Another Thursday, another huge NSA story based on Snowden documents.
Truthfully I'm still processing this one. The big takeaways for me, so far:
Most of the companies you trust to keep your information are compromised - either because they've made a deal with the NSA, or because the NSA has covert operatives who work for them.
A quarterly update from 2012 notes the project's team "continue to work on understanding" the big four communication providers, named in the document as Hotmail, Google, Yahoo and Facebook, adding "work has predominantly been focused this quarter on Google due to new access opportunities being developed". To help secure an insider advantage, GCHQ also established a Humint Operations Team (HOT). Humint, short for "human intelligence", refers to information gleaned directly from sources or undercover agents. This GCHQ team was, according to an internal document, "responsible for identifying, recruiting and running covert agents in the global telecommunications industry."
The amount of work you'd need to do to protect your data from the NSA is too geeky for most people to understand.
Security expert Bruce Schneier has a piece in the Guardian about how you can still protect yourself. The subtext of it is, unless you are very, very brainy, you probably can't.
Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about. There's an undocumented encryption feature in my Password Safe program from the command line; I've been using that as well.
I am a relatively nerdy person and have heard of none of those programs. Also, Schneier recommends that in highly delicate cases, you buy a second computer that you never connect to the internet.
If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.
Obviously, Schneier's security concerns are higher than mine or, probably, yours. He's working with the Snowden documents. The NSA would have a specific interest in peeking into his work. But still. There's something deeply disheartening about how impossible true privacy seems today.
People who are blasé or unsurprised by this are wrong.
This summer's been punctuated by stories like this one, which wildly expand our notion of how far-reaching the NSA's surveillance apparatus is. To me, the most boring kind of cynicism looks like this:
I'm confused. Was there anyone in America who thought the govt couldn't read their email if it wanted to? — David Atkins (@DavidOAtkins) September 5, 2013
@bobcesca_go Fact is, anyone who didn't assume that GCHQ and NSA already had methods for defeating common encryption was very naïve. — Charles Johnson (@Green_Footballs) September 5, 2013
All these stories have the same message - that the NSA is spying on most of our internet - but there are significant differences between what we know today and what we knew yesterday. Knowing that the NSA has broken much of the encryption that the world relies on, purposefully introduced weaknesses that anyone could exploit in communication software, and snuck covert agents into communications companies? That's a big deal. There's something pretty boring and narrow-minded about refusing to see the differences of degree in these stories as meaningful. </soapbox>