Monthly Archives: June 2013

Dangers of the ‘nothing to hide, nothing to fear’ mentality

Note: This article is also available in Portuguese, translated by Anders Bateva.

With regards to the whole PRISM program recently unveiled by NSA whistleblower Edward Snowden, I had a discussion with someone a few days ago who still held to the view that if you have nothing to hide, you have nothing to fear from the government. This blog post is mainly aimed at dispelling some of these myths that keep cropping up in these discussions.

Change in Government

One of the biggest problems with this argument is that the government isn’t this all-good, benevolent entity that most people think it is. They actively and purposefully violate their own laws regularly. Now governments always have claimed that they work in the best interest of the people (which is the thing they should do), but who guarantees to me that this will always stay this way? Who guarantees that the Dutch government for instance, won’t turn into a full-blown police state in 5 or 10 years time, the way the British government already has? GCHQ is even worse than the NSA, as they’re tapping over 200 fibre optic cables indiscriminately. Who guarantees to me that there won’t be a dictator in 10 years time, maybe elected in a fit of fear, who then grabs power and starts abusing it to the fullest? Many people seem to laugh at the suggestion, but the danger is still very real. We don’t know what will happen in the future so therefore we should instead be proactive, and make sure that when a malevolent government does come to power (which I hope not), it has as little influence over the lives of the people as possible. An interesting story about changing governments, and sudden abuse of power is the story of Jacob Lentz. Lentz was a Dutch civil servant who worked on setting up the national resident registration system and designed the new national ID cards during the Second World War. In the summer of 1940, Lentz was convinced that Nazi Germany would win World War II, and he worked very hard at creating a watertight system. His ID cards were notoriously difficult to forge, even better that the German variant, the Kennkarte, making the lives of the Dutch resistance members a lot harder. His system registered a lot of information about the Dutch citizens, religion among other things. This make it ridiculously easy for the Nazis, when they conquered The Netherlands in May 1940, to see who was of Jewish descent and who wasn’t. And we all know the unimaginable horrors that led to. Now, Lentz thought he had good intentions. But the road to hell is paved with good intentions, as they say. If Lentz had thought it through just a little bit, had thought of the possible consequences, he might have chosen a different path. He could have saved the lives of thousands of Jews, with little to no danger to his own personal safety, or his family’s.

ProfilingSurveillance: Nothing to hide?

Now, it’s important to remember that you as a citizen usually don’t get to decide what constitutes criminal or suspicious behavior or not. You usually have no say in this matter, and governments habitually move the goal posts during the game. The average Dutchman can be found in well over 5,000 different government databases (link in Dutch). Now, with this much data on 17 million people, the government is bound to make mistakes. Because of the vast amount of information, they have to pattern match and profile you. This often leads to mistakes. If you buy a bag of fertilizer, are you simply a gardener, growing marijuana in your attic or maybe even a potential terrorist? This seemingly innocent act can suddenly raise a lot of flags in the numerous interlinked government databases. These databases aren’t perfect, and more often than not are failing to register the critical bits of context that might explain your behavior. The danger that your actions are registered while missing a lot of context, should be reason enough why we shouldn’t want to expand the surveillance state any further.

Feature Creep

Then there’s the problem of feature creep. When the government proposes a new law that enhances the powers of the surveillance state, they are always keen to solemnly promise to the MPs that these powers will of course only be exercised under strict conditions and regulations, with proper, independent oversight, with a court order, et cetera. In the end, this is almost never the case, and even your common neighborhood cop suddenly has access to sensitive information about you. This is exactly what happened in the case of RIPA (the Regulation of Investigatory Powers Act 2000) in Britain. This was an Act that was passed at the start of the War on Terror, expanding the powers of the British spooks significantly. (It’s interesting to note that a law expanding powers of the spooks has a name that seems to suggest that it seeks to regulate said powers) When it was passed into law, it was supposed to only be used by the spooks, while nowadays, local councils can exercise these powers as well. And this is happening in a lot of places. These dangers are very real, and we need to start speaking up, and start demanding proper oversight for the spooks and the rest of the surveillance apparatus. In the meanwhile, there are a lot of things we can do to at least make their work a bit more difficult. 🙂

My Move to Switzerland

Accelerated because of the recent exposure of the NSA’s horrible PRISM program by whistleblower Edward Snowden, I’ve decided to finally take the steps I’ve contemplated about for roughly a year now: moving my online persona to Switzerland.

Why Switzerland?Swiss Flag

The reason I chose Switzerland is because of United States policy, really. In recent years, the US administration has been flexing their jurisdictional muscles and have been putting several perfectly legitimate websites out of business because their owners published things the US junta didn’t like. This happens even when your servers aren’t located in the United States, and even when you don’t market your site to Americans. Having a .com, .net or .org is apparently enough to fall under US jurisdiction.

Examples are legion: Mega (previously known as MegaUpload), ran by the New Zealand citizen Kim Dotcom, whose domains have been seized by the US government because of vague copyright infringement allegations. Their website got defaced by the American government, and you can imagine the kind of damage this may inflict if you’re running a company or non-profit, and the image put up by the US authorities says your website was taken down because of, shall we say, ‘questionable’ content.

TVShacks, the website ran by the then 23-year-old Richard O’Dwyer, a UK citizen who faced extradition to the United States in 2011 because of copyright allegations, even when he was not doing anything illegal according to UK law. His website simply aggregated links to where copyrighted content could be found on the Internet, and he complied with proper notice and take-down requests. Yes, you’ve read it correctly: here is someone who actually faced extradition to the US, even when he didn’t do anything illegal under UK law, based on what exactly? Some vague copyright claims by Hollywood.

You have to be careful about which companies you deal with, and especially in which country they are incorporated. Because if you’re dealing with a US-based company, any US company, it will be subject to the US PATRIOT Act, NSLs (National Security Letters), FISA and legally required to put in back-doors and send logs containing your traffic to the US intelligence community, the NSA in particular. And in the order by the FISC (Foreign Intelligence Surveillance Court) it explicitly says that you can’t inform your clients about the fact that you have to send all their communications to the NSA. It also stipulates hefty prison sentences for the leadership of the US companies that are found to be breaching this stipulation in the order. And they aren’t collecting just meta-data: the actual content of your communications are recorded and profiled and searched through as well. But this wasn’t really anything new: the US plus the UK and her former colonies have been running the ECHELON program for many years. Its existence was confirmed by a European Parliament investigation into the capabilities and political implications of ECHELON in 2001.

What Can You Do?

The solution to this is quite complex and involves many factors and variables you have to consider. But here are some of the things I did:

Basically you want to have nothing to do with US companies. Basically don’t have any US ties whatsoever. Because as soon as there is a US link, your service providers are subject to US legislation, have to comply with the spooks’ orders and more importantly: can’t tell you about it. So avoid US companies, US cloud providers, etc. at all costs if you want to stay really secure. So no Google, Facebook, Twitter, LinkedIn, etc. without approaching this with a clear strategy in mind. Be careful when (if at all) you’re using these services.

Be sure to install browser plugins like HTTPS Everywhere (to use secure HTTPS connections wherever possible; providing end-to-end encryption) and Ghostery to prevent letting these companies track the web pages you visit.

The hardware and software you’re using also needs to be as secure as possible. Don’t order your new computer on the Internet, but go to a physical (brick-and-mortar) store (pick one at random that has the model you fancy in store) and buy one cash over the counter. The computer should preferably be running a free software (free as in freedom, not free as in ‘free beer’) operating system like GNU/Linux (there’s an easy to use distribution of GNU/Linux called Ubuntu) or BSD, and the software running on top of that should preferably be free software as well. This is done to ensure that the hardware cannot be compromised in the transfer from the manufacturer to you (since it’s impossible to tell which computer you’re going to pick at the store), and to ensure proper review of the source code of the software you are using. Or, as Eric S. Raymond said in his book The Cathedral and the Bazaar: “Given enough eyeballs, all bugs are shallow.” You cannot trust proprietary software, since you cannot check the source code, and it’s less flexible than free software because you cannot extend or change the software to fit your needs exactly. Even if you yourself don’t have the expertise to do so, you can always hire someone to do this work for you.

With regards to domain security (to prevent the US authorities from defacing your website) you can register a domain name that doesn’t fall under US jurisdiction. I chose Switzerland (.ch) because of the way they’ve been resisting pressure by the US authorities when they clamped down on Wikileaks. The server is also physically located in Switzerland. This server is also running my email, which I access through a secure, encrypted SSL/TLS connection.

Now, e-mail is basically a plain text protocol, so people still get to read them if they sniff your packets somewhere between source and destination. The best way to prevent this from happening, is to use encryption, not just for authentication, but encrypt the content as well whenever possible. I use GnuPG, an open source implementation of PGP, together with the Enigmail plug-in for Thunderbird. This works using asymmetric encryption, with two keys, a public key and a private key, which you generate on your machine. The public key can be published and shared freely, as this is what allows other people to send encrypted mail to you. You have to keep the private key secret. You can then send encrypted email to people if you have their public key.

If you want to read up some more on some of the practical measures you can take to increase your security, please visit Gendo’s Secure Comms webpage. It contains comprehensive practical advice and lots of links to the software you need to set up secure comms.

My plan is to write more articles on this website, so I’d like to thank you for your time, and hope to see you again soon!