A number of people have reached out to me to tap my technical expertise, asking essentially — is it possible to have a private conversation anymore? Well, it is — in a few ways. The first answer will surprise you least.
If you travel to where there is no cellphone network, and no recording devices, and you’re not visible to any satellites, you should be able to have a conversation no one can hear. That’s not as impossible as it sounds, given how much of the planet isn’t covered by a cell network, but at least for my lazy, tech-loving life it’s probably never going to happen. I also have to acknowledge that the warrantless wiretapping program itself sounds like something out of the paranoid conspiracy theories of a crazy person, and yet by all accounts it’s very real — I just don’t want to propose a response any crazier than the evidence demands. So now let’s work back through all the ways the government can capture a conversation.
Who’s Actually Listening
Although most articles refer to the NSA, there’s evidence that it’s actually a wide range of organizations either listening in or getting access through others. The FBI, NSA and DEA have all been shown to have their own monitoring programs. Some of them have been shown to have more than one. And the IRS and local police departments have been shown to have access to one or more of these monitoring programs. So while I’ll also be using “the NSA” as a convenience, brave reporters, journalists and whistleblowers have taken great risk to show us it’s a lot more than one program at one department of the government.
Tinfoil Hat Stuff
First let’s get past the tinfoil hat stuff that sounds insane.
Satellites
Technically speaking, a satellite recording you with no cloud cover should be able to get a clear enough video of you speaking that a lip reader (or lip reading software) could capture what you’re saying.
There’s also technology out there that reads the small vibrations in a large flat surface, like a pane of glass in a window, and translates that back into a crappy version of the original audio. To make it sound even more ridiculous, this technology is actually called a Laser Microphone. Yeah that’s right — go ahead and click that amazing word combination. And then go build one.
Both of these mean that if you’re in view of a satellite — basically if you’re outdoors or near a window — you could not assume your conversation is private. That said, satellites are big expensive things that must be launched up into space, and replaced by launching another one, because they fail over time — not cheap. There aren’t many, so they can’t be recording everyone at once. Even if they could, they wouldn’t have the bandwidth to send all that video or audio back to Earth where anyone could make use of it. Basically, if someone at the NSA, CIA, FBI etc. is watching you with a satellite, either they’re violating your privacy for fun (and with no public oversight, it’s not unfair to assume) or you did something really, really suspect worth an incredible expense. So let’s assuage the satellite fears with, “I’m not a top ten criminal, I just want my right to privacy, and I’ll avoid being outside naked.”
High Altitude Drones
Perhaps the only thing that sounds more insane than satellite monitoring is drone monitoring. Drones unfortunately are a lot cheaper than satellites, can get a much better view of you, and have far more opportunity to simply capture an actual audio recording of what you're saying - or even to record the wifi signal your cellphone is putting out. The only solace here is it appears the government doesn't have many of these. In 2011 US Customs and Border Patrol received their 9th drone - meaning they have fewer operating over the first 100 miles from the Mexican border than we have satellites orbiting earth. But there's still obvious opportunity for abuse here, and again, no public oversight. Still, they're few enough that we'll assuage this the same way we did the satellites.
Cellphones Recording While Off
Still acting like paranoid maniacs: it has been documented numerous times that various agencies have found ways to switch someone’s cellphone mic on in secret, to record audio and send it back to the FBI or NSA, while that person wasn’t making a call and thought they were in the clear. However, what has been documented suggests a couple of important things. First, you have to specifically be targeted. It may be that some of these phones have a bug in them that lets any wise hacker in to do this, but descriptions of what’s been uncovered suggest it was more about a really vicious virus getting installed on a phone, often through direct physical access.
So we’ll set this one aside the same way we did with the satellites — seems like the top cops have to really want you imprisoned or dead to have this happen to you. There is one exception though, and that is a dragnet approach to infecting phones in this way.
For example, if the NSA etc worked out a deal with Samsung, HTC, etc to have this backdoor built in to every phone they made (as may have happened in the RIM/Blackberry case), it would be possible for everyday citizens to get surveilled with little way to detect it and no way to prevent it (short of leaving the modern technological world). But, even if this were so, the way cellphone networks are designed is unlikely to enable that much bandwidth usage. Basically to transmit that much information back to where it could be recorded and analyzed, every cellphone would need to be continuously transmitting data over the network — when the design of cell networks is based on the assumption that most phones spend their time idling, and in this mode they have almost zero interaction with the very limited resources at their local cell tower.
The remaining possibility is a dragnet hack into many phones, or all phones or desktops by a given manufacturer or with a given OS, where the infected devices only phone home periodically to avoid saturating networks. The only way to really catch this would be to monitor traffic: on wifi you could watch your router's traffic, and on the cell network unfortunately you'd have to do something more elaborate, like measuring how much signal the phone is putting out and when, and checking whether every one of those transmissions is expected. This is a real weakness - as usual, if your device is compromised, so are you.
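One way to do that watching on the wifi side, as an added example that is not part of the original post: group a router's outbound connection log by destination and flag any destination contacted on a near-clockwork schedule, which is how a periodic phone-home stands out from a person's bursty browsing. The timestamps, the sample destinations and the thresholds (at least 5 contacts, timing jitter under 10%) are constructed for this example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Beacon is a destination contacted on a suspiciously regular schedule.
type Beacon struct {
	Dst      string
	Interval float64 // mean seconds between contacts
	Jitter   float64 // std-dev divided by mean; near 0 means clockwork timing
}

// FindBeacons takes contact times (seconds since the log started) grouped by
// destination, as you would extract from a router's connection log, and flags
// destinations seen at least minCount times whose spacing varies by less than
// maxJitter. People browse in bursts; a phone-home timer does not.
func FindBeacons(contacts map[string][]float64, minCount int, maxJitter float64) []Beacon {
	var out []Beacon
	for dst, ts := range contacts {
		if len(ts) < minCount {
			continue
		}
		sort.Float64s(ts)
		n := float64(len(ts) - 1)
		mean := (ts[len(ts)-1] - ts[0]) / n // average gap between contacts
		variance := 0.0
		for i := 1; i < len(ts); i++ {
			variance += math.Pow(ts[i]-ts[i-1]-mean, 2) / n
		}
		if j := math.Sqrt(variance) / mean; j <= maxJitter {
			out = append(out, Beacon{dst, mean, j})
		}
	}
	sort.Slice(out, func(i, k int) bool { return out[i].Jitter < out[k].Jitter })
	return out
}

// SampleContacts is a constructed log: a person browsing one site irregularly,
// plus a device reaching the same address every ten minutes almost to the second.
func SampleContacts() map[string][]float64 {
	beacon := make([]float64, 8)
	for i := range beacon {
		beacon[i] = 600*float64(i) + float64(i%3) // 0, 601, 1202, 1800, ...
	}
	return map[string][]float64{
		"news.example": {5, 9, 300, 301, 302, 1500, 2900, 2905, 4000},
		"203.0.113.9":  beacon,
	}
}

func main() {
	for _, b := range FindBeacons(SampleContacts(), 5, 0.1) {
		fmt.Printf("%s: contacted every %.0fs, jitter %.3f\n", b.Dst, b.Interval, b.Jitter)
	}
}
```

On a real log the same routine runs over a day or more of connections; a destination that keeps a tight schedule through the night, when nobody is using the phone, is the one to investigate.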
Your Location
Sadly, by their nature cellphones have to constantly check in with the cell network. They need to tell the cell network, "Hey, in case anybody calls - I'm here." Unless you pull the battery, you are constantly broadcasting your location. That location information is available to the NSA etc. The alternatives here are pretty slim: leave the phone on and be tracked as you wander the globe, pull the battery when not in use and only be tracked sometimes, or set it to Airplane Mode and hope that there isn't some passive way to still be tracked anyway (debatable), while simultaneously wondering why you bought a smartphone that never connects to anything.
Corporations That Caved
So now let's finally get away from the paranoia stuff and on to one people like to harp on: big evil corporations. Companies like Google talk a big game about privacy, but it's now been shown they and a whole bunch of other companies did not fight the good fight when it came to secret warrants allowing dragnet data gathering on their networks, of your data. Cue There Goes My Hero by Foo Fighters. So even if you could trust the way you transmitted your data, while it's stored at Google etc. unencrypted, the NSA gets to casually peruse it - or really, record every last character so they can casually peruse it later, even if you delete it. So you can't trust any company known to have caved to this dragnet, and you can't trust anything you've ever said, even the deleted stuff, over any of those companies' servers. If we're going to be really honest with ourselves, it's probably not safe to assume any company has fought back against these secret warrants issued by secret courts, unless you've seen them make a very public stink about it. So, any normal, unencrypted data on these services is out.
Secret Warrants
This may be the biggest barrier in the way of privacy. Since the various government agencies doing this do so with zero public oversight, never declassify what they've done, and use courts that are themselves secret, it's not possible to exercise your right to privacy - because the warrant your service provider is served specifically instructs them not to tell you about it. Since the person whose rights are being violated never knows, they can never challenge it in court and never enact the mechanism that calls this program what it is: Unconstitutional. Apparently the Constitution failed to include the "If a right falls in the forest and no one's there to hear it" clause.
Strictly speaking, it may not be legally possible to solve this for any service in reach of the United States - that is, either in the US itself, or in a country that either actively collaborates with the US dragnet or caves to US pressure. Fortunately the US has plenty of enemies, but often they have warrantless wiretapping programs or worse of their own - so it's a tricky legal conundrum, and my area of expertise is technical, not legal. I'll make some technical proposals below, but I welcome legal considerations from those who know more about that side of it.
What's Possible
With the obstacles covered, finally what I promised: what's actually possible. First let's get the non-goals out of the way.
Non-Goals
Our goal isn't to completely shut the government out. We already acknowledged the tinfoil hat stuff as being legitimately possible, so if you're dangerous enough, they may use those extreme tools, and we won't even try to interfere there. Our goal also isn't to be able to have a private conversation that's absolutely impossible to ever get into - because if we can use it, so can some big bad guy, and the Constitution provides for reasonable things like publicly inspectable warrants where justified with good reason; technology that shuts out even this legal option is likely an unwise tool to give to the world.
Don't Have Any Viruses
This probably goes without saying, but if you have a virus of any sort on your machine, you're probably hosed. Even if the NSA didn't put it there, any virus that made it on is probably transmitting something private off the machine - maybe everything. If your machine is infected, all bets are off. Not trivial advice to follow through on, but that's how it is.
Pre-Shared Key
If we go back to the initial proposal where you have a conversation outside of any listening devices, there's one more option you have here: Instead of having the one private conversation, you could share a secret (encryption keys), keep it private (for example by passing it on a thumb drive - never emailing it), and have as many encrypted conversations as you like over the open internet with your friend without anyone, including the NSA, able to read what you're saying. As long as the key size was large enough, you could even be so brazen as to post your encrypted messages anywhere - public forums, Amazon product reviews, wherever - and the only person able to read them would be your friend(s). However, this doesn't facilitate much communication. You're unlikely to meet privately offline with everyone you'll ever want to communicate with, share private keys, bank that neither of you will ever get a virus, and communicate solely via these keys.
From an actual technological perspective it works like this: You could use what's called a Symmetric Key, where a single gigantic secret number is all you need to read anything written in this secret format. This approach would be easy to use with TrueCrypt, free encryption software for any computer out there. It would be a bit annoying, but each time you wanted to say something, you'd encrypt, for example, a text file into a .tc file, attach it to an email to as many friends as you wanted to send it to (that you've shared this key with), and they'd all open the .tc attachment to find your one text file and read it. Not super convenient for text, but about the same time as you'd spend attaching other files. For just text you can automate this kind of pre-shared key encryption with PGP or GPG (the distinction isn't super important; they do the same thing).
You can tie this into Gmail, but it only works on desktops - though you could probably pair it with APG on Android and get it working on mobile as well. For IM on desktops that leverages this approach you can use Pidgin with OTR.
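What the pre-shared-key exchange above looks like in code, as an added example rather than anything from the post, TrueCrypt or PGP: a 32-byte secret handed over in person, AES-256-GCM to encrypt each message, and base64 output that could be pasted into a forum or a product review. The sample message is constructed; GCM's built-in authentication tag is what makes a wrong key fail cleanly instead of producing garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// newGCM turns the pre-shared 32-byte secret into an AES-256-GCM cipher.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a message under the pre-shared key and returns base64 text that
// is safe to post anywhere public. A fresh random nonce is prepended so the
// same key can be reused for many messages.
func Seal(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// Open reverses Seal. GCM's authentication tag means a wrong key, or a message
// altered in transit, is rejected outright instead of decrypting to garbage.
func Open(key []byte, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil || len(ct) < gcm.NonceSize() {
		return "", fmt.Errorf("bad key length or ciphertext too short (%v)", err)
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // the secret handed over in person, never emailed
	rand.Read(key)
	msg, _ := Seal(key, "constructed sample: meet at noon")
	back, _ := Open(key, msg)
	_, err := Open(make([]byte, 32), msg) // without the key: an error, not text
	fmt.Println(msg, "->", back, "| wrong key:", err)
}
```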
The vulnerability here is that for every friend you share the key with, that's one more person you have to worry will someday get a virus on their phone or computer and have that key stolen. When they do, everyone's vulnerable, including everything they ever said with it.[1] It's also pretty inconvenient as-is, although again you could write software to improve that a little.
On the flip side, this also has the no-legal-avenues problem: Two terrorists could actually use this approach to communicate securely, and thwart even a warrant (public or secret) to read what they said - because no one has the key to read it but them. If they can avoid legal avenues that would force them to divulge the key and technical avenues that would steal the key, they can communicate with total privacy - not what you want to hand to bad guys. That said, it's likely those bad guys could get that key stolen in one of the tinfoil hat scenarios, or stuff I've never heard of. Or the Bush/Obama/next administration could just kill them. That happens a lot.
Mesh Communication
The best way to keep something from being read on the internet is to not talk about it on the internet. There are now free pieces of software, like Serval for Android, that let you have a conversation entirely outside of the internet but still use those cool smartphones we like using. Of course any cloud-based anything - Google Maps, fast GPS positioning, documents you don't lose when the phone is destroyed, that stuff - is all gone without an internet connection. If a large enough group of people were using Serval, there's probably also the risk that one of their devices is hacked, or some jerk is listening to everything and broadcasting it all, or whatever. But the point is, you can text, email, have phone calls, etc. with anyone you can get a wifi signal to if you both have Android phones, or more broadly with anyone who has the right software in place. The range on this has to fundamentally be pretty limited, since you're probably not encrypting what you're saying, so as soon as anybody listens in, you're hosed. You could add in the Pre-Shared Key stuff above via software, with all its ups and downs.
HTTPS
One of the best pieces of news is there is no published viable attack on HTTPS, the technology that secures web connections when you've got that little lock icon in your browser's Address Bar. The technology is a bit amazing given it begins with a public conversation, and someone attempting to listen in could record every single interaction back and forth - and still be unable to understand (decrypt) anything you ultimately say over the secure connection HTTPS sets up. That said, there is one attack-like strategy a bad guy could use, and the NSA has even been documented as using it: Record all those interactions, store them for years while working on breaking the private key behind the HTTPS certificate of the server you were talking to, then use that to decrypt all of the recorded HTTPS traffic you left behind.
The solution to this is slightly more obscure, but still easily accessible: Perfect Forward Secrecy. Basically the service you're trusting needs to enable it, and you need to use a browser that supports it (like Chrome). HTTPS is a relatively long handshake process, and PFS adds several more back and forths to secure the connection even from this relatively exotic attack. So, any service you wanted to use privately would need to use HTTPS with PFS.
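The record-now-decrypt-later attack and why PFS defeats it, as an added example rather than the post's own material or real TLS code: a stripped-down model of the two kinds of key exchange, with RSA-OAEP standing in for the classic RSA key exchange and a one-time X25519 pair for ephemeral Diffie-Hellman (the mechanism behind PFS). The only thing it shows is which recorded bytes can later be turned back into the session key once the server's long-term private key is obtained.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Recording is what a passive eavesdropper stores from one handshake.
type Recording struct {
	EncryptedPremaster []byte // RSA key exchange: secret sent under the server's long-term key
	ClientEphemeral    []byte // ECDHE: only one-time public values cross the wire
	ServerEphemeral    []byte
}

// RSAHandshake models the classic RSA key exchange: the client picks the
// premaster secret and sends it encrypted to the server's long-term RSA key.
func RSAHandshake(serverPub *rsa.PublicKey) ([32]byte, Recording, error) {
	premaster := make([]byte, 48)
	rand.Read(premaster)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, premaster, nil)
	return sha256.Sum256(premaster), Recording{EncryptedPremaster: ct}, err
}

// RecoverRSASession is the "record now, decrypt later" attack: once the server's
// long-term private key is obtained, every recorded session key falls out.
func RecoverRSASession(serverPriv *rsa.PrivateKey, rec Recording) ([32]byte, error) {
	pm, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, rec.EncryptedPremaster, nil)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(pm), nil
}

// ECDHEHandshake models forward-secret key exchange: each side makes a one-time
// X25519 key, both derive the same secret, and the private halves are discarded.
// The server's long-term key only signs the exchange; it never protects the secret.
func ECDHEHandshake() ([32]byte, [32]byte, Recording, error) {
	curve := ecdh.X25519()
	c, _ := curve.GenerateKey(rand.Reader)
	s, _ := curve.GenerateKey(rand.Reader)
	cs, err := c.ECDH(s.PublicKey())
	if err != nil {
		return [32]byte{}, [32]byte{}, Recording{}, err
	}
	ss, _ := s.ECDH(c.PublicKey())
	rec := Recording{ClientEphemeral: c.PublicKey().Bytes(), ServerEphemeral: s.PublicKey().Bytes()}
	// c and s go out of scope here; seizing the server's long-term key later
	// gives nothing that turns rec back into the session key.
	return sha256.Sum256(cs), sha256.Sum256(ss), rec, nil
}

func main() {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	sess, rec, _ := RSAHandshake(&serverKey.PublicKey)
	got, _ := RecoverRSASession(serverKey, rec)
	fmt.Println("RSA session recovered from recording:", sess == got)
	c, s, rec2, _ := ECDHEHandshake()
	fmt.Println("ECDHE sides agree:", c == s, "| secret bytes in recording:", len(rec2.EncryptedPremaster))
}
```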
Securing the Service
So if HTTPS gets you data in and out of a service no problem, and your machine is virus free, the only remaining concern is the service itself - its servers, basically.
As mentioned in the Secret Warrants area above, one answer is to just put the service outside the reach of the United States. Lavabit, a company that attempted to provide secure email inside the US, shut down and left behind a message:
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
Kolab uses this approach by putting their servers in Switzerland, which apparently has very few warrants served on its data (not clear if any are secret...).
So, if you're at all patriotic, that's a fairly sad solution.
Force All Warrants Into The Open
So the final, scraping the barrel possibility I want to propose requires more legal knowledge than I possess. I've broken it out into its own post:
Footnotes
1. PGP/GPG differ slightly from other methods described here, by being asymmetric rather than symmetric. In symmetric encryption, everyone shares a single key, which is used to both read and write whatever's being said, by all parties. In asymmetric encryption, each person has their own read ("public") and write ("private") key. As you connect with more people, you gather their individual public keys. Technically, this does change what kind of risk you're taking by using a given service, but in the end the risk is about the same: If anyone in the group gets hacked, all of the keys they have on their machine are taken as well, opening up everything you ever told them. If people quote each other in emails, what they said is largely opened up as well. The difference ends up being pretty irrelevant to an end user looking for privacy.