The day the wiretaps go dead

With all of the attention that the Foreign Intelligence Surveillance Act (FISA) update (and the administration's vigorous attempts to immunize the criminals telcos), it seems like a good time to explore the issues surrounding surveillance and privacy in America today.

NSA: We're watching you....

(Credit: National Security Agency)

While there are so many scary things being done by intelligence and law enforcement, hope is not far away. Easy to use privacy technologies are upon us, and with them, comes a radical shift in the balance of power. As this article will explain, the scalable techniques with which the NSA, FBI and other agencies can spy on innocent Americans may soon be made useless - forcing them to go back to the old school (and labor intensive) black bag job.

First, a few facts:

• Fact: The National Security Agency (NSA) has data-mined the call records of millions of Americans. These records were handed over to the spying agency without a court order or warrant.
• Fact: Calling your Aunt Susan in Australia? The NSA is listening. No warrant? No problem. What about for international calls made to a lawyer, doctor or priest? No warrant necessary there either.
• Fact: Mobile phones transmit extremely accurate location information back to the wireless carriers. The FBI, DEA and other federal law enforcement agencies routinely get access to this location data without demonstrating "probable cause," which is typically required before a judge will issue a warrant.
• Fact: Most mobile providers claim that they do not save copies of text messages sent to phones and pagers for extended periods of time. However, up until the point that the messages are deleted, the companies will happily turn them over to the police without a warrant, requiring only that the prosecutors claim that the records are "relevant and material" to an investigation.
• If you are arrested by the police, in addition to searching your body, they are also permitted to search through your mobile phone and look through anything that they can find. Got an iPhone? They may be able to browse through hundreds of emails from your gmail account using the device, all without the pesky requirement that they first get a warrant.

As the debate over FISA and telco immunity has demonstrated, the telecom companies are willing to completely eviscerate consumer privacy in order to help law enforcement and the intelligence community. With the telcos getting handsomely paid for their participation in illegal surveillance programs, its clear that consumers cannot rely upon AT&T and Verizon to protect their privacy.

Consumers will need to take matters into their own hands - and luckily, secure communication technology is finally user-friendly enough to be usable by non-geeks.

In addition to enabling the average Joe to regain a bit of his privacy, the rapid deployment of easy to use crypto will have a major impact on our society: The end of large scale surveillance.

Raising The Bar: The Black Bag Job

The big problem with the surveillance techniques currently used by the NSA, aside from the fact that they are creepy and illegal, is that they scale so well.

Just like Google, if the NSA wants to expand its surveillance abilities, it simply has to build another data center. Want real-time spying on the phone calls of 10 million more people? No problem -- just buy another 10,000 computers, and set them up with NSA's existing pattern recognition software

In the old days, the spooks would have to rely on the so called 'black bag job' -- a term to describe the act of breaking into a suspect's house in order to install bugs and other listening equipment. The team doing it, at least in Hollywood movies, were, like ninjas, dressed in all black.

The nice thing about the black bag job - is that it is labor intensive. Want to install bugs in the home of a suspected Soviet agent? That'll take a team of five agents, plus around the clock surveillance for a few days beforehand. Using traditional techniques, spying on an additional 10,000 Americans would require an additional 50,000 NSA black-bag-job agents to install the bugs.

As large as the NSA is, it simply doesn't have that level of resources. Thus, simply due to the man hours required, the NSA's surveillance net was limited in scope.

Unfortunately, due to computers, and the willing assistance of telecom companies - this is no longer a problem. Surveillance today scales very very easily, and it is almost trivial for the NSA to spy on an additional 100,000 Americans.

The deployment of easy to use cryptography for the average user will significantly upset the status quo. Large scale surveillance will no longer be possible, and the spooks will have to return to the days of the black bag job. Will they still be able to focus on high-profile terrorist targets? Sure. However, their days of spying on the average American, simply because it's easy, could be over.

I'll now explore the technologies that will make that possible.

Secure Instant Messaging

I've written extensively about this form of secure communication before. Adium, one of the most popular instant messaging applications for the Mac, ships with high-end encryption out of the box. Similarly, Pidgin, an IM application shipped with practically every Linux distribution, also includes support for the same encryption protocol that Adium uses. A port of Pidgin is also available for Windows users.

An encrypted conversation in Adium

(Credit: The Adium Dev Team)

These IM applications and the off-the-record encryption standard they use are protocol independent. That is, they work with AOL Instant Messenger, Google Talk, Yahoo IM, and others. By using one of these applications, your IM communications are encrypted, authenticated, and completely deniable.

No amount of telecom company assistance will enable the Feds to passively snoop on an encrypted IM conversation. In order to have any chance at getting a copy of the messages, Uncle Sam will need to resort to a significantly more invasive (and riskier) surveillance techniques.

Secure Voice over Internet Protocol (VOIP)

Unfortunately, out of the box, most internet based telephony services are horribly insecure. Use Vonage, Packet8, or one of the other popular VOIP services? Your calls are going over the wire in the clear. Using one of several open source hacking tools, it's trivially easy for an attacker or nosey neighbor to snoop on your calls.

With regard to the mainstream voice solutions, Skype is the clear exception to the rule. All Skype communications are encrypted (as long as you don't live in China, where the government has forced the eBay owned software company to install some fairly suspect filters).

Skype has been extremely secretive about the technical details of their encryption technologies. They paid a few security consultants to conduct a review of the system, which, not surprisngly, was rewarded with rave reviews. However, some crypto geeks have been able to reverse engineer Skype, and have determined that by and large, the program does a pretty good job.

Skype's security is good enough, it seems, to stump the police and intelligence agencies in Germany. They've had to resort to paying 2500 euros per victim suspect to install malware that secretly records the audio as its recorded and played on the user's PC during a Skype call.

Thus, for most users, Skype is more than good enough - and a complete pain in the ass for law enforcement.

For those users not willing to trust their communications to a closed-source communications system, the gold standard really is Zfone, an encrypted VOIP solution made by famed cryptographer and cypherpunk Phil Zimmerman. While it's easily the best tool out there, it unfortunately suffers from the network effect -- that is, there really isn't anyone using it right now.... and Skype has, in a few years, become the most widely deployed cryptographic application ever.

If you can get your pals to install it, go for Zfone, but for those you can't, Skype is probably good enough.

Anonymous Web Surfing

One word: Tor. If you're not using it already, you need to be.

Encrypted Computer Data

Both Microsoft Windows Vista and Mac OS X include encrypted disk support out of the box. While I can't speak to the Windows experience, I can say that encrypted disk support is a piece of cake on the Mac. As recent court cases have shown, this disk encryption can be a total roadblock for law enforcement, and can completely derail any attempted investigation or prosecution.

Mobile phones

As fans of the HBO show The Wire will already know, mobile phone privacy and anonymity is something that there is a significant market need for. For now, psuedo-anonymity can potentially be achieved through the use of prepaid phones, but this provides no safety against a government agent with a wiretap order (or a spying agency willing to break the law).

For now, we as consumers are left out in the cold. However, the rise of devices such as the iPhone and Google's Android OS do give me some hope. If we get Skype on mobile phones (a not so unrealistic possibility), law enforcement is going to have a very very tough time. Furthermore, if we can replace SMS text messages with off-the-record encrypted IMs, users will finally get the privacy they deserve.

While we can't rely on Steve Jobs to bring this to us, there is a decent chance that Google's Android system may end up having these features. It's an open platform, right? So it's just a matter of time until someone hacks it up, and releases it.