There has been a lot of talk lately about the surveillance of internet traffic after the leaking of information about the top secret Prism project by American Edward Snowden. I figured this was something the public assumed was going on anyway and that the USA in particular would have access to most of my online activities since the majority of online services I use are hosted there. However it seems that many many people were completely unaware.

On hearing about the Prism project, it reminded me of a conversation I had with my friend Chris Laing in 2010. Most of the conversation was not for public consumption, but I’ve published a small edited section of it below where Chris rather accurately predicts the presence of a Prism like program. I always assumed Chris’s prediction was too far reaching and that it was not possible for the USA to collect all of the data travelling across the interwebz, but it appears that I was wildly wrong based on recent reports that the USA are building a data center which is potentially capable of handling yottabytes of data for the Prism project.

My conversation with Chris Laing in March 2010

Ryan: hello

Chris: hello

… private conversation removed ….

Chris: Not at all man. You realise there’s a decent chance that this convo has been flagged already?

Ryan: I figured not. Surely they wouldn’t track every conversation on gChat? That would be a lot of data to process.

Chris: Well it’s algorithms, right? the acronyms “SAS” and “AOS” within a few words of each other probably sets off some kind of automatic monitoring.

Ryan: Well yeah, but that’s still a lot of data.

Chris: Data mining is big business 😉 And you’d be surprised at how much of it NZ does.

Ryan: Where on earth would they be intercepting it? I assumed there’d be a clean pipe from here to ISP, and then from ISP to overseas. And if government wanted to data mine, they need to do it via the ISP.

Chris: Oh no way, few people remember but NZ has been monitoring stuff since the early 80s. We’re one of the biggest relays for US intel in the world we do more data monitoring than Iran. Seriously, look it up.

Ryan: Not on our own people though I’d have thought. As far as I was aware, we were just relaying data around the world.

Chris: You’d be surprised, especially since the terrorism suppression act 2003.

Ryan: So where would they intercept the data? Via the pipes before they exit the country? That would take a lot of computing power to process all that data.

Chris: Again, not so much as you’d think. They use statistical methods to weed out a lot of stuff. e.g. where the communication comes from and is going to, whether it’s encrypted and what encryption etc.

How does Prism work?

Steve Gibson provides an excellent explanation of how the Prism system probably works on the Security Now podcast. He explains that the USA are most likely using some sort of beam splitter to siphon off a proportion of the fibre optic light entering upstream providers for the major USA based internet companies like Google, Yahoo!, Microsoft and Facebook. This explains why those companies are all claiming to be unaware of the situation since they would have no way to know and would have had no way to prevent it.

How to protect yourself ….

There is most likely no way to avoid some level of monitoring without severely limiting how you use the internet. You can mitigate some of the effects of the monitoring, most notably by encrypting as much data as you can, but avoiding monitoring in it’s entirety is not a viable option for most people in my humble opinion. For a convenient way to communicate with another person in a reasonably secure way,

I recommend trying Cryptocat which was recommended to me by Thomas Hedderwick.Support for CryptoCat has stopped since I posted this

If you want to learn more, I recommend following the Security Now podcast (and check out their show back catalogue too). They provide a nice explanation of the basic nuts and bolts of online privacy and how to protect yourself. If you don’t consider yourself a geek, then this podcast is most likely not for you though. It is squarely aimed at those with an active interest in online security and not for Joe blogs who doesn’t want to learn the ins and outs of how the internet works.