US surveillance flap shines light on Web 'anonymizers'

Jun 16, 2013 by Rob Lever
A woman looks at a webpage on March 15, 2013 in Paris. News of a massive surveillance effort led by the secretive National Security Agency has sent Web users scrambling to find new ways to avoid tracking.

News of a massive surveillance effort led by the secretive National Security Agency has sent Web users scrambling to find new ways to avoid tracking.

It might have seemed paranoid not long ago when netizens used tools to hide their tracks, "shred" data or send self-destructing messages.

Web anonymizers, encryption programs and similar tools have been available for years, but have been often associated with hackers, criminals and other "dark" elements on the Internet.

"I think the notion of what is an unreasonable level of paranoia has shifted in the past couple of weeks," said Alex Stamos, an NCC Group security consultant and self-described "white hat" hacker.

Ironically, some tools for eluding detection come from US government-funded programs aimed at helping people living under authoritarian regimes.

"The technologies usable in Tehran or Phnom Penh are just as usable in New York or Washington," said Sascha Meinrath, who heads a New America Foundation program helping users maintain secure and private communications in totalitarian countries.

"The real problem is that many people don't know these tools exist and a lot of them are not usable to non-geeks."

One of the well-known programs used to hide online traces is Tor, a tool originally developed by the US military and now managed by the nonprofit Tor Project.

Tor, which has some 500,000 users worldwide, about 15 percent of whom are in the United States, can be used online to hide one's IP address, effectively blocking tracking by governments or commercial entities seeking to deliver targeted advertising.

Tor's development director Karen Reilly said the US government promotes the program in other countries, but noted that it also protects against snooping from US law enforcement.

"We get inquiries from law enforcement saying criminals are using Tor, and they want to know where the back door is," she said.

"There is no back door. We are protecting you not only from your (Internet provider) but from us. We never keep records that can identify our users."

Reilly brushed aside concerns about nefarious elements on the Internet hiding behind Tor and similar programs.

"Criminals are the ultimate early adopters of new technologies," she said.

If anonymous programs were not available, Reilly said "they would find another option."

People in the hacker and security communities say they are not surprised about the 's PRISM program, but that its scope and its ability to scoop up huge amounts of data—if reports are correct—are frightening.

"The problem is we are keeping 'gold' in databases and it's impossible to secure this," said Nico Sell, a founder of Wickr, a startup that makes an app to allow people to secure and "shred" data sent on mobile devices.

Sell said she has seen "a tremendous uptick in downloads over the last week" of the Wickr app.

"People are now realizing that they get more security and are switching over from Skype," she said.

"All of our messages self-destruct... everyone has wanted self-destructing messages since 'Mission Impossible.'"

Casey Oppenheim, co-founded of an online identity-masking program called disconnect.me, said he has surprisingly not seen a surge in downloads since the revelations, adding that it is not clear if understand the implications of PRISM.

Oppenheim said the databases of major firms contain history of Web browsing searching which he called "highly personal."

"It's a direct connection to your personal thoughts... all of that information is online, it's very easy to get a hold of. Most people don't understand the extent to which this happens."

Oppenheim said the software operates like Tor, but has "an extra layer of protection" that allows users to log into their personal accounts and still remain anonymous online.

Stamos said that on the corporate side, communications cannot be encrypted because they must be available in case of court actions or subpoenas.

He said individuals can encrypt their emails but that this was too complicated for most people, requiring an exchange of encryption "keys."

In the browsing area, the search engine DuckDuckGo, which does not store IP addresses, said it has seen record growth.

"I think since the story broke, people have been seeking out privacy alternatives," said DuckDuckGo founder Gabriel Weinberg.

"No one from law enforcement has ever come to us for data, but if they did we wouldn't have it."

Graham Cluley, a British-based independent security consultant, said people who use privacy tools should not be viewed as criminals.

"What would be troubling is if society begins to slide toward a viewpoint that paints the use of encryption and other tools that aim to protect our privacy as somehow 'dark arts,'" he said.

Meinrath of the New America Foundation said it would be ludicrous to try to ban online privacy tools.

"You would have to make illegal the pen or the computer or just about any other communication tool ever devised," he said.

The US Postal Service cannot open mail without probable cause "and yet the government is saying that if that is an electronic communication they have a right to surveillance," he said.

"The privacy of our correspondence is fundamental to our democracy."

Explore further: US Congress decriminalizes cellphone unlocking

add to favorites email to friend print save as pdf

Related Stories

Global netizens see worrying trend in US spying

Jun 08, 2013

Revelations that the U.S. government has been snooping on Internet users worldwide failed to shock global netizens, who say they've already given up on expectations of online privacy in the face of growing ...

Push for US Internet 'wiretap' law faces tough road

Jun 02, 2013

The FBI is stepping up its effort to get broader authority to put "wiretaps" on the Internet to catch criminals and terrorists. But the move is drawing fire from civil liberties groups, technology firms and others who claim ...

Wickr app aims to safeguard online privacy

Feb 02, 2013

Wickr co-founder Nico Sell is working toward "geek utopia," a world where people hold the power when it comes to who sees what they share on the Internet or from their phones.

Recommended for you

Scalping can raise ticket prices

Jul 25, 2014

Scalping gets a bad rap. For years, artists and concert promoters have stigmatized ticket resale as a practice that unfairly hurts their own sales and forces fans to pay exorbitant prices for tickets to sold-out concerts. ...

Study shows role of media in sharing life events

Jul 24, 2014

To share is human. And the means to share personal news—good and bad—have exploded over the last decade, particularly social media and texting. But until now, all research about what is known as "social sharing," or the ...

User comments : 12

Adjust slider to filter visible comments by rank

Display comments: newest first

Protoplasmix
1 / 5 (2) Jun 16, 2013
My guess is encryption is no obstacle if they eavesdrop the key exchange, and without a key it's not impossible to crack by utilizing the distributed computing platform of the Internet itself in conjunction with any of a number of available supercomputers.
CaptainSlog
5 / 5 (1) Jun 17, 2013
My guess is encryption is no obstacle if they eavesdrop the key exchange, and without a key it's not impossible to crack by utilizing the distributed computing platform of the Internet itself in conjunction with any of a number of available supercomputers.


You only exchange public keys. You do not exchange private keys
Protoplasmix
1 / 5 (2) Jun 17, 2013
Your only exchange public keys. You do not exchange private keys.

But the private key has to remain private. Do you trust some "antivirus" software or "firewall" for that? How about trusting the security that the former head of the CIA had for all the emails with his mistress? News of other breeches of secure government computers is commonplace.
And if the private key's not accessible there's the brute force method, as I mentioned. I doubt it would be called "Boundless Informant" if it wasn't.
Protoplasmix
1 / 5 (2) Jun 17, 2013
Breeches > breaches
scenage
not rated yet Jun 17, 2013
@Protoplasmix: If you are that paranoid, go open source apps and read the code so you are sure its secure.

Also, if you are scared they will brute force you, just make the keys longer with combinations of encryption algorithms and hashes ;)
dbsi
not rated yet Jun 17, 2013
Problem 1: Security is about paranoia, otherwise you just trust that nobody is interested to hack you and to get your data.

And you do not only have to trust Governments and it's agencies, with the vast data to be processed, more and more you need to trust "intelligent automated processes" used to filter and categorize your data. You need to worry about false positives! You just might loose your job or worse, without ever knowing it.

lf a society wants to protect itself from maniacs by listening to their communication, this is the price.
But you need transparency and you better have a good oversight of such programs and systems, in place (political and administrative).

antialias_physorg
3.7 / 5 (3) Jun 17, 2013
just make the keys longer with combinations of encryption algorithms and hashes

Either, or. Don't mix encryption schemes. Don't add encryptions on top of one another. Contrary to intuition an encryption is only as secure as its least secure part.

If you absolutely must us hashes then make sure you use a hashing function with no hash collisions - otherwise you're vulnerable to rainbow table attacks.

Example of the above: If your 500 character long password maps to the same hash as a 3 character long one then your password isn't as strong as you think (it can be cracked by trial-and-error of hashes in under a second). Your computer compares the HASH of a password to the hashes stored in the password database - not the word itself (it would be bad practice to store passwords on a system in plaintext).
dbsi
not rated yet Jun 17, 2013
Problem 2: Security tools are just to complex for normal users. So what you will have is just a very tiny portion of encrypted traffic, which can not be decrypted on the fly. There you try then using brute force or you investigate the source and target addresses.
dbsi
not rated yet Jun 17, 2013
@ Stamos: "Stamos said that on the corporate side, communications cannot be encrypted because they must be available in case of court actions or subpoenas."

Yes you can! You just need to be able to provide the keys to decrypt it. If you are not able to do this, then yes, you should not!
Protoplasmix
1 / 5 (1) Jun 17, 2013
If you are that paranoid, go open source apps and read the code so you are sure its secure.

Okay, and for the proprietary firmware? And where can I get open source hardware? Or should I simply reverse-engineer that in my spare time?
scenage
not rated yet Jun 17, 2013
@Protoplasmix: Hey, if you don't trust them to be secure, you'd have to learn it yourself right? That's all I'm saying.
scenage
not rated yet Jun 17, 2013
@anti: Correct for the most part.

For anyone who is interested in Cryptography and is thinking of combining encryptions:

http://blog.crypt...ion.html