Can You Hide Anything from the NSA?

You may be making things worse

Efforts to protect your data from prying eyes may actually earn you even more government scrutiny, according to new leaked documents from the U.S. National Security Agency (NSA).

If you try to protect your online privacy, encrypt your communications or even engage in discussions of cybersecurity, it appears that you're treated as a possible terrorist, criminal or foreign spy by the agency.

In light of this revelation, is it even worth it to try to protect your privacy online?

Security and encryption expert Bruce Schneier paints a bleak picture of what it would take to be truly safe from governmental surveillance:

"Throw away your credit card, put a nail in your cellphone [and] throw your computer into the ocean."

Technically, U.S. persons should already be safe from NSA surveillance. The NSA is not supposed to target a U.S. citizen or a documented resident of the United States at all. Just being on U.S. soil is supposed to offer some form of security: The NSA is supposed to treat all people known to be on U.S. soil as U.S. persons until proven otherwise.

According to its own procedures, any data the NSA has on U.S. persons was acquired accidentally, as collateral damage during the process of targeting non-U.S. persons, and should be destroyed.

However, the NSA's procedures for determining whether a potential target is a U.S. person are vague and replete with exceptions and loopholes. The same is true of the NSA's procedures for minimizing the amount of data "accidentally" collected from U.S. persons.

What, exactly, does that mean for U.S. persons? What kind of data does the NSA gather and retain on them?

"It's sort of like a puzzle that those of us who are in [the digital security] field have been trying to put together for years," said Jennifer Granick, director of civil liberties at Stanford Law School's Center for Internet and Society.

Encryption does work — with a catch

In a live "Ask Snowden" event on The Guardian's website on June 17, Edward Snowden, the former NSA technical contractor turned whistleblower, said that encrypting your data can protect you from surveillance:

“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around [encryption].”

Still, Granick said, "encryption and decryption is probably the best answer we have so far," she told TechNewsDaily.

How could the average citizen go about implementing encryption? Say you don't want anyone to be able to read your emails except for the intended recipient. The process involves running your emails' content, or plain text, through an algorithm that scrambles it.

Only a person with the proper cipher — also known as a key — can unscramble the message and read it. To anyone else, your message looks like a random sequence of characters.

It's important to note that encryption protects your messages' content, not their metadata.

That means that any snoops will not know what you said in a message, but they will know from which IP address you sent it, where and at what time you sent the message, to whom you sent the message, what email provider and online connection you used to send the message, and so on.

Most email providers already encrypt messages. However, this encryption is only in play while the message is in transit: The sender types an email in plain text and hits send, at which point the email provider encrypts the message and sends it along. Once the message arrives in the recipient's inbox, the message is decrypted.

At these two "endpoints" — the sender's and receiver's devices — the messages are stored in plain text, which means snoops can avoid encryption entirely by accessing the sender's or receiver's device, installing spyware on it or otherwise breaking into an endpoint device's security.

This is what Snowden meant in his Guardian interview when he said "endpoint security is so terrifically weak that NSA can frequently find ways around [encryption]."

There are other ways to encrypt your data. PGP, for example (short for Pretty Good Privacy) is a free encryption and decryption service for texts, emails and files.  It's used in various types of in-house software programs, but is less common among individual users, because all parties of an electronic communication need to use PGP for the encryption to work.

Encrypting your emails protects your content, not your metadata. But Schneier says that if your encryption algorithm — and more importantly, your key (similar to a password) — is strong enough, it's a pretty good defense against the NSA's prying eyes.

"The NSA is limited by computation [power]," he said. "So even mediocre encryption can help because it's a strain on resources." However, Schneier added, encryption can't ensure your privacy — it can only make you "a little harder" to spy on. If the NSA really wants to crack your encryption, they can do it— the encryption's strength only determines the amount of time it'll take them to crack it.

While the encryption does work to prevent (or at least delay) anyone from reading your emails, it can be a double-edged sword: By making your data harder to read, you're also calling attention to yourself.

Despite the wealth of information Snowden provided to the public, many of the details surrounding the NSA's activities and the way the agency implements the policies outlined in the Snowden documents are still unclear.

Here's what we do know: the NSA is not supposed to target U.S. persons — the word "target" here means:  reading emails, listening to phone conversations or surveilling in any other way. Nor is the NSA allowed to store any of this information on government servers for later review.

There is no evidence that the NSA targets U.S. persons in any capacity.

However, documents signed by U.S. Attorney General Eric Holder and dated July 2009 — "Procedures Used by NSA to Target Non-U.S. Persons" and "Procedures Used by NSA to Minimize Data Collection from U.S. Persons" (both made available by Snowden via The Guardian) suggest that the NSA maintains some type of database of U.S. persons' metadata:

"In order to prevent the inadvertent targeting of a United States person, NSA maintains records of telephone numbers and electronic communications accounts/addresses/identifiers that NSA has reason to believe are being used by United States persons."

This may seem alarming, but it's important to note that the system described in the above passage does not constitute "targeting" U.S. persons. Not in the way the NSA defines the word.

Despite this, these Holder memos specify quite a few loopholes that the NSA can invoke when it comes to retaining information tangentially acquired from U.S. persons during the course of targeting non-U.S. persons.

The NSA is supposed to "destroy inadvertently acquired communications of or concerning a United States person at the earliest practicable point in the processing cycle," according to the second of the two aforementioned documents. The same document defines acquisition as "the collection by NSA or the FBI through electronic means of a nonpublic communication to which it is not an intended party."

However, the NSA is allowed to retain these "inadvertently acquired" U.S. conversations in several different circumstances, including: If the conversations are encrypted, and/or if they are of immediate relevance to cybersecurity.

"Maintenance of technical data bases requires retention of all communications that are enciphered or reasonably believed to contain secret meaning," Section 5 of the "Procedures Used by NSA to Minimize Data Collection of U.S. Persons" states.

Further, the ambiguous way that the NSA defines "collection" allows the agency to hold these encrypted conversations for an unlimited period of time.

According to the Department of Defense's "Procedures Governing the Activities of DoD Intelligence Components that Affect United States Persons" (viewable as a PDF here): "Information shall be considered as 'collected' only when it has been received for use by an employee of a Department of Defense intelligence component… Data acquired by electronic means is 'collected' only when it has been processed into intelligible form."

That means that if a message is encrypted, or even just automatically stored on a database without a human ever laying eyes on it, it's not considered "collected"; instead, it's considered merely "acquired."

So is there any way to hide from the NSA when the act of protecting yourself apparently makes you all the more noticeable?

Schneier did have one other piece of advice aside from throwing your electronics into the ocean: "Vote. Vote for people who won't do this. What else can you do? Never use a credit card? Turn your cellphone off? This isn't sound advice. But that's what we're reduced to."

Follow us @TomsGuide or on Facebook.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.