Fighting CISPA

Remember the Cyber Intelligence Sharing and Protection Act (CISPA) that was introduced last year? Guess what, it’s back. For those of you who weren’t following CISPA the first time around it is a piece of legislation that would introduce exceptions into current privacy laws if those exceptions fell under the vague category of cyber security. Effectively it would render all privacy laws null and void as anything can be twisted into a cyber security threat. The Electronic Frontier Foundation (EFF) is urging people to contact Congress and demand that they vote against CISPA. Unfortunately such a strategy is, at the very best, temporary. The bill was shot down last year only to be reintroduce again this year and if it fails again it will almost certainly be reintroduced at a later date. Until the bill passes there will be a continuous cycle of the legislation getting voted down and reintroduced. This cycle will continue until the bill can be passed, likely as an amendment to a “must pass bill” (think the National Defense Authorization Act) or in a lame duck session on some Christmas Eve.

Fortunately there is good news, the tools to render CISPA entirely irrelevant already exist. Government spying powers become irrelevant if they can’t read acquired data or connect acquired data to real people. Making data unreadable is relatively easy to do using strong encryption tools. All major modern operating systems have built-in full drive encryption capabilities. Microsoft call their drive encryption technology BitLocker, Apple calls theirs FileVault 2, and Ubuntu has the same technology minus a fancy marketing term. When you fully encrypt your drive you make the data inaccessible to anybody who doesn’t have the proper decryption key. What if you don’t have a modern version of Windows, OS X, or Ubuntu? No problem, there’s a wonderful tool called TrueCrypt. TrueCrypt allows you to fully encryption a Microsoft Windows disk or creation encrypted volumes on Windows, OS X, and Linux. You can even use the tool to create a hidden encrypted volume that stores your secure information while keeping junk data in the regular encrypted volume. Doing this allows you to “decrypt” the volume to comply with state demands without having to decrypt your important information.

Encryption shouldn’t stop at your local system though. Every day you probably communicate with other people online and those communications are likely stored on third party servers or can be intercepted en route. There are tools that greatly reduce the risk of both problems. OpenPGP is an e-mail encryption tool that has been around for ages and is still a very effective tool to prevent prying eyes from reading your electronic correspondences. OpenPGP works by using asymmetric encryption. For OpenPGP to work there needs to be two keys, a public certificate and a private certificate. You distribute your public certificate to individuals you want to securely communicate with and, as the name implies, keep your private certificate private. E-mails encrypted with your private certificate can only be decrypted with your public certificate and vise versa. For instant messaging there is a tool called Off-the-Record Messaging (OTR). OTR works on top of currently existing instant messenger services so you can use it to communicate without having to convince all of your friends to switch services (I still have friends who refuse to move away from AOL Instant Messenger).

What about the second problem? How does one stop the state from connecting data to you? Simple, by anonymizing your data. The most popular tool for anonymizing data is Tor. Tor is an onion router, which is a not-so-fancy term for software that encrypts data at an entry point (in the case of Tor, your computer), bounces that encrypted data between multiple nodes on the network, and decrypts the data and sends it to its destination at an exit point. Unless you provide identifying information the exit node is unable to link the data it decrypts to its originator and none of the middle nodes are able to read the data or link it to its originator. Likewise, neither the exit point or intermittent nodes are able to link data that is returned from the receiver. In addition to anonymizing regular Internet traffic Tor allows an individual to run a hidden service. Hidden services only exist on the Tor network and all information communicated between a client and a hidden service is encrypted and bounced between multiple nodes in the network. This means communications between a hidden service and a client are hidden from outside sources and neither the hidden service or the client can identify one another (unless one submits identifying information to the other). If you need a demonstration of the effectiveness of hidden services take a look at Silk Road, a hidden service that allows individuals to sell illegal drugs. Silk Road is so effective that the Drug Enforcement Agency (DEA) has been unable to take it down.

Speaking of buying goods anonymously, let’s discuss payment systems. Silk Road and other “black” market hidden services generally rely on Bitcoin for transactions. Bitcoin is an electronic peer-to-peer currency that is both secure and relatively anonymous. Transactions are performed by sending Bitcoins to published public keys asymmetric encryption at your service, again). The public keys are anonymous unless the holder choose to reveal his identify or his identify is somehow compromised. Information between a sender and receiver of Bitcoins need only know the other person’s public key. Once again the effectiveness of Bitcoin can be demonstrated by the fact that the DEA has been unable to use Bitcoin transaction information to identify sellers on Silk Road.

There are many other tools out there, including I2P and Freenet, that can help denizens of the Internet render CISPA irrelevant. The state can’t do anything with information it can’t read or tie to a real person, which is why the United States has long held a policy prohibiting the export of strong cryptographic technology.