qualities as the rest of us.
There is danger from all men.  The only maxim of a free government ought to be to trust no man living with power to endanger the public liberty.
John Adams

We are the last line of defense for civil liberties and our only weapon in the fight is the Constitution.  Defending civil liberties from occlusion by the gov't is self defense.

Contravening the goals and beliefs of the nation's founders, the modern American has abandoned self-defense.  This isn't even a political divider.  Left, Right or Center,  two different polls have reported that 57% of Americans approve NSA secretly spying on them "to catch terrorists," "to keep us safe."  The modern American does not believe in the absolute right to be safe from gov't intrusion -- at home, on the job, walking down the streets.

Getting Off the Grid

In the interim, as 57% of Americans have consigned the Constitution to the dust bin, members of the minority are not left without options.

Of course, an important option is supporting the ACLU and the EFF in their legal challenges to the gov't actions.  These challenges cost money, real money.  Get over there and pony up.

Additionally, as an individual citizen, you and I can take the responsibility for our own behaviors and put as much of them as possible beyond the reach of the gov't spy agencies.


A first and simple step to protecting your online activities is to use SSL encrypted connections as much as possible.  You take these connections for granted when making a purchase online.  Big web sites like Amazon are papered with logos assuring you of the strong encryption that protects your financial information as you complete the buying process.

HTTPS Everywhere

Nearly all enterprise web sites have SSL implemented by default, although they don't advertise this fact. HTTS Everywhere is a simple browser extension that forces the encrypted connection whenever you browse normally to a non-secure connection (http://).  In most cases, if the SSL port is not open, the site will gracefully degrade back to the non-secure connection, and the browser will mark the protocol (e.g., in Chrome, with a red line slashed through the http).  Just stepping up and using SSL makes your ordinary web behavior inscrutable to everyone between you and your target.  Well, almost.  A caveat:  SSL is probably not a showstopper for the NSA.

The technology outlined in the article would be nontrivial to design and implement.  It remains a possibility.

VPN (Virtual Private Networks)

Everybody in the corporate world probably knows about and uses a VPN.  This is how corporations protect their data being sent over the internet.  You can think of it as a tunnel through which your communications pass from place to place, encrypted and inaccessible to everyone except you and the system at the other end of the tunnel.  A plethora of companies, large and small, offer VPN and proxy services for individuals.  Costs range from free to $100 a year or more.  Critical for the citizen-user, these services have servers located all over the world, putting your internet activities out of reach of the gov't.

Email Encryption

Lately, we have been subjected to a fair amount of needless scarifying about the insecurity of Gmail.  In fact, Gmail is no more insecure than any other online mail service.  The citizen-user need not accept the default.  For Chrome, the plugin Mymail-Crypt for Gmail easily integrates into Gmail when using Chrome.  Plugins are available for desktop clients such as Thunderbird (Enigmail) or Outlook (gpg4o).  If your client doesn't support encryption, perhaps it's time for a change.

Encrypting email using public key encryption has been around for decades.  Almost nobody uses it because it requires users at both ends to sync up with their technologies.  Hushmail is one secure email service that offers the option of encrypting emails with "one time" encryption keys.  This symmetric option requires only that the person on the other end of the mail know the key/password.  Secure Gmail by Streak is a Chrome extension that works the same way.  You have to have a secure means of relaying the password to the party receiving the encrypted message -- e.g., face to face or via a phone call.

Data Storage

A big hole in security for the citizen-user is "cloud" data storage.  Storing data on the servers of any company, anywhere in the world is problematic from the security standpoint.  Recently, Google announced that it had extended its cloud security model to include all data, using the same parameters as it uses for its own data.  And, says a Google spokesperson, "We don't give our encryption keys to anybody."  Again, the citizen-user does not have to rely on the default.  A number of options exist to encrypt your data before you send it to Google Drive, Dropbox or any other online service.


In the era of the "smart" phone, it's important to have solutions that are as portable as possible. My password manager, cloud encryption software and VPN software all work on my PC and on my Galaxy S3 phone.  I move from one to the other without any hiccups.

What's Going to Happen

Taking the time to secure your online communications has the useful side effect of protecting all your financial and personal activity against hackers, as well.  But, more importantly, as a citizen-user, you are taking a stand against cart blanche gov't spying on American citizens.  You may not be able to fire the legislators who created this miasma of corrupt secrecy, but you may prevent them from vacuuming you up.  Increasing the visible usage of off-shore services and encrypted communications sends an important message to gov't agents:  we are not surrender monkeys.

I'm sure that the NSA and every other agency with covert intelligence operations is currently vetting everyone in the buildings, right down to the janitors.  But, the nature of large, bureaucratic organizations is that someone, somewhere, sometime, is going to get a bright idea.  The next theft from the NSA may well be committed by someone with more venal motives. And deadly consequences.

Nor should citizens of any political view be naive in thinking.  These programs do not go away when the next President is inaugurated, nor when the next Congress convenes with some number of new members.  What happens when the next Nixon is elected; or another Ed Meese becomes Attorney General?  When another J. Edgar Hoover takes control of the FBI?  What happens when another Oliver North becomes adviser to the President?  The programs now under scrutiny are only under scrutiny because Edward Snowden did a bunk with the papers.  More than half of Americans polled think Snowden is a traitor.  If we let this program continue as is, embracing the Presidential and Congressional mantra, "trust us, we know what we're doing," we are going straight into a moral and political ditch.  Our Constitution protects our liberties -- not the gov't.  And our liberties are protected only to the extent that we're willing to take up the challenge now being thrown down by the gov't.
We have seen segments of our Government, in their attitudes and action, adopt tactics unworthy of a democracy, and occasionally reminiscent of the tactics of totalitarian regimes. We have seen a consistent pattern in which programs initiated with limited goals, such as preventing criminal violence or identifying foreign spies, were expanded to what witnesses characterized as "vacuum cleaners", sweeping in information about lawful activities of  American citizens.  The tendency of intelligence activities to expand beyond their initial scope is a theme which runs through every aspect of our investigative findings. Intelligence collection programs naturally generate ever-increasing demands for new data. And once intelligence has been collected, there are strong pressures to use it against the target.
Book II: Intelligence Activities and the Rights of Americans, Select Committee to Study Governmental Operations with respect to Intelligence Activities (aka the "Church Committee"), United States Senate, April 1976

Deja vu, anyone?

No comments:

Post a Comment