Does encryption really shield you from government's prying eyes?

Encrypting data may not guard against surveillance, some experts say, while others argue in favor of taking steps to protect privacy

The NSA has been watching.

The NSA has been watching.

If you're thinking about encrypting email in light of revelations about U.S. government spying, you may be wasting your time.

Recent leaks about surveillance efforts by the secretive National Security Agency have sparked a wide range of questions during the last week over online privacy, or lack thereof, as well as possible violations of the Constitution. But at this stage, the exact methods employed by the nation's top intelligence agencies to gather information in the interest of national security are still fuzzy.

At the very least, the NSA has confirmed that it is collecting Verizon phone records to examine their metadata and analyze call patterns between people. The NSA's Prism system apparently goes even further, reportedly accessing servers at Google, Apple, Microsoft, Facebook and other major companies, to collect data that the agency is storing for possible surveillance and investigations.

With such large amounts of personal data at stake, one question is the extent to which encryption -- a process for scrambling digital information so only certain groups of people can decipher it -- can succeed in shielding consumers from government surveillance.

The answer is complicated, and depends on the definition of "government surveillance," which is still not entirely clear. But for some security experts, encryption is a non-issue, period.

For instance, if the government is doing only what it claims to be doing with cellphone calls, which is performing traffic analysis to look at patterns and see where calls are coming from and going to, there are no good avenues for encrypting that, some say.

"The fact that I called you, or you called me, that has nothing to do with encryption," said security expert Bruce Schneier. "This is not communications eavesdropping. This is eavesdropping at the endpoints," he said.

Encrypting those endpoints is a lot harder than encrypting, say, emails or phone calls themselves, if not impossible outright, said Seth Schoen, senior staff technologist at the Electronic Frontier Foundation. "You still have to tell the ISP that we want to talk to each other," he said. "You can't really scramble a phone number, because the company needs to know how to complete the call," he said.

There are services for encrypting phone calls end to end, like Silent Circle, which announced discounts citing "overwhelming demand" for their services following the NSA spying reports. In addition to calls, the company also offers encrypted video, texting and email over its network. End-to-end encryption aims to encrypt information through all phases -- at rest, in transit and in use.

There is also RedPhone and TextSecure, two mobile apps made by open source developer WhisperSystems, for end-to-end encryption of phone calls and text messages, respectively. Cryptocat is another player.

But the thinking goes that if you take the government at its word, then the NSA is not listening in on phone calls anyway, at least not in a blanketed way. Instead, it's more like the government is saying to telecommunications companies, "Hey, so-and-so sent out 100 billion text messages. Send those to me," Schneier said.

There are legal avenues to gain access to encrypted data and some of these would oblige companies to either provide the keys or provide the unencrypted data.

In its privacy statement, Silent Circle acknowledges that its servers "generate log files that contain IP addresses," and notes that every six months the company will post how many data requests from worldwide law enforcement agencies it has received, how many customers were involved and what agency or organization made the request.

But gag orders may not accomplish much if the data is truly encrypted end to end, which is what companies like Silent Circle try do. However, end-to-end encryption is hard to achieve and increases costs.

Government metadata analysis alone should raise concerns among U.S. residents, said EFF's Schoen. The practice of looking at who is contacting whom might sound boring to some, or prompt the question, "what's the privacy harm there?" said Schoen. But if the government can track a person's IP address, that information can be used to, say, reveal a love affair, if one person were to log on to his or her email account from a new IP address, he said.

"It can show where someone spent the night," EFF's Schoen said. "The privacy concerns here can be much graver than you would think."

For those reasons and others, some privacy groups, like the Electronic Privacy Information Center, have questioned the legality of the NSA's Verizon data-collection scheme.

Meanwhile, when it comes to encrypting actual content like email messages, chats, videos and photos, there are generally two ways to go: There are services for encrypting information sent between people, like Silent Circle and RedPhone, and there are applications for creating secure connections between people and across networks. For instance, there are open source services like OpenVPN, which is designed to establish an encrypted virtual private network (VPN) between computers.

There is HTTPS Everywhere, a plug-in extension for Firefox and Chrome browsers that is designed to automatically employ the Hypertext Transfer Protocol Secure (HTTPS) program for websites that offer it. HTTPS is designed to build on top of standard SSL/TLS cryptographic protocols to protect against eavesdropping of data by third parties, and to help ensure that the website being accessed is legitimate and not operated by a bogus group.

There are also cloud storage encryption services like Mega, or SpiderOak, which claims to have zero-knowledge of users' data.

But on a practical level, people need to consider that if the company cannot read their files, that can limit the features and convenience afforded by the service. It's a little hard to filter out spam, for instance, if the email client can't see your emails, said EFF's Schoen. Researchers at the Massachusetts Institute of Technology are trying to solve this problem with "homomorphic encryption," which would let Web servers process data without decrypting it.

This smorgasbord of encryption services is what makes things tricky. "There are very specific things we mean when we talk about privacy," said Eben Moglen, a professor of law at Columbia University and chairman of the Software Freedom Law Center. Surveillance of communication endpoints is the "anonymity" type of privacy, but when people start talking about the actual contents of messages or files, that falls under a different category called "secrecy."

"A message is secret if its contents are known only to the sender and the recipient," he said. But as far as whether the government is listening in on those messages -- encrypted or not -- and how much it is listening, and which governments are listening, the answer could be yes, no or maybe, Moglen said.

One of the biggest questions right now is how powerful the government's code-breaking tools are, and the extent to which they are capable of cracking the algorithms, and at what speed, that power modern encryption programs.

"The U.S. government doesn't tell us how many codes it can break," Moglen quipped.

"I can't tell you what encryption methods the government can defeat," he said. "I can tell you it's as good, if not better, than the best stuff in the world."

But even if the government can't crack the codes just yet, there is still the anonymity problem of the government seeing who sent what to whom.

And there's still a whole other layer of privacy concerns related to what Moglen calls "autonomy," which deals with how people change their behavior or self-censor what they say online because they're fearful of who is listening.

Experts agree that the aforementioned services and software generally work well as a guard against more incidental eavesdropping or keeping less tenacious hackers out of Internet communications in open Wi-Fi environments like coffee shops.

In the computer security world, "who exactly we are trying to protect ourselves against is one of the key questions," said EFF's Schoen. "Some are easier to protect against than others."

But are Internet users really fearful of snooping? Or have events like 9/11, and high-profile laws like the Patriot Act and the Foreign Intelligence Surveillance Act, which is at the heart of the alleged Prism program, made people too cynical to care?

Some do seem to live and die by encryption. Here's what Michael Goldstein, a computer science student at the University of Texas at Austin, does: He chats on Facebook with the open source Jitsi communicator. He chats with Cryptocat. He uses the PGP (Pretty Good Privacy) software for encrypting certain emails. His hard drive is encrypted with TrueCrypt. He's a fan of Tor, which is designed to keep people's anonymity intact, for accessing the Internet. He also likes Mega for cloud storage. There's RetroShare for encrypted chat, email, forums and other social networking with "certain friends." TextSecure too.

"Whenever possible, I encrypt my communication," he said. Clearly.

And let's not forget Bitcoins, a digital currency designed to allow decentralized and anonymous payments, which Goldstein also uses.

"To me, and many people of a more libertarian persuasion, recent news has been more of a validation of prior beliefs than a shocking revelation," he said.

"This is not a big shock. It's an open secret in my business," said John Kindervag, an analyst with Forrester.

Some tech entrepreneurs agreed.

Prism "is an important reminder that what we share online and communicate to others via technology can, and sometimes will, be seen by people that we didn't intend to see it," said Justin Johnson, co-founder at Late Labs, a crowdcoding startup based in San Francisco.

Others are less Orwellian. "It's more likely that a hacker is trying to guess your password than the NSA is coming after you," said Robert Banagale, CEO at secure messaging app maker Gliph.

But, while using encryption might be good for keeping accounts secure, using it to try to dodge the NSA is probably futile, he added.

How receptive Internet users are to government surveillance in the interest of fighting terrorists is harder to gauge, but what's clear is that online privacy is at risk.

If privacy isn't dead, it's certainly on life support, said John Simpson, director of the Privacy Project at Consumer Watchdog. "These tech companies, and the government, know more and more about people's private lives," he said.

Others say the fundamental philosophy behind the Internet, that of an open network for the free-flow exchange of information and ideas, renders encryption moot, especially given the nature of the U.S. economy.

Why don't most people just encrypt everything end to end? "Because that's not in capitalism's interests," said Columbia's Moglen. "When the economy is primarily about consumption, the behavior of consumers is the most important information it has. That's what information technology is about as far as capitalism is concerned."

People like the man behind the NSA leaks, Edward Snowden, "who think the technology revolution is about freedom," Moglen said, "they're characterized as traitors."

Zach Miners covers social networking, search and general technology news for IDG News Service. Follow Zach on Twitter at @zachminers. Zach's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags Internet-based applications and servicesFriendstersocial networkinginternetprivacyFacebookAOLYahooGoogleMicrosoftsecuritylegaltwitterdata protectionsocial mediasearch engines

More about AppleEFFElectronic Frontier FoundationElectronic Privacy Information CenterFacebookGoogleIDGMassachusetts Institute of TechnologyMicrosoftNational Security AgencyNSAPGPPretty Good PrivacyPrismTechnologyVerizonVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Zach Miners

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts