Headlines over the past few months have made official something that many of us suspected for a while: the United States government has access to information that many people — and businesses — believed was private. Specifically, the National Security Agency (NSA) is capable of monitoring email and phone calls (and may be doing so more frequently than suspected.)
I want to address the question that’s been asked frequently since the NSA story broke: What can organizations do to shield themselves from the kind of scrutiny that has caught the world’s attention?
There is a lot we can do to keep our data private and, like many aspects of managing security, it’s a process that is best grounded in common sense. A good starting point is to comprehensively assess your organization’s digital trails. This includes everything that everyone on your network does from the moment his or her computer is turned on to the moment it’s shut down. If you do not yet mandate completely shutting down computers throughout your network when they’re not in use, now is the time to revisit your policy.
Another step is to get out of the habit of confusing the name of a tool with its function. For example, “private browsing.” Simply because a tool says that it enables “private browsing” does not mean that your identity is kept private; much depends on the definition of “private.” To be sure, you need to read the fine print to determine whether the tool you are using keeps your browsing history private, or your identity private, or a combination of both.
Awareness
If you want to find out who is watching you, and from where, the website BuggedPlanet.info is a good resource. Created in a Wiki-style, the site relies on input from its worldwide community of registered contributors to build a deep look at what surveillance methods are current, from what sources and in what geographies. The site describes itself as being about “Signals Intelligence (SIGINT), Communications Intelligence (COMINT), Tactical and Strategic[al] Measures used to intercept Communications and the Vendors and Governmental & Private Operators of this Technology.”
Bugged Planet is a strong starting point in the process of learning more about what’s going on in the world of surveillance, including its “Unconfirmed Rumors” section; there, you can find information provided by those who aren’t able to reveal their identity, such as insiders and whistleblowers. Of course, you should seek to confirm information found in this area before making decisions that rely on it.
Breaking Encryption
Shrouding sensitive information with encryption has long been a popular privacy tactic. A survey conducted in 2011 by the Computer Security Institute found that 66 percent of companies surveyed used encryption technologies. (According to the same report, even more popular is anti-spyware software, used by 85 percent of companies and Virtual Private Networks, used by 79 percent of companies.)
The NSA, though, is equally enthusiastic about data encryption. Playing a minor role in the Snowden revelations was information about the NSA working with security product vendors to ensure that commercial encryption products could be broken in ways that only the NSA knows about.
One solution (suitable even for non-technical people)
One concrete step to consider is Tor, originally developed for the U.S. Naval Research Laboratory to protect government communications. Today it’s an online version of the Underground Railroad – a network of virtual tunnels developed to help groups and individuals increase their security and protect their privacy as they travel through the Internet. According to the project’s home page, Tor is used by an array of people, including members of the military, journalists, law enforcement officers, activists and non-technical people.
Tor protects users by disguising the link between the end source and the end destination. By passing traffic through a series of relays, Tor makes it difficult for passive eavesdroppers to know who is communicating with whom, and thus provides greater identity protection than encryption alone, which only protects the content of the communication.
If your identity and the identity of the organization for which you work is sensitive, logging into a network that’s under surveillance can reveal who you are and where you are physically. In some professions, that creates serious safety concerns. Tor currently provides protection from anyone learning your location or your browsing habits and history; however, ingress and egress into private networks have been employed to track Tor use. To date, no security measure has proven 100 percent invulnerable, but Tor has a pretty good track record.
Given the focus on global security and the need for privacy in many situations, other solutions are being discussed and developed. It will be interesting to see the interplay between keeping individuals private while complying with local and international law.