Before we begin, we’ll note that technically the NSA isn’t allowed to look at the stuff you do online. Thanks to the Patriot Act, it can (and does) store the metadata on phone calls Americans make every day—who was called, how long the call lasted, maybe some location data. The NSA also pulls in online content, but can’t do so legally on targets in the United States. This is part of the PRISM program you may have heard about, in which the NSA can access data from an array of companies in near-real-time. In practice, the NSA’s procedures are sufficiently lax that it does collect information (content) from Americans, of course. And until 2011, it collected metadata on emails, including subject lines and to- and from-addresses.
That is the worst case scenario. Yes, the NSA is definitely slurping up scads of information about your phone calls. It probably isn’t storing your Facebook chats, emails, and Skype calls. Our goal with this guide is to detail exactly what you need to do to assure that it can’t, even if it wants to. As you will see, it is a cumbersome process.
For assistance in fleshing out this guide, we spoke with Micah Lee, staff technologist with the Electronic Frontier Foundation.
The world learned about PRISM thanks to a series of slides leaked by Edward Snowden. Among those slides was one where you can see not only the companies that participate in the program but also the data they offer the NSA, if the agency asks. Microsoft, Google, Yahoo (complete with trademark exclamation point), Facebook, YouTube, Skype, AOL, Apple. All of the logos smushed into the header of the slide. And all of the companies to be avoided if you don’t want any chance that the NSA can surveil what you’re doing.
Again: We are not saying that you should not use Facebook. What we are saying is that if you are desperate to prevent the NSA from knowing what you’re doing, you shouldn’t use Facebook. And there’s nothing you can do to make using Facebook better—no encryption, no anything can make Facebook safe from the NSA. (We’ll discuss this more a little later on.)
But it gets worse. These are the companies known to be participating in PRISM as of last October (when Apple was added). Since then, others may have been added; others may be added in the future. The truly paranoid, then, will have second thoughts about nearly any major Internet company.
And then it gets worse still, as Lee pointed out. “Any company that’s inside of U.S. jurisdiction,” he said, “can get government requests for data. Even if they’re not listed in the PRISM slides, that doesn’t mean the government isn’t getting data from them.” If the NSA wants your data, in other words, it can probably get it. It just might not be in real-time.
(There is some hope: Montana recently passed a bill that requires the government to obtain a probable cause warrant before spying on you through your cell phone or laptop. As Alexander Abad-Santos writes, “if you don’t want the government to spy on you, move to Montana.” Montana might be the safest state from cyber-spying in the nation, as it is the first to pass a comprehensive anti-spying bill, doing so even before the Edward Snowden saga broke out.)
Before we continue, we should flesh out an important distinction. When you think of an email, what you generally think of is the content of the email, the message. In order for that message to get to you, though, the email also needs to contain metadata, a term loosely-and-not-entirely-accurately used to refer to information about the email message itself. For example: who it is addressed to, who it came from, what its subject is. (We have gone deeper into this before.)
That distinction is important because email operates like a letter sent through the post office. A letter, sealed in an envelope, can be hidden from the mailman. But the mailman needs to be able to read the address, or your letter won’t get there. In this case, the metadata is what appears on the envelope; the content is the letter.
So there is a good way to hide the content of your email messages. A tool called PGP (short for “Pretty Good Privacy”), created by a man named Philip Zimmermann, offers a way to encrypt (encode) email messages between two parties using what’s known as peer-to-peer encryption. That’s an important property. It means that person A encoded the message and only person B is able to decode it. So as the envelope moves around the web, you can be sure it stays sealed until it gets where it’s going. (How PGP actually works isn’t important for our purposes. In short: It involves doing a math problem involving two very, very large numbers.)
How do you get PGP? PGP as a brand is now owned by Symantec, so you can give them your money and they will set you up. But there are also open source implementations of the technology. (If you’re deeply knowledgeable about technology, you can establish your own PGP system—but if you can do this, we doubt you need a tutorial.) One such product is known as GPG (GNU Privacy Guard), which comes in both Mac and Windows versions. This is not simple to implement, mind you, but the documentation is pretty thorough.
That’s the tradeoff on this stuff. You can use a packaged product like, say, HushMail, a program that gives you a free email account that can send encrypted messages. But when you sign up, you’ll see a little notice that the company will work with law enforcement if you’re using your account for illegal activity. And in the past, the company has done exactly that when ordered to do so. Easy to use, but not a guaranteed protection against the NSA—as the site’s security page makes clear.
So you’ve got your PGP up and running and you’re all set, right? Nope. Lee explains why. “PGP protects the content of your email,” he says. “Specifically: Just the body, not the subject line. Even without the content of the email, it still doesn’t protect the metadata.” As recently as two years ago, the government was scooping up all of that metadata, reading all of those envelopes. PGP can’t help with that. So how do you protect yourself from having your metadata read?
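To make the envelope-versus-letter point concrete, here is an added example (not part of the original article) that parses a PGP-encrypted email and reports what is still readable in transit. The addresses, the ciphertext placeholder, and the function names are constructed for illustration.

```python
# Added example: what a PGP-encrypted email still exposes in transit.
from email import message_from_string
from email.policy import default

# Constructed sample message; addresses and ciphertext are placeholders.
RAW = """\
Received: from mail.example.org by mx.example.net; Mon, 1 Jul 2013 10:00:02 -0400
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Meeting on Thursday
Date: Mon, 1 Jul 2013 10:00:00 -0400
Message-ID: <constructed-1@example.org>
Content-Type: text/plain; charset="utf-8"

-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkUGxhY2Vob2xkZXI=
=AbCd
-----END PGP MESSAGE-----
"""

# Header fields that mail servers and on-path observers can read as-is.
ENVELOPE_FIELDS = ("From", "To", "Cc", "Subject", "Date", "Message-ID", "Received")

def body_is_pgp_encrypted(msg):
    """True for PGP/MIME (multipart/encrypted) or an inline ASCII-armored body."""
    if msg.get_content_type() == "multipart/encrypted":
        return True
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return text.lstrip().startswith("-----BEGIN PGP MESSAGE-----")

def exposure_report(raw):
    """Return whether the body is encrypted and which headers remain in the clear."""
    msg = message_from_string(raw, policy=default)
    exposed = {}
    for name in ENVELOPE_FIELDS:
        values = msg.get_all(name)
        if values:
            exposed[name] = [str(v) for v in values]
    return {"body_encrypted": body_is_pgp_encrypted(msg), "exposed_headers": exposed}

if __name__ == "__main__":
    report = exposure_report(RAW)
    print("body encrypted:", report["body_encrypted"])
    for field, values in report["exposed_headers"].items():
        print(f"{field}: {values}")
```

Even with the body encrypted, the report lists the sender, recipient, subject line, timestamp and relay hop, which is the metadata Lee describes.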