Well it is all over the news, Prism has so many people worried, with the conflicting messages I have seen I wouldn’t want to make any judgment calls.
I’ve discussed the implications with people across all spectrums, those who it really doesn’t mean much to, but they “heard about it”, those that trust the authorities as “we are in a state of war so anything goes” of course we are not in a state of declared war, but it seems to be implied we are and those that are vehemently opposed to any government interference with their communications “especially by the current US administration”.
So I don’t want to discuss the political implications of whether GCHQ or CSE have legally bypassed or broken the law of the land by having potentially allegedly using data supplied by the NSA, or if The United States government and/or specific agencies appear to have breached Article 12. of the UN Declaration of Human Rights of large sections of the world’s population or even if Edward Snowden has breached the ISC2 Code of Ethics that I am subscribed to or was he actually enforcing the ethics by whistleblowing. These are all really great discussions to have; I’ve seen a number of bloggers, mostly highly suspicious of the whole situation express their views and a few calls for accountability.
But one particular discussion with a Lawyer friend reminds me and he has a good point, his communications with his clients are to be 100% confidential, I believe this is the case in all democracies, and this might now not be the case with what we now know or even more what we don’t know. Larger law firms will have their own security systems in place, and have had so for years, but even they will be reviewing their policies now. Smaller law firms are usually just one or 2 lawyers and don’t have these resources, other than going back to pen and paper and any postal service that might still exist. They do have options. I do not discuss commercially available solutions here, of which there is plenty, they do simplify security, but really need to implemented in a structured way.
Here are some resources for us non-criminal individuals who would like to keep their privacy and confidentiality of their communications beyond doubt and that they can implement themselves. Of course to be truly secure, both parties, i.e. a lawyer and his client need to be following the same practices. I have one client that goes to an extreme of using a unique throw away email address for each of their contacts or projects, which in their situation does make sense.
To anonymously browse the web, setup, send and receive email you need to be using a proxy service, this hides your location; in fact it changes the appearance of your geographical location. There are services such as HideMyAss, that really comes into its own as a paid service, but they do provide countless numbers of free proxies that you can use and they give instructions on how to use them (bottom of that page), they do change, but it is good practice that you also change them regularly.
Anonymous email accounts and they are only truly anonymous if you sign up for them, AND always log into them using a proxy service. PGP Desktop used to be provided free has now been bought out by Symantec, it includes encryption built into an email system leveraging the PKI which means there is no need to share passwords with the recipient and adds the benefit of nonrepudiation, it does not though provide an email address. A good introduction to Anonymous email was provided by Wired magazine earlier this year. Here are a few providers.
Hushmail is the most popular, and has a nice web interface
HideMyAss email accounts have expiration dates
Anonymous Speech claim to be extremely secure as it’s beyond US and EU jurisdiction but it’s not free.
Anonymous Chat Rooms. Speeka and Chatzy are a couple of simple to use free anonymous chat rooms which you simply setup and tear down as needed, . IRC chat rooms can also be anonymous, but are not as simple to use and have other security implications. In discussions in these chat rooms are not confidential, but they are anonymous.
Free Encryption software. Which is only as good as a strong password.
7-zip and Axanum are extremely easy to use file compression applications with 128 and 256bit encryption, good for simple file transfers and encryption of single files and folders.
Gnupg For Win and Mac, comes in 2 versions portable/stand alone and enhanced/installed providing extremely strong encryption of single files, folders, entire hard drives or operating systems.
TrueCrypt includes some very strong system encryption which is not really for single files, but has an option which provides Plausible Deniability.
Transferring larger files, keep in mind that the files themselves are public, but if they are encrypted, the sender and receiver are using proxies to upload and download as well as using anonymous email addresses, you are covered. I expect the services will release the email and ip addresses which should both be anonymized on production of a court order if it really came to it. These services of course require a credit card for their professional service, but not for the up to 2gb options. Complex one time passwords should be shared in a secure manner when transferring files in this manner. All these services are very similar, I only list three as I have no preference and some have disappeared over the years.
Further excellent reviews of solutions to large file transfers here at CloudWards