Going Dark: How to Attain Privacy on the Internet
In the early 1970s until about 2005, the US government forbid the export of cryptographic software, considering it a munition, and interfered with academic research in the field of cryptography. In the 1990s, the government attempted to prosecute a man named Phil Zimmermann for creating a suite of email privacy tools he called “Pretty Good Protection” (PGP) after someone else exported this software illegally outside of the United States. (Notably, they allowed Bruce Schneier to export the same exact information on the PGP disk in OCR-friendly text in the book, Applied Cryptography.) The Zimmermann case ended when the government realized that PGP was protected by the First Amendment to the Constitution of the United States of America.
Most recently, however, the FBI has announced its goal for the year 2013 is to address what it calls the “going dark” problem, which means because criminals are increasingly using the internet to conduct their activities, and because services are increasingly making use of TLS and legal forms of strong cryptography for peer-to-peer and client-server communications, it is becoming increasingly difficult for the United States government to obtain useful leads or evidence from tapping the encrypted data across the wire.
Their solution is to mandate service providers (which encompasses ISPs like Comcast and Verizon, as well as online service providers like Google, Facebook, Twitter, Skype, et al.) to build backdoors into their products to make them more “wiretap friendly.” Failure to comply after a short period where government assistance is provided will result in a steep fine every day until compliance is met.[[MORE]]
“What’s the problem? I have nothing to hide.”
Many people feel that privacy invasions are fine because they don’t have anything to hide. But if that were true, they would be enthusiastic about the notion of joining a nudist colony. Privacy is a fundamental component of any functioning society. “Privacy is the power to selectively reveal oneself to the world,” says Eric Hughes, the author of the Cypherpunk Manifesto, which was authored around the time of the Zimmermann case.
“But we have to stop the [hackers/criminals/terrorists].”
I’d hate to be the one to break it to you, but hackers and career criminals already know how to use all of the tools on this page. In fact, they can go a step further than anything outlined here by writing malware, infecting thousands of computers, forming a botnet, and doing all their misdeeds over a remote desktop protocol (such as VNC) so all the evidence is on someone else’s machine (and most of the connections would connect back to there).
Furthermore, creating mandated backdoors in existing services and software, for the purpose of being wiretap friendly, will actually decrease the overall security of the internet. All it would take is a bored programmer to go spend a few weeks on http://www.binary-auditing.com and develop a knack for reverse engineering before the law enforcement backdoor becomes a backdoor that hackers everywhere can use.
So without further ado, here are some of the tools that netizens can use to drop off the surveillance grid and enjoy some privacy.
TOR – The Onion Router
The Tor Project is a free software and anonymity research group, consisting of a few employees and many volunteers, whose main purpose is to improve and distribute anonymity software– namely, the Tor Browser Bundle.
Tor is arguably the most important piece of software on this page: It offers you location-based privacy and a form of online anonymity: The websites and services you communicate with using the Tor Browser Bundle will not know where you are (and unless you accidentally reveal your identity, they will not know who you are, either). Additionally, someone snooping on your connection locally (a hacker, a script kiddie using Firesheep, the government, etc.) will not know what services you are communicating with or what you are saying.
In simplest terms, Tor works by creating several layers of protection (like an onion). Tor creates circuits out of many available relays, then encrypts your outgoing packets multiple times with the public key of each node in the circuit before sending them to their destination. Each node will decrypt the data and carry the packet to the next destination. Circuits are only used for a short period of time before a new circuit is built.
To get a better understanding of how Tor works, visit the Tor Project: Overview page. To better understand how Tor can protect you (especially when used with websites accessed over HTTPS, such as Keenotes), see this helpful interactive page by the Electronic Frontier Foundation.
If you are an Android user, you may also wish to obtain a copy of Orbot: Tor for Android.
How do I get Tor?
Head over to https://www.torproject.org (for the paranoid, the SHA-1 fingerprint of their SSL/TLS certificate is1F:9D:30:6E:8B:FC:CF:CB:03:98:1A:71:A2:7A:9F:5D:1E:08:76:CE). Click the big “Download Tor” button, then download the Tor Browser Bundle for your operating system.
Windows users should run the .exe to extract Tor to a location on your computer, or to put it on a flashdrive. Press “Extract” then go to the location you just extracted the file (by default, open the Start Menu, click on your user name, then go to Downloads, and look for a folder called “Tor Browser”).
Linux users should use whatever archive manager their distro provides to accomplish the same task. For Ubuntu users, the Tor Browser Launcher is a handy tool to have.
Mac users should extract the contents of the compressed folder and follow the instructions in the README file.
Launch the Tor Browser and you’re in.
If this screenshot looks like your computer, then you have successfully installed Tor.
How do I use Tor?
There was a long warning on the download page for the Tor Browser Bundle; I highly recommend reading it. There are a few things to keep in mind:
- Without HTTPS, the Tor exit node can sniff your traffic, so be sure to check for the https:// in the URL
- Browser plugins (such as the ones used to play videos, stream music, etc.) can be tricked into revealing your IP
- Tor is not suitable for peer-to-peer networks with large data transfer volumes, such as BitTorrent!
- Tor changes your exit node every few minutes (it actually rebuilds the entire circuit), so some websites may log you out frequently if they lock sessions to a particular IP address. (Keenotes doesn’t, since we employ HTTPS.)
Please watch the video below to learn more about using Tor:
VPN – Virtual Private Networks
A Virtual Private Network (VPN) allows users to forward all of their internet traffic through a proxy server (usually over SSL). Although less theoretically private than Tor, a VPN will almost always offer better performance than an anonymity network, which makes it better suited for downloading large files and connecting to peer-to-peer services.
Be conscientious when choosing your VPN provider, however. One VPN provider, HideMyAss.com, turned over information about one of their users to federal law enforcement. Ideally, a VPN provider would not even have the information to hand over to the government in the first place. TorrentFreak has a great article on which VPN providers claim to advocate user privacy (available here). Some common VPN providers include: PrivateInternetAccess, AirVPN, SwissVPN, iPredator, and TorGuard.
However, a VPN provider’s promise to not log information is at best hollow. There is fundamentally no way of knowing whether or not they are being honest with their claims without being able to access their system, so if you use a VPN you should always assume your traffic is being logged heavily.
If you require a greater deal of privacy, consider using one of these solutions:
- Just use Tor or i2p and learn to be patient
- Install OpenVPN server on an offshore VPS (purchase using Bitcoins over Tor if possible) and use it no more than once
- Chain multiple VPNs together using Virtual Machines
- Connect to your VPN over tortunnel, creating a You -> Tor node -> VPN -> internet situation
Please watch the video below to learn more about using OpenVPN (one of the more popular VPN protocols):
Crypto.cat – Private Chatrooms
Want to talk to a bunch of people at once, and not have anyone on the outside be able to read what you’re saying? Get crypto.cat! Just install the Cryptocat browser plugin, select a room name and username, share the room name with your friends over another medium (in person, or one of the communication methods detailed below), and have at it.
Cryptocat encrypts all of your messages such that even the Cryptocat server that relays messages between conversation participants cannot decipher anything that was said. When used with Tor, it provides a great way to plan a protest or form a secret club that even the government doesn’t know about.
Please watch the video below to learn more about using Cryptocat:
RedPhone – Private Mobile Phone Conversations
Open Whisper Systems’ RedPhone is an Android (and soon to be iPhone) app that allows you to make phone calls over a “secure line” for free. No more worrying about illegal phone-hacking (such as that perpretrated by News International). If you are an Android user, you should be using RedPhone (and you should be getting others to use it, too). If you’re an iPhone user, the same will soon apply to you.
Please watch the video below to learn more about using Redphone:
TextSecure – Private Mobile SMS Text Messaging
TextSecure, from the makers of RedPhone, allows you to have text message conversations with your friends in such a way that your mobile provider cannot read what you are saying. Highly recommended for Android users.
OTR – Off-The-Record Instant Messaging
OTR is essential to online privacy: Not only does it encrypt your communications with another party, it does so in a way that is deniable— that is to say, anybody can forge messages after the conversation ends. To use OTR, first install Pidgin then download pidgin-otr from http://www.cypherpunks.ca/otr/.
Please watch the video below to learn more about using OTR:
i2p -The Invisible Internet Project
In a nutshell i2p is the leading alternative to Tor. The main difference between Tor and i2p is that i2p is uses a distributed peer-to-peer architecture (which makes it more suitable than Tor for handling BitTorrent traffic).
Please watch the video below to learn more about using i2p:
PGP – Pretty Good Privacy, Email Encryption
PGP is a software suite and industry standard for email encryption and authentication. PGP works, in simplest terms, by using a pair of keys for each participant: A public key which you should share with as many people as humanly possible, and a private key, which should be password-protected and kept far away from anyone else’s hands.
When you send an email out to another PGP user, you encrypt the message with their public key, and sign it with your private key. When they receive the email, they should first verify the signature with your public key before decrypting with their private key. If the signature doesn’t match, the email is considered to be forged and should be discarded.
Please watch the video below to learn more about using PGP:
TrueCrypt – Full Disk Encryption
Disclaimer: Many security professionals do not trust TrueCrypt since its development isn’t fully open. However, I do not know of any better cross-platform alternatives as of the time of this writing. Further, law enforcement has shown itself time and again to be unable to break TrueCrypt in their investigations, so it’s probably good enough until the industry produces something superior.
Although it has many other features, the main attraction to TrueCrypt is that it encrypts your entire hard disk outside of the Operating System (whereas competitor software like BitLocker is integrated with the Operating System). TrueCrypt is also open-source and doesn’t cost any money to own or use.
Please watch the video below to learn more about using TrueCrypt:
I hope you took the time to read this entire article, download and experiment with the software, and watch all of the video tutorials. The tools provided on this page should serve to help remove yourself from the surveillance grid, but only if you use them properly. Some of this information may also be obsolete by the time you read it. However, it is my hope that this article gives everyone an idea of how to get started.