How to protect your PC from PRISM surveillance

You have the right to be secure in your electronic communications. Here's a few tips on how to do it.

Thursday afternoon, a bombshell dropped: Two leading reports claimed that the U.S. government has been spying on emails, searches, Skype calls, and other electronic communications used by Americans for the last several years, via a program known as PRISM.

According to the reports, the Web's largest names--AOL, Apple, Facebook, Google, Microsoft, Skype, PalTalk, Yahoo, and YouTube--participated, perhaps unwittingly. (Dropbox will reportedly be added as well.) The report claims that the National Security Agency had "direct access" to servers owned by those companies. Most, if not all, of those companies have denied participating in PRISM, although it's unclear whether they were unaware of the NSA's spying, or simply turned a blind eye.

According to The Guardian and The Washington Post, the data covered included: "email, video and voice chat, videos, photos, voice-over-IP chats, file transfers, social networking details, and more."

If nothing else, however, the PRISM disclosure is worrying and deeply shocking. If the report is accurate, the government may simply listen in on virtually any electronic communication you've made, in the interests of national security. Is this something that should be encouraged to fight domestic terrorism, or is this sort of government intrusion something that should be deeply distrusted? For the purposes of this story, we're going to err on the side of the latter; whether you take advantage of our advice is up to you.

Note that there is absolutely no guarantee that our tips will make your PC PRISM proof. One of the generally held beliefs in the security world is that, with enough resources on the part of the attacker, any secrets that are known about can eventually be unearthed. But let's say that you support an "Arab Spring" movement in a country whose interests parallel those of the U.S. government. It's this sort of political uncertainty that encrypting personal communications is designed to liberate.

So what can you do? Here are some tips.

Avoid using popular Web services

This is an easy one. If you're concerned about the government watching your moves online, simply avoid making Microsoft Bing and Google your search engines of choice; try DuckDuckGo instead. The site promises not to track or store your searches, which should provide some degree of confidence that you're not being tracked online. Both reports from  the Post and the Guardian indicate that the PRISM program is expanding, although for now DuckDuckGo seems to be safe.

Naturally, this also means ditching a Gmail or Hotmail account, and deleting your accounts from those sites. Instead, it's time to think about laying low and skipping around services that you might have forgotten about: Mapquest for maps, for example. You may as well stop social networking altogether, unless it happens to be direct, person-to-person communications.

And there's no sense in surfing using Chrome, Internet Explorer, or Safari, either. Sure, there's Firefox and Opera, but the PCWorld's review of the Tor browser shows it to be a slow but anonymous way of browsing the Internet.

Ditch your smartphone

If we assume that Apple, Google and Microsoft are being monitored, then the safest way to avoid being tracked is to ditch your smartphone. A number of services already ask for your location, in the name of providing better search results or services. And BlackBerry, of course, is no better; that company has already acceded to requests to allow foreign governments access to its data, so the paranoiacs should ditch them, too. Feature phones may be no better, but the amount of information that can be captured is much smaller.

Encryption, encryption, encryption

Eventually, however, you're going to have to start communicating with someone, probably electronically. If you'd like to think those conversations are private, it's time to start thinking about encryption.

To start out with, you'll want to encrypt your hard drive and existing files. Alex Castle's piece discusses using TrueCrypt and other tools to start securing your files. Note that some of the tools he recommends are from the providers that PRISM is reportedly monitoring; you'll have to decide if you want to go elsewhere for encryption protection.

From there, protect your email by encrypting it. To secure your email effectively, you should encrypt three things, Eric Geier notes: the connection from your email provider; your actual email messages; and your stored, cached, or archived email messages. If you want to take it even further, consider using a secure email service. Email will travel over the Internet, where it can be accessed by theoretically just about anyone. Companies like Silent Circle (founded by PGP creator Paul Zimmermann) profess to offer secure voice, email, voice communications via dedicated connections between subscribed devices.

Subscribe to a VPN

In the same vein, consider signing up a virtual private network, which creates an encrypted "tunnel" to another server, which then acts as an agent on your behalf. Eric Geier's piece on how to set up a VPN explains how to do this. Note that the performance of your PC may suffer somewhat, as the latency to funnel communications back and forth (some solutions use servers based in the EU, for example) may take some time. But security layered upon the encryption applied by other solutions may provide some additional reassurance that your communications are private.

Watch those hotspots

Wandering from coffee shop to library to free cafe may provide another layer of security, as your client IP address will vary by location. Just make sure that when you're roaming from location to location, someone isn't trying to sniff your PC--or worse. Preston Gralla's story on protecting yourself at hotspots also contains advice tailor-made to protecting your privacy while on the go, including nailing down older apps that might allow an intruder inside your PC.

Obviously, block that malware

Let's face it: the first and most obvious thing you should do to secure your PC is to lock it down from malware. Our tests from January provide you the best antimalware solutions, empirically tested to ensure that no Trojan or other worm sneaks inside your PC and provides its own spying eyes on your online activities. Your PC should be your castle, and antimalware is the first line of defense. Frankly, if you're concerned about the safety and well-being of your PC, you should have taken care of this long ago.

Tie it up together with a hard password knot

The last thing you'll want to do is make sure that all of your encrypted services are tied up neatly with a unique, easy-to-remember-but-impossible-to-crack passphrase. PCWorld has some tips to manage passwords, including what's coming down the pipe. But the best practice right now seems to be to find a good password manager like LastPass, and create your own unique password. Bruce Schneier's "Schneier scheme" recommends that you create a passphrase ("Man, those six flights of stairs to my New York apartment were killer.") and then abstract it, possibly with the first letters. ("M,tsfostmNYawk.") It's not perfect, but it's a lot better than random words and phrases that can be easily guessed.

Will these tips make your PC PRISM proof? No, not necessarily. But if you're concerned about the recent PRISM disclosures, they'll go a long way to help you sleep better at night--outside of smashing your PC to bits, distributing the pieces randomly among a dozen scrap heaps, and moving to the woods, that is.

Join the CSO newsletter!

Error: Please check your email address.

Tags National Security Agencydropboxwashington postWebsitesprivacyyoutubeFacebookAppleYahooskypeGoogleMicrosoftsecurity

More about AOLAppleBlackBerryDropboxEUFacebookGoogleHotmailMicrosoftNational Security AgencyNSAPalTalkPGPSkypeYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Mark Hachman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts