Encrypting The Web To Defend Against NSLs And Government Meddling

There has been lots of chatter around companies placing back doors in their products and government spying on the average citizen. A lot of this started with the Snowden ordeal. One possible reason a backdoor may find its way in a product  is due to a National Security Letter (NSL). The people at Express VPN provided me a interesting article explaining their thoughts on NSLs. Its a good read to be aware of. Here is their write-up.

A National Security Letter (NSL) is U.S. government request to a company, usually for information or encryption keys, but can also mandate alteration of systems (e.g., forcing an encryption backdoor into products).

NSLs do not require the approval of a judge, can be sent to any company in the United States, and have a gag order attached to them. It is illegal to mention NSLs, or their contents until they are overturned.

On January 10, the Electronic Frontier Foundation revealed it had spent the last three years fighting such a National Security Letter served to content delivery network, Cloudflare.

The EFF was successful in defending Cloudflare against this particular National Security Letter, but it’s unclear how many legal fights have been unsuccessful in the past, and how many are still outstanding.

In short, we don’t know who has been served a National Security Letter, and which systems have been compromised as a result. A judicial review, in which a federal judge looks at the legality and necessity of the letter, is possible, but expensive and take a lot of time.

While the defense against National Security Letters is easy for end consumers (don’t choose services based in the United States), there are larger dynamics at play that challenge the integrity of the entire web.

Centralization through Content Delivery Networks is bad for privacy

Content Delivery Networks (CDN), such as Cloudflare or Akamai, use extensive server farms and premium Internet Service Provider (ISP) routes to deliver fast content, such as videos and images, to the end user.

CDNs are the online equivalent of Amazon building a warehouse in every town to allow for faster shipping.

This, however, allows Cloudflare and Akamai, to inspect (or copy) the contents of the “shipments.” Such a diverse vault of data is of high interest to spy agencies, so no wonder there are NSL’s being sent so the government can see what’s inside this traffic.

Defending Privacy: HTTPS is a good starting defense

“Hypertext Transfer Protocol Secure” is a mechanism that uses encryption to keep the traffic between you and the site you’re using secure and private.

HTTPS, in theory, protects equally well against rogue Wi-Fi routers, spying Internet Service Providers, and (to some extend) authoritarian regimes that want to keep online tabs on their subject.

When HTTPS is properly deployed on the server of a web service or site, a new cryptographic key is generated each time the page is loaded. This encrypts all the traffic, no matter it’s a chat, a video, or financial information.

If a spy agency wanted to obtain personal information from an HTTPS site, they would have to ask the owner of the site to personally hand it over. Many sites are not located within reach of a particular agency, and most agencies do not have the resources to go to every website to force a data handover.

The Virtualization of the Internet Infrastructure keeps your data in your hands

Unfortunately, the law in this case is not meant to protect us, instead it actively harms our fundamental rights and interests. For our own protection, we must take things into our own hands to render privacy attacks from law enforcement useless.

One interesting way to defend against attacks on identity profiles and private communication is to hop on a VPN that doesn’t collect logs, is located outside of the United States, and accepts Bitcoin. A VPN makes it impossible for ISPs or rogue Wi-Fi spots to insert code into your non-HTTPS traffic, or otherwise employ Man-in-the-middle Attacks.

While this creates additional costs for the consumer, it is far easier to find a good VPN provider than it is to find a good ISP, as the choice is often limited by geography. For example, it is impossible for an American to find a non-American Internet Service Provider, but it is easy to shop for a foreign VPN service that can credibly claim to put users’ privacy first.

A VPN and a good personal privacy strategy helps not only fight against surveillance, but also violations of net neutrality principles, and censorship.

Surveillance agencies might still be able to compromise information upstreams to websites and critical infrastructure, such as switches, it is extremely difficult to identify people online. A VPN will herd data anonymously around the planet while hiding behind pseudonymous IP addresses.

The Decentralization of Internet Infrastructure is the best solution

In the long run, handing our information from one centralized entity to another will not be enough. There is the fear that as these surveillance attempts grow, it will eventually become possible for snoop-friendly laws to creep into every aspect of our infrastructure.

The most promising long-term solution to surveillance and vulnerable infrastructure is the decentralization of the internet. The entire physical and virtual infrastructure is controlled by just a few power Internet Service Providers, Content Delivery Networks, and analytic platforms.

Mesh networks might help us build a more distributed net of data channels. A mesh network makes the entire internet more resilient to attacks, while simultaneously removing the ability of any large actor to spy on users.

Proxy networks, like Tor, might also become fast enough to allow for a good user experience, while taking anonymity to a maximum.

We shall see where the future takes us regarding our privacy while on the Internet.