What can I do about PRISM?

Now that the most powerful nation states of the world have been caught performing wholesale surveillance on us, their citizens, and have responded with a “so what?”, the question arises… what are we, the citizens caught in a surveillance society, to do?

It seems to me there are five broad strategies:

1. Retreat

Leave the big cities. Stop using credit cards and mobile phones. Live off the land. Read only paper books. Send snail mail. Use cash. Deny your children education in and enjoyment of modern technology.

2. Ignore

Carry on your life as if PRISM did not exist. Suppress the inconvenient knowledge that you have acquired. Hope it’ll all be okay, since you will always toe the line of whatever establishment you happen to operate under. Leave your children uninformed about what’s going on, or just tell them “that’s normal, that’s how it’s always been”. Carry on using Facebook, surf the web while being logged into Yahoo!, Google or Hotmail, carry on syncing all your Apple iThings content to “the cloud”. Chat with your loved ones over Skype/Google Talk/FaceTime/WhatsApp/MSN/Facebook and all the other “freebie” services that are surveillance chambers. Have photos of your kids online.

3. Hide (with technical means)

Use Tor for surfing the web, PGP to encrypt your email, ZRTP to encrypt your voice/video calls, OTR to encrypt your chats, learn how to manage your keys securely, use secure operating systems like Qubes OS. This approach is inconvenient and difficult to do properly even for experts, and network effects penalise you: others will not communicate with you in compatible (private) ways, so it will be difficult to communicate with them. You will also attract loathing from others because you are visibly putting barriers between them and you. A losing battle, but it buys you and (if you manage to convert them to your cause and if they are capable of following) your loved ones some privacy and decency, even though what you are practically doing is hiding.

4. Fight (within the system)

Become a member and donate as much as you can to organisations like the Electronic Frontier Foundation (EFF, US-focused), the Open Rights Group (UK-based), EDRI (Europe-focused) etc. Write to your politicians. Write to newspapers. Publish articles on your blog. Talk to your friends to raise awareness. Join demonstrations. Vote accordingly whenever you’re given the chance.

5. Fight (with all you’ve got – also known as civil disobedience)

“Cast your whole vote, not a strip of paper merely, but your whole influence.” Subvert the system in any (non-violent) way possible. Stop obeying the rules of a system that is immoral. Become as vocal as possible and follow your words with actions. No matter what the consequences to you personally, it’s worth it if we all fight together. Remember that “A minority is powerless while it conforms to the majority; it is not even a minority then; but it is irresistible when it clogs by its whole weight.”

Most people will want to do a combination of different elements of the above – although a clear strategy that balances pain to you with protection for your family is difficult to describe.

Some excerpts from Evgeny Morozov’s “The Net Delusion”

Evgeny Morozov’s “The Net Delusion: How not to liberate the world” is a refreshing note of realism amongst the cheerleading majority that promise us that “the Internet” or “information” will somehow magically transform our lives for the better.

Here are a few excerpts from the book which I found particularly pertinent:

Chapter “Orwell’s favourite lolcat” (Morozov’s book chapters are too funny and to the point to not mention)

On the “mash-up” of attitudes towards “freedom” between West and Rest (here personified in China):

[...]as the writer Naomi Klein puts it, “China is becoming more like [the West] in very visible ways (Starbucks, Hooters, cellphones that are cooler than ours), and [the West is] becoming more like China in less visible ones (torture, warrantless wiretapping, indefinite detention, though not nearly on the Chinese scale).”

On the modus operandi of modern dictatorships:

It seems fairly noncontroversial that most modern dictators would prefer a Huxleyan world to an Orwellian one, if only because controlling people through entertainment is cheaper and doesn’t involve as much brutality. When the extremely restrictive Burmese government permits – and sometimes even funds – hip-hop performances around the country, it’s not 1984 that inspires them.

Chapter “Censors and Sensibilities”

On how most citizens of “The Rest” do not necessarily share the ill-defined dreams of “democracy” as portrayed in the West:

Most citizens of modern-day Russia or China do not go to bed reading Darkness at Noon only to wake up to the jingle of Voice of America or Radio Free Europe; chances are that much like their Western counterparts, they, too, wake up to the same annoying Lady Gaga song blasting from their iPhones. While they might have a strong preference for democracy, many of them take it to mean orderly justice rather than the presence of free elections and other institutions that are commonly associated with the Western model of liberal democracy. For many of them, being able to vote is not as valuable as being able to receive education or medical care without having to bribe a dozen greedy officials. Furthermore, citizens of authoritarian states do not necessarily perceive their undemocratically installed governments to be illegitimate, for legitimacy can be derived from things other than elections; jingoist nationalism (China), fear of a foreign invasion (Iran), fast rates of economic development (Russia), low corruption (Belarus), and efficiency of government services (Singapore) have all been successfully co-opted for these purposes.

Chapter “Hugo Chavez Would Like to Welcome You to the Spinternet”

On enforced jingoist nationalism in China:

In 2009 millions of customers of the state-controlled China Mobile, who perhaps were not feeling patriotic enough on the country’s National Day, woke up to discover that the company replaced their usual ringback tone with a patriotic tune sung by the popular actor Jackie Chan and a female actress.[...] These days even the website of China’s Defense Ministry has a section with music downloads; one can enjoy jingoistic music all one wants.

On propaganda reusing the West’s “liberating” technologies:

The use of text messaging for propaganda purposes – known as “red-texting” – reveals another creative streak among China’s propaganda virtuosos. The practice may have grown out of a competition organized by one of China’s mobile phone operators to compose the most eloquent Party-admiring text message. Fast forward a few years, and senior telecom officials in Beijing are already busily attending “red-texting” symposia.
“I really like these words of Chairman Mao: ‘The world is ours, we should unite for achievements. Responsibility and seriousness can conquer the world and the Chinese Communist Party members represent these qualities.’ These words are incisive and inspirational.” This is a text message that thirteen million mobile phone users in the Chinese city of Chongqing received one day in April 2009. Sent by Bo Xilai, the aggressive secretary of the city’s Communist Party who is speculated to have strong ambitions for a future in national politics, the messages were then forwarded another sixteen million times. Not so bad for an odd quote from a long-dead Communist dictator.

Chapter “Why the KGB wants you to join Facebook”

On why databases are better (at their job) than Stasi officers:

The Lives of Others, a 2006 Oscar-winning German drama, with its sharp portrayal of pervasive surveillance activities of the Stasi, GDR’s secret police, helps to put things into perspective. Focusing on the meticulous work of a dedicated Stasi officer who has been assigned to snoop on the bugged apartment of a brave East German dissident, the film reveals just how costly surveillance used to be. Recording tape had to be bought, stored and processed; bugs had to be installed one by one; Stasi officers had to spend days and nights on end glued to their headphones, waiting for their subjects to launch into an antigovernment tirade or inadvertently disclose other members of their network. And this line of work also took a heavy psychological toll on its practitioners: the Stasi anti-hero of the film, living alone and given to bouts of depression, patronizes prostitutes – apparently at the expense of his understanding employer.
As the Soviet Union began crumbling, a high-ranking KGB officer came forward with a detailed description of how much effort it took to bug an apartment:

“Three teams are usually required for that purpose: One team monitors the place where that citizen works; a second team monitors the place where the spouse works. Meanwhile, a third team enters the apartment and establishes observation posts one floor above and one floor below the apartment. About six people enter the apartment wearing soft shoes; they move aside a bookcase, for example, cut a square opening in the wallpaper, drill a hole in the wall, place the bug inside, and glue the wallpaper back. The artist on the team airbrushes the spot so carefully that one cannot notice any tampering. The furniture is replaced, the door is closed, and the wiretappers leave.”

Given such elaborate preparations, the secret police had to discriminate and go only for well-known high-priority targets. The KGB may have been the most important institution of the Soviet regime, but its resources were still finite; they simply could not afford to bug everyone who looked suspicious. Despite such tremendous efforts, surveillance did not always work as planned. Even the toughest security officers – like the protagonist of the German film – had their soft spots and often developed feelings of empathy for those under surveillance, sometimes going so far as to tip them off about upcoming searches and arrests. The human factor could thus ruin months of diligent surveillance work.
The shift of communications into the digital realm solves many of the problems that plagued surveillance in the analog age. Digital surveillance is much cheaper: Storage space is infinite, equipment retails for next to nothing, and digital technology allows doing more with less. Moreover, there is no need to read every single word in an email to identify its most interesting parts; one can simply search for certain keywords – “democracy”, “opposition”, “human rights”, or simply the names of the country’s opposition leaders – and focus only on particular segments of the conversation. Digital bugs are also easier to conceal. While seasoned dissidents knew they constantly had to search their own apartments looking for the bug or, failing that, at least tighten their lips, knowing that the secret police was listening, this is rarely an option with digital surveillance. How do you know that someone else is reading your email?

On wholesale surveillance using cameras and face recognition software:

[...]the Chinese government keeps installing video cameras in its most troubling cities. Not only do such cameras remind passersby about the panopticon they inhabit, they also supply the secret police with useful clues[...]. Such a revolution in video surveillance did not happen without some involvement from Western partners.
Researchers at the University of California at Los Angeles, funded in part by the Chinese government, have managed to build surveillance software that can automatically annotate and comment on what it sees, generating text files that can later be searched by humans, obviating the need to watch hours of video footage in search of one particular frame. (To make that possible, the researchers had to recruit twenty graduates of local art colleges in China to annotate and classify a library of more than two million images.) Such automation systems help surveillance to achieve the much needed scale, for as long as the content produced by surveillance cameras can be indexed and searched, one can continue installing new surveillance cameras.
[...]
The face-recognition industry is so lucrative that even giants like Google can’t resist getting into the game, feeling the growing pressure from smaller players like Face.com, a popular tool that allows users to find and automatically annotate unique faces that appear throughout their photo collections. In 2009 Face.com launched a Facebook application that first asks users to identify a Facebook friend of theirs in a photo and then proceeds to search the social networking site for other pictures in which that friend appears. By early 2010, the company boasted of scanning 9 billion pictures and identifying 52 million individuals. This is the kind of productivity that would make the KGB envious.

(ed: Note that automatic face recognition technology is now a standard feature of Facebook, as well as popular products like Google’s Picasa and Google Web albums)

On government “open-source” surveillance via social sites like Facebook:

One gloomy day in 2009, the young Belarusian activist Pavel Lyashkovich learned the dangers of excessive social networking the hard way. A freshman at a public university in Minsk, he was unexpectedly called to the dean’s office, where he was met by two suspicious-looking men who told him they worked for the KGB, one public organization that the Belarusian authorities decided not to rename even after the fall of communism (they’re a brand-conscious bunch).
The KGB officers asked Pavel all sorts of detailed questions about his trips to Poland and Ukraine as well as his membership in various antigovernment movements.
Their extensive knowledge of the internal affairs of the Belarusian opposition – and particularly of Pavel’s own involvement in them, something he didn’t believe to be common knowledge – greatly surprised him. But then it all became clear, when the KGB duo loaded his page on vkontakte.ru, a popular Russian social networking site, pointing out that he was listed as a “friend” by a number of well-known oppositional activists. Shortly thereafter, the visitors offered Lyashkovich to sign an informal “cooperation agreement” with their organization. He declined – which may eventually cost him dearly, as many students sympathetic to the opposition and unwilling to cooperate with authorities have been expelled from universities in the past. We will never know how many other new suspects the KGB added to its list by browsing Lyashkovich’s profile.

On using “technology” as the proposed solution to anything, denying our responsibility for real decisions and action:

Since technology, like gas, will fill any conceptual space provided, Leo Marx, professor emeritus at the Massachusetts Institute of Technology, describes it as a “hazardous concept” that may “stifle and obfuscate analytic thinking”. He notes, “Because of its peculiar susceptibility to reification, to being endowed with the magical power of an autonomous entity, technology is a major contributant to that gathering sense… of political impotence. The popularity of the belief that technology is the primary force shaping the postmodern world is a measure of our… neglect of moral and political standards, in making decisive choices about the direction of society.”

Highly recommended to help us re-focus on the things that matter and stop waving around the “technology, technology, technology!” magic wand, hoping that it fixes the world.

Private online communication – a matter of decency

I feel there is something inherently indecent about having a private conversation, while someone else is listening in. With modern Internet communication, that “someone else” is usually a corporation or a government.

It’s not the-STASI-is-listening-so-we-better-behave feeling that bugs me. It’s more the “I am a decent human being and I have the right to share my thoughts with my loved ones, and just with them!” feeling.

In that spirit, I encourage as many people as possible to use tools like Jitsi. Not allowing others to snoop on your private life is a matter of human decency, and you deserve it.

Get Jitsi:

Use Jitsi for private voice calls that do not allow eavesdropping:

Anyone with a Google account can make encrypted, private voice calls by using Jitsi as shown above. If you don’t have a Google account, you can use any of the (many) other services Jitsi supports (MSN, Yahoo!, AIM, ICQ, SIP, XMPP, but not Facebook – they don’t support secure calls).

Spread the word!

Echelon: a global system for the interception of private and commercial communications

Conspiracy theory, right? Something like this would never happen in our free, democratic world…

Well guess what. I borrowed the title of this post from a European Parliament report, published in 2001!

Here is a copy of the report in English: “REPORT on the existence of a global system for the interception of private and commercial communications (ECHELON interception system) (2001/2098(INI))” [PDF]

This report gives us a very high degree of confidence that such a global interception system has been operational since the 1990s.

Think about that the next time you think to yourself “Nah, the current snooping legislation and practice is fine – intelligence services around the world could never monitor and collate all this chaos of information”.

Using your taxes to monitor you

Oh wait… government doesn’t really need to do that.

As explained by Charles Farr, head of the UK’s “Office for Security and Counter-Terrorism” while giving evidence for the new Communications Data Bill in the UK:

  • It’s easier (faster, cheaper) to get your emails, chats, web pages visited, people you talked to etc. straight from communications service providers (CSPs) such as Google and Facebook. Why bother relaying SSL or launching man-in-the-middle attacks against our citizens when we can just ask our friendly Googles, Facebooks, Apples, Microsofts and Yahoos of this world to simply hand over the data? As the article’s subheading says: “We fully expect Google, Facebook and Twitter to hand over your data”
  • If that fails, we have DPI (Deep Packet Inspection) technology that the government would need to deploy in so-called “black boxes”, like the FBI “Carnivore” system in the USA… but wait, Internet Service Providers (ISPs – BT, Virgin, O2 etc) are already using such black boxes “as a matter of course”. So no problem, the technology is there, all we need to do is align the law to make it completely legal for the government to tap into this valuable source of surveillance information as well.
  • On the issue of how much Internet users (also known as citizens) can hide their personal communications, Farr said: “Not very much [...] If you have the right kind of data, issues of anonymisation cease to be a problem. [...] If people take greater efforts at anonymisation, it could become a problem [...] but I’m satisfied by the techniques being developed. Many workarounds can be defeated [...]” Farr admitted “there will still be workarounds” but claimed that by 2018 that gap could be tightened with a new law.
  • Over £900m is being budgeted for storage – presumably to keep historical communication information. That kind of money can buy the government a lot of space to keep our emails, discussions and online habits on file for a long time.

Source: http://www.theregister.co.uk/2012/07/11/communcations_data_bill_joint_committee/

What can you do to protect yourself from this wholesale surveillance?

  1. Act. Speak. Make people aware. Don’t fall for the popular myth that you’re surrounded by apathy. You’re not.
  2. Think. Do you really need to use Google Mail and Google Chat? Do you really need to interact with your friends on Facebook and talk to them over Facebook Chat? Ditto for Yahoo!, Hotmail, Skype, Apple services… you ought to know that you are speaking in a room full of microphones and cameras, and what you say and do is recorded for a very long time and made available to governments and private corporations alike.
  3. Seek alternatives. Expect that it won’t be easy. This is a multi-billion industry you’re trying to escape. For chatting online, use Off The Record technology (built into chat programs like Jitsi, Pidgin, Gibberbot for Android, ChatSecure for iPhones/iPads etc.). For Skype alternatives (for voice/video chatting) use ZRTP products like Jitsi and Zfone.
  4. Smarten up on the broader issues of how you are constantly under surveillance when using your phone or computer. Read up on EFF’s Surveillance Self Defense guide.
  5. Demand change from your leaders. Employing countermeasures that enforce your privacy will only be cumbersome in the long run. The law needs to change. Engage with your local community and reach out to groups like the Electronic Frontier Foundation (USA), the Open Rights Group (UK), La Quadrature du Net (France) and EDRI (EU) to get started.

A Skype alternative worth its salt: Jitsi

I’ve been using Skype, Google Talk and Facebook chat for years to communicate with friends and family. They’re all convenient, reliable and easy to use. But there is a big problem: They are all very easy to record and monitor by 3rd parties. We now know that:

  • Microsoft (owner of Skype) keeps records of who talked to whom and for how long. We also have very good reason to believe that there are tools out there (built by private companies and sold to governments) that can eavesdrop on Skype voice calls. Skype executives have been unable to deny that they comply with local law enforcement requests to eavesdrop on Skype calls.
  • Google definitely record all of your text chats. They don’t deny they do that, even when you use the “Go off the record” option in Google Talk. We’re not sure what recording they do with voice calls but can be certain that they comply with the law – therefore building “legal intercept” capabilities into their products.
  • Facebook record and analyze all of your text chats and will report you to the police if they see anything “suspicious” (source: Reuters). We don’t know what they do with voice/video calls, but again can be certain that they comply with the law – therefore building “legal intercept” capabilities into their products.

So if you happen to live in a surveillance state (think countries of the Arab Spring, think UK with their repeated attempts to introduce surveillance of their citizens, think USA with their record-breaking demands for your personal data from all of the above service providers (Microsoft, Google and Facebook)) then you can expect that all your online communications with your loved ones (voice calls, video calls, text chats) are recorded and stored, or at least eavesdropped upon. They’re all great free services that allow you to keep in touch with people, with one caveat: the government is listening in.

If you have no problem with that, perhaps because you subscribe to the flawed “I have nothing to hide” school of thought, read no further.

If you feel that being spied upon constantly, and having no reasonable expectation of privacy for your online life is not cool, read on.

The work of thousands of visionaries (starting with people like Richard Stallman in the 70s) has today given us the free tools to protect our online communications to a reasonable degree. These are not tools to stop a police investigation against you from succeeding – these are tools that empower you to opt-out from the surveillance-by-default communications channels most of us use, and instead keep your private thoughts and words only between yourself and your loved ones.

Jitsi main window
The easiest one to get us started is Jitsi.

Jitsi gives you voice calls, video calls, instant text messages and group chats. It therefore covers 100% of the communication capabilities of Microsoft’s Skype, Google Talk, Facebook Chat, IRC channels and the like. Use Jitsi, and you don’t need to use any of these again.

Why switch to Jitsi?

Because it protects your privacy as much as possible. If you and your loved ones use Jitsi, you can:

  • Have end-to-end encryption of your voice and video calls – guaranteeing that nobody is listening in or recording.
  • Have end-to-end encryption of your text (instant messaging) chats with Off The Record (OTR) technology – the world’s finest in preserving your privacy with unique features like Perfect Forward Secrecy and Deniability.

As an additional benefit, it’s great to have all of your instant messaging contacts in one window, and Jitsi gives you that. It also runs on Windows, MacOSX and GNU/Linux.

encrypted video call

Start using Jitsi instead of Skype, Google Talk and Facebook Chat and stop corporations and governments collecting, storing and analyzing the thoughts you share with your loved ones.

PS: You can only have private communications if both ends of the chat/voice/video call support this. If both you and your loved ones use Jitsi, voice & video calls are private by default. For text chats, you will have to click the lock icon in your chat window (as shown below) until it displays a closed “lock” state.

this conversation is NOT private
PPS: No “lock” icon? That probably means that the person you are chatting with is not using Jitsi or a similar program that can protect your chats with OTR. You can only have a private conversation if both ends support OTR.

PPPS: Looking for something like Jitsi for your smartphone? For private text messaging (using the Off The Record protocol) look at ChatSecure for iPhones or Gibberbot for Android phones. For private voice calls on Android, look into csipsimple and Moxie Marlinspike’s RedPhone. Remember, both ends of the conversation need the same technology to create a private channel.

Simple use of Bitcoin

Executive summary

  • Create a Mt.Gox account
  • Add funds to your Mt.Gox account using traditional currency
  • Send bitcoins from your Mt.Gox account to your personal wallet.
  • Send bitcoins from your personal wallet to anyone you like.

Disclaimer 1: Bitcoin does not provide strong anonymity. Do not count on it for life-or-death situations.

Disclaimer 2: I am a Bitcoin newbie

On with the show…

1. What is Bitcoin?

Bitcoin

Bitcoin is a digital currency. Just like countries use national currencies ($, €, £ etc), Internet users can use digital currencies. One of these digital currency systems is Bitcoin. It is not well understood by the general population and is still considered an experimental system, but using it for simple tasks like making a single transaction is quite straightforward, as detailed below.

Why would you want to go through the trouble of learning how to use a new currency system?

Well, it has some unique advantages:

  • Better anonymity than traditional non-cash transactions. Transactions are linked to the unique identity of the wallet you are using at the time, but wallets can be created easily and do not require human identity validation. This is not strong anonymity (e.g. against the state monitoring you specifically), but it is much better than the current payment processing systems (a guy on the street buys a coke using a plastic card in Moscow; 30 seconds later Washington knows). Read also a precautionary note with funky graphs about how Bitcoin is not anonymous. (hat tip to hypnos)
  • Transactions are instantaneous. There are no intermediaries involved. No banks. Bitcoins move instantly and directly to their destinations. Bitcoin is a peer to peer system with no central authority.
  • Transactions cannot be blocked by the usual payment processors – e.g. when in 2010 Visa, Mastercard and Paypal blocked donations to Wikileaks, it was still possible to donate using bitcoins.
  • There are no fees to transfer bitcoins.

In short, Bitcoin is an alternative to the traditional currency system that does not appear to be controlled by banks or payment processors like Visa or Mastercard.

2. Exchanging traditional currency for Bitcoins

Most people will want to convert a small amount of traditional currency into bitcoins to test the system first. You can use a Bitcoin exchange for this. One such exchange is Mt. Gox: https://mtgox.com

After you have created an account on the Mt. Gox website you will want to buy some bitcoins. To do that, go to “Funding Options -> Add Funds”. There you are given the bank details you can use to send money with a traditional bank money transfer or other methods. You have not started using bitcoins yet, so this is a very traditional transfer of funds between your bank and Mt. Gox.

Once Mt. Gox have received your funds, your Mt. Gox account will reflect them. Say for example you instructed your bank to send Mt. Gox $10 with a method that did not incur any charges. Your Mt. Gox account will show you have $10 available to spend.

You can now go to Trade -> Buy Bitcoins and buy some bitcoins at the going rate for USD to bitcoin conversion. Let’s say you manage to buy 2.31 bitcoins with your $10. You can send these bitcoins directly to the person/organisation you wish to pay, which is the quick option, but leaves a clear trace of your transaction, since Mt. Gox know who you are and who you paid. Alternatively you can transfer your bitcoins to a digital wallet on your personal computer, which means that Mt. Gox no longer know where the money is.

To do that, you need to set up your bitcoin wallet on your personal computer.

3. Creating your Bitcoin digital wallet

Download and install the latest Bitcoin client from http://bitcoin.org

For the following examples I will be using Bitcoin-Qt version 0.6.2

Please note that there is an 8+ hour startup time for this client, as it synchronises with the global transaction database. Once it’s up and running (and fully synchronised), you’re good to go.

Click on “Receive coins”. There you will find your digital wallet’s address, which will look like a string of random characters similar to this:

1ES2sNEfjmCZJt3yE6jdE31L1QgqnrVcmn

4. Transferring Bitcoins to your wallet

In your Mt. Gox account, choose “Funding Options” and then “Withdraw funds”.

Enter the amount you want to send to the wallet on your computer, and your wallet’s address (which you found out above).

After confirming the transaction, the Bitcoins should appear in your computer’s digital wallet within a few seconds.

5. Sending money to another Bitcoin user

So you have bitcoins on your computer now. How do you send them to other people? Simple, all you need is their bitcoin address. Ask them for it, check their donations web page etc. – you’re looking for a bitcoin address that looks similar to yours (a long string of random characters).

Once you have the address you want to send the bitcoins to, click the “Send coins” button in the bitcoin application, enter the amount and address, and click “Send”.

That’s it, the money has been transferred!

If you want to let them know it was you who sent them the money, you might want to send them an email notifying them – otherwise from the bitcoin transaction alone they won’t know.
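The address shown in step 3 and the one you are asked to paste in step 5 are not arbitrary “random characters”: a Bitcoin address is a version byte plus a 20-byte key hash, with a 4-byte checksum appended, all written in Base58. That checksum is what lets a wallet reject a mistyped or tampered address before any coins leave your computer. The following is an added example (written for this page, not code from the Bitcoin client or any other project) that encodes and decodes that format in plain Python 3; the sample addresses in it are constructed, and the all-zeros key hash is used only because its address is a well-known fixed value.

```python
import hashlib

# Bitcoin's Base58 alphabet: digits 0/O and letters I/l are left out to
# avoid visually confusable characters in hand-copied addresses.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first four bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58encode(raw: bytes) -> str:
    """Encode bytes as Base58; every leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    """Decode Base58 text back to bytes, restoring leading zero bytes."""
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def encode_address(version: int, hash160: bytes) -> str:
    """Build a Base58Check address from a version byte and a 20-byte hash."""
    if len(hash160) != 20:
        raise ValueError("hash160 must be exactly 20 bytes")
    payload = bytes([version]) + hash160
    return b58encode(payload + _checksum(payload))


def decode_address(address: str) -> tuple[int, bytes]:
    """Return (version, hash160) or raise ValueError if the checksum fails."""
    raw = b58decode(address)
    if len(raw) != 25:
        raise ValueError("a Base58Check address decodes to exactly 25 bytes")
    payload, given = raw[:-4], raw[-4:]
    if _checksum(payload) != given:
        raise ValueError("checksum mismatch: address was mistyped or altered")
    return payload[0], payload[1:]


def is_valid_address(address: str) -> bool:
    """True only if the checksum holds and the version is a mainnet one."""
    try:
        version, _ = decode_address(address)
    except ValueError:
        return False
    # 0x00 = pay-to-pubkey-hash (addresses starting with '1'),
    # 0x05 = pay-to-script-hash (addresses starting with '3').
    return version in (0x00, 0x05)


if __name__ == "__main__":
    # Constructed sample: the address of a 20-byte all-zeros hash.
    sample = encode_address(0x00, b"\x00" * 20)
    print(sample, is_valid_address(sample))
    # A single changed character breaks the checksum.
    print(sample[:-1] + "3", is_valid_address(sample[:-1] + "3"))
```

Before clicking “Send coins”, pasting the recipient’s address through `is_valid_address` catches the common failure of a dropped or swapped character; it cannot tell you whether the address really belongs to the person you mean to pay, which is why the text above still recommends confirming the address with them directly.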

Free tools to protect your privacy online

Most schools, companies, service providers and governments record and analyse as much as they can of your online behaviour: All your emails, chats with your friends, web pages you visit, things you search for, photos you look at and more – all are stored and linked with your identity.

By using these free tools you make it harder for others to observe your online life:

  • Tor – browse the Internet without revealing your location
  • Jitsi – make free voice calls without anyone listening in on your calls. Also, chat with your friends via Google Chat or Facebook chat without your conversations being recorded.
  • TrueCrypt – encrypt your files before storing them online (e.g. on DropBox or Google Drive), so that only you can read them
  • CryptoCat – have private text chats online, wherever you are (video)
  • GnuPG – encrypt your emails so that only your recipient can read them [ADVANCED]
  • TAILS – use other people’s computers without compromising your security or privacy [ADVANCED]
  • Want guidance on how to use any of these tools? Have more to add to the list? Leave a comment.

    Book review: “Free Culture” by Lawrence Lessig

    I enjoyed reading Lawrence Lessig’s book “Free Culture” – which is freely available online.

    Professor Lessig takes the reader through a fascinating trip that drives a single point home: The current blanket copyright protectionism is hurting our culture.

    Passages from the book I enjoyed:

    A Cold-war era propaganda film, courtesy of the Internet Archive:

    Want to see a copy of the “Duck and Cover” film that instructed children how to save themselves in the middle of nuclear attack? Go to archive.org, and you can download the film in a few minutes—for free.

    The asymmetry of our reaction to content sharing:

    The obvious point of Conrad’s cartoon is the weirdness of a world where guns are legal, despite the harm they can do, while VCRs (and circumvention technologies) are illegal. Flash: No one ever died from copyright circumvention. Yet the law bans circumvention technologies absolutely, despite the potential that they might do some good, but permits guns, despite the obvious and tragic harm they do.

    Never in our history have fewer had a legal right to control more of the development of our culture than now.

    Some fascinating statistics that show how the law penalises the vast majority of culture, just to allow a tiny subset of it to keep on cashing in for their rights holders:

    In 1930, 10,047 books were published. In 2000, 174 of those books were still in print. Let’s say you were Brewster Kahle, and you wanted to make available to the world in your iArchive project the remaining 9,873. What would you have to do?

    Forget all the works from the 1920s and 1930s that have continuing commercial value. The real harm of term extension comes not from these famous works. The real harm is to the works that are not famous, not commercially exploited, and no longer available as a result. If you look at the work created in the first twenty years (1923 to 1942) affected by the Sonny Bono Copyright Term Extension Act, 2 percent of that work has any continuing commercial value. It was the copyright holders for that 2 percent who pushed the CTEA through. But the law and its effect were not limited to that 2 percent. The law extended the terms of copyright generally.

    [...] most books go out of print within one year. The same is true of music and film.

    As one researcher calculated for American culture, 94 percent of the films, books, and music produced between 1923 and 1946 is not commercially available.

    A smart fix to blanket copyright law by professor Lessig: Make long-term copyright opt-in:

    [...] I proposed a simple fix: Fifty years after a work has been published, the copyright owner would be required to register the work and pay a small fee. If he paid the fee, he got the benefit of the full term of copyright. If he did not, the work passed into the public domain.

    How “the industry” has opposed the above proposal and what that shows about the war on culture we’re currently going through:

    The opposition to the Eldred Act reveals how extreme the other side is. The most powerful and sexy and well loved of lobbies really has as its aim not the protection of “property” but the rejection of a tradition. Their aim is not simply to protect what is theirs. Their aim is to assure that all there is is what is theirs.

    So when the common sense of your child confronts you, what will you say? When the common sense of a generation finally revolts against what we have done, how will we justify what we have done? What is the argument?

    On the cool BBC Creative Archive pilot that ran till 2006:

    the BBC has just announced that it will build a “Creative Archive,” from which British citizens can download BBC content, and rip, mix, and burn it.

    On the Public Library of Science:

    The Public Library of Science (PLoS), for example, is a nonprofit corporation dedicated to making scientific research available to anyone with a Web connection. Authors of scientific work submit that work to the Public Library of Science. That work is then subject to peer review. If accepted, the work is then deposited in a public, electronic archive and made permanently available for free.

    On Peter Wayner’s freely available book “Free for All”:

    Peter Wayner, who wrote a book about the free software movement titled Free for All, made an electronic version of his book free on-line under a Creative Commons license after the book went out of print. He then monitored used book store prices for the book. As predicted, as the number of downloads increased, the used book price for his book increased, as well.

    This passage made me think again about stuff I’ve published online (blog posts, photos etc) – I am ditching the default “all rights reserved” and going for less restrictive Creative Commons licenses:

    Finally, there are many who mark their content with a Creative Commons license just because they want to express to others the importance of balance in this debate. If you just go along with the system as it is, you are effectively saying you believe in the “All Rights Reserved” model. Good for you, but many do not.

    On how the term of copyright just keeps being extended:

    The term of copyright has gone from fourteen years to ninety-five years for corporate authors, and life of the author plus seventy years for natural authors.

    On avoiding knee-jerk reactions and focusing on what matters:

    This point about the future is meant to suggest a perspective on the present: It is emphatically temporary. The “problem” with file sharing—to the extent there is a real problem—is a problem that will increasingly disappear as it becomes easier to connect to the Internet. And thus it is an extraordinary mistake for policy makers today to be “solving” this problem in light of a technology that will be gone tomorrow. The question should not be how to regulate the Internet to eliminate file sharing (the Net will evolve that problem away). The question instead should be how to assure that artists get paid, during this transition between twentieth-century models for doing business and twenty-first-century technologies.

    You know how the RIAA and MPAA are crying “piracy kills music”? This, of course, has happened before:

    See Cap Gemini Ernst & Young, Technology Evolution and the Music Industry’s Business Model Crisis (2003). This report describes the music industry’s effort to stigmatize the budding practice of cassette taping in the 1970s, including an advertising campaign featuring a cassette-shape skull and the caption “Home taping is killing music.”

    On how copyright is being misused for reckless profiteering, killing creativity:

    Jon Else is a filmmaker. He is best known for his documentaries and has been very successful in spreading his art. He is also a teacher, and as a teacher myself, I envy the loyalty and admiration that his students feel for him. (I met, by accident, two of his students at a dinner party. He was their god.)

    Else worked on a documentary that I was involved in. At a break, he told me a story about the freedom to create with film in America today.

    In 1990, Else was working on a documentary about Wagner’s Ring Cycle. The focus was stagehands at the San Francisco Opera. Stagehands are a particularly funny and colorful element of an opera. During a show, they hang out below the stage in the grips’ lounge and in the lighting loft. They make a perfect contrast to the art on the stage.

    During one of the performances, Else was shooting some stagehands playing checkers. In one corner of the room was a television set. Playing on the television set, while the stagehands played checkers and the opera company played Wagner, was The Simpsons. As Else judged it, this touch of cartoon helped capture the flavor of what was special about the scene.

    Years later, when he finally got funding to complete the film, Else attempted to clear the rights for those few seconds of The Simpsons. For of course, those few seconds are copyrighted; and of course, to use copyrighted material you need the permission of the copyright owner, unless “fair use” or some other privilege applies.

    Else called Simpsons creator Matt Groening’s office to get permission. Groening approved the shot. The shot was a four-and-a-half-second image on a tiny television set in the corner of the room. How could it hurt? Groening was happy to have it in the film, but he told Else to contact Gracie Films, the company that produces the program.

    Gracie Films was okay with it, too, but they, like Groening, wanted to be careful. So they told Else to contact Fox, Gracie’s parent company. Else called Fox and told them about the clip in the corner of the one room shot of the film. Matt Groening had already given permission, Else said. He was just confirming the permission with Fox.

    Then, as Else told me, “two things happened. First we discovered . . . that Matt Groening doesn’t own his own creation—or at least that someone [at Fox] believes he doesn’t own his own creation.” And second, Fox “wanted ten thousand dollars as a licensing fee for us to use this four-point-five seconds of . . . entirely unsolicited Simpsons which was in the corner of the shot.”

    Else was certain there was a mistake. He worked his way up to someone he thought was a vice president for licensing, Rebecca Herrera. He explained to her, “There must be some mistake here. . . . We’re asking for your educational rate on this.” That was the educational rate, Herrera told Else. A day or so later, Else called again to confirm what he had been told.

    “I wanted to make sure I had my facts straight,” he told me. “Yes, you have your facts straight,” she said. It would cost $10,000 to use the clip of The Simpsons in the corner of a shot in a documentary film about Wagner’s Ring Cycle. And then, astonishingly, Herrera told Else, “And if you quote me, I’ll turn you over to our attorneys.” As an assistant to Herrera told Else later on, “They don’t give a shit. They just want the money.”

    Else didn’t have the money to buy the right to replay what was playing on the television backstage at the San Francisco Opera. To reproduce this reality was beyond the documentary filmmaker’s budget. At the very last minute before the film was to be released, Else digitally replaced the shot with a clip from another film that he had worked on, The Day After Trinity, from ten years before.

    Stop Google recording your chats

    Many Gmail users also use Gchat to talk to their buddies. Why not – the Gchat window is right there, next to their emails and very easy to use.

    Problem is, Google automatically analyzes everything Gmail users are emailing or chatting about. It’s obvious that Google stores your emails, but if you’re sceptical about how much of your chats Google records, just go to any of your Gchat contacts and click “More” -> “Recent Conversations”.

    Recent Google Chat conversations

    Bringing up your recent chats with another Google user

    You can now see the contents of all conversations you’ve had with this user. This should make it obvious that everything you type in Google Chat is recorded and stored.

    Why is Google recording our chats?

    But why do Google record all this? Because by knowing everything you talk about, Google can perfect your “behavioural profile”. The better this profile, the higher its market value. Remember, if you’re not paying for it, you’re not the customer, you are the product! And everything you say or do while logged on to Google services is used to make you a higher-yield product. Google then charges marketing companies (Google’s real customers) for access to this massive data set. Marketers are aching for an opportunity to directly target the more than 350 million Gmail users (as of Jan 2012) with personally targeted, customised ads. Of course this is done automatically with software, and Google is not the only “free services” provider to sell your data for profit. Facebook follow the same business model, and it appears to be working out quite well for them. Facebook recently reported $3.7 bn (yes, that is billions of US dollars) in revenues. There is a lot of money to be made for companies that turn our entire lives into sellable products.

    This is one of the two reasons you would want to stop Google recording your chats.

    Why is this dangerous?

    The second reason why Google recording your chats is not a good idea is that Google hands over this information (your emails, chats, things you have searched for, YouTube videos you have watched) to the law enforcement agencies of your country. They have no choice – they have to. Google provides a “Transparency Report”, which is commendable. Unfortunately it falls short of giving us a clear view of just how much personal information has been handed over to government agencies due to the way the numbers are presented.

    The following table attempts to answer the question:

    “For how many user accounts was Google asked to hand over data to government agencies between January – June 2011”?

    Country    # of users (approximate)
    USA        11,057
    UK          1,444
    Spain         709
    Italy       1,263
    India       2,439
    Germany     1,759
    France      1,552
    Brazil      1,822

    You can look up your country by following any of the links in the table.

    Given just how much Google knows about us, our friends, and our friends’ friends, it is a troubling thought that all this data, all of our contacts, the videos we have been watching, our chat messages, things we +1’ed, services we use from other service providers (Flickr etc) are recorded by Google and therefore being handed over to government agencies all over the world at this unprecedented rate.

    If you believe that nothing you ever type or click on will be of interest to any law enforcement agency, government or court around the world until you and your entire family pass away (but what about your grandchildren? Think 40 years ahead. Could someone in 2052 dig up a record of an internal joke with one of your buddies back in 2012, cast it as proof of extremism and use it to harm your family?), AND you subscribe to the “I have nothing to hide, therefore I have nothing to fear” camp, you can stop reading here.

    If you are genuinely uncomfortable with how your online life is harvested and recorded and wish to take steps to protect what little parts of it you can, read on.

    Going “Off the record” in Google Chat

    Google provide a mostly-hidden feature on their Gchat client that allows you to indicate you want to go “Off the record”. You can see it under the “Actions” menu when you are chatting with someone on Google Chat.

    Google say that going “Off the record” means that “Chats [...] aren’t stored in your Gmail chat history…” which sounds good, but does not actually promise your chats are not being recorded.

    Google Chat: You are now off the record

    Given that Google “will share personal information with [...] organizations [...] outside of Google if [...] preservation or disclosure of the information is reasonably necessary to meet any [...] enforceable governmental request”, it is a safe assumption that Google Chat’s “Go off the record” option does not really buy you any privacy.

    Getting some real privacy for Google Chat

    We will use Free Software tools that allow you to be reasonably confident that Google is not recording what you say over chat.

    Before you continue, please understand:

    1. To have a private chat, both you and the person you wish to chat privately with need to follow these steps.
    2. If you use multiple computers to chat (e.g. a work computer and a home laptop), you have to repeat these steps on every computer before you use it to chat. You will only have to “prepare” every computer once.

    First, download and install the Pidgin instant messaging software

    Get the software from http://pidgin.im and install it on your computer.

    Done installing Pidgin? Great. Continue to the next step.

    Download and install the OTR plugin

    The Off The Record (OTR) plugin allows Pidgin users to encrypt their communications. Get it from http://www.cypherpunks.ca/otr/ and install it on your computer.

    Configure Pidgin for Google Chat

    The first time you start Pidgin you will see this:

    Click on “Add…” – a new window comes up. (this may happen automatically before you even press “Add”)

    Adjust the settings as shown, using your Google username and password:

    Pidgin Google Chat settings – basic

    Click on the “Advanced” tab and adjust the settings as shown:

    Pidgin Google Chat settings – advanced

    Almost there! Now click on “Add” to complete setting up your account.

    You should now be connected to Google chat! A list of your online contacts (or “Buddies”) will come up right away:

    Pidgin buddy list when logged onto Google Chat

    If you see something like the above, congratulations – you are successfully connected to Google chat.

    If you get error messages, likely causes are:

    1. You didn’t type all settings exactly as shown above
    2. You are using Google’s two-step authentication. In that case your “main” Google password is not accepted. You need to create an application-specific password for Pidgin on the computer you’re currently setting up. Why?
    3. Your (corporate or national) network firewall is blocking the chat protocol XMPP. It may be possible to bypass it with Tor.

    Activate and configure the OTR plugin

    From the Pidgin “Buddy List” window go to Tools -> Plugins as shown here:

    Scroll down the list until you find “Off-the-Record Messaging”. Tick the box next to it – this will enable the plugin:

    Now click on the “Configure Plugin” button:

    In the new window that comes up, configure the default OTR settings as follows:

    Congratulations! You can now chat privately with buddies who also use the OTR plugin.

    You have just made it very difficult for Google or anyone else to eavesdrop or record what you say. Just point your Google chat buddies to this page and get them using the OTR plugin!

    Start a private conversation

    Note: You can communicate privately only if the chat buddy you’re communicating with has followed the above steps, or is using other software that uses the OTR plugin.

    Double-click on a buddy’s name to bring up the Conversation window. Notice the “Not private” button on the bottom right?

    This means you have not activated the privacy features yet. But you’re about to!

    Click on “Not private” and ask Pidgin to “Start private conversation”:

    Pidgin will now attempt to create a secure channel and should display the following:

    This is the result we want. “Unverified” is not a problem (but see Improvement 2 below). Pidgin tells us that it has established a secure channel to the other end, and you can use it to chat with your buddy without Google being able to read & record your messages.

    Remember to always check the bottom-right OTR status icon. If it says “not private”, you should assume that Google is recording everything you type in that window.

    Improvements (optional)

    Improvement 1: Ask OTR to always try to initiate private messaging

    You can ask OTR to always try to “automatically initiate private messaging” from the OTR plugin configuration menu you used above. Here’s the option you need to tick:

    Improvement 2: Verify the identity of people you chat with

    You have stopped Google reading, analysing and recording what you discuss with your buddies. But if you have reason to believe someone might be trying to read what you say (e.g. if you’re a whistleblower, journalist, activist, lawyer, live in the wrong country etc) you cannot yet be 100% certain that the person you are talking to is indeed your buddy and not an impostor pretending to be your buddy.

    To rule out this possibility you should always verify the people you chat with. You only need to do this once for every buddy you wish to chat with.

    To do this, click on the “Unverified” button:

    Encrypted, but not authenticated. You are talking to someone through a protected channel, but you don’t know yet who that “someone” is.

    This brings up the following menu, allowing you to “Authenticate Buddy”:

    Asking Pidgin to authenticate the buddy you’re chatting with

    You are now presented with the easiest option to authenticate your buddy – asking them a question, and checking that they know the right answer. There are other methods as well, like entering a secret passphrase you have agreed on in advance.

    Go ahead and type a question and its answer. It should be something obvious to your chat buddy (example question: “what’s the name of my dog?” or “who did we discuss last time we met?”) but not to potential impostors. (If you have reason to believe someone is targeting you specifically, using a pre-shared secret is the best way to ensure you are talking to your real friend. After all, any serious adversary can find the name of your dog without too much hassle.)

    Example of a question/answer pair

    After you click on “Authenticate” you will have to wait for a few moments for your friend to answer the question using his computer:

    Waiting for response to authentication challenge

    Once your friend successfully answers the question you set, you will see this message:

    If you get an “Authentication failed” message instead, your friend probably mistyped something. Please remember (and remind your friend too!) that the answer is CaSe SenSiTive – so in this example the answer “Maxx” is correct, but “maxx” is wrong!

    Congratulations! You can now be confident you are talking to the right person! This is an additional benefit on top of what you achieved already: stopping Google (or anyone else) from monitoring & recording what you say!
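The question-and-answer check above works because OTR runs the Socialist Millionaire Protocol: each side feeds in a hash of the answer it typed, and the exchange only reveals whether the two hashes are equal, never the answer itself. The following is an added example (not Pidgin or libotr code) that runs a stripped-down SMP between the two sides; it assumes a small freshly generated safe prime instead of OTR’s fixed 1536-bit group and omits the zero-knowledge proofs real SMP attaches to each message.

```python
"""Simplified Socialist Millionaire Protocol (SMP), the mechanism behind OTR's
"Authenticate Buddy". Constructed example, not Pidgin or libotr code: the
zero-knowledge proofs real SMP attaches to each message are omitted, and a
freshly generated 64-bit safe prime stands in for OTR's fixed 1536-bit group."""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test; good enough for a toy group."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_safe_prime(bits: int = 64) -> tuple[int, int]:
    """Return (p, q) with p = 2q + 1 both prime; g = 4 is a square mod p and
    so generates the order-q subgroup used below."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def secret_from_answer(answer: str, q: int) -> int:
    """Only a hash of the typed answer enters SMP, so "Maxx" != "maxx"."""
    return int.from_bytes(hashlib.sha256(answer.encode()).digest(), "big") % q


def smp_match(x: int, y: int, p: int, q: int, g1: int = 4) -> bool:
    """Run SMP between Alice (secret x) and Bob (secret y); the g2a/g3a,
    g2b/g3b, P, Q and R values are what goes over the wire, and none of them
    reveals either secret."""
    def rand_exp() -> int:
        return secrets.randbelow(q - 1) + 1
    def div(a: int, b: int) -> int:
        return a * pow(b, -1, p) % p
    a2, a3, b2, b3 = rand_exp(), rand_exp(), rand_exp(), rand_exp()
    # Message 1 (Alice -> Bob) and 2 (Bob -> Alice): blinded generators.
    g2a, g3a = pow(g1, a2, p), pow(g1, a3, p)
    g2b, g3b = pow(g1, b2, p), pow(g1, b3, p)
    # Both sides derive the same g2 = g1^(a2*b2) and g3 = g1^(a3*b3);
    # Bob via g2a^b2, g3a^b3 and Alice via g2b^a2, g3b^a3.
    g2, g3 = pow(g2a, b2, p), pow(g3a, b3, p)
    # Message 2 also carries Bob's Pb, Qb built from y and a random r.
    r = rand_exp()
    Pb, Qb = pow(g3, r, p), pow(g1, r, p) * pow(g2, y, p) % p
    # Message 3 (Alice -> Bob): Pa, Qa from x and random s, plus Ra.
    s = rand_exp()
    Pa, Qa = pow(g3, s, p), pow(g1, s, p) * pow(g2, x, p) % p
    Ra = pow(div(Qa, Qb), a3, p)
    # Message 4 (Bob -> Alice): Rb. Each side then computes
    # Rab = (Qa/Qb)^(a3*b3) = g3^(s-r) * g2^((x-y)*a3*b3), which equals
    # Pa/Pb = g3^(s-r) exactly when x == y (mod q).
    Rb = pow(div(Qa, Qb), b3, p)
    target = div(Pa, Pb)
    return pow(Ra, b3, p) == target and pow(Rb, a3, p) == target


def authenticate_buddy(my_answer: str, buddy_answer: str) -> bool:
    """One "Authenticate Buddy" round: True only if both answers match."""
    p, q = make_safe_prime()
    return smp_match(secret_from_answer(my_answer, q),
                     secret_from_answer(buddy_answer, q), p, q)
```

An impostor who does not know the answer gets exactly one guess per run and learns nothing about the real answer from a failed one, which is why a pre-shared secret is stronger than a guessable question.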

    A private & authenticated conversation over Pidgin. You know the person you’re talking to is who they say they are, and you know that no one else can eavesdrop on your conversation.

    Next time you wish to talk to this person, you will just need to click on the OTR button on the bottom right and the conversation will immediately switch to “Private”. No need to re-authenticate, unless you or they are using a different computer.

    Now the only things Google knows are:

    • Who you chat with
    • When you chat with them

    …which is a significant improvement from before.

    What, you still don’t like that? What are you doing chatting on Google Chat then?! Go use CryptoCat over Tor at http://xdtfje3c46d2dnjd.onion/, or if your enemies are pros (and you trust your hardware), TAILS.

    Improvement 3: Use Google’s two-step verification & an application-specific password for Pidgin

    It’s a good idea to use Google two-step verification. This means that Google will ask you for two pieces of proof that you are the legitimate owner of your account whenever you log in from an unrecognised device. This is an improvement in security, but means that external applications (like Pidgin) cannot access your Google account with your main password.

    Google’s solution is application-specific passwords. These are passwords that only work for one designated application and cannot provide full access to your Google account (e.g. to change your account settings).

    See Getting started with Google 2-step verification and after you’ve activated it, create an application-specific password for Pidgin on your device.

    Then, on Pidgin’s main “Buddy List” window go to Accounts -> USERNAME@gmail.com -> Edit Account, input the password you just created, ask Pidgin to remember it, hit “Save” and you should be all done.

    Now starting Pidgin will automatically log you into Google Chat, without asking for your password.