Monday, July 8, 2013

More Info on Prism

I absolutely love F-Secure. They have been my go-to antivirus and security software providers for several years now.
From time to time the company also sends out an e-mail with interesting info on viruses and other sorts of security issues that are in the headlines.
Over the weekend, I received their latest e-mail, where they discuss the impact of the NSA Prism project.
If you would like to visit the F-Secure website for more information or to purchase their software you can do so by clicking here.
Here is what they have to say about Prism. I think you'll find it a very interesting read. I'm very grateful to them for providing this info. You should be too!

You have all heard about PRISM, maybe the most significant spying machine in the world’s history. And certainly one of the most significant disclosures about the United States’ intelligence operations. But how does this affect us ordinary netizens?

Let’s look at PRISM from a couple of different angles. The PRISM system is a gigantic intelligence network that gives NSA access to data in Google (Gmail, YouTube etc.), Facebook, Microsoft (Skydrive, Live, Skype etc.), Yahoo!, PalTalk, AOL and Apple. These companies are naturally denying it all, but it means nothing as that is what they would say anyway. The PRISM disclosure is backed up by leaked documents, and whistleblower Edward Snowden’s brave decision to come out under his own name makes it even more credible.

The disclosure of PRISM is hardly surprising for people familiar with IT security and privacy issues. It is not the only known intelligence program; data about Internet traffic is gathered in many other ways too. But it is still significant in many ways. It should first of all act as an eye-opener for ordinary people and politicians. It is no longer possible to dismiss people who talk about spying governments as paranoid tin foil hats.

The US is not the worst country on earth when it comes to freedom on the net. But it is, however, a country that has made a strong promise about democracy, freedom of speech and integrity. It also aggressively fights many other countries that don’t live up to western ideals. The disclosure of a spying network that would make Stasi green with envy is of course much bigger news in a country like this.

And last but not least: the US has a central role in the Internet of today. This makes PRISM a global issue and not just a local privacy threat in the US. Many popular services, like Facebook, are US-based and your only options are to participate and live with PRISM, or quit. The authorities claim that they aren’t targeting US citizens, just communications involving foreigners. But that is about 95% of the world’s population. And can we believe them about not spying on the remaining 5%? So PRISM is really an issue for all of us, US citizen or not.

OK, but should I be worried? I’m no terrorist and not even criminal. I have nothing to hide. Will this really affect me?

Yes and no.

The immediate impact on your life is probably zero. These intelligence systems sift through and store huge amounts of data and it is impossible to read every single message. They use automatic filters that trigger on certain secret keywords, and flag these messages for closer examination. A message to or from you may trigger a filter once in a while, but its harmless nature will be apparent in the manual examination. There are of course a lot of private secrets that shouldn’t leak to others, but they are of no interest to authorities. The risk that such secrets leak through PRISM is close to zero. Most ordinary people fly under the radar of these systems and will not really notice them at all. What’s more scary is the stored data. We have no clue about how it will be used in the future and who will have access to it. To cite Snowden: “Even if you are not doing anything wrong, you are being watched and recorded. … You don’t have to have done anything wrong. You just have to eventually fall under suspicion from somebody. Even by a wrong call. And then they can use this system to go back in time and scrutinize every decision you ever made. Every friend you ever discussed something with and attack you on that basis to sort of derive suspicion from an innocent life and paint anyone in the context of a wrongdoer.”

So you should be very worried on a principle level. Have you ever thrown away something, just to later realize how much you would have needed it? This is what’s happening to privacy today. Many claim that they have nothing to hide and that the loss of privacy is a fair price for security. There are however two fundamental problems with that reasoning. Very few have any idea about what price we really pay, i.e. what impact the loss of privacy may have on our future lives. And nobody knows what security we get in return, if we get any at all.

The price. Today we live in a world where Internet still isn’t fully integrated in our lives. The development is fast but the net is still often seen as an alternative to handling your business in the traditional way. Any privacy issue will naturally be magnified by the day Internet is our mainstream way to communicate with other people and businesses. The intelligence systems of today are also fully capable of collecting data for any purpose, even if the official reason for building them is the fight against crime and terrorism. Today we are building more and more capable systems that tap into something that is becoming the backbone in our society. And all this with a blatant lack of openness and very rudimentary control of the purpose and use of these systems. I call this a recipe for disaster. Future misuse is inevitable, unless we change direction.

Can there for example be fair democratic elections in a country where one of the parties controls the intelligence agencies, which in turn can intercept all electronic communications, including those of their political enemies?

And the upside, the benefit? Security? Sure, it sounds nice and easy to tap into the mail traffic between terrorists, wait until you have enough evidence and then bust in to arrest them all before they strike. But it’s not that easy. You can defeat these systems by using encryption, like PGP. This will still leave metadata about the communication and does not protect your identity. But you can use anonymity networks like TOR to access a webmail account. The groups that pose a real threat are no doubt competent enough to do this, so PRISM won’t catch them. Anders Behring Breivik killed 77 in Norway in July 2011. He acted alone and didn’t need to plan the attack with anybody else. Here again, nothing to catch for PRISM. So what are we left with? A couple of lunatics who work together but aren’t skilled enough to protect their communications. The authorities will catch some of these every now and then, and proudly present the catch to prove how necessary their intelligence system is. We will never know if these lunatics really were capable of performing the strikes they were detained for. So it all boils down to something that won’t catch the real threats, but still is a privacy problem for ordinary people who aren’t motivated to use all the countermeasures.

But is there anything we can do? Some claim that we have lost the battle and privacy is dead. I disagree. Privacy is fatally wounded but not dead. It needs CPR to survive, but there is a chance if enough people realize that we shouldn’t throw privacy away.

Here are three concrete pieces of advice about how you can deal with government intelligence and the privacy threat it poses.

  1. The fight for our future privacy is not about technology, it’s about politics. Prerequisites for privacy are a strong protection in the legislation as well as openness and clear rules for the inevitable cases where privacy must be breached to fight crime. Vote for candidates who share the concern about privacy and are motivated to join the fight. Get familiar with EFF.
  2. Should I avoid services that participate in PRISM? You can if you like, but it may not make much difference. And some PRISM-systems are hard to avoid. But as mentioned above, we don’t know how the PRISM-data will be (mis)used in the future. If you want to minimize your exposure to intelligence, prefer cloud services located in your own country. They are not perfectly safe either, but you do at least know what legislation applies to them. Things always get complicated when you communicate over borders. The legislation and secret practices in other countries may differ significantly from your own country, and a cloud service provider must naturally obey the authorities in the country where their server farm is located.
  3. You can safely assume that if a government wants your unprotected data, they will get it. No matter where you live and whom you communicate with. And no matter if it’s your own government or some other. There are numerous known intelligence programs that target both stored data and data in transit, and even more that have remained secret. You really need to use strong cryptography and other means of protection if you have secrets that are of interest to authorities. You need to pay attention to a lot of different factors so go through your case with a trustworthy expert. Remember that intelligence systems can be used for industrial espionage as well, so relevant business secrets should be protected too. Criminals and terrorists are not the only ones who have a reason to hide.

