How to protect your online privacy

[Guest guest]

-

Misty

Friday, November 30, 2001 6:04 PM

How to protect your online privacy

 

 

 

Print this story <http://www.alternet.org/print.html?StoryID=11986>

| E

<http://www.alternet.org/story.html?StoryID=11986#email> -mail this

story <http://www.alternet.org/story.html?StoryID=11986#email>

Confounding Carnivore: How to Protect Your Online Privacy

Omar J. Pahati, AlterNet <http://www.alternet.org/>

November 29, 2001

Ever since the FBI confirmed the existence of their Internet

wiretapping

device -- a device they named Carnivore -- cyberprivacy activists have

been up in arms. Carnivore promised to be their worst nightmare: a

technology that could track and record every email sent, every Web

page

browsed, every chat room visited.

 

Today, those fears are more likely to come true than ever before. The

passage of anti-terrorism laws in the wake of Sept. 11, and the

extended

powers of the FBI, CIA and police agencies everywhere, make it likely

that Carnivore will see more use in the near future. Congress has been

quite willing to trade some privacy for security, and the Bush

Administration -- especially Attorney General John Ashcroft -- has

been

no defender of online privacy. With Constitutional protections being

chipped away, what can civil liberties-minded citizens do to maintain

their privacy online?

 

Though the technology behind the mysterious Carnivore box (officially

renamed DCS1000 in early 2001, though that name hasn't stuck) has been

portrayed as quite sophisticated, it's actually very simple. When

attached to server computers at an Internet service provider (ISP),

the

device records the details of all traffic coming through that ISP. It

can snatch email headers and content, and keep a history of Web pages

accessed. This data can then be saved onto disk and admitted as

evidence

in court.

 

Similar devices have long been used in private enterprise, allowing

cautious business administrators to monitor the Internet activity of

employees. In network security circles, these devices are referred to

as

" sniffers. "

 

As common as this technology is, its potential uses give security

specialists great power to track electronic communications. Sniffers

can

produce a list of Web sites visited so that ISPs can block access to

sites deemed questionable or subversive. Carnivore can also keep track

of whom you send email to and who sends you email, shedding light on

the

company you keep and potentially tying you to activities you know

nothing about. Aside from these scary scenarios, the mere fact that

someone is watching is disconcerting.

 

But before you panic about the government tracking those flirty emails

you sent to a co-worker last year, consider that the FBI is reported

to

have used Carnivore only 13 times between October 1999 and August 2000

(the latest figures available). That's not very much, given the

enormous

amount of Web traffic. So the chances that Carnivore has been watching

you are incredibly low -- you're much more likely to have been sniffed

by your employer.

 

Nevertheless, with the passage of the USA Patriot Act, Carnivore's use

is very likely to increase. In addition to committing unprecedented

resources to security, the new law drops some of the checks and

balances

once required for getting permission to eavesdrop. Futhermore, rumors

that Osama bin Laden has used encrypted messages, images, and Web

sites

to communicate with the global Al Qaeda network, and fears that

unknown

terrorists are using the Web as a tool, has upped Carnivore's value in

law enforcement's eyes. The FBI has even begun to enhance Carnivore,

effectively broadening its net and fortifying its encroachment into

once

private sectors of cyberspace.

 

Cyber-libertarians determined to maintain anonymity have already found

ways to circumvent Carnivore's watchful eyes. Most of the methods were

developed by hackers to cover their tracks when engaging in

questionable, sometimes illegal activity. But these techniques work

just

as well for the law-abiding citizen who wishes to uphold the right to

privacy. And thankfully, you don't have to be a hacker to use these

tools effectively.

 

Controversial, but legal, encryption software has been publicly

available for years. Encryption allows users to maintain a high level

of

secrecy when sending email or files over the Internet.

 

The most storied of encryption tools is a free program called PGP. PGP

stands for Pretty Good Privacy, but it's a whole lot more than just

pretty good. PGP is " strong crypto, " geek speak for encryption that is

nearly impossible to break. PGP is so strong that after releasing PGP

to

the public in 1991, Philip Zimmermann, the program's creator, drew

immediate attention from federal prosecutors intent on preventing its

distribution.

 

Zimmermann says, " PGP empowers people to take their privacy into their

own hands. There has been a growing social need for it. That's why I

wrote it. "

 

And that's why governments are so afraid of it. As a result,

Zimmermann

became the target of a three-year criminal investigation that

questioned

the legality of exporting PGP to users in other nations. But by 1996,

the investigation had produced no evidence of wrongdoing and PGP had

become the most widely used encryption program in the world.

 

A few versions later, PGP is stronger in popularity and security. PGP

works by scrambling the data such that only the recipient can

descramble

it. Even the sender cannot descramble the data because only the

recipient has the descramble key.

 

Part of the reason behind PGP's strength is thorough peer review. The

original programming source code for PGP is publicly viewable for

anyone

and everyone to scrutinize. The openness allows engineers to point out

flaws, back doors or any other kind of weakness.

 

By using PGP to encrypt transmissions, one can ensure with high

confidence that only the person intended to see its contents actually

has access to it. Even if someone intercepts the transmission it would

be completely unreadable unless that person has the decryption key.

This

would not prevent Carnivore from biting email off the network, but it

will prevent prying federal agents from reading your private

communications.

 

" You may be planning a political campaign, discussing your taxes, or

having an illicit affair, " says Zimmermann. " Whatever it is, you don't

want your private electronic mail or confidential documents read by

anyone else. "

 

Zimmermann acknowledges that PGP could be used to conceal illegal

activity but believes the right to privacy supercedes this concern.

 

A warning: Encryption is illegal in many countries. It is also illegal

to export encryption tools from the U.S. without authorization. So

you're best using PGP only in the United States or checking your local

laws before using PGP.

 

PGP Freeware will get your messages across the Net safely, but it

cannot

stop Carnivore from watching what Web sites you are viewing. Most

people

surf from Web site to Web site not knowing that every click they make

can be recorded not just by the government, but by more than one

monitoring system. Your ISP, your ISP's ISP, and every Web site has a

record of where Web traffic comes from and where it goes. Even if

Carnivore is not watching you, federal agents can subpoena ISP logs to

track you down. Whether you're merely looking at NYTimes.com or

AlterNet.org or one of Osama bin Laden's alleged

<http://www.usatoday.com/life/cyber/tech/2001-02-05-binladen.htm>

porn-fronted Al Qaeda Web

<http://www.usatoday.com/life/cyber/tech/2001-02-05-binladen.htm>

sites, you are being watched.

 

There are several ways to keep your surfing habits hidden. Most

involve

placing a computer on your network between you and the Internet. This

computer is called a proxy. Proxies work by taking your request for a

Web page, getting the page from the Internet and then passing it on to

you. With a proxy installed, the Internet knows the proxy is there,

but

doesn't know who is behind the proxy. While proxies are common in

corporate networks, average home users don't have this luxury, unless

they have the economic resources and technical know-how to set one

up.

 

However, in the last few years, services have been created to provide

Web surfers with a virtual proxy. In this case, instead of setting up

a

proxy on your own network, you connect to a virtual proxy over the

Internet. One that works very well is Anonymizer

<http://www.anonymizer.com/> .com. <http://www.anonymizer.com/> The

Web

service effectively allows users to surf anonymously without

additional

hardware or software.

 

You connect to Anonymizer with your Internet browser, tell it what

site

you want to see and it takes you there anonymously. If Carnivore is

watching you, it will know that you are connected to Anonymizer, but

not

where Anonymizer has taken you. If the Web site you visit is recording

your vital signs (your computer address, operating system, browser

type,

and the page you last visited), all it sees is the Anonymizer server.

 

Singapore, Vietnam, Iran, Algeria, Yemen, Bahrain, the United Arab

Emirates, Saudi Arabia and China have banned sites like Anonymizer.

Each

country has attempted to block citizens' access to such services;

testament to the technology's ability to keep government eyes from

peeking into private activity.

 

Another way that people are surfing anonymously is by using someone

else's network proxy. Hackers often do this surreptitiously, hacking

into a private network and hiding behind its proxy. While this is

effective, it may not be completely legal. You should only use someone

else's proxy with their expressed permission. Also, not all proxies

will

be effective anonymizers out of the box, so it is best to coordinate

the

setup with the proxy's rightful administrator.

 

CyberArmy, a network of tech savvy privacy activists, has a list of

known proxies scattered about the globe (www.

<http://www.cyberarmy.com/lists/proxy/> cyberarmy.com/lists/proxy

<http://www.cyberarmy.com/lists/proxy/> /

). If you are able to obtain permission to use one of these proxy

computers, go to your Web browser preferences and enter the proxy

address under " Proxies. " You will need to enter both the address and

the

port number. If possible, set the proxy method to " Tunnel " -- which

creates a secure connection between you and the proxy. All current Web

browsers in any operating system, from Netscape and Internet Explorer

to

Opera and Mozilla, have this functionality built in. With those

settings

in place you can surf the Web anonymously just as you would with your

own in-house proxy.

 

In addition to their proxy list, CyberArmy has a lot of information

about Internet privacy. A lot of it is geared toward hacker-types but

one useful tool for everyone is the Environment Check ( http://www.

<http://www.cyberarmy.com/cgi/whoami.pl> cyberarmy.com/cgi/whoami.pl

<http://www.cyberarmy.com/cgi/whoami.pl> ). This page will tell you

just

what kind of information you are broadcasting to the world when you

surf

the Web. Information culled by the Environment Check includes what

kind

of computer you have, the version and type of browser you use, the Web

address of your ISP and your computer's network address. Try

Environment

Check with a proxy and then without a proxy to see anonymity in

action.

 

For the less tech-experienced activist, PGP and proxies may not be the

best way to fight Carnivore. Organizations like StopCarnivore, ACLU

and

Electronic Frontier Foundation are good places to start for finding a

grassroots solution to a digital problem.

 

<http://stopcarnivore.org/> StopCarnivore.org

<http://stopcarnivore.org/> has been leading the charge to de-fang

the

device and the over-zealous legislators pushing its use on innocent

Americans. The organization's founder Lance Brown says, " It may be a

generation or two before the stifling effect of Carnivore manifests

itself in ways that can be measured. By that time, America will have

been able to spread its use around the globe. "

 

Brown's Web site offers ways to get in touch with lawmakers and law

enforcement agencies to express concern over Carnivore. The site also

lists ways to find out if Carnivore is tapping your ISP.

 

Privacy activists say that as a matter of patriotism and democracy,

everyone must fight to protect privacy. As Zimmerman says, " If we do

nothing, new technologies will give the government new automatic

surveillance capabilities that Stalin could never have dreamed of. "

 

The latest version of PGP Freeware is now available for Windows

95/98/NT/2000 and the Macintosh, as well as UNIX-based computers.

Download it at MIT's distribution Web site (http://web.

<http://web.mit.edu/network/pgp.html> mit.edu/network/pgp.html

<http://web.mit.edu/network/pgp.html> ).

 

Omar <oj@a...> J. Pahati <oj@a...> is

the associate editor of AlterNet.org.

................................................

Be the change

you want to see in the world.

-- Mahatma Gandhi

--- End forwarded message ---