Lessons Learned From Don’t Spy On Us: Your Guide To Internet Privacy

With 500 attendees and some big names from the data privacy and human rights fields, the Don’t Spy on Us Day of Action was a fascinating afternoon of discussion, debate, and practical advice on how to keep our personal data private from snooping governments. I learned a lot, and I’ve condensed the most important parts of what I’ve learned into five main points.

I’ve also included five things you can do right now to make a difference, both for yourself and for other internet users.

1. Online Privacy Isn’t Just About Protecting Our Data

While keeping our personal data private online is important, the Don’t Spy On Us campaign and others like it emphasize the bigger picture. The speakers didn’t include just security experts; there were a number of human rights advocates and important figures from the press, and discussion ranged from governmental privilege and judicial oversight to the nature of democracy, international cooperation, self-determination, and social relations.

Bruce Schneier (@schneierblog), a security and cryptography expert that we’ve interviewed before, discussed our right to have control over our public face and the people who see it (for example, you can act differently around your family and your friends). But being constantly surveilled violates that right, because you no longer have any control over which information is being shared or who has access to it.

As Carly Nyst (@carlynyst) pointed out, privacy is the ability to choose who has your information and what they do with it. Mass surveillance is dependent on neither of these things being possible.

There was also a great deal of discussion about governmental transparency in surveillance programs, and a number of experts emphasized the need for judicial oversight of the digital intelligence community. At the moment, most of the oversight is political, and oversight committees often include former intelligence officials.

Of course, the government isn’t the only group that’s to blame; Cory Doctorow (@doctorow) pointed out that companies are doing a lot of spying on behalf of the government by turning over vast amounts of data (the recent Vodafone law enforcement disclosure report provides evidence for this).

Jimmy Wales (@jimmy_wales) discussed how he and his friends had e-mail discussions when they were teens to explore their politics and views, which sometimes ranged into the radical. Could they have been identified as extremists and targeted for further surveillance? What else might a paranoid government do if they felt that discussions like these were a threat? If people are afraid of punishment for sharing their opinions because of government monitoring, the argument goes, the right of free speech has been violated.

“Privacy is the ability to choose who has your information and what they do with it.”
—Carly Nyst

As you can see, there’s a huge variety of issues that all tie into online privacy—and this is just a small sample.

2. Privacy Is An International Issue

While this event focused on information privacy and security in the UK (and, to a lesser degree, in the US), it quickly became clear that it needs to be addressed on an international level. Caspar Bowden (@CasparBowden), a privacy expert and former chief privacy advisor at Microsoft, repeatedly pointed out that the American government uses different standards when surveilling American citizens and foreigners or immigrants, and made the claim that this was a violation of the European Human Right Convention.

And with the NSA’s cooperation with GCHQ, it’s clear that countries are willing to share information and, effectively, gather masses of data on behalf of other countries, further convoluting the oversight issue. Carly Nyst pointed out that agreements between governments on intelligence-gathering tactics are often completely shrouded in secrecy, making any sort of oversight difficult, if not impossible.

It’s easy to focus on what’s happening wherever you are, but it’s important to take an international perspective and make your voice heard in many places around the world.

3. Economics Is Our Best Bet For Making A Difference

One of the most common themes of the day was what we can do to take a stand against mass surveillance, and there were generally two points made: first, that the most important action that we can take as concerned citizens is political. Second, in the words of Bruce Schneier, “the NSA is subject to the laws of economics.”

Earlier in the day, Cory Doctorow stated that it costs less than a penny to add someone to the NSA’s or GCHQ’s monitoring lists—at the moment, it’s more economically feasible for these agencies to collect data on everyone because it’s so easy. And while political statements are extremely important, we can also fight back on the economic front by making it more difficult, and thus more expensive, to put millions of people on watch.

Even if it costs a few pennies to add someone to a surveillance list, that’s going to make a huge difference in the long run. And when it becomes expensive enough, it will become more economically efficient for governments to only surveil people who are under suspicion of committing a crime.

“The NSA is subject to the laws of economics.”
—Bruce Schneier

So how do we make it more expensive? In short, encryption (keep reading to find out which encryption tools were recommended at the hands-on session of the afternoon). By encrypting our traffic and communication online, we make it much more difficult for intelligence agencies to monitor what we’re doing. Of course, no encryption protocol is perfect; eventually, encryption can be broken. But going through that effort costs a lot more than simply adding an IP address to a list. And when it becomes more economically efficient to monitor only people who are under suspicion of nefarious activities, mass surveillance will stop.

4. DRM And Copyright Laws Are Big Issues

One of Doctorow’s primary areas of advocacy centers around digital rights management (DRM) and copyright law. DRM allows companies to manage how users access their software; for example, the DRM on a Kindle book prevents you from opening it on someone else’s Kindle. The DRM on Netflix prevents you from streaming video unless you have the proper access codes on your computer. And Firefox now packs DRM from Adobe, meaning Adobe has gained some measure of control over how you use your browser.

So why is DRM such a big deal? Because it makes security research and testing much more difficult, and often illegal. Even when security flaws are found, people can be nervous about reporting them, meaning that known security risks could go unreported. In addition to this, DRM functions by giving some control of your computer over to the rights holder; and if someone can impersonate the rights holder, they now have some of that control.

“It should no longer be acceptable for our devices to betray us.”
—Dr. Richard Tynan (@richietynan)

Fighting against DRM is a great way to show that this betrayal isn’t acceptable, and to show that consumers are willing to take action to take back control of their devices.

As I was preparing this article, Chris Hoffman’s great piece Is DRM a Threat to Computer Security? was published. Go check it out for a great explanation of DRM and the trouble it causes.

5. “Nothing To Hide, Nothing To Fear” Is Still A Common Argument

“If you have nothing to hide, you have nothing to fear” is a very common line when discussing privacy issues, both from the people who support the programs and those who don’t fully understand them. It might sound like a reasonable argument. But upon reflection, it’s just not true.

Adam D. Moore sums it up nicely in three points in Privacy Rights: Moral and Legal Foundations: first, if we have a right to privacy, then “nothing to hide, nothing to fear” is irrelevant. When we lose control of who has access to our information and what they do with it, our rights are being violated, and that’s never a good thing.

Second, even if people aren’t engaging in illegal activities, they may be taking part in activities or hold beliefs that aren’t accepted by the dominant culture in which they live—whether they hold a different religion than the majority one, hold radical political beliefs, or practice any sort of alternative lifestyle—and want to hide them. If someone’s interest in Marxism, polygamy, or Islam was leaked to the public, they could face character defamation. This is especially of concern when there’s no telling who will come into power next—reading about Sikhism at the library isn’t a crime today, but what if it is tomorrow? And you’re on record as having done it?

And, finally, if having nothing to hide means having nothing to fear, then why are politicians and intelligence agencies so averse to total transparency for their agencies? Bruce Schneier framed this argument as a power imbalance: privacy increases power, while transparency reduces it. By violating citizens’ right to privacy and refusing to be transparent, government agencies are increasing the power imbalance between citizens and their government.

As discussed above, privacy is a much more complicated issue than just keeping one’s activities a secret: it relates to human rights on a broad scale. And the “nothing to hide, nothing to fear” argument is inadequate for addressing the complex issues that are at stake in the mass surveillance battle.

What Can You Do?

In addition to a large amount of political discussion, attendees of the Don’t Spy On Us event received some really useful pieces of advice, both on how to protect themselves from snooping and on how to make a difference in the fight against uninhibited mass surveillance.

1. Show your support.

This is absolutely crucial. Sign up with the organizations listed below, get your name on petitions, and speak out. Follow privacy advocates on Twitter (I’ve tried to link to as many as possible throughout this article), post their articles on Facebook, and tell your friends and family about the important issues at stake. Concerted action by the internet denizens stopped SOPA and PIPA (remember the Wikipedia blackout?).

We can stop PRISM and TEMPORA, too. There are a lot of people out there working to defend our right to privacy, but they need as much help as they can get.

“This will only stop politically. This is a political issue.”
—Bruce Schneier

There are a lot of others out there—leave your suggestions in the comments! And don’t forget to take every chance you can to show your congressional or parliamentary representatives that you care about your privacy and that mass violations and infringements on our rights, both from governments and private companies, are unacceptable.

2. Use encryption tools.

There’s a wealth of knowledge on MakeUseOf about how to use encryption to improve your security. If you’re looking to get started with encryption, I recommend checking out How the Tor Project Can Help You Protect Your Online Privacy; Encrypt Your Gmail, Hotmail, and Other Webmail: Here’s How; and 5 Ways to Securely Encrypt Your Files in the Cloud. And if you’re still not convinced that you need to use encryption, don’t miss Not Just for Paranoids: 4 Reasons to Encrypt Your Digital Life.

And there are tons more. Just run a search from the menu bar and you’ll find what you’re looking for. You can also check out the great handout from the Day of Action, courtesy of The Occupied Times.

3. Throw a cryptoparty.

As I mentioned earlier, the more people that are using encryption, the more secure we’re going to be. Once we reach a critical mass, surveillance will need to become more targeted to be cost-effective. And one of the best ways to share the importance of encryption, as well as make it easy for people to start using the proper tools, is to throw a cryptoparty.

There’s an official group that runs big parties around the world, but you don’t need to go that big. Just throw your own cryptoparty! Have your friends over, tell them to bring their devices, and help them install encryption tools. That’s all there is to it! To make it more fun, don’t make crypto the focus of the party, but just do it in the background (or during half-time of a World Cup game, maybe). Install things like HTTPS Everywhere, OTR-compatible IM tools, PGP e-mail tools, and secure messaging apps.

If people are interested in heavier-duty things, like encrypting their hard drives or cloud storage, help them out with that, too. But don’t pressure anyone into anything—the point of a cryptoparty is to have fun and improve privacy and security. In that order.

4. Stay up to date.

Read news about privacy regularly—following the people I’ve linked to on Twitter will help a lot, but make sure to subscribe to blogs like Cory Doctorow’s Craphound blog, The Privacy Blog, and Privacy International’s blog, too. Again, please share your favorites in the comments!

It’s also a good idea to stay up to date on general tech news, because that’s often the best place to find out about any new vulnerabilities (such as when our own Tech News Digest reported on the mysterious disappearance of TrueCrypt).

5. Support open-source tools.

While there are certainly closed-source tools that will help you protect your privacy, point #4 above makes it easy to see why open-source software is likely to be more secure. If a program is DRM- and copyright-protected, there are parts of it that are invisible to you, which means no one can be looking for bugs or even intentional security holes. When you can, use open-source alternatives to popular software. It shows companies that transparency is valued by consumers.

And don’t just use the software: contribute to open-source projects, too!

Fight Back, Encrypt, Share

Online privacy and mass surveillance are very complicated issues, which is why there are entire organizations dedicated to educating the public about fighting back. It might feel hopeless at times, or like it’s not worth doing, but the fight back against the mass infringement on our rights is worth the time and effort. Encrypting your browsing or your e-mail doesn’t take much, but if even 30% of people did it, we’d make a huge statement that would be impossible to ignore.

Please share this article, and get more people thinking about their online rights and privacy. And fill up the comments section with links for others to learn more, sign petitions, get involved, and make a difference.

It’s going to take a lot of cooperation to do this, so let’s start right here!

Image credits: Alec Perkins via The Day We Fight Back, Mohamed Nanabhay via Flickr, Electronic Frontier Foundation via Flickr, Wüstling via Wikimedia Commons, TaxCredits.net via Flickr, YayAdrian via Flickr, Paterm via Wikimedia Commons, Electronic Frontier Foundation via Flickr, Per-Olof Forsberg via Flickr, CryptoParty via Wikimedia Commons, Andrew via Flickr.

15 Comments

1 votes
Reply

dragonmouth

While the Don’t Spy on Us Day of Action may have been a fascinating afternoon of discussion, debate, and practical advice on how to keep our personal data private from snooping governments, it was also quite naive.

Did anybody think that this event was allowed to proceed just to identify the leaders and proponents?

What happens when governments make it illegal to use Tor and encryption?

How are we to retrieve/destroy all the personal data that has already been collected and stored? Not only by government entities but also by private companies.

What happens when the organizations you recommend that we support are declared illegal by governments?

How are you going to overcome the “Nothing To Hide, Nothing To Fear” attitude of the sheeple? An education campaign will not work when it is countered by claims of “protecting our children and our national security.” Have you noticed that anytime politicians want to ram through some obnoxious law, they always claim it is for the “protection of our children” or “stopping terrorism”? What good citizen is against those two things?

0 votes

Dann A

dragon,

You bring up some interesting points. Regarding your first question, I don’t think anyone would have had any problem identifying the leaders and adherents of this philosophy. The leaders are already very outspoken, and they were big names. As for the proponents, that also wouldn’t have been much trouble; I would imagine most of them were using encryption technologies already.

As for illegalizing Tor, encryption, and these organizations, that’s a possibility, but I think governments would face very serious backlash that they wouldn’t be able to overcome. That’s too blatant of a move against privacy. Especially with the human rights focus of these organizations. And while we can’t ensure the destruction of data that’s already been collected, we can try to make sure that no more is collected. No one was calling for a return to an ideal world here—just to make it better than it is right now.

Finally, as for the messaging angle, that’s a tough one, but that’s the point of educating people. If you go out and tell five people about why “nothing to hide, nothing to fear” isn’t a valid argument, and each of them tells a couple people, and so on, we’ll see a big change in public opinion and outspokenness. And yes, it’s falsely set against protecting our children and stopping terrorism, but that’s what education is all about.

Thanks for your input—you bring up a lot of interesting points here, and discussion like this is good for everyone!

0 votes
Reply

Todd Clay

Besides the fact that TOR has already been hacked by Big Brother during the Silk Road shuttering.

0 votes

Dann A

Do you have any evidence for this, Todd? Or is it just speculation? Though I haven’t been following Tor news, I didn’t hear anything about this at the event, and there was quite a bit of discussion about Tor. That would be quite interesting if it was true.

0 votes

Godel

Tor wasn’t hacked. The Feds identified some of the Silk Road sellers and forced them to put cop “malware” on their sites.

When a potential drug customer logged in, the malware put a program on their computer that transmitted information to the Feds AFTER they had logged off Tor and were just browsing unprotected.

From there on it was easy to trace them back to their real identities.

0 votes

Dann A

Thanks for clearing this up, Godel. No matter how secure your connection is, key loggers and other malware can get a lot of information. That’s always going to be a risk if your objective is to conceal your data.

That’s one reason why taking political and economic action is a great way to go about trying to change the way things are going right now.

0 votes

rec

Dann, regarding TOR, you aren’t going to be able to receive any confirmation it has been compromised. In this vein, what you have confirmation of to date is the WW2 codes that were broken.

In the meantime, I paid very little attention to Edward Snowden reporting, but the one thing I can tell you he did for the NSA was run a TOR server.

That’s 100% of the named administrators for TOR servers I’ve accidentally encountered via casual reading.

More to the point, out of the 10s of thousands of NSA employees and contractors we don’t know the names of, the one we do happened to be a TOR administrator.
I would find it very odd that they don’t hold the market share for this. You should be sacked if you weren’t.

0 votes

rec

Godel, Silk Road admin was busted via identity re-use. If you want to do something nefarious, you really shouldn’t re-use the gmail account you used to post online tied to your new identity. Pretty basic error.

That’s actually a real low level of infosec. It was the 1990s when repetition of cadence, punctuation styles and grammar structure was identified as inroads to tracking identities across multiple pseudonyms.

0 votes

rec

“You should be sacked if you weren’t.”
As in, your NSA contract if you aren’t doing this.

0 votes

Dann A

rec, I’m not sure that I totally understood your comment, but it seems to me like you’re arguing that because Snowden ran an exit node server, there must be a number of other NSA employees doing the same thing, which could be a security risk. Is that correct?

I did a bit of research, and the Electronic Frontier Foundation says that if you’re using HTTP instead of HTTPS, a malicious exit node operator could capture your information. The Tor FAQ itself says that not using SSL or running traffic through an exit node with a bad security certificate will allow someone to capture some of your browsing data.

However, the EFF just came out and said that Tor still works, and that they’re confident that it’s a safe way to protect your anonymity. https://www.eff.org/deeplinks/2014/07/7-things-you-should-know-about-tor

Finally, when it comes down to it, I’d say that even if Tor has, in some cases, been compromised, in general it’s still better to use it than not, as it’s going to be more effort-intensive to monitor than unencrypted, non-routed traffic. And if it’s more difficult and takes longer, it costs more money.

0 votes
Reply

John W

In the UK it is a criminal offence to “interfere” with the mails – if it is sealed in an envelope it is private.
Even the Government has to obtain a Court Order from a Judge to “intercept” mail and tap telephones.

I believe the same rules apply to the US Postal Service and Ma Bell.

What happened to these laws? Why couldn’t they simply be applied to new technology? Isn’t this what we call Western civilised democracy? The right to privacy. The right to protest and complain about those that govern us without being “disappeared” one dark night by the Gestapo.

It is bad enough that Google, Amazon and sundry botnets watch what I buy so they can sell me another one (pretty stupid really – I’ve already bought it, why would I need another?)

Spying on folks’ private lives should be illegal – all the way up to the top of government. Nixon was impeached. When is the trial for the head of the NSA?

0 votes

Dann A

John,

Yes, the laws, as far as I’m aware, are fairly similar in the US and the UK, though the existence of a written constitution in the US does make things a bit different.

Anyway, some of the laws are just being ignored. There are regulations in place for governmental organizations to bend or break laws when national security is at risk—which, in my opinion, is often warranted. However, the way that they interpret these laws is suspect. And because there’s so little judicial oversight, this goes on behind closed doors, and very few people actually know what’s going on or whether or not it’s ACTUALLY in the interest of national security.

Also, I think there’s a fundamental difference between opening a letter and adding an e-mail to a database: you actually have to physically go out to someone’s mailbox, intercept the mail, check it out, and put it back (or not). With e-mail, it just comes to you. It’s a bit more like a wiretap, though I’d say it takes even less effort than that.

So yes, laws are definitely being broken, and some people should answer for that. Things need to change. And that’s what Don’t Spy on Us and other campaigns are calling for!

0 votes

dragonmouth

“Why couldn’t they simply be applied to new technology?”
They can and they are. But since laws and lawyers are involved, whatever isn’t specifically forbidden is allowed. Data gatherers (and their lawyers) are fighting tooth and nail to exclude any new technology from the purview of old laws.

Supreme Court of the United States ruled just last week that law enforcement officers need a search warrant to examine the contents of a cell phone confiscated during an arrest of a perpetrator. In other words cops need probable cause. Until that decision, cops would arrest someone and then go through the phone with a fine tooth comb, searching for incriminating evidence, then charging the individual with new crimes based on that evidence. Not any more. From now on law enforcement is limited to whatever is displayed on the screen, if the phone is turned on. I don’t believe cops are even allowed to turn the phone on if it is off.

However, just like with all other laws, law enforcement officers will find a way around this restriction too.

“Spying on folks’ private lives should be illegal”
It is but the justification for it is that the spying is “in the name of national security”. That magic phrase will get any governmental entity around any restrictions.

“Nixon was impeached.”
Check the records. “Illegal surveillance” was only a minor part of Nixon’s Articles of Impeachment.
http://historyplace.com/unitedstates/impeachments/nixon.htm

0 votes
Reply

Eddie

From encryption of our day-to-day communications to well-scrutinized open-source hardware and software, securing our communications needs to become a mainstream behavior.

0 votes

Dann A

I totally agree, Eddie. Once it becomes popular enough, we should start seeing changes in the way that governments behave. It just takes enough people!
