How to protect your online privacy against PRISM

Michael Tschannen

Since the first interview with whistleblower Edward Snowden was published by The Guardian, people around the world have speculated about how much of the leaked information on the NSA's PRISM surveillance program is true.

Google, Facebook, Apple, AOL and many other online service providers have all denied participation in such programs, which in turn has led to speculation as to how one should interpret these statements (e.g. here, here, here and here). One question that arises is:

How can we as "normal Internet users" protect our online privacy?

As long as we do not know exactly how PRISM and other governmental surveillance programs work, it is extremely difficult to protect against them. Bruce Schneier once wrote as part of the article Security in 2020:

"There’s really no such thing as security in the abstract. Security can only be defined in relation to something else. You’re secure from something or against something."

However, there are some precautions we can take to increase our online privacy:

1.) Check where the company that provides your online service is located

There are huge differences in the local laws of different countries. While the US for example has the "Patriot Act", this law does not apply to European countries. Generally speaking, European countries usually have stronger privacy protection laws than the US does. There are of course international agreements between some countries.

2.) Look for strong authentication

Two-factor authentication (usually with an SMS code) is far more secure than a password alone and effectively mitigates many attacks that target authentication (though not all of them). From a risk perspective, simple password authentication is no longer sufficient protection: to get access to your stored data, an attacker needs only a single token. While you can of course choose extremely long and strong passwords, this does not help against active and targeted attacks such as phishing and similar techniques.

3.) Check how your data is encrypted

Look for services that are provided over TLS-secured channels only and that additionally encrypt their data on the application level (on the client or on the server). Between the moment data is sent to the Internet and the moment it is stored somewhere, there are two important areas that require encryption: the transport of the data (i.e. "between the PC and the server") and the target server itself. Beware that many providers just encrypt their server's disks and claim that "the data is encrypted" - this is true while the server is switched off, but as soon as the server is running again, the whole disk is provided to the operating system in unencrypted form.
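The difference between disk-only encryption and application-level encryption on the client, as an added example that is not SecureSafe's code: a local directory stands in for the provider's running server. It assumes the OpenSSL command-line tool (1.1.1 or later); the function names, the `SAFE_PASSPHRASE` variable and the sample statement are made up for the illustration.

```sh
#!/bin/sh
# Added example, not SecureSafe's code. Assumes the OpenSSL CLI, 1.1.1 or later.
# SAFE_PASSPHRASE is a variable name chosen for this sketch; reading the
# passphrase from the environment keeps it out of the process list.
# Note: "openssl enc" does not authenticate the ciphertext, so this shows
# confidentiality toward the provider only, not tamper detection.

# Client side, before upload: <plaintext-file> <blob-to-upload>
encrypt_for_upload() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -pass env:SAFE_PASSPHRASE -in "$1" -out "$2"
}

# Client side, after download: <downloaded-blob> <plaintext-file>
decrypt_download() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass env:SAFE_PASSPHRASE -in "$1" -out "$2" 2>/dev/null
}

# What a running server can do with a stored object: search its content.
# <stored-file> <string>; succeeds only if the string is readable in the file.
provider_can_find() {
    LC_ALL=C grep -qF -- "$2" "$1"
}

demo() {
    work=$(mktemp -d) || return 1
    # Constructed sample document.
    printf 'Account statement\nIBAN: CH00 0000 0000 0000 0000 0\n' > "$work/statement.txt"
    SAFE_PASSPHRASE='constructed demo passphrase'
    export SAFE_PASSPHRASE

    # Case 1: the provider encrypts only its disks. While the server runs,
    # the mounted file system hands out the file as it was uploaded.
    cp "$work/statement.txt" "$work/stored_plain"
    # Case 2: the file was encrypted on the client before upload.
    encrypt_for_upload "$work/statement.txt" "$work/stored_blob" || return 1

    if provider_can_find "$work/stored_plain" IBAN; then echo "disk encryption only: server can read the statement"; fi
    if ! provider_can_find "$work/stored_blob" IBAN; then echo "client-side encryption: server holds ciphertext only"; fi
    if decrypt_download "$work/stored_blob" "$work/restored.txt" &&
        cmp -s "$work/statement.txt" "$work/restored.txt"; then echo "owner with passphrase: statement restored"; fi
    rm -rf "$work"
}

demo
```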

4.) Choose the right service provider for sensitive data

Categorizing your data by confidentiality and choosing the right online service provider for each data type will go a long way to protecting the privacy of your data! While it is perfectly OK to upload some holiday photos to Facebook or Flickr, these obviously wouldn’t be the best places to store sensitive documents such as your bank account statements or insurance policies.

5.) Remember that the Internet does not forget

Think twice about which information to share online. The Internet does not work like most non-technical media we know. Publicly accessible data (e.g. an image on a website) is backed up, replicated, copied, linked, used somewhere else or even cached for increased performance. That means that once information has been published, it cannot be removed easily.

Our mission is to protect your online privacy!

At SecureSafe, our customers' privacy has been a critical factor to us from the beginning. We have not only developed a highly sophisticated cryptographic architecture to optimally secure your data from even our own personnel, we are also working hard every day to provide you with a secure place on the Internet where you can safely store your most sensitive data.

As a Swiss online storage provider, we store our customers' data exclusively in some of the most highly secure Swiss data centers and in no other country. For each piece of data we store (this includes user names or account history), we carefully evaluate whether we need to store the information and, if the answer is yes, then we store it fully encrypted.

We are excited to welcome all the new users who have chosen to move their data to SecureSafe over the past few days to ensure that they are protected against PRISM and other similar projects. Welcome to the SecureSafe family!