Last week, Vodafone, the world’s second largest mobile operator, made startling revelations about secret wiretaps that allow government agencies to listen into and record live telephone conversations.
These revelations come a year after American whistleblower Edward Snowden revealed the extent of US and UK government surveillance of electronic networks, of how those countries’ intelligence agencies scoop up the world’s communication in the name of defeating terrorism.
The Internet is basically made up of millions of computers and servers. It should not come as much of a surprise that there are vulnerabilities. Unscrupulous individuals and groups, and now governments, use this to tap into private data.
Many of these vulnerabilities are used by hackers to breach secure systems. They do so by gaining access, often using malicious software.
“Absolutely, you should be very concerned,” says Dominic White, chief technology officer at information security firm SensePost about the implications of government surveillance on citizens.
His advice is simple: if you have information that could be life threatening, or if you are worried about information getting out, do not share it online.
In 2013, Snowden brought to light a series of global surveillance programmes which showed that America’s National Security Agency (NSA) and Britain’s equivalent, GCHQ, were harvesting and storing the communications of millions of ordinary people as well as political leaders around the world.
Snowden’s leaks showed that billions of e-mails, text messages, phone calls, credit records and even webcam recordings were collected.
White says that the most worrying information to come from Snowden’s leaks is the exposure of global dragnet surveillance — the complete capture and archiving of people’s communications. The data that was captured was not only from US citizens, with the NSA placing emphasis on capturing the data of non-US citizens. “That’s pretty scary,” says White.
He says that Vodafone’s recent wiretapping revelations “don’t mean anything new”.
“We know telcos cooperate with law enforcement agencies. This is just a display of scale. That said, Vodafone had no results for South Africa, so we’re no more illuminated as a country.”
White says people should take greater precautions online to protect their personal information and safeguard their privacy.
He has many suggestions about how Internet users can shore up their defences and ensure their communication is not intercepted.
The first step is to “recognise that the tools you employ need to be appropriate for the threat you are facing”, he says. “If you are worried about the random distribution of your e-mail, or the dragnet surveillance of your data, it is a different threat to being actively targeted by intelligence services.”
True privacy against an advanced attacker is difficult, White says. “A lot of people confuse the difference between secrecy and privacy.”
He says users interested in knowing just how their data can be used should visit Don’t Track Us. This website shows how users’ search data could work against them when privacy is ignored and their data is sold. It shows how “innocent” search data can be used to profile and ultimately prejudice people.
In order for e-mail to travel securely over the Internet, the message needs to be encrypted at both ends. Transport Layer Security (TLS) is a protocol that encrypts and delivers e-mail securely. However, if the recipient’s server does not use TLS, the message is left open for potential snooping.
The Transparency Report is a website that Google uses to show the data that sheds light on on how laws and policies affect Internet users and the flow of information online.
The report highlights, among other things, that many e-mail providers do not encrypt messages when they are in transit, leaving them open to interception. Google says this is changing slowly as service providers enable TLS on their networks.
About 65% of messages sent by Gmail users are encrypted during delivery, meaning that the other 35% of encrypted messages are received unencrypted as the recipient’s mail server does not support encryption. Of the messages received, 50% of Gmail’s inbound traffic has encryption enabled.
Google recently announced End-to-End, an extension for its Chrome Web browser. When it is released in a few months’ time, it will help users encrypt, decrypt, digitally sign and verify signed messages using OpenPGP. This has traditionally been reserved for tech-savvy users, but Google hopes to make the technology accessible and easy to use.
“The problem with PGP (Pretty Good Privacy), the current decryption program used by most e-mail platforms, is that it is difficult to manage over time. You have to be cognisant that it’s not a transparent encryption technology,” says White. “Google End-to-End is not a particularly new idea, but it is interesting to see Google pushing it.”
There is another promising solution called Dark Mail which was announced late last year, says White. Dark Mail is being developed by Silent Circle and Lavabit, the secure e-mail service which closed its doors rather than hand over government-requested privacy keys to its users’ e-mail. The two companies are pioneers in the encrypted communications industry. Dark Mail, which has not yet been released, provides an end-to-end encryption platform for e-mail and it is looking promising.
Messaging and voice calls
When it comes to the encryption of instant messages on the Internet, there are a lot more options available compared to e-mail.
Telegram is one of the more popular applications for cross-platform messaging and is available on Android and iOS, although unofficial third-party versions of the app are also available for Windows Phone. Telegram sends encrypted and self-destructing text messages, video, photos and any other file type.
Seecrypt is another encrypted messaging application, developed in Pretoria by the privately owned and funded software development company of the same name. The Seecrypt platform not only provides secure messaging, but also supports secure voice calls between Seecrypt-enabled devices.
The application is available on many platforms, include iOS, Android, Blackberry 10 and Windows Phone. Seecrypt uses double-layer AES-256 and RC4-384 end-to-end encryption and produces new session keys for each voice call or message.
Silent Circle is a multi-function, multi-device secure communications platform. It handles encrypted texts, phone calls, video calls and file transfers from any mobile or desktop platform. Silent Circle was created in 2011 when one of the founders of PGP and cryptography legend Phil Zimmermann as well as the creater of Apple’s Whole Disk Encryption, Jon Callas, were approached by former US Navy Seal Mike Janke to create a private encrypted communications network.
The company has also developed a secure mobile phone with encryption technology built in. The device is called the Blackphone and runs a modified version of Android called PrivatOS, which was built around encryption and security to ensure that no information leaves the device unsecured. The Blackphone sells for US$629 and includes a number of Silent Circle subscription services to allow secure calling and messaging.
On the Web
The DuckDuckGo search engine promises to keep its users’ searches private and prevent search results that profile and target them based on what they look for. This is a practice that is common with search engines such as Google, which use “profiling” to target users with customised search results and targeted ads.
White Hat Aviator is a private and secure web browser that uses DuckDuckGo as its primary search engine. It also disables ads and media files from playing automatically, which can be a source of malware attacks. Aviator blocks tracking software used by many search engines and also blocks “HTTP referrers”, preventing servers from tracking the websites you come from when browsing.
One of the more advanced tools employed by people who want anonymity online is called The Onion Router, or Tor for short. This software was originally developed with the US Navy in mind and its primary function was to protect government communication. Tor provides a network of virtual tunnels that protect users’ privacy and blocks their location from snoops.
White says Tor hides users’ Internet protocol address, but a problem with it is that it is very slow and many online services block access if they detect that traffic is coming from Tor nodes.
Although applications such as these assist with users’ privacy and anonymity, changes need to be made at an architecture level, says White “We need engineers responsible for the Internet to build better protocols for users to ensure privacy and anonymity.” — © 2014 NewsCentral Media