Thursday afternoon, a bombshell dropped: Two leading reports claimed that the U.S. government has been spying on emails, searches, Skype calls, and other electronic communications used by Americans for the last several years, via a program known as Prism.
According to the reports, the Web’s largest names—AOL, Apple, Facebook, Google, Microsoft, Skype, PalTalk, Yahoo, and YouTube—participated, perhaps unwittingly. (Dropbox will reportedly be added as well.) The report claims that the National Security Agency had “direct access” to servers owned by those companies. Most, if not all, of those companies have denied participating in Prism, although it’s unclear whether they were unaware of the NSA’s spying, or simply turned a blind eye.
If nothing else, however, the Prism disclosure is worrying and deeply shocking. If the report is accurate, the government may simply listen in on virtually any electronic communication you’ve made, in the interests of national security. Is this something that should be encouraged to fight domestic terrorism, or is this sort of government intrusion something that should be deeply distrusted? For the purposes of this story, we’re going to err on the side of the latter; whether you take advantage of our advice is up to you.
Note that there is absolutely no guarantee that our tips will make your PC Prism proof. One of the generally held beliefs in the security world is that, with enough resources on the part of the attacker, any secrets that are known about can eventually be unearthed. But let’s say that you support an “Arab Spring” movement in a country whose interests parallel those of the U.S. government. It’s this sort of political uncertainty that encrypting personal communications is designed to liberate.
So what can you do? Here are some tips.
Avoid using popular Web services
This is an easy one. If you’re concerned about the government watching your moves online, simply avoid making Microsoft Bing and Google your search engines of choice; try DuckDuckGo instead. The site promises not to track or store your searches (although it does store anonymized searches to improve results, executives said) which should provide some degree of confidence that you’re not being tracked online. Both reports from the Post and the Guardian indicate that the Prism program is expanding, although for now DuckDuckGo seems to be safe.
Naturally, this also means ditching a Gmail or Hotmail account, and deleting your accounts from those sites. Instead, it’s time to think about laying low and skipping around services that you might have forgotten about: Mapquest for maps, for example. You may as well stop social networking altogether, unless it happens to be direct, person-to-person communications.
And there’s no sense in surfing using Chrome, Internet Explorer, or Safari, either. Sure, there’s Firefox and Opera, but the PCWorld’s review of the Tor browser shows it to be a slow but anonymous way of browsing the Internet.
Ditch your smartphone
If we assume that Apple, Google and Microsoft are being monitored, then the safest way to avoid being tracked is to ditch your smartphone. A number of services already ask for your location, in the name of providing better search results or services. And BlackBerry, of course, is no better; that company has already acceded to requests to allow foreign governments access to its data, so the paranoiacs should ditch them, too. Feature phones may be no better, but the amount of information that can be captured is much smaller.
Encryption, encryption, encryption
Eventually, however, you’re going to have to start communicating with someone, probably electronically. If you’d like to think those conversations are private, it’s time to start thinking about encryption.
To start out with, you’ll want to encrypt your hard drive and existing files. Alex Castle’s piece discusses using TrueCrypt and other tools to start securing your files. Note that some of the tools he recommends are from the providers that Prism is reportedly monitoring; you’ll have to decide if you want to go elsewhere for encryption protection.
From there, protect your email by encrypting it. To secure your email effectively, you should encrypt three things, Eric Geier notes: the connection from your email provider; your actual email messages; and your stored, cached, or archived email messages. If you want to take it even further, consider using a secure email service. Email will travel over the Internet, where it can be accessed by theoretically just about anyone. Companies like Silent Circle (founded by PGP creator Paul Zimmermann) profess to offer secure voice, email, voice communications via dedicated connections between subscribed devices.
Subscribe to a VPN
In the same vein, consider signing up a virtual private network, which creates an encrypted “tunnel” to another server, which then acts as an agent on your behalf. Eric Geier’s piece on how to set up a VPN explains how to do this. Note that the performance of your PC may suffer somewhat, as the latency to funnel communications back and forth (some solutions use servers based in the EU, for example) may take some time. But security layered upon the encryption applied by other solutions may provide some additional reassurance that your communications are private.
Watch those hotspots
Wandering from coffee shop to library to free cafe may provide another layer of security, as your client IP address will vary by location. Just make sure that when you’re roaming from location to location, someone isn’t trying to sniff your PC—or worse. Preston Gralla’s story on protecting yourself at hotspots also contains advice tailor-made to protecting your privacy while on the go, including nailing down older apps that might allow an intruder inside your PC.
Obviously, block that malware
Let’s face it: the first and most obvious thing you should do to secure your PC is to lock it down from malware. Our tests from January provide you the best antimalware solutions, empirically tested to ensure that no Trojan or other worm sneaks inside your PC and provides its own spying eyes on your online activities. Your PC should be your castle, and antimalware is the first line of defense. Frankly, if you’re concerned about the safety and well-being of your PC, you should have taken care of this long ago.
Tie it up together with a hard password knot
The last thing you’ll want to to do is make sure that all of your encrypted services are tied up neatly with a unique, easy-to-remember-but-impossible-to-crack passphrase. PCWorld has some tips to manage passwords, including what’s coming down the pipe. But the best practice right now seems to be to find a good password manager like LastPass, and create your own unique password. Bruce Schneier’s “Schneier scheme” recommends that you create a passphrase (“Man, those six flights of stairs to my New York apartment were killer.”) and then abstract it, possibly with the first letters. (“M,tsfostmNYawk.”) It’s not perfect, but it’s a lot better than random words and phrases that can be easily guessed.
Will these tips make your PC Prism proof? No, not necessarily. But if you’re concerned about the recent Prism disclosures, they’ll go a long way to help you sleep better at night—outside of smashing your PC to bits, distributing the pieces randomly among a dozen scrap heaps, and moving to the woods, that is.