simon_phipps
Columnist

How to break out of PRISM

analysis
Jun 14, 2013 | 5 mins

NSA scandal has exploded fears of being watched on the Internet, but a new website lists ways to escape the Panopticon

The remarkable disclosure of international surveillance activities by U.S. intelligence services over the last week has stirred much discussion and controversy. Whatever the legality of the situation, no matter the outcome of actions against the people involved, this has been an important wake-up call for us all, especially as the move to cloud computing gathers pace.

Everyone has something to hide — and the desire to avoid prying eyes doesn’t make you a terrorist or a criminal. Perhaps you wish to protect trade secrets from competitors or personal preferences from politically motivated investigators. What actions can you take to reduce the risk that your personal and business activities will become visible to nosey bureaucrats?

As soon as news broke about the PRISM surveillance system, a website appeared, usefully collating details of software systems that reduce the risk of your communications being intercepted. Punningly named PRISM Break, the site includes a long list of open source software solutions that protect Internet privacy. It includes numerous projects at various stages of evolution. Some, like the Firefox browser, will be very familiar, but others are less known.

Everyday encryption

The solutions documented take several approaches. Most obviously, they apply encryption to communications we’re all used to conducting in the clear. For example, all the instant messaging systems offered by large providers are, inexplicably, unencrypted. The list proposes adding a plug-in called Off-the-Record (OTR) to your instant messaging. Of course, if you’re using “official” clients from big providers like AOL or Skype, the built-in client in OS X, or even Web-based messaging services like Google’s Hangouts, that’s impossible. None of those providers lets you add your own encryption.

Fortunately, there are excellent open source alternatives, notably Pidgin and its OS X equivalent Adium. Both offer OTR as an option that’s well worth taking. OTR has stood the test of time and offers encryption that’s session-based (cracking the encryption on one conversation gives no access to others) and repudiable (cracking part of a conversation gives no proof the rest of the conversation is related). OTR operates directly on the message text itself, so it needs no adaptation to IM protocols. In addition to proprietary IM protocols, Pidgin supports XMPP, the open standard for messaging recently dropped by Google but still in use by millions of us worldwide. XMPP allows distributed messaging that does not require a centralized server.

Decentralized distributed systems

That switch to distributed systems is the second approach these systems take to privacy. It seems likely that PRISM works either by penetrating the servers of large providers or (more likely) by capturing and duplicating packet streams directed at those servers. Distributed systems with no central server are much harder to tap into. For example, the list includes Diaspora, a distributed alternative to Facebook that allows each user to choose whether to self-host their information or to trust one of many providers in the large community of servers. OwnCloud offers self-hosted cloud storage and calendaring; SparkleShare offers self-hosted file storage using Git as a medium.

At a more technically complex level, the clear and under-recognized Tahoe-LAFS offers an extremely resilient, distributed, cloud-based storage system that can be hosted on shared storage without exposing the data to inspection. There are plenty of other distributed systems on the list, giving hope to those of us who were beginning to worry that the only way was Amazon or Google, complete with the suspicion that secret interpretations of almost-secret laws are allowing officials to spy on all we do.

Obfuscate your access

The third important approach on the list is obfuscation, epitomized by The Onion Router (TOR), a network service that allows anonymized access to the Internet. It works by letting you proxy your connections through a large number of entry points into TOR, where your connection is then passed from hand to hand by many different servers, each with no knowledge of the route of the message before and after they see it. To those trying to track your Internet access, it’s as if a thousand servers are crying “I’m Spartacus!,” leaving watchers with a huge tracking task.

PRISM Break’s list is fascinating. There’s sure to be something you haven’t seen before, including a full roster of open source solutions that deserve your attention. Whether you simply end up installing a browser plug-in like HTTPS Everywhere — or go to the extreme of redesigning all your cloud and communications to use distributed, encrypted, and obfuscated services — PRISM Break is an education.

Most important, it shows we are not helpless. Acting together with an open source community approach, ordinary people all over the world can take responsibility for their own Internet safety and privacy, thus avoiding surrender to Big Brother, as well as big, corporate services.

This article, “How to break out of PRISM,” was originally published at InfoWorld.com.

Simon Phipps is a well-known and respected leader in the free software community, having been involved at a strategic level in some of the world's leading technology companies and open source communities. He worked with open standards in the 1980s, on the first commercial collaborative conferencing software in the 1990s, helped introduce both Java and XML at IBM and, as head of open source at Sun Microsystems, opened their whole software portfolio including Java. Today he's managing director of Meshed Insights Ltd, president of the Open Source Initiative, and a director of the Open Rights Group and the Document Foundation. All opinions expressed are his own.