Ever since news broke that the United States' National Security Agency has been secretly gathering internet data on American residents, millions of people across the world have become increasingly worried about their online privacy. There’s good reason for this: the trove of jewels I’ve just ordered for my secret harem in Ulan Bator aren't a national security threat, and they're none of Kapil Sibal's business either. The thing is, spies don't know if the trove of jewels I’ve just ordered are in fact meant to pay for uranium for dirty bombs—and so, they snoop. Then—and this is the worrying bit—they tell Sibal, blackmails me for 50 percent of the loot.
The NSA was harvesting metadata -- that is, scrubbing internet traffic for information that tells it who is communicating with whom. For example, if I visit a jihadist website, traffic analysis can tell spies who I e-mail, and what those people do online.
For decades now, as I recently wrote in Firstpost, governments across the world have been harvesting a whole lot more than metadata -- the debate in the US is about the NSA targeting its own residents, not what it does to us. Pretty much anything that ends up as digital data is vulnerable, and not just to governments but to greedy corporates and other criminals.
So, what should you actually do? There’s plenty of open-source freeware around -- which though it wouldn’t do for the for the NSA, will give you a reasonably secure online life.
1. Encrypt Your Mail. Banks do this. Whistle-blowers do this. Governments do this. Large companies across the world do this. For some reason, though, most of us can’t be bothered. Few of us would send out intimate correspondence, or even our school grades, through snail-mail without sealing the envelope. Yet, we do the equivalent of this every single day online—trusting that the postman, your nosy aunt and the pimply kid next door won’t read it.
• GNUPG has software which will install on your PC or Mac, using technology very similar to that banks use to secure credit card transactions. It’s a bit fiddly, but nothing Firstpost’s genius readers won’t be able to crack in half an hour, tops. It will generate something called a public key, which you distribute to all people you correspond with (they send you their public keys). The combination of your private key—which only you have—and your friend’s public key lets you generate text only they can read, with the combination of your public key and their private key.
• There’s also Hushmail, which works on exactly the same principle, though it’s web-based and only part of the service is free.
• In case you’re worried that your enemies will know you’re using encryption, and rip out your fingernails to get the passwords, try SpamMimic which turns your text into one of those letters saying a Nigerian druglord has just left you his inheritance. Even if you’re not worried about your fingernails being ripped out, it’s a great way to pass the time.
2. Don’t Advertise Who You Are Online—which, whether you like it or not, you do every single time you log in. Traffic analysis—the issue at stake in the whole PRISM debate—lets computers see who you’re talking to online, even if they don’t know just what you’re talking about. In this way, all sorts of eavesdroppers can gather all kinds of information -- who your family and friends are, for example, or what your reading habits are.
• The gold-standard for anonymising your online life is Tor, which works on Windows, Mac and Linux. Tor basically creates virtual online tunnels, making it hard for eavesdroppers to link you to the servers you’re accessing.
• UltraSurf offers a similar anti-censorship tool, allowing you to bypass firewalls set up by some restrictive governments and service providers. It works, regrettably, only on Windows.
• Finally, there’s YourFreedom, though it only seems to offer a rudimentary free service
3. Assume Everything is Unsafe: No privacy tool is good if law enforcement or criminals have penetrated your computer using a variety of tools; if someone’s planted a bug in your workspace; if a warrant or torture forces you to disclose your passwords; if some genius in a spy agency somewhere has discovered a formula to easily factorise large primes. In general, smart terrorists and smart spies work on the principle that all communication is vulnerable.
There’s lots of online material on the risks you face every time you go online -- and what you can do about them. Simon Singh’s wonderful book, The Code Book, is a great starting point to understanding why these risks are centuries old. Do also watch science journalist Simon Pampena’s great little video on large primes and cryptography to understand the science being protecting yourself.
I personally do not share the surveillance-state fantasies of some privacy advocates. In my view, it’s ahistorical to argue that new surveillance technologies are taking us closer to tyranny. Tyrants have long sustained themselves with nothing more sophisticated than pliers and electric wires; democracies, conversely, have often defended freedom using, gasp, surveillance and subterfuge. There’s a moral hazard, moreover, to not conducting surveillance which passes unnoticed: if someone had been reading David Headley’s e-mail before 26/11 rather than after, people would be alive today who aren’t.
Having said that, privacy is a huge issue in countries where political dissidents are subjected to imprisonment and torture; in countries where states block access to legitimate information; on, and yep, in countries unfortunate enough to have Kapil Sibal as internet czar.
The technology does necessitate a very serious debate on oversight of intelligence services—which isn’t happening, at least in India. This leaves the door open to all sorts of unsavoury political misuse of the intelligence services, which happens every single day.
My public key, apropos of nothing, since I’m greying and respectable and don’t actually have a secret harem in Ulan Bator, is:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
-----END PGP PUBLIC KEY BLOCK-----