nsa

The National Security Agency has hardly been out of the news since the leak of internal documents revealed the extent of its online operations. Here’s our guide to what’s known about the agency’s Internet monitoring and how you should respond.

Where did the leaks come from?

Former National Security Agency contractor Edward Snowden left his post and shared an extensive collection of internal NSA documents with several newspapers. They then checked through the documents, consulted security officials where appropriate to see if their publication would constitute a genuine threat to security, then published them one by one over time. That’s in sharp contrast to outlets such as WikiLeaks which simply make entire collections of documents public without filtering.

Are the leaks reliable?

Naturally officials have been reluctant to publicly confirm any of the claims in the reports are true. However, both the newspapers that dealt with Snowden and other media outlets that reported on the stories say trusted sources confirm the documents as genuine.

What do the leaks reveal?

The big revelation was the existence of PRISM, a program by which the NSA gathers large amounts of data (much of it supposedly private) that travels through the servers of major US tech firms such as Google, Facebook, Apple and Microsoft. The documents suggested the NSA had the ability to retrieve data directly from the companies rather than have to ask the companies to hand it over.

While many people assumed security agencies collect Internet data, the most fundamental shock in the revelations was that the NSA appears not to simply pick a target and then begin monitoring specific communications for evidence. Instead it seems its general policy is to gather as much data as possible about all users, store it on a long-term basis, then look back through the data as and when it selects a target individual. In other words, it stores data even when it doesn’t yet have any reason to believe it may be evidence.

The NSA later revealed to Congress that its collection of data allows it to carry out a “three hop query”. This means that once it identifies a target, it can retrieve all communications the target had with contacts, all communications those contacts had with other people, and then all communications those other people had with anyone else.

Were Google and company complicit?

It’s hard to say. Most firms involved have vigorously denied allowing the NSA access to their data. The problem is that they may be under secret court orders that ban them from admitting they have allowed access.

Am I safe in the US? Surely the constitution protects Americans?

In theory, the Fourth Amendment should mean the government can’t read American citizens’ e-mails without a court order based on reasonable cause for suspicion. When the story broke, government officials insisted security staff could not look at domestic communications unless they had a warrant.

It later emerged that the system the NSA created took advantage of a major legal loophole. The rules under which the NSA operates (laid down by the secretive Foreign Intelligence Surveillance Court) allow security staff to examine the contents of an intercepted e-mail solely to check whether it is domestic or foreign, and thus whether either party can be monitored without a warrant.

However, if the security staff do notice anything suspicious during this check they can permanently store and use the e-mail as evidence, even though it was gathered without a warrant.

Is Prism the only project uncovered by the leaks?

No, another leaked document revealed Project Optic Nerve, in which the NSA was habitually intercepting Yahoo webcam chats and capturing a still image from the video every five minutes, whether or not the participants were under suspicion. The spies got a bit of a surprise from doing this as around seven percent of the images featured “undesirable nudity”!

I’ve done nothing wrong. Should I be worried about the NSA?

This is really something of a philosophical issue. From a purely practical perspective, the NSA may have data on you, but it’s highly unlikely it will have the time or inclination to do anything with it unless it has cause to suspect you of being a security threat. From a principled perspective, you may certainly believe the NSA gathering data on you is a breach of your rights and reject the old line that “you’ve got nothing to worry about if you have nothing to hide.”

It’s worth noting that the NSA doesn’t just follow-up evidence of illegal activity. For example, a memo in the Snowden files shows staff considering leaking records that suspected Islamic terrorists had (legally) accessed pornographic websites in an attempt to discredit them among their followers.

What can I do to keep my data secret? Is it practical to do so?

This is really a balancing act between security/secrecy and privacy. There are three main practical tools you could consider using.

1) TOR, or The Onion Router. This is free software that helps disguise your web browsing. It does so by changing the way your data travels to and from a website by routing it through hundreds of different computers, making it much harder and more time-consuming to trace. It doesn’t guarantee privacy, but does mean security agency staff will have to be very determined to find out what you are up to. One big downside is that it can slow down your traffic, particularly when using filesharing services.

2) Encrypt your e-mail. There are plenty of services out there for this, the best-known being Pretty Good Privacy. Encryption means anyone intercepting your e-mail won’t be able to read it, but it only works if both the sender and recipient are using the same system. Be wary of encryption services from large security software firms as it’s suspected some of them may be set up to allow the NSA a “backdoor” to access the messages without encryption.

3) Use secure web connections. Tools such as browser plug-in HTTPS Everywhere will make sure your connection to a website is automatically secure whenever a site supports it. That gives you the same protection against interception by snoopers that you get when connecting to services such as online banking.