Data and Goliath: Four Ways You Can Protect Yourself From Digital Surveillance

Good defense will force those who want to surveil us to choose their targets, and they simply don't have the resources to target everyone.

If a policeman sits down within earshot, it's within your rights to move your conversation someplace else. If the FBI parks a van bristling with cameras outside your house, you are perfectly justified in closing your blinds.

Likewise, there are many ways we can protect our personal data and defend ourselves against surveillance. I'm going to break them down into categories.

1. Avoid Surveillance. You can alter your behavior to avoid surveillance. You can pay for things in cash instead of using a credit card or deliberately alter your driving route to avoid traffic cameras. You can refrain from creating Facebook pages for your children and tagging photos of them online. You can refrain from using Google Calendar, webmail or cloud backup. You can use DuckDuckGo for Internet searches. You can leave your cell phone at home: an easy, if inconvenient, way to avoid being tracked. More pointedly, you can leave your computer and cell phone at home when you travel to countries like China and Russia and only use loaner equipment.

You can avoid activating automatic surveillance systems by deliberately not tripping their detection algorithms. For example, you can keep your cash transactions under the threshold over which financial institutions must report the transaction to the feds. You can decline to discuss certain topics in email. In China, where automatic surveillance is common, people sometimes write messages on paper, then send photographs of those messages over the Internet. It won't help at all against targeted surveillance, but it's much harder for automatic systems to monitor. Steganography -- hiding messages in otherwise innocuous image files -- is a similar technique.

2. Distort Surveillance. I have my browser configured to delete my cookies every time I close it, which I do multiple times a day. I am still being surveilled, but now it's much harder to tie all those small surveillances back to me, and ads don't follow me around. When I shop at Safeway, I use a friend's frequent shopper number. That ends up distorting the store's surveillance of her.

Sometimes this is called obfuscation, and there are lots of tricks, once you start thinking about it. You can swap retailer affinity cards with your friends and neighbors. You can dress in drag. In Cory Doctorow's 2008 book, Little Brother, the lead character puts rocks in his shoes to alter the way he walks, to fool gait recognition systems.

There is also safety in numbers. As long as there are places in the world where privacy enhancing technologies (PETs) keep people alive, the more we use them, the more secure they are. It's like envelopes. If everyone used postcards by default, the few who used envelopes would be suspect. Since almost everyone uses envelopes, those who really need the privacy of an envelope don't stand out. This is especially true for an anonymity service like Tor, which relies on many people using it to obscure the identities of everyone.

You can also, and I know someone who does this, search for random names on Facebook to confuse it about whom you really know. At best, this is a partial solution; data analysis is a signal-to-noise problem, and adding random noise makes the analysis harder.

You can give false information on web forms or when asked. (Your kids do it all the time.) For years, well before consumer tracking became the norm, Radio Shack stores would routinely ask their customers for their addresses and phone numbers. For a while I just refused, but that was socially awkward. Instead, I got in the habit of replying with "9800 Savage Road, Columbia, MD, 20755": the address of the NSA. When I told this story to a colleague some years ago, he said that he always gave out the address "1600 Pennsylvania Avenue, Washington, DC." He insisted that no one recognized it.

You can also get a credit card in another name. There's nothing shady about it; just ask your credit card company for a second card in another name tied to your account. As long as the merchant doesn't ask for ID, you can use it.

Deception can be extremely powerful if used sparingly. I remember a story about a group of activists in Morocco. Those who didn't carry cell phones were tracked physically by the secret police and occasionally beaten up. Those who did weren't and could therefore leave their phones home when they really needed to hide their movements. More generally, if you close off all the enemy's intelligence channels, you close off your ability to deceive him.

3. Block Surveillance. This is the most important thing we can do to defend ourselves. The NSA might have a larger budget than the rest of the world's national intelligence agencies combined, but it's not made of magic. Neither are any of the world's other national intelligence agencies. Effective defense leverages economics, physics and math. While the national security agencies of the large powerful countries are going to be able to defeat anything you can do if they want to target you personally, mass surveillance relies on easy access to our data. Good defense will force those who want to surveil us to choose their targets, and they simply don't have the resources to target everyone.

Privacy enhancing technologies, or PETs, can help you block mass surveillance. Lots of technologies are available to protect your data. For example, there are easy-to-use plug-ins for browsers that monitor and block sites that track you as you wander the Internet: Lightbeam, Privacy Badger, Disconnect, Ghostery, FlashBlock and others. Remember that the private browsing option on your browser only deletes data locally. So while it's useful for hiding your porn viewing habits from your spouse, it doesn't block Internet tracking.

The most important PET is encryption. Encrypting your hard drive with Microsoft's BitLocker or Apple's FileVault is trivially easy and completely transparent. (Last year, I recommended TrueCrypt, but the developers stopped maintaining the program in 2014 under mysterious circumstances, and no one knows what to think about it.) You can use a chat encryption program like Off the Record, which is user-friendly and secure. Cryptocat is also worth looking at. If you use cloud storage, choose a company that provides encryption. I like SpiderOak, but there are others. There are encryption programs for Internet voice: Silent Circle, TORFone, RedPhone, Blackphone.

Try to use an email encryption plug-in like PGP. Google is now offering encrypted email for its users. You'll lose some search and organization functionality, but the increased privacy might be worth it.

TLS -- formerly SSL -- is a protocol that encrypts some of your web browsing. It's what happens automatically, in the background, when you see "https" at the beginning of a URL instead of "http." Many websites offer this as an option, but not as a default. You can make sure it's always on wherever possible by running a browser plug-in called HTTPS Everywhere.

I'm not going to lead you on; many PETs will be beyond the capabilities of the average person. PGP email encryption, especially, is very annoying to use. The most effective encryption tools are the ones that run in the background even when you're not aware of them, like HTTPS Everywhere and hard-drive encryption programs.

The current best tool to protect your anonymity when browsing the web is Tor. It's pretty easy to use and, as far as we know, it's secure. Similarly, various proxies can be used to evade surveillance and censorship. The program OnionShare anonymously sends files over the Internet using Tor. Against some adversaries, web proxies are adequate anonymity tools.

There are more low-tech things you can do to block surveillance. You can turn location services off on your smartphone when you don't need them, and try to make informed decisions about which apps may access your location and other data. You can refrain from posting identifying details on public sites. When Snowden first met journalists in Hong Kong, he made them all put their cell phones in a refrigerator to block all signals to and from the devices, so they couldn't be remotely turned into listening devices.

Sometimes surveillance blocking is remarkably simple. A sticker placed over a computer's camera can prevent someone who controls it remotely from taking pictures of you. You can leave the return address off an envelope to limit what data the post office can collect. You can hire someone to walk behind your car to obscure your license plate from automatic scanners, as people do in Tehran. Sometimes it is as easy as saying "no": refusing to divulge personal information on forms when asked, not giving your phone number to a sales clerk at a store and so on.

4. Break Surveillance. Depending on the technology, you can break some surveillance systems. You can sever the wires powering automatic speed traps on roads. You can spray-paint the lenses of security cameras. If you're a good enough hacker, you can disable Internet surveillance systems, delete or poison surveillance databases or otherwise monkey wrench. Pretty much everything in this category is illegal, so beware.

Some of these methods are harder than others. Some of us will be able to do more than others. Many people enter random information into web forms. Far fewer people -- I've only ever met one who did this -- search for random things on Google to muddle up their profiles. Many of these behaviors carry social, time or monetary costs, not to mention the psychological burden of constant paranoia.


I rarely sign up for retail affinity cards and that means I miss out on discounts. I don't use Gmail, and I never access my email via the web. I don't have a personal Facebook account and that means I'm not as connected with my friends as I might otherwise be. But I do carry a cell phone pretty much everywhere I go, and I collect frequent flier miles whenever possible, which means I let those companies track me. You'll find your own sweet spot.

We should all do what we can because our privacy is important and we need to exercise our rights lest we lose them. But for Pete's sake, don't take those silly online surveys unless you know where your data is going to end up.

This is an edited excerpt from Schneier's new book, New York Times bestseller Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.
