NSA Cramping Your Style? Use These Easy Encryption Solutions

Also, the NSA might not be the only ones checking in on phone call and e-mail data. Here is a basic guide to digital discretion.

Ever since we learned that the NSA and FBI are archiving metadata from America's mobile phone and email providers, we've become increasingly interested in encryption services. There is a vociferous subculture of cypherpunks (those who advocate broad use of strong cryptography) and dozens of for-profit and free products guaranteeing to keep communications secret. Yet, most members of the general public don't know where to start. This is a bad thing. Here's what to consider when cloaking communications.

First, Why Should You Care If The Government Reads Your Emails, Anyway?

Although the U.S. government only claims to be monitoring select communications from noncitizens, that should be taken with a grain of salt. One of the recurring themes of the Ed Snowden NSA and FBI revelations has been the lack of oversight of America's Internet surveillance regime. NSA chief Keith Alexander basically admitted before a congressional hearing that secret court warrants are rubber-stamped. For all we know, that means contractors and NSA employees have a green light to engage in insider trading, snoop in explicit emails, and listen in on celebrities' phone conversations. The NSA has shown a marked disinterest in disclosing the parameters of the surveillance regime and uses clever weasel words to hide the scope of their program and what they do with it.

There have been a host of op-eds written on many platforms about the dangers of thinking government authorities should be able to monitor your communications if you have “nothing to hide.” Two of the best are by danah boyd of Microsoft Research and Rebecca Rosen of The Atlantic. But legal scholar Daniel Solove wrote the best argument way before Snowden's disclosures became public knowledge. In a nutshell, if the government can be believed to store electronic communications in perpetuity and refuses to tell the public what their grounds for using them are, it's a safe bet to assume the government and contractors will misuse your personal data.

Even If The Government Isn't Monitoring You, Encryption Isn't The Worst Idea

If there aren't worries about being snooped on by the government, there are always worries about being snooped on by private parties. Are you a businessperson working on a sensitive deal? A parent going through a difficult divorce? A minor in the closet about your sexuality? Do you work with prominent public figures? Encrypting your email and phone communications might not be the worst idea.

It's important to note that there are also degrees of encryption. While some cypherpunks and security activists might vociferously disagree, different users have different security needs. A platform whose messages can be decoded with some difficulty might be appropriate for many users. The aforementioned parent going through a difficult divorce likely has different encryption strength needs than, say, a Chinese or Bahraini dissident.

You don't think parties besides the government love snooping in on phone calls? Just give a quick thought to that News Corp hacking scandal.

The Best Security Solutions

A quick caveat: Encryption and security developers have historically done a horrible job of implementing easy-to-use interfaces and creating engaging products. Whether because of the difficulty of making encryption products work or because security-product developers frequently assume others have their level of technical expertise, many encryption tools on the market are difficult for novices to use. Predictably, many of the easier-to-use ones cost considerable money as well.

Tor Project

The Tor Project runs a secure, anonymous network that is extremely hard to monitor and is beloved by free-speech activists worldwide. Tor is also filled with drug dealers and undercover law enforcement officials on the network's many hidden sites, but that's a whole other story. When used with conventional Internet sites, Tor adds a robust layer of anonymity. The downsides are that Tor slows down Internet speeds considerably and requires some technical knowledge to use. With that said, although footprints on Tor can be traced by intelligence agencies and others, it's the best free solution on the market.

RedPhone

For Android users, RedPhone is a drop-dead simple app that allows users to make encrypted calls and little else. Based around the ZRTP encryption protocol, RedPhone's genius is its ease of use: When callers on both ends have RedPhone installed, making encrypted phone calls is a snap. As a measure of good faith in RedPhone's encryption, their developers also made the software behind it open source on GitHub.

Cryptocat

Cryptocat, much like RedPhone, is extremely easy to use. The open-source product encrypts users' online conversations and plugs in to popular Web browsers. Despite early hiccups, Cryptocat has acquired a large user base. However, Cryptocat is good for conversations only—separate products are required for discreetly using the Web and visiting other sites. But sometimes encrypted instant messengers are all a user needs.

Silent Circle

Silent Circle, a paid smartphone app that Fast Company has written about previously, is also based around ZRTP for phone calls. Unlike RedPhone, it also allows users to send text messages and secure emails. While the company has made portions of its source code available on GitHub, other portions have not been made open-source yet—raising concerns from some privacy activists. Users of Silent Circle have to pay a stiff subscription fee, but the platform is the easiest way of putting mobile encryption in place within an enterprise setting with multiple users.

The Simplest Encryption Solution

People love to talk on the Internet. Even with the furor over NSA surveillance, people share intimate information over Facebook and Instagram that they would never voluntarily share with the government otherwise. OPSEC (Operations Security) is a military concept that has also carried over to portions of the financial sector. At its root, OPSEC involves not putting sensitive information in places where other people can see or infer it. Even the best protected encryption platform can be hacked—for truly sensitive information, keeping it off the Internet and not discussing it on the phone is still the best bet.

[Image: Flickr user Woodleywonderworks]

5 Comments

  • Jim Kelly

    I have a couple of issues with this article.

    First, you talk about the threat from metadata collection, but most of the options you suggest are worthless in their ability to counter this threat. Arguably TOR fits this bill but the other methods provide no security from metadata collection.

    Second, one of the more obvious solutions (VPN) is not so much as mentioned.

  • Elegance

    1) The NSA & FBI consider encryption to be a suspicious activity, therefore, the use of encryption will increase the chances of an investigation.

    2) The NSA is holding onto encrypted material until they have powerful enough computers to go back and decrypt.

    Bottom Line: There is no escape. This article is reckless in its advice.

  • Ed Carp

    Not really.  Most information has a limited time value, so the encryption just has to be secure enough to outlast the information lifetime.  For example, if you're getting a divorce and you're using encryption to discuss the case with your lawyer, the information becomes useless to anyone once the case is over.  And a surprising number of people are already using encryption - PGP is a favorite, especially the older versions - and the more that use encryption, the more difficult it becomes to decrypt it all.  Ideally, every email and chat client would have encryption built-in, so encryption would be ubiquitous.

  • spandrelmatic

    What you say may be true, but that doesn't make the article "reckless," and for at least two reasons.

    First, people should be using encryption anyway for a subset of their everyday communications as a matter of course; not doing so, in fact, is what qualifies as reckless.

    Second, there is an argument to be made that making encryption commonplace will give individual encrypted communications a lower profile: in a crowd of a million people, it's a lot easier to focus on three flags than on 300,000.

    At the very minimum, making encryption standard practice in keeping communications private -- in other words, limiting their readers to their intended recipients -- would vastly increase the effort required for casual, sweeping intrusions into the privacy of Americans (and others), and thereby encourage those engaged in legitimate surveillance efforts to use more precise and relevant criteria in the first place.

    Just my $0.02...