Can You Hide Anything from the NSA?

You may be making things worse

Efforts to protect your data from prying eyes may actually earn you even more government scrutiny, according to new leaked documents from the U.S. National Security Agency (NSA).

If you try to protect your online privacy, encrypt your communications or even engage in discussions of cybersecurity, it appears that you're treated as a possible terrorist, criminal or foreign spy by the agency.

In light of this revelation, is it even worth it to try to protect your privacy online?

Security and encryption expert Bruce Schneier paints a bleak picture of what it would take to be truly safe from governmental surveillance:

"Throw away your credit card, put a nail in your cellphone [and] throw your computer into the ocean."

Technically, U.S. persons should already be safe from NSA surveillance. The NSA is not supposed to target a U.S. citizen or a documented resident of the United States at all. Just being on U.S. soil is supposed to offer some form of security: The NSA is supposed to treat all people known to be on U.S. soil as U.S. persons until proven otherwise.

According to its own procedures, any data the NSA has on U.S. persons was acquired accidentally, as collateral damage during the process of targeting non-U.S. persons, and should be destroyed.

However, the NSA's procedures for determining whether a potential target is a U.S. person are vague and replete with exceptions and loopholes. The same is true of the NSA's procedures for minimizing the amount of data "accidentally" collected from U.S. persons.

What, exactly, does that mean for U.S. persons? What kind of data does the NSA gather and retain on them?

"It's sort of like a puzzle that those of us who are in [the digital security] field have been trying to put together for years," said Jennifer Granick, director of civil liberties at Stanford Law School's Center for Internet and Society.

Encryption does work — with a catch

In a live "Ask Snowden" event on The Guardian's website on June 17, Edward Snowden, the former NSA technical contractor turned whistleblower, said that encrypting your data can protect you from surveillance:

“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around [encryption].”

Still, "encryption and decryption is probably the best answer we have so far," Granick told TechNewsDaily.

How could the average citizen go about implementing encryption? Say you don't want anyone to be able to read your emails except for the intended recipient. The process involves running your emails' content, or plain text, through an algorithm that scrambles it.

Only a person with the proper key can unscramble the message and read it. To anyone else, your message looks like a random sequence of characters.

It's important to note that encryption protects your messages' content, not their metadata.

That means that any snoops will not know what you said in a message, but they will know from which IP address you sent it, where and at what time you sent the message, to whom you sent the message, what email provider and online connection you used to send the message, and so on.
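
To make the split between content and metadata concrete, here is an added Python example that is not part of the original article. It builds an email with an encrypted body and shows what an observer without the key can still read. The addresses, IP address and message text are constructed, and a one-time pad stands in for PGP so the code needs only the standard library.

```python
import base64
import secrets
from email import message_from_string
from email.message import EmailMessage

SECRET_BODY = "Meet at the usual place at noon."  # constructed sample text

def otp_encrypt(plaintext):
    """One-time pad (XOR with a random key of equal length).
    Stand-in for PGP so the example needs only the standard library."""
    key = secrets.token_bytes(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, key)), key

def build_encrypted_mail(body):
    """Return (raw message as it travels, key held only by the two parties)."""
    ciphertext, key = otp_encrypt(body.encode())
    msg = EmailMessage()
    # Constructed headers: reserved example domains and a documentation IP.
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.net"
    msg["Date"] = "Mon, 01 Jul 2013 09:30:00 -0400"
    msg["Subject"] = "lunch"  # classic PGP mail leaves the subject in the clear
    msg["X-Originating-IP"] = "[192.0.2.10]"
    msg.set_content(base64.b64encode(ciphertext).decode())
    return msg.as_string(), key

def observer_view(raw):
    """What anyone holding the raw message, but not the key, can read."""
    msg = message_from_string(raw)
    return {"headers": dict(msg.items()), "body": msg.get_payload().strip()}

def recipient_view(raw, key):
    """The intended recipient decodes the body and removes the pad."""
    ciphertext = base64.b64decode(message_from_string(raw).get_payload())
    return bytes(c ^ k for c, k in zip(ciphertext, key)).decode()

if __name__ == "__main__":
    raw, key = build_encrypted_mail(SECRET_BODY)
    seen = observer_view(raw)
    for name in ("From", "To", "Date", "Subject", "X-Originating-IP"):
        print(f"visible  {name}: {seen['headers'][name]}")
    print("opaque   body:", seen["body"])
    print("with key body:", recipient_view(raw, key))
```
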

Most email providers already encrypt messages. However, this encryption is only in play while the message is in transit: The sender types an email in plain text and hits send, at which point the email provider encrypts the message and sends it along. Once the message arrives in the recipient's inbox, the message is decrypted.

At these two "endpoints" — the sender's and receiver's devices — the messages are stored in plain text, which means snoops can avoid encryption entirely by accessing the sender's or receiver's device, installing spyware on it or otherwise breaking into an endpoint device's security.

This is what Snowden meant in his Guardian interview when he said "endpoint security is so terrifically weak that NSA can frequently find ways around [encryption]."

There are other ways to encrypt your data. PGP (short for Pretty Good Privacy), for example, is a free encryption and decryption service for texts, emails and files. It's used in various types of in-house software programs, but is less common among individual users, because all parties to an electronic communication need to use PGP for the encryption to work.

Encrypting your emails protects your content, not your metadata. But Schneier says that if your encryption algorithm — and more importantly, your key (similar to a password) — is strong enough, it's a pretty good defense against the NSA's prying eyes.

"The NSA is limited by computation [power]," he said. "So even mediocre encryption can help because it's a strain on resources." However, Schneier added, encryption can't ensure your privacy — it can only make you "a little harder" to spy on. If the NSA really wants to crack your encryption, they can do it — the encryption's strength only determines the amount of time it'll take them to crack it.

While the encryption does work to prevent (or at least delay) anyone from reading your emails, it can be a double-edged sword: By making your data harder to read, you're also calling attention to yourself.

Translating the NSA's legal doubletalk

Despite the wealth of information Snowden provided to the public, many of the details surrounding the NSA's activities and the way the agency implements the policies outlined in the Snowden documents are still unclear.

Here's what we do know: The NSA is not supposed to target U.S. persons. The word "target" here means reading emails, listening to phone conversations or surveilling in any other way. Nor is the NSA allowed to store any of this information on government servers for later review.

There is no evidence that the NSA targets U.S. persons in any capacity.

However, documents signed by U.S. Attorney General Eric Holder and dated July 2009, "Procedures Used by NSA to Target Non-U.S. Persons" and "Procedures Used by NSA to Minimize Data Collection from U.S. Persons" (both made available by Snowden via The Guardian), suggest that the NSA maintains some type of database of U.S. persons' metadata:

"In order to prevent the inadvertent targeting of a United States person, NSA maintains records of telephone numbers and electronic communications accounts/addresses/identifiers that NSA has reason to believe are being used by United States persons."

This may seem alarming, but it's important to note that the system described in the above passage does not constitute "targeting" U.S. persons, not in the way the NSA defines the word.

Despite this, these Holder memos specify quite a few loopholes that the NSA can invoke when it comes to retaining information tangentially acquired from U.S. persons during the course of targeting non-U.S. persons.

The NSA is supposed to "destroy inadvertently acquired communications of or concerning a United States person at the earliest practicable point in the processing cycle," according to the second of the two aforementioned documents. The same document defines acquisition as "the collection by NSA or the FBI through electronic means of a nonpublic communication to which it is not an intended party."

However, the NSA is allowed to retain these "inadvertently acquired" U.S. conversations in several different circumstances, including if the conversations are encrypted and/or if they are of immediate relevance to cybersecurity.

"Maintenance of technical data bases requires retention of all communications that are enciphered or reasonably believed to contain secret meaning," Section 5 of the "Procedures Used by NSA to Minimize Data Collection of U.S. Persons" states.

Further, the ambiguous way that the NSA defines "collection" allows the agency to hold these encrypted conversations for an unlimited period of time.

According to the Department of Defense's "Procedures Governing the Activities of DoD Intelligence Components that Affect United States Persons": "Information shall be considered as 'collected' only when it has been received for use by an employee of a Department of Defense intelligence component… Data acquired by electronic means is 'collected' only when it has been processed into intelligible form."

That means that if a message is encrypted, or even just automatically stored in a database without a human ever laying eyes on it, it's not considered "collected"; instead, it's considered merely "acquired."

So is there any way to hide from the NSA when the act of protecting yourself apparently makes you all the more noticeable?

Schneier did have one other piece of advice aside from throwing your electronics into the ocean: "Vote. Vote for people who won't do this. What else can you do? Never use a credit card? Turn your cellphone off? This isn't sound advice. But that's what we're reduced to."

7 comments
  • sicofante
    Why do you put so much emphasis on the issue of American citizens? I know this is an American website, but it makes it seem like it's OK for you to spy on anyone else in the world.

    Also, the meme that "encryption will put more attention on you" is only true while only a few encrypt their communications. The industry should make efforts to make encryption default. There's no excuse for the behavior of the USA and the rest of the world needs to wake up and show you Americans a huge encrypted finger.
  • Jill Scharr
    Hi, sicofante, thanks for your comment! You're right that this article emphasizes the issue of NSA spying on American citizens. The reason for that is there are laws in place saying that NSA should not spy on "U.S. persons." The laws around non-U.S. persons are a lot more wide-open, unfortunately, because international espionage is loosely policed by the U.N. so the U.S. has a lot more leeway to act. I did not mean to imply in the article that it's "OK" for the U.S. to spy on anyone else in the world. If it came off that way, then I apologize.

    Your second point about how encryption is only attention-grabbing while a few are doing it is also absolutely true! The problem is training people to know what encryption is, how it works and how to implement it for their personal data. Something like PGP, for example, only works if both the sender and receiver of a message are using PGP to encrypt/decrypt messages. I don't think that's the corporate sector's job, if that's what you mean by "industry." It has to come from education and personal volition. We've done articles on how to encrypt data before and it's certainly going to be a continuing area of focus in the future.
  • baracubra
    I love how even Jill managed to double post! :D
  • KelvinTy
    You probably can't hide your stuff from the NSA if they are determined to get you... With all those server racks they put in ISPs... A man-in-the-middle attack is probably unavoidable. Many traditional methods work but the metadata is really difficult to cover since the protocol didn't take that level of encryption into account...
    IEEE, copying Cisco proprietary protocols and making them its own. I guess it's up to Cisco to develop some new protocol. XD
  • Jill Scharr
    @baracubra I know, I double-posted, I'm so ashamed. I hit 'refresh' and it just happened :(
  • pocketdrummer
    Wake up sicofante, do you honestly think the US government ISN'T spying on Americans simply because they said so? How naive.

    Here's a big fleshy middle finger from Americans to you.

    Instead of being a douche, why not work WITH THE AMERICAN PEOPLE in pushing for encryption in nearly everything. We don't want our government snooping on us OR YOU! However, it doesn't seem that our elected politicians care what the people want.

    Also, I'm assuming you're in the UK, possibly Australia... your government is in on this too, so stop the self-righteous bullshit.
  • Bud Mulqueeney
    All this technical stuff and NOT one mention of prison time for those who consistently VIOLATE our Bill of Rights of PRIVACY (under the guise of "national security"!!!). A new euphemism of the elitists in and around the Beltway, and soon in Utah too, of "screw you, Mr./Mrs. America, we are the modern-day Gestapo and can do anything and everything we want"!!!