Technology to Protect Against Mass Surveillance (Part 1)

In the past several weeks, EFF has received many requests for advice about privacy tools that provide technological shields against mass surveillance. We've been interested for many years in software tools that help people protect their own privacy; we've defended your right to develop and use cryptographic software, we've supported the development of the Tor software, and written privacy software of our own.

This article is part one of a two-part series. In this part, we'll take a brief look at some of the available tools to blunt the effects of mass surveillance. In the second part, we'll discuss the big picture, reasons Internet users have been slow to adopt cryptographic software, and some limitations of existing technology's ability to defend us against government snooping.

I. The things users want to keep private

There are many different kinds of electronic surveillance and many aspects of our communicative activities we may want to keep private. The online privacy landscape can be daunting in part because each different tool addresses different kinds of monitoring and privacy threats.

For example, most web browsers now include a "private browsing mode" which limits the web history kept on your own computer, preventing others who access your computer from learning about your browsing, but which has no effect on the data that's transmitted over the Internet, and doesn't try to stop, say, your Internet service provider from knowing where you went online.

Similarly, some privacy settings on services like Google and Facebook limit the display of some account history and information either to you or to your friends, but don't do anything at a technical level to stop Google or Facebook themselves from accessing or recording the communications and activities you send through their sites.

Even when we use cryptography to hide the content of our communications, there's a distinction to be drawn between transport encryption (protecting the communications as they travel between your computer and a service provider, like Gmail or your cell phone carrier) and end-to-end encryption (protecting them all the way between your device and the device of the person you're talking to, so that no intermediaries can read them at any stage). Accessing a webmail account over a secure HTTPS connection is an example of the former; it prevents your ISP, as well as people on your wifi network, from reading your mail as it travels between you and your mail provider. Using email encryption software like PGP is an example of the latter; it prevents even your webmail provider itself from reading the mail.

As we'll discuss in more detail in part two of this series, it's relatively easy to use transport encryption to prevent network operators from reading your communication. It's more work to use end-to-end encryption to keep communications private from an intermediary like an IM provider, cell phone carrier, or email service. And it's quite difficult to conceal the fact that communications happened between one user and another—it's much easier to hide what you said in an IM, phone call, or email than to conceal that you contacted a particular friend via IM, phone, or email at a particular moment.

Finally, you might want to hide your physical location when you're communicating. By default, Internet service providers along the way see, and most Internet sites you interact with store, your Internet protocol address (IP address), which can be used to figure out where you connected to the Internet from. This gives services a potential profile of your whereabouts over time, and even the potential to infer other information such as who else was with you and where you spent the night.

Here, we'll look at a few options to increase the use of cryptography to protect the contents of your on-line communications. As we'll discuss in Part 2, these technologies can't offer complete protection against every kind of surveillance, or against every possible eavesdropper; still, making encryption mainstream should help increase everyone's privacy baseline.

II. Privacy for Connections to Web Sites: HTTPS Everywhere

The technology we use to secure our communications with web sites against eavesdropping as our data travels over the Internet is HTTPS. Major web sites have been gradually migrating toward supporting or requiring HTTPS connections, which provide an important kind of protection against mass surveillance targeted against the Internet infrastructure itself.

Your web browser already supports HTTPS, but for some sites you might or might not use a secure connection. (For example, a secure connection for Google Search or for Wikipedia is available, but is optional.) To address this problem, EFF developed HTTPS Everywhere, a browser add-on that tries to make sure your connection to web sites is secure whenever the web site you're visiting supports it.