Efforts to protect your data from prying eyes may actually earn you even more government scrutiny, according to new leaked documents from the U.S. National Security Agency (NSA).
If you try to protect your online privacy, encrypt your communications or even engage in discussions of cybersecurity, it appears that you're treated as a possible terrorist, criminal or foreign spy by the agency.
In light of this revelation, is it even worth it to try to protect your privacy online?
Security and encryption expert Bruce Schneier paints a bleak picture of what it would take to be truly safe from governmental surveillance:
"Throw away your credit card, put a nail in your cellphone [and] throw your computer into the ocean."
Technically, U.S. persons should already be safe from NSA surveillance. The NSA is not supposed to target a U.S. citizen or a documented resident of the United States at all. Just being on U.S. soil is supposed to offer some form of security: The NSA is supposed to treat all people known to be on U.S. soil as U.S. persons until proven otherwise.
According to its own procedures, any data the NSA has on U.S. persons was acquired accidentally, as collateral damage during the process of targeting non-U.S. persons, and should be destroyed.
[See also: How the NSA Sends Your Private Data Overseas]
However, the NSA's procedures for determining whether a potential target is a U.S. person are vague and replete with exceptions and loopholes. The same is true of the NSA's procedures for minimizing the amount of data "accidentally" collected from U.S. persons.
What, exactly, does that mean for U.S. persons? What kind of data does the NSA gather and retain on them?
"It's sort of like a puzzle that those of us who are in [the digital security] field have been trying to put together for years," said Jennifer Granick, director of civil liberties at Stanford Law School's Center for Internet and Society.
Encryption does work — with a catch
In a live "Ask Snowden" event on The Guardian's website on June 17, Edward Snowden, the former NSA technical contractor turned whistleblower, said that encrypting your data can protect you from surveillance:
“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around [encryption].”
Still, Granick said, "encryption and decryption is probably the best answer we have so far," she told TechNewsDaily.
How could the average citizen go about implementing encryption? Say you don't want anyone to be able to read your emails except for the intended recipient. The process involves running your emails' content, or plain text, through an algorithm that scrambles it.
Only a person with the proper cipher — also known as a key — can unscramble the message and read it. To anyone else, your message looks like a random sequence of characters.
It's important to note that encryption protects your messages' content, not their metadata.
That means that any snoops will not know what you said in a message, but they will know from which IP address you sent it, where and at what time you sent the message, to whom you sent the message, what email provider and online connection you used to send the message, and so on.
Most email providers already encrypt messages. However, this encryption is only in play while the message is in transit: The sender types an email in plain text and hits send, at which point the email provider encrypts the message and sends it along. Once the message arrives in the recipient's inbox, the message is decrypted.
At these two "endpoints" — the sender's and receiver's devices — the messages are stored in plain text, which means snoops can avoid encryption entirely by accessing the sender's or receiver's device, installing spyware on it or otherwise breaking into an endpoint device's security.
This is what Snowden meant in his Guardian interview when he said "endpoint security is so terrifically weak that NSA can frequently find ways around [encryption]."
[See also: Encryption: What It Is, and How It Works for You]
There are other ways to encrypt your data. PGP, for example (short for Pretty Good Privacy) is a free encryption and decryption service for texts, emails and files. It's used in various types of in-house software programs, but is less common among individual users, because all parties of an electronic communication need to use PGP for the encryption to work.
Encrypting your emails protects your content, not your metadata. But Schneier says that if your encryption algorithm — and more importantly, your key (similar to a password) — is strong enough, it's a pretty good defense against the NSA's prying eyes.
"The NSA is limited by computation [power]," he said. "So even mediocre encryption can help because it's a strain on resources." However, Schneier added, encryption can't ensure your privacy — it can only make you "a little harder" to spy on. If the NSA really wants to crack your encryption, they can do it— the encryption's strength only determines the amount of time it'll take them to crack it.
While the encryption does work to prevent (or at least delay) anyone from reading your emails, it can be a double-edged sword: By making your data harder to read, you're also calling attention to yourself.