The Weekly Sift

Can people like us make the NSA’s job harder?

Unlike Senator Lindsey Graham, I’m not “glad” the NSA is hoovering my data into a big database that they pledge (cross their hearts and hope to die) not to access without court authorization and Congressional oversight.

Last time I checked I wasn’t conspiring with terrorists, and off the top of my head I can’t think of any big secrets I’m hiding, but the whole thing just makes me uneasy, given what has happened in the past. The meaning of “terrorist” sometimes gets stretched from jihadist mass murderers to, say, environmentalists who sabotage bulldozers or maybe even Martin Luther King. And while I don’t know how seriously to take Steven Rambam’s claim that it’s “routine” for authorities to log all the cell phones at demonstrations like Occupy Wall Street, I can’t call it unbelievable either.

So, as I said last week, I’m inclined to monkey-wrench a little, and to encourage others to do the same.

The problem is, I’m not a hacker. I’m pretty good at finding things with Google, and I can usually follow step-by-step instructions as long as nothing (and I mean nothing) has changed since the author wrote them, but configuring software isn’t fun for me. I don’t think of it as an artistic outlet. Mostly, I just want stuff to work so I can get on with whatever I sat down to do.

In short, it’s very unlikely that anything I do as an individual is going to give the NSA much of a headache. But there are lots and lots of people at my middling level of sophistication. Are there simple things we could do collectively to make government surveillance more difficult?

That’s what I started playing with this week. Starting with some suggestions from Timothy Lee’s Five Ways to Stop the NSA From Spying On You, I tried out some simple anonymizing tools. I ignored the ones that depend convincing my friends to learn encryption, and focused on things I can do on my own.

I’d like to see more people use these and similar tools for a very simple reason: herd immunity. If only one person is trying to hide his information from the government, that by itself makes him look suspicious. But if lots and lots of people are doing it, then the people with nothing to hide provide cover for any Martin Luther Kings that the government tries to spy on.

Saying the same thing more technically: Data mining like the NSA is doing has a false-positive problem. It might identify a revolutionary (as this clever Paul Revere example illustrates), but it might also pick out a thousand other people who have nothing to do with whatever the government is investigating. So if we all start acting more suspiciously, maybe we can increase the false positives to the point that the whole program becomes useless.

TOR. TOR stands for The Onion Router. (No connection to the satire-news site The Onion. I think the image is supposed to represent something that has layers within layers and can’t be peeled.) Wikipedia says: “Tor directs Internet traffic through a free, worldwide volunteer network consisting of thousands of relays to conceal a user’s location or usage from anyone conducting network surveillance or traffic analysis.”

The Tor browser is free, and easy to install and use. It works with the Windows, Mac, or Linux operating systems. You can download it here.

The first thing I noticed using Tor is that it’s a little sluggish. It’s not agonizingly slow, but if you’re used to web pages popping up instantly, you’ll notice a lag — just long enough to make you realize that your data is zipping and zapping all over the world. (Like Louis CK says about cell phones: “It’s going to space. Can you give it a second?”)

Second — and this is so obvious in retrospect that I feel stupid mentioning it — remaining anonymous is the exact opposite of identifying yourself. So Facebook keeps asking me security questions, because (even though I’m on my home desktop machine) I don’t appear to be anyplace I usually log in from. And I can never guess what country’s home page CNN is going to serve up.

So whether I’m hiding anything from the NSA or not, I’m pretty sure I’m keeping Google confused.

Finally, some stuff is inherently insecure, so Tor either recommends you not install it or just won’t work with it. For example, using Flash with Tor kind of defeats the purpose. So I’ve been using Tor in combination with another browser. When I want to log in to something or watch a video, I’ll jump over to FireFox.

If you start using Tor regularly — or you just like the idea of it — you might want to contribute to the Tor Project.

TorMail. If you worry about Google or Yahoo turning your mail over to the NSA — email that sits on a server gets none of the constitutional protection of snail mail or phone calls — then TorMail is your answer.

It’s web-based email, just like you’re used to. But the system is designed in an admirably paranoid way. Your traffic goes through the Tor network, so you can only access it with the Tor browser. (People claim you can use the Thunderbird email client as a front end, but I wasn’t able to make that work. And you still need to be connected to the Tor network.) Mail servers that send and receive from the Tor network are pure relays that don’t have any mail sitting on them. So there’s nothing to seize and nobody to serve a warrant to.

LPS. This is the coolest thing I played with, and I was surprised how easily it worked for me. Lightweight Portable Security is something the Air Force wrote to allow their people to do secure work on insecure machines. Here’s the idea: LPS is a very small operating system that you put on a CD or a thumbdrive. Insert that disk into anybody’s machine and tell it to reboot. (You don’t even need their password, because you’re not using their operating system or opening their files.)

LPS takes about 3-5 minutes to load, and then you have a minimal Linux-based desktop with a FireFox browser. After you connect to the local network (maybe you’ll need a password there), you’re free to roam the internet. I checked my mail, edited files on my Google drive, and posted to Facebook. And when I shut down and took my disk, no trace of me remained on the machine I’d been using, because I’d never touched its file system. Likewise, my files didn’t pick up any of the viruses or spyware that might have been on the host machine.

I think the Air Force wants its LPS users to immediately log on to some super-secure Department of Defense network. I can’t do that, so my next project is to add a Tor browser to LPS. That should make me both invisible to the machine I’m using and anonymous to the web sites I visit. (OK, maybe I am starting to enjoy this a little.)

If you’ve been trying out anything the rest of us should know about, mention it in the comments.