The Bytemark guide to dodging spies

I’ve seen dozens of outraged headlines today about Privacy International’s investigation into the UK “Tempora” spying programme. Privacy International stated that this was

the first time the Government has openly commented on how it thinks it can use the UK’s vague surveillance legal framework to indiscriminately intercept communications through its mass interception programme, TEMPORA.

that is to say, they were trying to find out which messages the UK security services can legally intercept.

Charles Farr (The Director General of the Office for Security and Counter Terrorism) was unambiguous in his statement:

Facebook and Google communications would be permitted [for warrantless interception] under law because they are defined as ‘external communications’

the only practical way in which the Government can ensure that it is able to obtain at least a fraction of the type of communication in which it is interested is to provide for the interception of a large volume of communications, and the subsequent selection of a small fraction of those communications for examination by the application of relevant selectors.

He’s correct on this last point – if we allow our security services to intercept “external” communications, there is no way they won’t get a large portion of “internal” communications as well. And that’s going to make a lot of people very cross.

A few big pipes

As Farr explains further in his witness statement, Google is the destination, at least temporarily: it is the switchboard for everyone’s messages, wherever they are in the world. Messages between Brits head out for processing to one of Google’s data centres (none of which are in the UK) and are then sent back again. Google’s capacity to filter junk mail, store your messages and work out which adverts to show you: all of that is centralised, and none of it is done in the UK.

Here’s a map of the 30-odd cables that carry data out of the UK (courtesy of submarinecablemap.com). When an email goes to or from Google, it goes over one of these:

These exit points carry all the traffic that passes into, out of and through the United Kingdom, which makes them huge targets for interception and meddling.

What makes them even more tempting for spies is that the cables are managed by large companies that are disproportionately subject to government regulation. Whatever the law might say, those companies are soft targets for blackmail and secret orders: none of them wants substantial business disrupted on a point of principle. This isn’t just theory – the scale of government interception was revealed back in July 2013. So as UK internet users, we already knew our data was being read.

What we didn’t get from those reports was advice on how to guard our privacy better without in-depth security knowledge.

Here are my tips:

1: Keep your data in the UK

Don’t send anything private over Facebook, Yahoo, Gmail, Fastmail or any other provider outside the UK. Your data will be caught in the existing, well-documented trawls. Those providers are the most closely watched, because they give the security services the most information for the least effort.

Host your email in the UK – not just with a UK-incorporated company but with one that has its own wholly-owned UK data centre and no interests outside the UK. That’s a pretty short list, but amazingly you’ll find that Bytemark are on it, and here’s our data centre!

Why so specific? (apart from naked self-interest)

Microsoft is currently fighting a court order forcing it to disclose data held in Ireland to US authorities, and a Canadian court has just ordered Google to erase search results worldwide. If your data is on servers in the UK but those servers are owned by a multinational, I’d not bank on it staying private from the government of any other country in which that multinational trades.

Of course UK spies can tap cables within the country, but to obtain the same amount of data as they can get from Google they would need to expend more effort and would get less for it. That’s because there are no “big pipes” within the UK: we have cables criss-crossing the land between hundreds of private companies.

There are a few central points (e.g. LINX) in the UK, but these are run by a ruggedly informal and well-networked group of engineers. The close technical co-operation, and the technical difficulty of tapping a peering point, make a dragnet both expensive and harder to hide from a peering point’s many members. It’s not impossible, just harder.
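You can check for yourself which relays carried a particular message, because every mail server that accepts it prepends a Received: header, and a relay outside the UK shows up there by name. The script below is an added example written for this article, not Bytemark’s own code; the message it parses is constructed, and every hostname and address in it is made up (the IPs are from the RFC 5737 documentation ranges).

```python
"""Trace which mail servers handled a message by reading its Received: headers.

Added example for this article, not Bytemark's own code. Every relay that
accepts a message prepends a "Received:" header, so reading those headers
from the bottom up shows the path the message took. SAMPLE_MESSAGE is a
constructed message; all hostnames and addresses in it are made up.
"""
import re
from email import message_from_string

# Constructed sample: a message between two users of the same UK domain that
# was handed to a third-party relay (relay.provider.example) on the way.
SAMPLE_MESSAGE = """\
Received: from mx.example.co.uk (mx.example.co.uk [192.0.2.10])
\tby mail.example.co.uk with ESMTPS id abc123
\tfor <bob@example.co.uk>; Mon, 23 Jun 2014 10:00:05 +0100
Received: from relay.provider.example (relay.provider.example [198.51.100.7])
\tby mx.example.co.uk with ESMTPS id def456;
\tMon, 23 Jun 2014 10:00:03 +0100
Received: from alice-laptop.lan (unknown [203.0.113.5])
\tby relay.provider.example with ESMTPSA id ghi789;
\tMon, 23 Jun 2014 10:00:01 +0100
From: alice@example.co.uk
To: bob@example.co.uk
Subject: test

hello
"""

# "from <host> (<reverse-dns> [<ip>]) by <host> ..." is the usual shape of a
# Received: header (RFC 5321 section 4.4); the parenthesised part is optional.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)\s*(?:\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)"
)
_IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def trace_hops(raw_message):
    """Return the relays that handled raw_message, oldest hop first.

    Each hop is a dict with the sender's claimed name ("from"), the IP the
    receiving server recorded for it ("ip", None if absent) and the receiving
    server ("by").
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", header).strip()  # unfold continuation lines
        m = _RECEIVED_RE.match(text)
        if not m:
            continue  # non-standard header, skip it
        ip = _IP_RE.search(m.group("info") or "")
        hops.append({"from": m.group("from"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    hops.reverse()  # headers are prepended, so the last one is the first hop
    return hops


def relays_outside(hops, trusted_suffixes):
    """Receiving servers whose hostname is not under any trusted domain suffix."""
    def trusted(host):
        host = host.lower().rstrip(".")
        return any(host == s or host.endswith("." + s) for s in trusted_suffixes)
    return [hop["by"] for hop in hops if not trusted(hop["by"])]


if __name__ == "__main__":
    hops = trace_hops(SAMPLE_MESSAGE)
    for hop in hops:
        print(f"{hop['from']:<24} ({hop['ip']})  ->  {hop['by']}")
    print("relays outside example.co.uk:",
          relays_outside(hops, ("example.co.uk",)))
```

Two caveats when you run this on real mail. Only the headers added by servers you trust (your own provider’s) are reliable; everything further down the chain was supplied by the sender and can be forged. And the trace shows relays, not cables: a message to a correspondent at Gmail will show Google’s relay, and by then it has already left the country.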

2: Use free software – at both ends

Use Mozilla Firefox instead of Chrome, Safari or Internet Explorer. It is the only capable, popular modern browser that’s also free software. That makes it the hardest one for a security service to infiltrate, i.e. to introduce a secret vulnerability that lets them intercept traffic.

I’d also recommend using Adblock Plus and other privacy-enhancing extensions to Firefox to reduce the amount of tracking data that you will otherwise accumulate, as well as using a privacy-respecting search engine like DuckDuckGo.

Apple, Microsoft and Google are vulnerable to secret government orders and economic disruption in the same way that undersea cable operators are. And because we can’t see the complete source code that makes up their browsers, we can’t tell (without difficult reverse-engineering) when one has been compromised. A subtle but deliberate vulnerability would be all but impossible to spot.

Open source software, in contrast, is open to inspection by amateurs and experts alike. While Heartbleed was a high-profile lapse by the underfunded OpenSSL project, the industry’s reaction was fast: IBM, Intel, Microsoft, Google, Facebook and others agreed to fund a new “Core Infrastructure Initiative”, with an initial $4m for an unglamorous, essential overhaul of OpenSSL’s 15-year-old code base, on which almost all significant free software depends.

This community effort will leave free software demonstrably more secure against spying, but we may never know the details of many vulnerabilities in Microsoft, Apple or Google products.

When it comes to choosing an email provider, there are plenty out there (including Bytemark!) who make a point of preferring and promoting Linux-based software, where the inner workings of any system are on show to you. Our Symbiosis system is proudly part of that open global security infrastructure, and is built on top of Debian, whose security record is equally on show.

So, on the same basis, ask your email provider what its systems run on, and walk away if they aren’t based on 100% free software.

3: Check you’re using encryption (for what that’s worth)

You’ll never stay ahead of the arms race between software vendors and the security services trying to find exploits in security software. Encrypted connections are safer than unencrypted ones, but can you tell when you’re using an outdated cipher? It’s probably not worth most people’s effort to find out.

The best you can do is to understand when a browser is presenting a genuine security warning, when you’re not protected by encryption at all, and who is responsible for updating the software (these days it’s usually automatic).
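If you do want to know what your connection actually negotiated, the check is short. Below is an added example for this article, not Bytemark’s code: it reports the protocol version, cipher suite and key length that Python’s ssl module negotiated with a server and warns about outdated choices. The policy it applies (which protocol versions count as outdated, which suite names as weak, and that the key exchange should be ephemeral) is this example’s own assumption, not a standard.

```python
"""Report what a TLS connection negotiated and flag outdated choices.

Added example for this article, not Bytemark's own code. The policy in
assess() is an assumption of this example, not a standard: SSL 2/3 and
TLS 1.0/1.1 are treated as outdated; RC4, DES/3DES, export-grade, NULL and
MD5-based suites as weak; the symmetric key should be at least 128 bits; and
the key exchange should be ephemeral (ECDHE/DHE or any TLS 1.3 suite) so a
later key compromise cannot decrypt traffic recorded today.
"""
import socket
import ssl
import sys

OUTDATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL suite names that mark the suite as weak.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "EXP", "NULL", "MD5")


def assess(protocol, cipher, bits):
    """Return a list of warnings for a negotiated (protocol, cipher name, key bits).

    The arguments are exactly what ssl.SSLSocket.version() and .cipher() give
    you, so this can be exercised without a network connection.
    """
    warnings = []
    name = cipher.upper()
    if protocol in OUTDATED_PROTOCOLS:
        warnings.append(f"outdated protocol {protocol}")
    for marker in WEAK_CIPHER_MARKERS:
        if marker in name:
            warnings.append(f"weak cipher {cipher} (contains {marker})")
            break
    if bits is not None and bits < 128:
        warnings.append(f"only {bits}-bit symmetric key")
    # OpenSSL names ephemeral-DH suites ECDHE-.../DHE-...; every TLS 1.3 suite
    # (TLS_...) uses an ephemeral exchange by design.
    if not name.startswith(("ECDHE", "DHE", "TLS_")):
        warnings.append(f"no forward secrecy ({cipher} uses a static key exchange)")
    return warnings


def inspect_host(host, port=443, timeout=5.0):
    """Connect using the platform's default trust store and return
    (protocol, cipher, bits, warnings).

    A certificate that does not verify raises ssl.SSLCertVerificationError
    instead of being skipped over; that is the behaviour you want.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            cipher, _, bits = tls.cipher()
            protocol = tls.version()
            return protocol, cipher, bits, assess(protocol, cipher, bits)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    proto, cipher, bits, problems = inspect_host(target, port)
    print(f"{target}:{port} negotiated {proto} {cipher} ({bits} bits)")
    for problem in problems:
        print("  WARNING:", problem)
```

Run it as `python3 tlscheck.py mail.example.co.uk 993` (the port defaults to 443; use 993 or 995 for IMAPS or POP3S). It only tells you about the hop between you and that server: the provider’s onward hops, and what it does with your messages at rest, are a separate question.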

If you want to go to even more effort, you might start using PGP regularly: this is heavy-duty, well-studied encryption for email. The only downside is that it’s complicated and difficult to use properly, though again, even used a little clumsily, it’s better than none. Bear in mind that PGP encrypts the body of a message but not its headers, so who you write to, and when, is still visible to anyone reading the wire. I’d encourage you to take a look at your options.

How we do it

Bytemark’s solution to most of this problem is Symbiosis on a BigV server from £10/month. Unlike lots of other products, you can know that:

  • your data is hosted in York or Manchester, and won’t be moved around (Google relocate data between countries if they need to);
  • your data is not subject to any other country’s jurisdiction (as Microsoft are struggling with);
  • your data is being processed by 100% free software where the source can be inspected for bugs (which is how we found the widely-covered Heartbleed bug – who knows what security holes are in software you can’t see?).

I like and trust BigV, but it is a hosted service – you are sharing hardware with other people to bring the cost down. So if you can justify the cost, I would always use a dedicated server (we have some from £60/month right now).

Don’t be the low-hanging fruit

If an attacker is willing to lie to you consistently, send someone to interfere with your computers, or tap cables specifically to get your personal or company communications, this advice is nowhere near paranoid enough. If you suspect you have that kind of problem, you need a full-time security specialist managing whatever computers or phones you use.

But everyone in the UK has the capability to keep their data inside our borders, and to choose a hosting provider and software that doesn’t expose them to undue risk of spying. Keep your data off those undersea cables to Google, and you are already ahead of the pack.

And if this seems like too much? Embrace the spying, keep your real secrets offline, and consider supporting the Open Rights Group, who are at the forefront of campaigning against undue surveillance and for digital privacy.