So in light of this, which BTW is pretty horrendous when one sees it laid out like this, does anyone publish "best practices" for the everyday citizen? Maybe EFF?
On the one extreme (my guess: 98% of the population) one shares anything and everything on social networks, no concept of encryption, or VPNs, lots of sensitive info sent unencrypted over email, location-enabled smartphone, etc etc.
On the other extreme I guess is the snowden/greenwald approach, only ever boot into Tails onto a laptop that has been inspected for mal(hard)ware, only ever use Tor, always use PGP, never unencrypted email, etc. Only problem is that the everyday person cannot interface with the rest of society this way (e.g. their job).
So what are suggested best practices? ... and let's be realistic, the everyday person cannot for example host their own email (although I wish the day comes soon when this is possible)
For a completely average US citizen, I don't think NSA spying has a practical impact today, at least directly -- it's almost all future risk. It's very serious future risk, that NSA will start to use its capabilities for entirely unlawful and immoral things (political activities, repression) vs. just spying on too many people when going after a smaller number of people.
So, the correct thing for average individuals today is to stop this from going farther -- not trying so much to mitigate the effects today. There are two main tools for the individual: politics, and commerce.
I'm willing to vote single-issue on reining in NSA; I'd vote for Brian Schatz or Ted Cruz based on this single issue, even though I hate them otherwise.
As for commerce: I'll choose companies which resist spying activities (Google, Twitter, Sonic) over companies which cooperate completely (Telcos, eBay, etc.).
(legal challenges kind of fall in between; if I had the resources, I'd certainly fight vs. settle on these issues, individually or as a company, but it's not fair to expect others to do so)
If I were a foreigner, I wouldn't be able to directly influence US politics. I would lobby my government to end EU Safe Harbor and any other pressure they can put on the US Government, and to fix my own crazy data retention laws. And I'd probably prefer domestic companies, even when they also spy, just to put pressure on the US.
> For a completely average US citizen, I don't think NSA spying has a practical impact today, at least directly -- it's almost all future risk.
While I think it's true, the keyword is direct. Though it should be mentioned that indirect impact is measurable, now.
> 1 in 6 writers has avoided writing or speaking on a topic they thought would subject them to surveillance. Another 1 in 6 has seriously considered doing so.
I have seen this survey before and I have to say I am a little suspicious of how they came up with this pullquote. I do not understand how the 11% who responded "have seriously considered" is presented as "1 in 6 have seriously considered."
This is from Question 12.a in the survey.[^1]
    12 Over the past year or two, have YOU done or seriously considered
    doing any of the following because you thought your communications
    might be monitored in some way by the government?

    12.a Avoided writing or speaking on a particular topic

     %% | Response
    ----+--------------------------------------
     16 | Yes, have done
     11 | Have seriously considered
     70 | No, have not
      3 | Not sure/Not applicable
    ----+--------------------------------------
     27 | NET Yes/Have seriously considered
     73 | NET No/Not sure
"Have seriously considered" is not even "1 in 6 respondents excluding the respondents that answered 'Yes, have done so.'"
I hope I am missing something obvious but as far as I currently understand the survey/math this quote is fucking shameful. Getting popular support for privacy protections is not going to happen by giving up the moral high ground. It is hard enough to fight against the "weak on security issues" label, it is going to be next to impossible to overcome "weak on security AND cannot be trusted to tell the truth."
> "Have seriously considered" is not even "1 in 6 respondents excluding the respondents that answered 'Yes, have done so.'"
Interesting. Yes, correctly excluding those 16, 11/84 isn't even close to 1/6. Incorrectly dividing by the NO answers (11/73) is. I'm inclined to believe whoever came up with the quote made that mistake.
It depends. Do you believe that NSA is stifling citizen activism?
If that's the case, then NSA spying affects a large portion of Americans. If that's the case, that would put a dampening effect on democracy, which theoretically affects everyone in the entire system, immediately.
> Do you believe that NSA is stifling citizen activism?
Let's say you were preparing an Occupy 2.0 movement. Do you think the government would bring the NSA to bear on you? Do you think you might get "stifled?"
> Let's say you were preparing an Occupy 2.0 movement. Do you think the government would bring the NSA to bear on you? Do you think you might get "stifled?"
Perhaps it's just the nature of activist groups, but I've been reaching out to various groups of protesters and activists since the Restore the Fourth protests last year.
Anecdotally, I have yet to contact a single group that doesn't believe that they have experienced government surveillance, infiltration, or subversion. Now, perhaps this is due to the closeted nature of activist groups and the paranoia that can go hand in hand with activism, so take it for what it is.
There are reports of JP Morgan offices inside the NYPD surveillance complex. The NATO 3 case is an indication to me that this type of activity (surveillance, infiltration, disruption) may be widespread. Certainly, it seems to coincide with the attitude and perspectives that led to COINTELPRO and other Hoover-esque tactics such as blackmailing Martin Luther King.
This is all to say nothing of the Arab Spring, and the subsequent development of practices and technologies that have "stifled" activism on social media. The other thing to take into consideration is that protests and activism in the US may play into the narrative put out by Russia or other foreign national interests, in the same way that the United States covers Pussy Riot or stories of unrest in Ukraine.
I tend to think in the coming months, you'll hear more about this topic. We'll see, though.
Wish I could double-upvote this. Great comment that puts it in context. We are not seeing this abused at the average citizen level right now. What we've done is establish new standards where the government in the future will be able to do really bad things without oversight. That has to stop.
> I'm willing to vote single-issue on reining in NSA
That's it, in a nutshell. The tech community, and those interested in not living in an Orwellian state in 20 years, needs to go single issue on this and ditch the traditional political parties. If we were to get serious on this the way the prohibitionists got serious on alcohol, politicians will listen. Otherwise it's going to be 50 years of bullshit with small gains made every few years just to keep the yokels happy.
I firmly believe that this is the worst change in the system of governance for the United States in its entire history. Our type of government was not made to be on a constant war footing, with the government mass trolling the net. It just wasn't made to operate like that. It won't work. It's not that there isn't a threat, or that we don't take the threat seriously enough, or that it's not a new world and so on. It's that it doesn't work. Right now the politicians and those in power are too ignorant to understand this. They think that the danger outweighs the damage they're doing. We're going to have to get a big club out and beat them over the head for that to change. Single-issue voting is that club. (Assuming a large-enough percentage of people buy into it).
I agree with you, but I find it weird that Google is seen as a privacy respecting company.
People happily give up privacy for neat services like Facebook or Google or whatever, and some of these have caused actual harm to real people by leaking data.
Google builds amazing security technology, but also amasses huge amounts of information which wouldn't otherwise be centralized and retained. That's a lot better than people who only amass lots of data but don't build decent tech, and worse than people who just build awesome tools. I'd still put Google as a strong net positive, including the performance multiplier the Google tools give everyone. Even Facebook, which builds none of those good tools, and is essentially just a huge data repository, is kind of a net positive in that it brings people together to communicate. (that's a bit more debatable)
> For a completely average US citizen, I don't think NSA spying has a practical impact today, at least directly -- it's almost all future risk
I keep trying to come up with a catchy term that describes this, and/or the phenomenon of carrying out really serious human rights violations against a very small number of people (e.g. Guantanamo). So far I've come up with "police microstate".
> over companies which cooperate completely (Telcos, _Microsoft_, eBay, etc.).
FTFY.
I don't mean to sound like a Microsoft basher (and if you look at my history, I frequently defend them), but they are perhaps the most highly-documented (esp. in regard to Skype, Hotmail, etc) at collaborating with the US IC. They absolutely deserve a mention in that list.
My personal opinion on this issue is that we already have a pretty good sense of public/private spaces in the physical world. The problem is that most people assume that if your computer is in a private space (ie your bedroom) then it is also private. This is obviously not the case.
What we need is to start building a culture of online privacy. Everyone should have access to an anonymizing VPN, should know how to use Tor and understand PGP. But just like it would be insane to never leave your bedroom and unlock your door, or always speak in a whisper, the same applies to online privacy.
And the important thing is just because you are in your private space doesn't mean you're doing anything wrong or shameful. People use private spaces to snort lines of coke and plan bank robberies, but also just to have some time when they can think and not be bothered... or watched. People need to start using Tor just to browse the web and know they aren't being watched, that neither the government nor advertisers are building a profile on you.
And just like physical privacy means less social, so does online. Online privacy should be about keeping anonymous. Don't talk about where you live, what your hobbies are etc. Be conscious of not leaving a trail of personally identifiable information (just like you close the blinds in your bedroom).
It's not a question of always watched or always hidden, but being conscious of when we are being watched, and when we are free to say and do as we please.
I don't think anyone can use the Internet in any normal way (email, Facebook, Hacker News, CNN.com, anything) without leaving a trail that can be tracked. Anything that can be encrypted must be decrypted at the other end. How can you use Facebook (even as an alias) and avoid revealing your true identity to any of your friends?
A strange game. The only winning move is not to play. How about a nice game of chess?
We need popular services to adopt end-to-end encryption, so it's "transparent" to the user and they don't need to worry about it. Imagine if Gmail adopted the DarkMail protocol by default (or even as an obvious "turn on encryption" option), and Hangouts, Facebook Chat and Whatsapp would adopt Axolotl or OTR. That would be huge for privacy.
The everyday citizen is not computer savvy enough to know that the NSA is spying on them or that Windows needs regular security updates and antivirus updates, and that they need to pick a different password than 'password' for their account.
Most of them work a job for a greedy employer who gives them a Microsoft Windows PC locked down without administrative access with just the software they need to get their job done. No operating system updates or AV updates for three years and since they don't have admin access they cannot run them. They are stuck with an older Internet Explorer and cannot install a third party web browser that would be more secure and have fewer exploits and use Adblock or NoScript.
Most likely they use XP/Vista/7 in order to run some legacy Windows software, and management does not care about security and has fired all of the competent and experienced IT staff to hire college and high school dropouts to work for a bit over minimum wage to save money and maybe some H1b Visa workers.
But it is completely over their heads to understand it or how to install apps in Windows or even boot a Live Linux CD, and at work their PC is locked down and even if they knew how to do all of that, management would fire them if they did it because management sees making things secure as a waste of productivity.
Sure a lot of companies that post at Hacker News here are not everyday citizens, but experienced and competent IT workers and hackers who know security and most likely boot a version of GNU/Linux with the privacy programs already installed. The everyday citizen does not even read HN, because 'Eek hackers, they might give me a virus infection and steal my email account!' because the everyday person is told that 'hackers will infect you with a virus and steal all your data' and then point to an article about Target's POS systems being hacked by viruses, etc.
Nope those are 'crackers' and 'black hat' people. 'hackers' on hacker news are 'white hat' people who actually build useful software and operating systems and help people out. Then give you useful advice on security.
Most US corporations and colleges and universities have the same problem as the federal government. They fired anyone who was competent enough to implement a good security policy, and they went with an insecure security policy because it was easier to implement for the everyday person to be able to use their Microsoft Windows PC systems.
Heck I've been to some startup dotcom hackathons where they had very poor security and only focused on writing code and storing it on a server with a weak password of 'password' and overloaded the electrical outlets with a couple traps per outlet to power all of the PCs they used to write their code. Violating the fire code, weak security, virus infections, and nobody seemed to care as long as they had the potential to make some new IP and earn some money.
I get really bad, out of sync video streaming performance from them (from CloudFront, on Comcast Business 30M); it's weird because it's only an SD stream. (Sad because their content is amazing; I guess I'll find a torrent, although Part 2 isn't up anywhere yet)
Same here. There's an encoding issue with the video around 3 minutes in and the audio is off badly for the remainder of the video. I had to load the stream in VLC and offset the audio to somewhere around 2500ms using the keyboard shortcut (just keep hitting G until it matches up).
Why do they keep saying that ANY websites can track you through your cookies?
They also seem to imply that Google purposefully made the PREF cookie so the NSA can use it to track people. If anything, Google is a victim themselves here.
I love Frontline, but come on, this is just not accurate. Unless a lot of the things I understand about the browser are wrong.
Whenever I see inaccuracies in tech reporting, it makes me wonder if there are similar inaccuracies in other fields that I do not recognize because it's not my specialty.
If the NSA can track the request from your browser to the adsense/doubleclick servers, then they can track where you go around large parts of the Internet.
I didn't get the sense they were saying the NSA made Google make that cookie. Just that Google was denying that cookie was used for tracking, except 8 years ago when they said it was.
I suspect we don't fully understand the level of ability the NSA has to monitor a specific Internet user. It might be accurate to say that, if they want to track you, they will easily know every site you visit surfing around the web due to ad tracking cookies by all the various ad companies. I bet they can tie a Google PREF=ID to you by name and IP address.
Yes I understand that. And I agree the NSA is wrong for doing that. But I felt like the show is implying that Google is purposefully doing it to allow the NSA to track you. When it seems to me that Google got outsmarted by the NSA.
Actually the summary of that whole segment seemed to simply be that:
1. Google is really good at tracking users.
2. NSA became very interested in that fact.
3. NSA piggybacked on Google's tracking without them knowing.
I didn't get that they were saying Google knew that the tracking cookie was being used in this way. Only that they were setting the example of how best to spy on people.
We begin therefore where they are determined not to end, with the question whether any form of democratic self-government, anywhere, is consistent with the kind of massive, pervasive, surveillance into which the United States government has led not only us but the world.
This should not actually be a complicated inquiry.