How PRISM Is Ruining The Internet [updated]

Foreword: Please note that I don't often write about things so tangential to digital marketing as PRISM, but when I do it's with good reason. For example in the past i've written about why I live life openly and how that choice shouldn't effect the choice of others etc etc (link in footer to that post). Today's post is my opinion of how the NSA is ruining the internet for you and me, let me know your thoughts in the comments.

What is PRISM?

prism-nsaWithout going into the detail of how the PRISM system works, though i have on social media previously, I want to quickly explain what each system / program does. PRISM is ran by the NSA (National Security Agency) in the USA, PRISM apparently started in 2007 under the Protect America Act (Bush). It has come to light thanks to Edward Snowden, a whistleblower now on the run in Russia (at this time).

You can read about PRISM here on WikiPedia.

PRISM is a passive system, which basically sits near the "backbone" of the internet or close to high throughput servers (usually without the owner of the server knowing, eg Google and Facebook). This system then basically creates a copy of all data being transferred through that pipe into a huge database, apparently for later analysis. Again, I wont go into the in's and out's of how it is used but the why is simply to protect the USA from terror attacks (officially).

If you want to know how it works, check out Security Now #408 - where security expert and hero Steve Gibson talks about PRISM in depth, at that point the theories he put forward were best guesses, since then many have proven true.

PRISM's Chilling Effect on The Web

With the media storm surrounding PRISM now calming down, reality is beginning to set in across the world. If you use a service such as Facebook or Twitter or even Google, who have servers in the USA (and probably in your country) the reality is that some of your traffic will go through the USA. The way the web is designed to work i such that it will find the most efficient (not necessarily the fastest) path to the server and return. This means that any service hosted across multiple locations could load from any or all of them, it makes the web faster and stops bottle-necking near servers of high traffic throughput (such as Facebook or Google). Also just because you took one route to a server to load a packet of data doesn't mean it will take the same route back.

By "route" I am talking about the jumps and path your request and data take, from your pc, to your router, to your isp, to a router, to DNS servers, to a router, to a router, to the end server > and back by a different path of routers. The reality is you will hit likely hundreds of "routers" (hubs / crossing points) on the web just loading a single item. This is why the web is called a web.

web

As you can see from the diagram above if you were the computer at the top right, you'd need to pass through 3 computers before getting to a server - the computers would be hubs on the web. This is just a small overview to give you a taste of how the web works, there are many billions of these hubs in use across the web and world.

So, this chilling effect. Lets take Germany as an example of this. Germany are known to like their privacy, when streetview came out they went on a blitz to protect themselves - they had Google blur out their houses and cars... consequently earning the country the nickname blurmany. It has come to light that some people in Germany (as well as elsewhere) are advocating the non-use of any service routing via the USA or controlled by a US company. Basically, don't use Facebook, Twitter, Google or anything even Microsoft Office 365 - already there are holes in this from the view point of "do you have something to replace that service" in most cases the answer is no.

But a larger problem is that by telling users not to use (say) Facebook, or even blocking it from your country, you are basically censoring the internet. I am an internet marketer and having a population drop off from a huge service you use to market other companies would be hellish. But that isn't my main problem with this kind of thing though - I am an advocate of the Open Web, a neutral itnernet not controlled by any single entity or country. I want an world wide web on which anyone can access anything, I don't want a second "china" where for the most part it doesn't exist on social media and i don't want an internet where we fear being watched by the NSA. Both ideas are wrong through and through. Right now we've no idea what PRISM is ignoring and isn't ignoring.

Are You Being Tracked?

Recently it came to light that NSA "touched" at 1.6% of internet traffic in the USA - but lets face it with 75% of the US traffic being youtube and netflix, that can be ignored - a further say 10% is simply spam. So thats 25% (being generous) that they really want to look at. Suddenly 1.6% of 25% doesn't look such a small amount that they are looking at. Lets face it, it sounds like if you use facebook or google, it sounds like you are being tracked in some way or other by the NSA.

The reality is that at some point your data has been recorded, it doesn't mean it's been viewed though. The reason they want this data is yes to one day "get specific" and track down a user they are interested in (aka suspected terrorist) but its actually so they can aggregate data and find trends based on keywords and what not. They can from those trends spot anomylous data points and view that data, if its of interest they have meta data about that data collected and can then begin the process of tracking it through and sending requests to the service to get more data about you.

The truth as always if you've nothing to hide, you've nothing to fear... but either way start encrypting your traffic.

By encrypting your traffic and data you protect yourself from the NSA, you protect yourself from "man in the middle" attacks (someone listening between you and your end point) which can effect all traffic including emails text and you in general are more secure online.

The important bit is that if the world encrypts the data it gets all of the above and it means the web doesn't break, certain countries won't need to block websites because its from another country and as an advocate as the open web it would mean the web stays open and works as it was always designed to - as a web, free for all to use and transit.

How to Encrypt Your Web Traffic

The first thing to do is ensure that your Facebook and Google both operate in https mode (the green lock in your address bar). You need to sign in to activate it, but if you've a new account it should be already on - for facebook go to https://www.facebook.com/settings?tab=security and under secure browsing select enable. Google has it turned on by default.

With email you need to be careful though, emails are generally sent "in the clear" this means without encryption - basically anyone can see who sent what to who and what the content of that email was if they are sat in the middle listening (a man in the middle attack). This happens because (relatively) few email servers offer secure transit of emails (secure SMTP). This means, if for example my server didn't offer SSMTP it could not receive or send such a message, which means even though GMail offers the service it couldn't be used. However, if both servers use it they can send encrypted data / emails to each other without fear of a man in the middle attack.

As i say the problem is that most emails don't provide it and so we need to look at other options. The most common option, is somewhat technical, but uses Open PGP, this is basically a public and private key (as with any encryption) such that your public key is verified and made public - for example on your website. Then when you send an email you encode/encrypt it using your private key and you send it to the receiver ... they then use your public key to decode that message (ok it's more technical than that but you get the gist). One of the more common implementations is GNUPG which is free and open source. PGP / PG tend to work with applications like outlook and thunderbird, for browser based emails like GMail you need to look for a browser extension to do the job, there a few good ones out there.

I should make you aware at this point that you MUST use the strongest encryption you can, basically anything PRISM see's as encrypted will be recorded and held - if you use a weak encryption it would be broke easily (and so they can see your content), so the stronger the better.

Lets Not Break The Internet

encryptLet me be honest, I too wonder whether I am being tracked in one way or another by the NSA, or GCHQ, or any other "secret service" type institute or even a government directly (China?) - but I have nothing to really hide. I don't mention "where to plant a bomb in manchester" or the such on blogs *whooops* and I don't really care if the NSA can see a status with a link to twitpic.com of what I just ate, be honest do you? If you answered "no" then stop worrying and just start encrypting.

Ok, encrypting can slow things down, it can be cumbersome across multiple devices but it secures your traffic and means if you are concerned about privacy it can be hidden from the man in the middle and the NSA type agencies. It's not 100% secure but its the best you've got and save for diving off the internet and never using any form of "online" electronics (eg phones) it is the best you can do. It also means in general you are safer from attacks - after all if you weren't why would your bank use it?

So get safe, get savvy and encrypt - don't break the internet and censor the web!

Some Interesting Reads

Password Encryption - why it matters and some unique passwords (just for you)

Google Encrypts at 2048 bits - july 2013

Facebook allows for super-tough SSL - june 2013.

Security Now Podcast - the best internet security podcast on the web

-- UPDATES

29/8/13 - A few weeks ago Lavabit closed down. Lavabit was an encrypted email solution which stored emails very securely and even passed the Steve Gibson GRC test. It shut down because of what now seems to be a request from the US governemnt to be able access emails on and ongoing basis, something Ladar Levison (owner and founder) wasn't happy with, so he shut it down very quickly to stop the US Gov't doing anything silly. It turns out he was right they are now trying to claim he broke the court request for access by closing the service... whoops seems the secret it out they want in to the encrypted data. (i did warn you its being recorded and held).

Another worrying update is the stopping of Glenn Greenwalds partner at an airport under "terror" laws. Greenwald is the reporter for the gaurdian who was in contact with Snowden and has been releasing PRISM notes. It's an interesting move and quite scary that somehow the UK Gov't think this is ok. A further update from the gaurdian is that their offices were stormed and hard drives destroyed by the UK Gov't / GCHQ all in the name of PRISM, (will get the full story on here soon). It seems GCHQ for all the great work they do are ignorant to the fact that the PRISM docs are somewhere in the cloud, and as with stopping Greenwalds partner search the physical drives won't do you any good - it simply isn't going to be there. (it being the bunch of files the expect to see).

Andy KinseyComment