How to keep prying eyes at bay

Data security expert Graeme Batsman on the measures you can take to keep your data and communication private

EARLIER this month, news broke of an alleged surveillance scheme by the US National Security Agency (NSA) that claims to have access to emails, searches, internet phone calls, and other forms of web-based communication. If recent reports are to believed, NSA’s Prism programme has been active for a few years and its reach extends far beyond the borders of the US.

Reports suggest the US federal government has direct access to data collected by global internet giants such as Google, AOL, Apple, Facebook and more. If these reports are true, entire lives could be open to eavesdropping and recording by the government.

Even without Prism, vast amounts of data – phone records, loyalty cards, bank statements, Oyster card logs and social media – are posted or made available without a second thought. When combined, such data can easily reveal details such as age, education, religion, ethnicity, location, past jobs, football teams, political views, even that you’re having an affair. Discretion when it comes to posting online is vital.

FOR THE WARY
Location, location, location
Every country and political union has its own rules. Switzerland, since it is fiercely independent and neutral, will make it harder for court requests from other countries. Most mass market service providers are US-owned so the data is likely to be held there. This makes access easier to government agencies since it comes under the Patriot Act or alleged surveillance schemes like Prism. So...

Avoid US-owned companies and internet giants
Just because your data is in the UK or even the EU, doesn’t mean a US-owned service provider cannot access it. Giant providers like Google, Hotmail and Yahoo Mail do not have the best privacy policies and it is hard to know where your data is based. Private email providers do exist but typically offer a low storage amount or charge. These will often guarantee your data is held in a specific city or country and that staff are vetted. Avoid mainstream search engines. Less well known private ones are out there, for example Duck Duck Go.

FOR THE CAUTIOUS
Use a virtual private network (VPN) service
VPN services re-direct your internet traffic to a server in your own country or elsewhere. All traffic is encrypted and typically no logs are kept. This means that websites do not see your real IP address and people trying to sniff out data only get scrambled information. Using a VPN provider outside of the EU can sometimes increase privacy since there is reduced co-operation with outside countries. VPNs have been used in China and Iran for years. It is recommended to use a VPN when using public Wi-Fi.

Encrypt your backups
Many backup providers may claim to have government grade encryption but the encryption keys are usually tied to your username and password. If someone cracks the username, password or server, any encryption becomes a waste of time. Also, government agencies can request access to your data rendering an encryption useless. A few let you specify your own encryption key, which is held locally thus cutting out the government or service provider.

FOR THE PARANOID
Encrypt your emails

Even if you use a mass market email provider like Google, emails can be made private and secure by using an encryption method. The Pretty Good Privacy (PGP) programme is well known but expensive, and there are some free encryption tools such as GNUPG privacy guard and Comodo. The setup can be fiddly, but once you’re up and running it is simple and quick to use. Some email providers exist with web based encryption. This adds privacy, but it is not as good as when you do it yourself, such as with Open PGP.

Encrypt your phone calls and texts
Telephone calls and text messages can be recorded or logged at the Government’s request, so why not go the whole hog and use Bond-style voice and text message encryption? From £2.50 a month, services are available to heavily encrypt your phone calls, text messages and file transfers, thus vastly reducing the logging capability at mobile networks, making it virtually impossible for government agents to listen in to phone calls.

Will these measures help protect you one hundred per cent? No – nothing can do that – but they may help you sleep at night.

Graeme Batsman (CEH, CHFI, Security+, ASyl) is an ethical hacker and security director of EncSec which provides private client cyber and comms security