By Joe Levi | October 14, 2013 7:29 AM
Do you remember when, if someone said a government agency was “listening in” on phone calls made by its citizens they were labeled a “crackpot”, a “whack job”, a “nut case”, or a “conspiracy theorist”? A government can’t possibly do all that, and even if they could, they wouldn’t because it’s just crazy, right?
Fast forward to today and we now know that the government agencies are doing exactly that. Verizon has admitted to an order to provide information on all telephone calls in its system to the NSA on an “ongoing, daily basis”. What’s more, all major carriers have either admitted to being ordered to do the same, or have refused to deny it. To make matters even worse, information has come forward that more than one government agency is doing the same thing. Thank you for making all of the “paranoid crazy people” look sane and rational.
Now that we know it’s happening, what are our carriers going to do to keep our communications private? At this year’s Cyber Security Summit in New York City, Marcus Sachs, Verizon’s VP of national security policy made an interesting statement:
“If you’re worried about (your privacy), do something about it. Take security on yourselves, and don’t trust anybody else to do it. Don’t look at us to protect your data. That’s on you. There are services out there (that offer privacy) up to a certain point. You want encrypted phone calls? There’s an app for that.”
Is there really “an app for that”? Before we get into apps, let’s look at how we use our smartphones, and what kind of personal information we’re giving up.
Hopefully it won’t come as a surprise to you that your cellular carrier knows where you are. What if you turn off your GPS? That’s fine, but you probably still have your WiFi on. Even if you’re not connected to a WiFi network, your device still has a rough idea where you are just by “looking” at the WiFi networks around you.
Even if you don’t have your WiFi on, and even if you’re using a “dumb-phone”, your carrier still knows where you are. You have to be connected to a tower for your cell phone to work. Your carrier knows what tower you’re connected to, and where that tower is located. Therefore, they know roughly where you are.
The only way to hide your location is to turn off your phone completely. Of course you can’t make or receive phone calls this way, but it’s the cost of geographical privacy, and there’s no app that can protect you.
Many of us use email on our smartphones. These messages are sent “in the clear”, just like postcards in the tangible world. You shouldn’t expect any privacy when sending or receiving a typical email.
If you’d like to secure your email, you can do that. Using technologies like x.509, PGP, and GPG, you can get a certain level of security, but it’s highly inconvenient (for both the sender and the receiver). And even then, you only get the same security as you’d have in a typical “security lined” envelope. To get really secure email you need to use a much higher level of encryption, and most of these services are closing shop due to pressure from government agencies.
To make matters worse, mobile solutions for even the most basic levels of email security aren’t very plentiful, and those that you can get aren’t all that user-friendly.
SMS, MMS, and voice
SMS text messages simply piggyback on the protocol that your phone uses to check in with the cellular tower. The messages are in the clear unless you’ve got some kind of encryption going on, and with only 140-or-so characters to use, your texts aren’t going to be very lengthy. There are some services which send encrypted text messages but do so using a TCP/IP network rather than stock SMS. This is something different entirely.
GSM communications does use a type of encoding, but you’re still sending date and time, as well as information about each party with every call you make (or receive). This is the “meta-data” that’s got privacy activists up in arms. And rightly so. This information is potentially more dangerous than government agents actually listening to phone calls, since the content of the conversation isn’t actually heard (or so they tell us) and is therefore inferred by context.
Making encrypted phone calls requires an app, but it also requires that app to be running on the receiving end as well, and it still doesn’t solve the problem with meta-data.
Anything you ask for that lives on the Internet is traceable by your service provider. Who is that? In this context it’s the same cellular provider who is already handing over your data to virtually anyone that asks for it and says “we’re from the government”. As such, the corresponding meta-data is very readily available. What’s more, because of the way the Internet works, every stop along the route has the potential to inspect your packets. This is why most sites that deal with your personal information ( any site that you log in to) is moving over to SSL to encrypt your data along the way.
No magic bullet… or is there?
I started researching this article with the intention to provide you with a list of apps, services, techniques, and/or methodologies that you could use to do exactly what Verizon’s VP of national security policy said: take your privacy upon yourself. The more I researched, the more I found that there simply is no magic bullet. There are several rough, and questionably reliable apps and services that may help, but nothing I felt confident enough to mention.
Then it hit me. Perhaps we’re talking about too wide a net when we consider each service separately. When we take them all together, however, one solution becomes plausible: do everything over the ‘Net. No, this won’t help with geo-location, but if you forego all your “telephone” solutions (voice, SMS, MMS, etc.) and replace them with TCP/IP equivalents, privacy gains an extra layer. When you add VPN on top of that, a somewhat secure package starts to take shape.
Unfortunately, to fully service this, the VPN provider would need to be outside the geopolitical influence of the US and other governments, but it’s the best I can come up with.
I haven’t yet set up a secure, totally IP solution for my smartphone. Carriers currently make data-only plans somewhat expensive when compared to their “traditional” siblings. I’m sure there are solutions out there, but that’s where you come in! What tools, tips, or solutions do you use to ensure your privacy? Apps? Services? A combination of both? Let us know what you use, along with the benefits and disadvantages, in the comments below!
Source: DSL Reports