- ~ posted 18 October 2015 at 15:54
For organizations, resisting surveillance is about protecting yourself, your customers, members and supporters from government and service provider collection of data. In today's world, these are steps every organization or group should take; not just those that seemingly handle more-sensitive data. Protecting the privacy of your members is a sign of respect for their privacy and not just an indication that you feel your information deserves to be private.
While I think these are steps every organization should take, they are especially critical if your organization is one that is outwardly promoting privacy. If you are telling the world that government mass surveillance is wrong but you aren't transparently encrypting inter-organization email traffic with STARTTLS, you cannot expect your message to be credible.
It is also worth viewing the steps listed below through the lens of either a passive attacker or an active attacker. A passive attacker is someone that collects but does not interact with the data, traffic or computers sending the data. An active attacker, on the other hand, takes active steps to interfere with the computers, traffic or data in order to suit their needs; typically to further their surveillance goals or compromise specific users or computers.
Going from passive to active is an enormous leap in terms of investment for the attacker. Similarly, resisting an active surveillance-enabling attack is a much more difficult yet less likely challenge.
With that in mind, this post focuses on resisting passive surveillance which represents the largest risk.
Step 1: Use HTTPS to encrypt your websites, and do it well
HTTPS provides confidentiality of web traffic as it transits the network. This not only protects potentially-personal information that your visitors send to your site, but it also hides the specific web content that your visitors view from prying eyes. You may not feel that which of your web pages a person views reveals much about them to a network watcher; however, we need to consider that information about your web pages would be viewed alongside many other web pages this person also viewed and in that context, the collection of sites and pages the person viewed may actually say quite a lot about them.
Deploying HTTPS is easy and well documented and I am not going to describe how to do it here—there are plenty of other sites that do that. But I will say that you shouldn't merely deploy HTTPS, you should do it as strongly as possible. This includes using HTTP Strict Transport Security (HSTS) and HTTPS Public Key Pinning (HPKP).
Step 2: Use STARTTLS to encrypt email as it crosses the Internet
While a large cross-section a person's web traffic can describe them very well, a single email can reveal their closest secrets. STARTTLS is a technique that can enable SSL or TLS encryption for historically insecure protocols. STARTTLS should be used between mail servers over the Internet. While it isn't perfect it is a huge step forward and an effective technique against the passive collection of surveillance data.
Step 3: Avoid outsourcing functions to places that aid surveillance
This one can be harder for organizations to grapple with, especially because reducing costs can be a competing factor. That said, it is important that organizations not outsource information technology functions to companies or geographies that enable surveillance.
For example, if you host your own email, a government or law enforcement agency may have to request access to those mails directly through you. However, if you have hosted mail-related functions to a third party, they can simply request access via the provider who may or may not be able to notify you of the request.
It is also important to consider hosting very holistically. For example, for email, just as important as the service provider that hosts core email functions, providers that provide "inline-like" services that only hold email temporarily for services like spam or anti-malware are equally important to consider.
Here are a few other example services that should be examined for their surveillance aiding properties:
DNS server hosting
Web proxy or inspection services
Distributed Denial of Service services
Virtual private network services
All of these are services that can be self-hosted by an organization and there are companies that are happy to help an organization deploy just about any service in-house.
Making the privacy of your users and the privacy promoting reputation of your organization part of the decision for outsourcing can go a long way. And even more, if you decide against an option that provides increased privacy, tell your users or partners and let them decide how best to interact with you going forward. Again, it is about respecting your users or members privacy.
Step 4: Deploy HTTPS Everywhere to your workstations and laptops
HTTPS Everywhere is a browser extension for Chrome, Firefox and Opera that attempts to use HTTPS in place of HTTP for many websites. By doing so, this improves the confidentiality of the connection's contents ensuring that passive network monitors cannot view the content of communications. This typically works for websites that support HTTP and HTTPS, but for some reason have not switched to entirely using HTTPS.
By deploying HTTPS Everywhere, organizations will instantly make the work and personal web browsing of their user's more private.
Bonus: Offer your site as a Tor Hidden Service
I am including this one as a so-called bonus largely because I don't expect many but the most progressive organizations to take this step. That said, offering your organization's website as a hidden service offers some significant surveillance-resisting properties. Facebook does it—here is why they do— and I do it to promote user choice and awareness; and you can too.
Promoting user privacy is about respect for your users, not your opinion about the sensitivity of your data. Which of these steps will your organization take?