Tag Archives: PRISM

Gave Privacy By Design Talk At eth0

I gave my talk about privacy by design last Saturday at eth0 2014 winter edition, a small hacker get-together which was organised in Lievelde, The Netherlands this year. eth0 organises conferences that aim at bringing people with different computer-related interests together. They organise two events per year, one of them during winter. I've previously given a very similar talk at the OHM2013 hacker conference, which was held in August 2013.

Video

Here’s the footage of my talk:

Quick Synopsis

I talked about privacy by design, and what I did in relation to Annie Machon's site and, more recently, the Sam Adams Associates for Integrity in Intelligence site. The talk consists of two parts: in the first part I explained what we're up against, and in the second part I went through the two sites as a more specific case study.

I talked about the revelations about the NSA, GCHQ and other intelligence agencies, about the revelations in December, which were explained eloquently by Jacob Applebaum at 30C3 in Hamburg in December. Then I moved on to the threats to website visitors, how profiles are being built up and sold, browser fingerprinting. The second part consists of the case studies of both Annie Machon’s website, and the Sam Adams Associates’ website.

I’ve mentioned the Sam Adams Associates for Integrity in Intelligence, for whom I had the honour to make their website so they could have a more public space where they could share things relating to the Sam Adams Award with the world, and also to provide a nice overview of previous laureates and what their stories are.

One of the things both sites have in common is that they are hosted on a Swiss domain, which provides a safer haven where content can be hosted without fear of being taken down by the U.S. authorities. The U.S. claims jurisdiction over the average .com, .net, .org domains etc., and there have been cases where these have been brought down because they hosted content the U.S. government did not agree with. Case in point: Richard O'Dwyer, a U.K. citizen, was threatened with extradition to the United States for being the man behind TVShacks, a website that provided links to copyrighted content. MegaUpload, the file locker company started by Kim Dotcom, was given the same treatment: if you visited their domain, you were served an image from the FBI telling you the domain had been seized.

Speaking Truth to Power: Integrity in the Mainstream Media

RT Front page

Yesterday I watched a public discussion (last link in Dutch) on Sargasso between Jeroen Wollaars, NOS reporter, and Arjen Kamphuis, futurist, writer, and co-founder and CTO at Gendo. During his talk at OHM2013 (titled: Futureshock), someone asked Arjen a question that went somewhat like this: “If we cannot trust the mainstream media anymore to supply us with the information we need to act as informed citizens, what is the alternative?” To which Arjen replied that, if you want to be better informed about what happens in the Western world, RT (Russia Today) is pretty good.

Now it is important to be very nuanced here. You probably shouldn’t believe the RT reporting done on stuff that is happening in Russia, as RT is, just like any media organization, selective in the information they broadcast, and probably won’t be objective when it comes to Russia, just like the Western media aren’t objective on Western subjects. But on Western issues, and informing us about all the stuff the Western governments are doing, the RT reporting is very good because unlike the Western mainstream media, the Russians dare to ask the questions that need to be asked. Questions that you won’t hear from the Western mainstream media, and the Dutch media in particular.

So many questions...

Why are the people who committed war crimes and crimes against humanity in an attack helicopter during the Iraq War under the Bush Administration still allowed to walk free, whereas Chelsea Manning was sentenced to 35 years for simply exposing those very same war crimes? How come Manning was sentenced to 35 years, while Anders Breivik was sentenced to just 21? Isn’t that a bit off? A man who ruthlessly and pointlessly murdered 77 people gets less years in prison than someone who exposed the dirty laundry of the powers that be?

When exactly did Dutch Prime Minister Jan Peter Balkenende know about the contents of the Downing Street Memos? Remember, these were the memos that proved definitively that “facts were being fixed around the policy” and that Governor Bush was set in his ways on provoking a war with Saddam Hussein’s Iraq. His administration claimed that Saddam had WMDs (which was a blatant lie, even then), and they even tried to connect Saddam to Al-Qaeda.

Where is the coverage about our own intelligence agencies, like the AIVD, MIVD etc., in relation to the revelations on PRISM? Do they have the same capabilities? Do they request data on Dutch citizens from their UK and US partners? What kind of data sharing is done within these inter-agency cooperations? We know the Americans spy on Dutch citizens as well (just like they do on every person on the planet connected to the Internet or phone networks), but where are the critical questions from the media? Where are the tough talk shows and debates that really question a few high-ranking politicians about these very important issues? The Germans have at least asked these questions of their politicians.

What is the underlying reason for the massive nation-wide push for the RFID OV-chipkaart public transport ticket (at the expense of normal paper tickets), the ANPR (automatic number plate recognition) cameras above the nation’s highways (which are also used by police), or the fingerprints on the RFID chip on our passports? The government seems intent on tracking our every move.

And these are just a handful of questions the Dutch media didn’t bother to ask and issues they didn’t bother to cover.

The problem with the Dutch mainstream media

The Dutch mainstream media are unfortunately excruciatingly bad at journalism. For instance, the whole Manning case is barely on the news here, but whenever the American presidential elections draw near, the whole Dutch mainstream media press corps gets their knickers in a twist in trying to report on the American ‘elections’ in excruciating and nitty-gritty detail.

There are more important things going on in the world than reporting on an election that is principally undemocratic to begin with. After the 2000 presidential election, Governor Bush squatted the White House for 8 years, while Al Gore won the popular vote. It sure was convenient that Bush’s brother Jeb happened to be Governor of Florida when the electoral votes for that state were the deciding factor in who would win the presidency. And there’s stuff like voter suppression and gerrymandering going on in the US as well, which can influence elections quite substantially. But this fixation the Dutch media has with the US elections has always surprised me, given the fact that the coverage is almost on par with our own elections!

The Dutch media stopped asking the critical questions, and are now almost exclusively broadcasting propaganda from Washington. No questions asked, no background stories, no critical analyses, no audi alteram partem. They now mostly copy-paste the press releases from PR departments, and I really miss the critical tone. Most articles are less than 3 paragraphs long.

I will gladly watch the NOS and other Dutch media again (online, for free, not behind a paywall, and using open standards to provide streaming video) when they start being critical of the government which decides on their budget, and start speaking truth to power.

And this is the main reason why I use RT (among others) to keep me updated on the stuff our Western governments are doing. Unlike the Western mainstream media, RT is asking the questions, they currently speak truth to (Western) power. And again, nuance is important: you shouldn’t believe RT too much when it comes to Russia, just like you shouldn’t believe the Western media too much when it comes to the West. It’s both propaganda, one way or the other. The Russians are at least open and frank about where RT gets their money from; in the West they are much more indirect and subtle about these matters. It’s always best to get your news from as many sources as possible, and make your own decisions on who is more likely to tell you the truth.

At the Crossroads: Surveillance State or Freedom?

OHM2013

When I went to OHM2013 last week, it was great to see such increased political activism from the hackers and geeks at the festival. I truly believe we are currently at a very important crossroads: either let governments the world over get away with crimes against the people’s interests, with programs like PRISM, ECHELON, TEMPORA and countless other authoritarian global surveillance schemes, or enter the path towards more freedom, transparency and accountability.

A good example of what not to do is Google Glass. A few weeks ago I came across the story of a hacker who modded Google Glass so as to allow instant facial recognition and the covert recording of video. Normally you need to tap your temple or use voice commands to start recording with Glass, all of which are pretty obvious gestures. But now people can record video and do automatic facial recognition covertly when they wear Glass. I even saw that there's an app developed for Glass, called MedRef. MedRef also uses facial recognition technology. It basically allows medical professionals to view and update patient records using Glass. Of course, having medical records available on Glass isn't really in the interests of the patient either, as it's a totally superfluous technology, and it's unnecessary to store patient records on a device like that, over which you have no control. It's Google who is calling the shots. Do we really want that?

Image above © ZABOU.

As hackers, I think it's important to remember the implications and possible privacy consequences of the things we are doing. By enabling the covert recording of video with Google Glass, and adding instant and automatic facial recognition on top of that, you are basically creating walking CCTV cameras. Also, given the fact that these devices are controlled by Google, who knows where these videos will end up. These devices are interesting from a technical and societal standpoint, sure, but after PRISM, we should be focusing on regaining what little we have left of our privacy and other human rights. As geeks and hackers we can no longer idly stand by and just be content hacking some technical thing that doesn't have political implications.

I truly and with all my heart know that geeks and hackers are key to stopping the encroaching global surveillance state. It has been said that geeks shall inherit the earth. Not literally of course, but unlike any other population group out there, I think geeks have the skills and technical know-how to have a fighting chance against the NSA. We use strong encryption, we know what’s possible and what is not, and we can work one bit at a time at restoring humanity, freedom, transparency and accountability.

These values were won by our parents and grandparents after very hard, bloody struggles, and for a reason. They saw very well what happens with an out-of-control government, and why government of the people, for the people, and by the people is a very good idea. The Germans have had plenty of hands-on experience with the consequences as well, first with the Nazis, who took control and were responsible for murdering entire population groups: not only Jews but also people who didn't think along similar lines, such as communists, activists, gay people, lesbians, transgender people, etc. Later the Germans got another taste of what can happen if you live in a surveillance state, with the Stasi in the former East Germany, who encouraged people to spy on one another, exactly what the US government is currently also encouraging. Dangerous parallels there.

But you have to remember that the capabilities of the Stasi and Gestapo were only limited, and peanuts to what the NSA can do. Just to give a comparison: the Stasi at the height of its power, could only tap 40 telephone lines concurrently, so at any one time, there were at most 40 people under Stasi surveillance. Weird isn’t it? We all have this image in our minds that the prime example of a surveillance state would be East-Germany under the Stasi, while they could only spy on 40 people at a time. Of course, they had files on almost anybody, but they could only spy on this very limited number of people concurrently. Nowadays, the NSA gets to spy continuously on all the people in the world who are connected to the internet. Billions of people. Which begs the question: if we saw East-Germany as the prime example of the surveillance state, what do we make of the United States of America?

The Next Step?

I think the next step in defeating this technocratic nightmare of the surveillance state and regaining our freedom is to educate others. Hold cryptoparties, explain the reasons for, the need for and the workings of encryption methods. Make sure that people leave with their laptops all configured to use strong encryption. If we can educate the general population one person at a time, using our technological skill and know-how, and explain why this is necessary, then eventually the NSA will have no one to spy on, as almost all communication will flow across the internet in encrypted form. It's sad that it is necessary, really, but I see no other option to stop the intelligence agencies' excessive data hunger. The NSA has a bad case of data addiction, and they urgently need rehab. They claim more data is necessary to catch terrorists, but let's face it: we don't find the needle in the haystack by making the haystack bigger.

Ubiquitous Tracking by Big Mega Corporations and What We Can Do About It

Nowadays, if you surf the web like any normal person, chances are your movements on the internet will be tracked. There are a lot of companies tracking you and building detailed profiles about your behaviour on the internet. With all the news about the revelations of Edward Snowden about the mass surveillance going on by the NSA, GCHQ and other Three-letter agencies, you might almost forget that there is a whole world out there with various corporate entities who also build profiles about you, either with or without your knowledge and consent.

Why big corporations are tracking you and building profiles about you

Profiles about your Internet behaviour most often get built by simply surfing unprotected, with your browser executing any and all JavaScript that it comes across, which usually does some data collection about your browser and operating system, which then gets sent back to third-party advertising networks who make money building profiles about every user on the internet. Now, of course they claim this is done to better target ads, so you get ads aimed specifically at your current interests and your geographical location or linguistic background, for instance. You see, when you search for something on the internet, you are revealing something very private indeed: you are revealing what you think at that very moment. What things you are likely interested in.

Google Analytics Dashboard, giving an impression of the things it can track.

This information is worth a lot of money to marketers, who are always on the lookout for ways to target and market their products to just the right audiences. Knowing exactly what people are up to and what their interests are is something marketing departments the world over crave. For if you know exactly what your audience's interests are, you can tailor the marketing of your products to exactly fit their needs, leading to more sales. Selling access to this information is Google's main profit model. The major problem with this data collection is that it is all happening without our knowledge or consent. There are only a few large companies in the world who hold a virtual monopoly on acquiring a lot of data about people via the internet. An example would be Facebook: a lot of sites on the internet (tens of millions) have a certain link with Facebook, via their share buttons. Because these buttons are so ubiquitous, found on almost every other site, Facebook gets to know quite a bit about your surfing behaviour, even if you're not a Facebook user. Your data still gets collected and stored in a shadow profile, where it is then of course susceptible to acquisition by government agents as well.

Major problems with personalized results

As more and more people discover their content and news through personalized feeds like those found on Twitter, Facebook et cetera, the stuff that matters gets pushed off the feed. People who live in the filter bubble, a term coined by Eli Pariser, can easily miss vital information about certain major events. I'll give an example. During the Egyptian Revolution of 2011, two people may have been getting two completely different results on Google. One, who according to the profile built up by Google is more interested in holidays, may have been getting more links on the search engine results page (SERP) about holidays to Egypt, and missed news about the revolution completely, whereas someone who is more politically active may only have got links to news sites with articles about the revolution. This is already a major difference in the results you get. You may be under the impression that the results generated by Google are the same for everyone where, evidently, they are not. They are generated based on your personal interests, information you and/or your computer shared with Google. The question is: is it really always a good thing that we only get to see stuff we are interested in? And that some big mega-corporation like Google is deciding that for us? This way we may miss vital information, as the information that reaches us gets censored transparently, without our knowledge or consent. If we only get our news from personalized news feeds like those provided by Facebook, Google and Twitter, we may miss out on a lot of information. Therefore it is prudent to always use as many different sources of information as possible, so that efforts to filter our results and trap us in the filter bubble have as little effect on us as possible.

Steps we can take to arm ourselves

There are various things we can do to arm ourselves against tracking and the building up of profiles. The first step is using a common browser. This may sound strange, but let me explain. There's a tool written by the Electronic Frontier Foundation (EFF) called Panopticlick. With this tool you can check all kinds of information about what kind of fingerprint your browser leaves behind, and with how many other computers it shares that fingerprint. By having a very large pool of computers, all with the same browser fingerprint, we make it harder for companies to track our movements on the internet, as the pool of possible targets will be larger. Browser fingerprinting works without cookies, so it's a big threat to your online privacy. In terms of browsers, Firefox is a good one. Chrome not so much, as it shares information about which sites you surf with Google. I also recommend Firefox not only because it's open source, but also because of the vast repository of add-ons available for it. Make sure you disable the setting of third-party cookies. Secondly, it helps if we install browser add-ons like Ghostery, NoScript and AdBlock Plus. These add-ons will specifically disable any JavaScript tracking going on, either by disabling JavaScript completely (in the case of NoScript), or by having a list of common advertising companies and other various trackers which it specifically blocks (in the case of Ghostery). AdBlock Plus removes all ads from the websites you visit. They don't even get loaded. JavaScript is a programming language with which we can do a lot of cool stuff: make web pages seem more responsive, have our web apps feel more like desktop apps, etc. A lot is possible with JavaScript. This is in part because it most often gets executed on the client, not on the server. Every browser capable of running JavaScript basically has a virtual machine like Google's V8, or something similar, with which it can run JavaScript.
The problem is that with JavaScript the script writer can also get a lot of information back from the browser, and all kinds of nifty hacks are possible if JavaScript is enabled. So disabling JavaScript wherever possible is a very safe thing to do. And with NoScript, you can still enable JavaScript on a per-domain basis if you need it. This will already prevent a large part of the tracking stuff from ever loading on your computer. Other add-ons like RefControl (which will forge or block the Referer header, HTTP_REFERER on the server side, sent by your browser) also work to enhance your privacy. By reading the Referer header, a site can normally see which site you came from, and by blocking or forging this header, we don't reveal any information about our surfing behaviour in this way. HTTPS Everywhere is a good add-on to have as well, as it enforces HTTPS (secure, encrypted) communications on sites that support it. Some sites, like Facebook for instance, do support HTTPS communications, but redirect all their links to the insecure HTTP variant. By installing HTTPS Everywhere, which is written by the EFF, we force sites like these to use HTTPS all the time. To check with which sites your browser has shared information about you, you can install Collusion. With this add-on, you can open up a tab with information about which sites you have visited during your browsing session, and with which sites your browser has shared information. This is often substantially more than the sites you actually visit. Many sites, for instance, use advertising networks, which load their ads from another domain, and data about you gets sent to these networks to track and profile you. To see whether and to what extent this is happening to you, install Collusion. To get better protection against tracking, we can change our surfing behaviour by avoiding certain US companies like Google. You can instead search the internet using Startpage.
Startpage uses the Google engine, but strips all identifying information from the request before it sends it off to the Google servers, allowing you to search tracking-free. They also don't store any logs whatsoever, and they use encryption by default.
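To make the Panopticlick idea concrete, here is an added example (not code from the original post or from the EFF's tool) that builds a cookie-less fingerprint from navigator-style attributes and measures how many browsers in a population share it, expressed as an anonymity set size and bits of identifying information. The population it runs against is constructed sample data, and the attribute names in `FINGERPRINT_KEYS` are the assumed shape of the input object.

```javascript
// Added example, not code from the original post: a Panopticlick-style measure
// of how identifying a browser fingerprint is. The post's point is that a
// fingerprint only hides you if many other browsers share it, so we compute the
// size of that "anonymity set" and the bits of identifying information
// (surprisal = log2(population / browsers sharing the fingerprint)).
// SAMPLE_POPULATION below is constructed data, not real measurements.

// Attributes a page's JavaScript can read without any cookie being set.
const FINGERPRINT_KEYS = ['userAgent', 'language', 'platform', 'screen', 'timezone', 'plugins'];

// Serialise the attributes of a navigator-like object into one fingerprint string.
// In a browser you would fill `env` from navigator.userAgent, navigator.language,
// navigator.platform, screen.width/height/colorDepth, the timezone offset and
// the plugin list; here it is a plain object so the code also runs under Node.
function buildFingerprint(env) {
  return FINGERPRINT_KEYS.map((key) => `${key}=${env[key] === undefined ? '' : env[key]}`).join('|');
}

// 32-bit FNV-1a hash, so fingerprints can be stored and compared compactly.
function fnv1a(text) {
  let hash = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    hash ^= text.charCodeAt(i);
    hash = Math.imul(hash, 0x01000193) >>> 0;
  }
  return hash.toString(16).padStart(8, '0');
}

// Count how many browsers in a population share each fingerprint hash.
function countFingerprints(population) {
  const counts = new Map();
  for (const env of population) {
    const fp = fnv1a(buildFingerprint(env));
    counts.set(fp, (counts.get(fp) || 0) + 1);
  }
  return counts;
}

// Anonymity set and identifying bits for one browser against a population.
// 0 bits: every browser looks like yours; log2(N) bits: yours is unique.
function identifyingBits(env, population) {
  const counts = countFingerprints(population);
  const fp = fnv1a(buildFingerprint(env));
  let total = population.length;
  let shared = counts.get(fp) || 0;
  if (shared === 0) {
    // Browser not in the sample: it is one more, unique, member of the set.
    shared = 1;
    total += 1;
  }
  return { fingerprint: fp, anonymitySet: shared, bits: Math.log2(total / shared) };
}

// Constructed sample population: 127 "stock" Firefox installs that are
// indistinguishable by these attributes, plus one install that added two plugins.
const STOCK = {
  userAgent: 'Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0',
  language: 'en-US',
  platform: 'Linux x86_64',
  screen: '1920x1080x24',
  timezone: '-60',
  plugins: '',
};
const CUSTOMISED = { ...STOCK, plugins: 'Shockwave Flash 11.2;Java Deployment Toolkit' };
const SAMPLE_POPULATION = Array.from({ length: 127 }, () => ({ ...STOCK })).concat([CUSTOMISED]);

// Stand-alone run: the stock browser hides in a set of 127 (about 0.01 bits),
// the customised one is unique in a population of 128 (7 bits).
console.log(identifyingBits(STOCK, SAMPLE_POPULATION));
console.log(identifyingBits(CUSTOMISED, SAMPLE_POPULATION));
```

The lesson is the one the paragraph gives: every plugin, font or odd setting you add moves you from the large anonymity set towards a fingerprint of your own, which is why a stock, common browser configuration is the privacy-friendly choice.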

Right, am I done yet?

The tips above are only good advice in general, and will protect against most profiling attempts by advertising and other profit-oriented companies which try to sell your profile to their clients, but they won't protect you against a determined, well-financed adversary like an intelligence agency. For this, you need to encrypt the hell out of your life, and use crypto like AES etc. (VeraCrypt) and PGP (GnuPG) as much as possible. Why should we be making it easy for the spooks? In that case, you might also read up on VPNs, and check out the Tor network (but keep in mind that many exit nodes are run by intelligence agencies, so always use end-to-end encryption (e.g. HTTPS) when using Tor). In this case, also try to avoid using any service made available by any US company whatsoever. Think SaaS providers, cloud services, etc. Because of the Patriot Act, US government agencies (and of course, through them, other, foreign intelligence agencies which cooperate with the Americans) can easily request any and all information a company with US ties stores about you. So try to avoid that as much as possible in this case. This is the reason why I've moved my online persona to Switzerland, and why I run my mail on a mail server that I control. Also think about the security of your devices, and only run free software, so there's less chance of a back door hidden in the software you use. You can read up more on the measures you can take when you're up against a more powerful adversary, but with the above tips you'll be well on your way to better securing your communications. Notice: The above article also got published on UKcolumn.org. While I am very happy with the syndication, I don't agree with everything published on UKcolumn.org.

Life, Liberty and the Pursuit of Snowden

Note: This article is also available in Portuguese, translated by Anders Bateva.

237 years ago, 56 traitors to their King and country signed a document which outlined a new philosophy: that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, and that among these are Life, Liberty, and the Pursuit of Happiness. This gave birth to a new nation, the United States of America. Funny how your perception can change depending on your viewpoint and background, isn't it? In 1776, these 56 signatories of the United States Declaration of Independence did something very brave indeed. They took a stand against the Empire on which the sun never sets, the British Empire, because it failed to embody and represent what they believed in: that it should be the task of the government to secure the above rights, and that governments derive their just powers from the consent of the governed. And that whenever the government becomes destructive of these ends, it is the right of the people to alter or abolish it. These men are considered patriots by many Americans, because in defying the King of Great Britain in 1776, they founded the United States of America, a nation once conceived on these noble principles. A nation that sadly no longer adheres to the philosophy laid down in its Declaration of Independence. Had history played out differently, these men could have been tried for high treason and hanged, drawn and quartered. These men took a huge personal risk based on what they personally believed in. You have to remember, back in 1776, the British Empire was a superpower, quite similar to the roles the United States, Russia and China play today. But history is written by the victors, as they say.

Edward Snowden

Now, Snowden blew the whistle because he recognised that the government had failed to defend the rights of the people, had failed to embody the spirit in which it was founded 237 years ago. This is an incredibly brave thing to do. Just think about it: he had to leave his friends and family and his entire life behind, and can probably never visit his friends and family again, because he did what he felt was right: expose the crimes committed by the US government. By many he is now branded a traitor, similar to how those 56 signatories were viewed by a portion of the British people back in the day. I sincerely hope Snowden will stay safe. One of the things that struck me when following the Snowden story is that the media spin machine is now in full swing, trying to come up with dirt on both Edward Snowden and the journalist who published the story in the Guardian, Glenn Greenwald. The goal, of course, is to slowly shift the media's focus away from the main story and onto petty things instead, like the obsession with Snowden's girlfriend, or whether Greenwald should be charged with a crime or not. The goal of those manipulators behind the scenes is to discredit the source who has been leaking this classified but vitally important information, so that eventually people will no longer believe him. By discrediting the whistleblower, they hope to also discredit his story. Don't they get it? Don't they get that transparency, democratic oversight, and checks and balances are what any government that claims to be a government of the people, by the people and for the people desperately needs? Precisely those things that it is now sorely lacking. By having informed, intelligent citizens, we increase overall safety and national security. We don't make our nations any safer by scaring our citizens and beating them into submission. But as of late, the truncheon is used in lieu of conversation more and more...

Meanwhile in Europe…

Here in Europe, we saw politicians finally taking a stand against the NSA PRISM program, but sadly only because it was in their own self-interest to do so. It wasn't until Snowden released documents proving that the United States had been spying on European diplomats in Washington, New York and Brussels, as was published in Der Spiegel on July 1st, that we finally got some strong language from some European leaders, with François Hollande even threatening to suspend the trade pact talks with the US. This delayed reaction by European politicians seems to send the message to European citizens that it's apparently perfectly OK to spy on European citizens (politicians here were awfully quiet when the story broke), as long as the Americans are not spying on our diplomats and politicians. Oh, and if you've heard the NSA's stories about 'metadata', and you're wondering what 'harmless metadata' really means, be sure to check out German Green Party member Malte Spitz's six months of telephone records mapped on a moving map. It's quite a humbling experience. 🙂 Update: Since I wrote this article on July 2nd, 2013, things have changed even more dramatically, as long-established diplomatic principles in international law have been grossly violated by denying President Morales' plane access to French, Spanish, Italian and Portuguese airspace, forcing it to divert to Vienna when the president was on his way home from a summit in Moscow. Of course, this caused massive anger in Latin America. The real problem we now have in Europe is leaders with rubber knees. We have our brains, and our sovereignty. Let's start using them.

Dangers of the ‘nothing to hide, nothing to fear’ mentality

Note: This article is also available in Portuguese, translated by Anders Bateva.

With regards to the whole PRISM program recently unveiled by NSA whistleblower Edward Snowden, I had a discussion with someone a few days ago who still held to the view that if you have nothing to hide, you have nothing to fear from the government. This blog post is mainly aimed at dispelling some of these myths that keep cropping up in these discussions.

Change in Government

One of the biggest problems with this argument is that the government isn't the all-good, benevolent entity that most people think it is. Governments actively and purposefully violate their own laws regularly. Now, governments have always claimed that they work in the best interest of the people (which is what they should do), but who guarantees to me that this will always stay this way? Who guarantees that the Dutch government, for instance, won't turn into a full-blown police state in 5 or 10 years' time, the way the British government already has? GCHQ is even worse than the NSA, as they're tapping over 200 fibre optic cables indiscriminately. Who guarantees to me that there won't be a dictator in 10 years' time, maybe elected in a fit of fear, who then grabs power and starts abusing it to the fullest? Many people seem to laugh at the suggestion, but the danger is still very real. We don't know what will happen in the future, so we should instead be proactive, and make sure that when a malevolent government does come to power (which I hope won't happen), it has as little influence over the lives of the people as possible. An interesting story about changing governments and sudden abuse of power is the story of Jacob Lentz. Lentz was a Dutch civil servant who worked on setting up the national resident registration system and designed the new national ID cards during the Second World War. In the summer of 1940, Lentz was convinced that Nazi Germany would win World War II, and he worked very hard at creating a watertight system. His ID cards were notoriously difficult to forge, even better than the German variant, the Kennkarte, making the lives of Dutch resistance members a lot harder. His system registered a lot of information about Dutch citizens, religion among other things. This made it ridiculously easy for the Nazis, who had conquered The Netherlands in May 1940, to see who was of Jewish descent and who wasn't.
And we all know the unimaginable horrors that led to. Now, Lentz thought he had good intentions. But the road to hell is paved with good intentions, as they say. If Lentz had thought it through just a little bit, had thought of the possible consequences, he might have chosen a different path. He could have saved the lives of thousands of Jews, with little to no danger to his own personal safety, or his family's.

Surveillance: Nothing to hide?

Now, it’s important to remember that you as a citizen usually don’t get to decide what counts as criminal or suspicious behaviour. You usually have no say in the matter, and governments habitually move the goal posts during the game. The average Dutchman can be found in well over 5,000 different government databases (link in Dutch). With this much data on 17 million people, the government is bound to make mistakes. Because of the sheer volume, they have to pattern match and profile you, and that goes wrong regularly. If you buy a bag of fertilizer, are you simply a gardener, are you growing marijuana in your attic, or are you a potential terrorist? This seemingly innocent act can suddenly raise a lot of flags in the numerous interlinked government databases. These databases aren’t perfect, and more often than not they fail to record the critical bits of context that would explain your behaviour. The danger that your actions are recorded while most of the context is missing should be reason enough not to expand the surveillance state any further.

Feature Creep

Then there’s the problem of feature creep. When the government proposes a new law that enhances the powers of the surveillance state, it is always keen to solemnly promise the MPs that these powers will of course only be exercised under strict conditions and regulations, with proper, independent oversight, with a court order, et cetera. In the end, this is almost never the case, and even your common neighbourhood cop suddenly has access to sensitive information about you. This is exactly what happened with RIPA (the Regulation of Investigatory Powers Act 2000) in Britain, an Act passed in 2000, a year before the War on Terror began, which significantly expanded the powers of the British spooks. (It’s interesting to note that a law expanding the powers of the spooks has a name that suggests it seeks to regulate those powers.) It was sold as a tool against serious crime and terrorism; nowadays local councils exercise powers under it as well. And this is happening in a lot of places. These dangers are very real, and we need to start speaking up and demanding proper oversight for the spooks and the rest of the surveillance apparatus. In the meanwhile, there are a lot of things we can do to at least make their work a bit more difficult. 🙂

My Move to Switzerland

Accelerated by the recent exposure of the NSA’s horrible PRISM program by whistleblower Edward Snowden, I’ve decided to finally take the step I’ve contemplated for roughly a year now: moving my online persona to Switzerland.

Why Switzerland?

The reason I chose Switzerland is because of United States policy, really. In recent years, the US administration has been flexing its jurisdictional muscles and has put several perfectly legitimate websites out of business because their owners published things the US junta didn’t like. This happens even when your servers aren’t located in the United States, and even when you don’t market your site to Americans. Because the registries for .com, .net and .org are US companies (VeriSign and the Public Interest Registry), holding such a domain is apparently enough to fall under US jurisdiction.

Examples are legion: MegaUpload, run by New Zealand resident Kim Dotcom (who later launched its successor, Mega), had its domains seized by the US government in January 2012 over copyright infringement allegations. Visitors were served an FBI seizure banner instead of the site, and you can imagine the kind of damage this inflicts if you’re running a company or non-profit and the image put up by the US authorities tells your visitors the site was taken down because of, shall we say, ‘questionable’ content.

TVShack, the website run by the then 23-year-old Richard O’Dwyer, a UK citizen who faced extradition to the United States in 2011 over copyright allegations, even though, as he argued, he was doing nothing illegal under UK law. His website simply aggregated links to places on the Internet where copyrighted content could be found, and he complied with proper notice-and-takedown requests. Yes, you’ve read that correctly: here is someone who actually faced extradition to the US, even though he did nothing illegal under UK law, based on what exactly? Some vague copyright claims by Hollywood.

You have to be careful about which companies you deal with, and especially in which country they are incorporated. If you’re dealing with a US-based company, any US company, it is subject to the US PATRIOT Act (Section 215 orders), NSLs (National Security Letters) and FISA (Section 702 directives), and can be compelled to hand your data and communications over to the US intelligence community, the NSA in particular. The order by the FISC (Foreign Intelligence Surveillance Court) that was published explicitly forbids the company from informing its customers that it is handing their records over, and breaching such a gag order is itself a criminal offence. And it isn’t just metadata: under PRISM the actual content of communications is collected, searched and profiled as well. None of this is really new: the Five Eyes (the US, the UK, Canada, Australia and New Zealand) have been running the ECHELON program for many years. Its existence was confirmed by a European Parliament investigation into the capabilities and political implications of ECHELON in 2001.

What Can You Do?

The solution to this is quite complex and involves many factors and variables you have to consider. But here are some of the things I did:

Basically, you want to have nothing to do with US companies: no US ties whatsoever. As soon as there is a US link, your service providers are subject to US legislation, must comply with the spooks’ orders and, more importantly, can’t tell you about it. So avoid US companies, US cloud providers and so on if you want to stay really secure. That means no Google, Facebook, Twitter, LinkedIn, etc. unless you approach them with a clear strategy in mind and know exactly what you are handing over. Be careful when (if at all) you use these services.

Be sure to install browser plugins like HTTPS Everywhere, which switches you to HTTPS wherever a site offers it, and Ghostery, which blocks the third-party trackers that let these companies follow you from page to page. Be clear about what HTTPS does and doesn’t buy you: the connection between your browser and the site is encrypted, so someone tapping the cable in between sees which host you talked to but not what you said; the site itself, and anyone it hands your data to, still sees everything.

The hardware and software you’re using also need to be as secure as possible. Don’t order your new computer on the Internet, but go to a physical (brick-and-mortar) store (pick one at random that has the model you fancy in stock) and buy one for cash over the counter. The computer should preferably run a free software (free as in freedom, not free as in ‘free beer’) operating system like GNU/Linux (there’s an easy to use distribution of GNU/Linux called Ubuntu) or BSD, and the software running on top of that should preferably be free software as well. Buying at random in a shop makes it impractical to tamper with the hardware in transit from the manufacturer to you (nobody can tell in advance which machine you will pick), and free software makes proper review of the source code possible. Or, as Eric S. Raymond put it in his book The Cathedral and the Bazaar: “Given enough eyeballs, all bugs are shallow.” The caveat is that available source only makes review possible; it does not guarantee anyone has actually done it. Proprietary software is worse still: you cannot check the source code at all, and it’s less flexible than free software because you cannot extend or change it to fit your needs exactly. Even if you don’t have the expertise to do so yourself, you can always hire someone to do this work for you.

As for domain security (to keep the US authorities from seizing your domain and replacing your website with their banner), you can register a domain name that doesn’t fall under US jurisdiction. I chose Switzerland (.ch) because of the way they resisted pressure from the US authorities when they clamped down on Wikileaks. The server is also physically located in Switzerland. This server also runs my email, which I access through a secure, encrypted SSL/TLS connection.

Now, e-mail is basically a plain text protocol: SMTP carries messages in the clear, so anyone who can sniff your packets somewhere between source and destination gets to read them, and every mail server along the way holds a readable copy. A TLS connection to your own mail server only protects the hop between your client and that server. The best way to prevent this is to encrypt the content itself, end to end, and not only to use encryption for authentication. I use GnuPG, an open source implementation of PGP, together with the Enigmail plug-in for Thunderbird. This works with asymmetric encryption: two keys, a public key and a private key, which you generate on your own machine. The public key can be published and shared freely; it is what allows other people to send you encrypted mail and to verify your signatures. The private key you keep secret, since it decrypts mail sent to you and signs mail you send. You can send encrypted e-mail to anyone whose public key you have. One caveat: PGP encrypts the body and attachments only; the subject line, sender, recipients and timestamps stay readable to anyone watching the traffic.
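As an added illustration of the mechanism just described (this is not the author’s GnuPG setup or GnuPG’s own code, but a stand-alone Go program using only the standard library, with a constructed sample message), here is the PGP-style hybrid scheme end to end: a fresh random session key encrypts the message body, only that session key is encrypted with the recipient’s RSA public key, and the sender signs the result with their own private key so the recipient can check who it came from. The names Envelope, Seal and Open are this example’s own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io"
)

// Envelope is the PGP-style message: session key wrapped to the recipient's public
// key, the AES-GCM nonce and body, and the sender's signature over the body.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext, Signature []byte
}

// GenerateKeyPair makes the key pair; the private half never leaves your machine.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ExportPublicKey renders the public half as PEM, the part you publish and share.
func ExportPublicKey(pub *rsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts to the recipient's public key and signs with the sender's private key.
// As in PGP, the body is encrypted under a fresh random 32-byte session key and only
// that key is encrypted with RSA, because RSA cannot encrypt a long message directly.
func Seal(plaintext []byte, recipient *rsa.PublicKey, sender *rsa.PrivateKey) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: body, Signature: sig}, nil
}

// Open verifies the sender's signature, unwraps the session key with the recipient's
// private key and decrypts; a wrong key, forged signature or tampered body errors out.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap session key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	alice, _ := GenerateKeyPair() // sender
	bob, _ := GenerateKeyPair()   // recipient
	bobPEM, _ := ExportPublicKey(&bob.PublicKey) // what Bob publishes
	env, _ := Seal([]byte("constructed sample message"), &bob.PublicKey, alice) // constructed input
	msg, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("%s\n%s (err=%v)\n", bobPEM, msg, err)
}
```

Run it with go run and it prints Bob’s PEM public key (the part he would hand out) followed by the decrypted message. The property to notice is that Open refuses to return plaintext when the signature does not verify, when the wrong private key is used, or when the body has been altered in transit; a failed check must never yield readable output. Real OpenPGP uses its own packet format and cipher choices, but the structure (random session key, public-key wrapping of that key, signature with the sender’s key) is the same.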

If you want to read up some more on some of the practical measures you can take to increase your security, please visit Gendo’s Secure Comms webpage. It contains comprehensive practical advice and lots of links to the software you need to set up secure comms.

My plan is to write more articles on this website, so I’d like to thank you for your time, and hope to see you again soon!