How the NSA Gets Your Private Data, and What You Can Do to Protect Yourself

[Newer]

Lately, the National Security Agency has been in the news for all the wrong reasons. Constituted in 1954 from the ashes of the Armed Forces Security Agency, the institution is charged with carrying out clandestine electronic surveillance to protect the United States and its allies. Ideally, this should be carried out within the limits of the law. Documents leaked by Ed Snowden, a former employee of the organization have raised concerns that this may not the case. Failing to stick to its legally-constituted limits would put the NSA on the same level as rogue white blood cells, a danger to the very people it is meant to protect. Going by information from the leaks, intelligence agencies from other countries may also be a part of the problem. The agency uses several approaches to gain access to private information.


1. Legal Compulsion

The Patriot Act's Section 215 gives the NSA power to compel American businesses to give up private information in a restricted set of circumstances. To prevent abuse, such actions are governed by law. Unfortunately, affected companies are legally forbidden to publicly reveal the number and nature of such requests. Snowden's revelations seem to indicate that Google, Facebook, Twitter, Microsoft, Apple, and other technology giants have been forced to give up private subscriber data on several occasions.



2. Cooperation

Some companies voluntarily give the NSA access to private information. Reports backed up by Snowden's leaked documents show that in the period after September 11, 2001, a major American telecommunications company - rumored to be either AT&T or Verizon - voluntarily gave the agency access to its call records among other customer data. The NSA has invested a significant amount of time and money on personnel, software and equipment to sweep such data for important clues. Companies that choose this route are immune to prosecution courtesy of the protection conferred by the FISA Amendments Act.



3. Digital Splitters and Undersea Cables

Where legal instruments and cooperation are not available, the agency turns to other tricks up its clandestine sleeve. Snowden's documents indicate that from the second quarter of 2012, the Government Communications Headquarters, the British equivalent of the NSA, has been tapping undersea cables that move massive amounts of information across the globe. The GCHQ calls this 'Operation Tempora'. Data is collected and stored for up to 30 days. The NSA provides the tools needed to glean important clues from the stored data. Results are shared between the two agencies. Another approach involves installing digital splitters in a company's servers to shunt communications traffic to the NSA.



4. Spies

When all else fails, the NSA and its partner agencies turn to a tried and tested method; old fashioned spying. According to a respected British publication, The Guardian, the GCHQ has a unit dubbed the Humint Operations Team. 'Humint' stands for 'human intelligence.' This team is responsible for recruiting and planting agents in telecommunications companies around the world. With spies in the right places, the NSA can get practically any information it needs.



5. Malicious Software

Where necessary, the agency uses malicious applications to exploit unreported software weaknesses and extract, implant or manipulate information. Stuxnet and Flame are some examples of such malware. Using infected email and other methods, the agency installs remote administration software in target computers, making surreptitious long term surveillance possible. In addition, Germany's respected Der Spiegel magazine reports that the NSA can even worm its way into devices using iOS, Android and Blackberry operating systems, and take advantage of their unique capabilities to, for example, track the whereabouts of those using them.



6. Back Doors

In order to find its way around encrypted data, the NSA will at times work with technology companies and other organizations to build backdoors into commercial encryption hardware and software. These holes are designed to be invisible to the end user while offering surreptitious access to those who know about them. For instance, the global technology community suspects that the NSA may have somehow compelled the US National Institute of Standards and Technology to approve the deliberately flawed Dual Elliptic Curve Deterministic Random Bit Generator cryptographic standard.



7. Brute Force Attacks on Encrypted Databases

The NSA cannot snoop at data that is properly encrypted. In such cases, the agency finds other ways to get what it wants. Usually, it will look for weaknesses at the points where data originates or ends. In a strategy reminiscent of hacking attacks that have affected a number of organizations around the world, the agency covertly acquires target databases, then applies brute force attacks to uncover their contents. In case that approach fails, the NSA stores the information for up to five years, waiting for the day when advances in technology will give them the means to crack recalcitrant databases.



How to Keep Your Data Safe

1. Avoid Texting and Instant Messaging

When you send texts or an instant messages, copies are retained in your service provider's servers, where they are vulnerable to hackers and, well, government spooks. Currently, it is not possible to make texting more secure. However, instant messages can be protected, but this is not possible if you are using public IM services like Google Hangouts, Skype and AIM. For enhanced security, turn to Cisco United Presence or any other service that offers an Extensible Messaging and Presence Protocol. However, the recipient should use the same approach, because if they are on a public IM service, copies of your messages will end up in a corporate server somewhere.



2. Always Encrypt Your Email

Solutions for encrypting email have been around for a long time, but an overwhelming majority of users are not even aware of them. The biggest hurdles to mass adoption of these technologies is lack of awareness and the relatively high level of technical proficiency needed. Please note that email encryption only works when both the sender and receiver use it.



3. Avoid Social Networks

Close your Facebook, Twitter and other social media accounts, and never use them again. Social networks are a treasure trove of personal information, so avoid them like the plague. Some people may find this advice a bit hard to swallow, but the benefits in enhanced privacy are worth it in the end.



4. Turn Off Services That You Do Not Use

Modern devices are constantly syncing data with servers in the cloud. While this makes it possible to receive emails and instant messages almost as soon as they are sent, it may provide a way for government agents to snoop into your private data. So, if you do not need location information, turn off your GPS; if you are not within the range of a hotspot, turn off WiFi, and if you are not transferring files or listening to music, turn off Bluetooth.



5. Do Not Store Sensitive Files in Public Cloud Services

Going by Snowden's leaks, cloud service providers have been a particularly juicy target for the NSA. Add that to the unresolved crisis that is Megaupload, and you can see why you should not store sensitive data in public clouds. NSA personnel do not necessarily need access to your cloud account; they can grab data as you upload your files. The same methods can be used to collect information from software-as-a-service applications like Office 365 and Google Drive. To protect yourself, store data in your own servers or in a private cloud, encrypt your traffic and limit communications to your corporate intranet.



6. Keep Web Browsing Private

Avoid relying on the 'do not track' feature that is built into most modern websites. It cannot prevent snooping. Firefox and Chrome users should switch to the Electronic Frontier Foundation's HTTPS Everywhere browser extension. It uses the popular Secure Socket Layer encryption scheme to keep web browsing private. An even better option is Tor; use it to secure yourself. Unfortunately, the technology makes browsing rather slow, but that may be the price you need to pay to keep your data secure.



7. Use Open Source Encryption

Wherever possible, use open source encryption software. Unlike proprietary programs from companies like Microsoft, they are less likely to incorporate back doors. The truly paranoid can always turn to carrier pigeons; it is a little hard to build backdoors into feathers.



Parting Words

Ultimately, however, no system, no matter how secure can be said to be truly NSA proof. A lasting solution may lie in strengthening privacy laws and improving oversight. This would ensure that intelligence agencies exercise their mandate without violating the law. If you haven't already done so, start petitioning the relevant authorities.