In 2013, former National Security Agency analyst Edward Snowden stunned the world by revealing top-secret details of the agency’s data collection practices. Ever since, individuals and companies all over the world have been trying to figure out how to keep their data safe from Uncle Sam’s prying eyes.
The NSA isn’t content to simply vacuum data out of cyberspace, although it collects enormous amounts of data that way. It also actively undermines data security in a variety of ways. For instance, what the NSA calls “active implants” are installed on “network infrastructure devices” to conduct “targeted copying.” In plain English, this means the NSA is using sophisticated hacking tools to subvert the Internet’s security architecture at its most basic level.
One response to the Snowden revelations was for companies formerly using Internet services in the US to seek out non-US solutions. That’s cost US cloud computing companies at least $35 billion, according to a 2014 study. Of course, since the NSA knows no borders, this precaution didn’t necessarily prevent surveillance by the NSA or US law enforcement agencies. But, it created some legal barriers against it, since the data protection laws of the hosting country would presumably apply.
One of the first companies to consider this tactic was US computing giant Microsoft. In 2014, it announced that it would offer its non-US customers the option to store their data outside US borders. Obviously, it hoped to recover some of the business it had lost to non-US companies offering cloud services. The company knew this precaution wouldn’t stop all NSA surveillance. But, it was a start.
Naturally, this didn’t sit well with the Obama administration. It promptly filed a lawsuit against Microsoft demanding that it give the government access to an e-mail account hosted at a facility in Ireland. The resulting ruling declared that US companies must turn over private information stored anywhere in the world when they receive a valid demand from the US government.
Microsoft appealed the decision, and the appeal remains pending. In the meantime, Microsoft—and the Irish government—suggested there was an existing mechanism prosecutors could use to legally obtain it. That mechanism is the US-Irish MLAT, or Mutual Legal Assistance Treaty.
MLATs facilitate information exchange and asset recovery by governments in criminal investigations. But, they also respect a concept called “comity,” and that fact doesn’t sit well with the US. Comity is a rule of courtesy in which one country defers to the jurisdiction of another. Under the rules of comity, domestic courts generally respect the laws and judicial procedures of foreign jurisdictions.
In the context of the case against Microsoft, Irish law is more restrictive than US law when it comes to data disclosure. It’s easier for US prosecutors to collect data directly from Microsoft than to make an inquiry under the MLAT. So that’s what they do.
While waiting for the results of the appeal, a legal bombshell emerged. Last week, the European Court of Justice (ECJ), the highest judicial body of the European Union, invalidated an EU-US data exchange agreement. The ECJ concluded that US companies can’t be trusted to maintain EU data protection standards, due to the massive surveillance programs Snowden revealed.
Under the now-defunct “Safe Harbor” agreement, US companies could self-certify that they were complying with EU data privacy standards when handling EU citizens’ data. But with the agreement nullified, US companies will have to go through a lengthy process to insure that EU data is adequately protected. Naturally, US companies are reluctant to do so, and have lobbied their friends in Congress to change the law. But barring the election in 2016 of 500 or so Edward Snowden clones to Congress, that’s not likely.
In the ongoing tug-of-war between the US and EU over data privacy, very little has been said about what ordinary citizens can do to protect themselves from surveillance. It really boils down to one piece of advice: encrypt everything.
Encryption scrambles data using mathematical formulas that make the message unreadable to anyone except for someone possessing the key to "decrypt" it. The programs and processes now used for this purpose are so sophisticated, according to Edward Snowden that even the super-computers used by NSA can't routinely decipher them (although the NSA is working on many fronts to subvert encryption any way it can).
There are three levels of encryption you should be using:
For email encryption, a good option is some variant of “Pretty Good Privacy” (PGP). A free basic version of PGP is GNU Privacy Guard. This program also lets you encrypt files on your PC. It can be cumbersome to work with, so add-ons and tools have been constructed to make encryption easier for newbies. One of the best is Enigmail, a plug-in for the popular Thunderbird email program.
Even if you encrypt the content of your messages, the “header” information (i.e., the recipient of the message and the date and time it was sent, along with other data) remains intact, even in encrypted emails. If the data stream between your PC and the Internet is not itself encrypted, your Internet Service Provider can monitor who you’re corresponding with, on what dates, and how often. If a law enforcement agency conducts this type of investigation, it doesn’t need a warrant – simply a subpoena stating that the data is relevant to an investigation. The best way to protect yourself from this type of privacy intrusion is with a “virtual private network,” or VPN. The one we use at The Nestmann Group is Cryptohippie.
Finally, you’ll want a non-US e-mail provider. A good one is ProtonMail. The company offers end-to-end encrypted email and is based in Switzerland. That means your stored emails are secure from US subpoenas and court orders. In addition, ProtonMail has no access to the contents of your email, because only you have the password used to encrypt your email messages.
Especially if you’re an American, your government has zero interest in protecting your privacy. Quite the opposite. If you value privacy, you’ll need to act on your own to protect yourself. Today wouldn’t be too soon to start.