

Ask HN: In light of the PRISM revelations how have you changed? - achalkley

I would like to ask have you altered since the revelations on PRISM and the NSA?

Have you moved your email off Google? Have you deleted your Facebook? Have your political views changed? Have you decided to contribute to a decentralised cryptography project?

Have you just thought of doing something or have you done something different?
======
bigiain
I've started using encrypted partitions on DropBox/GDrive/BTSync (using encfs
and BoxCryptor).

I've added JottaCloud - a Norwegian cloud storage provider, to get some
storage outside US/NSA jurisdiction (and I'm using encjs encrypted storage on
there too).

I've made sure all my published GPG keys are still working and have strong
passphrases. I've started using GPG again occasionally just for the LULZ - so
it'll not stand out quite so obviously if/when I need to use it in anger.

I'm considering my email options. I've got encrypting all non-encrypted email
on the way into a mail server working as an experiment, but the questions of
where to do that remain - my DigitalOcean VPS is no less likely to be under
NSA compulsion than gmail, I don't trust my local (Australian) government to
not be leaning just as hard on server hosting suppliers in Australia. I'm
currently leaning towards hosting my personal mailserver at home strongly
encouraging (or perhaps even enforcing) STARTTLS encrypted mail transport,
running via a VPN tunnel to an internet connection at an inexpensive VPS with
a non-US based provider. Since much of my mail is local (corresponding with
other people inside Australia), I'm trying to decide whether an Australia
based VPS perhaps under control of the local intelligence services but not
requiring the bulk of my inbound (probably unencrypted) mail to hit any trans-
ocean/crossing-national-boundaries backbones, would be a lower risk than a
Norwegian or Icelandic based VPS which is more jurisdictionally difficult for
ASIO and the NSA but which requires my inbound mail to cross those high-value-
target-for-firehose-sniffing cross border backbones.

I've been raising cloud data storage legal jurisdiction based on the cloud's
physical location and the cloud company's nationality whenever appropriate at
meetings (which gets interesting responses with health/financial/childcare
clients, and bored dismissiveness from just about everybody else… "Oh, you're
storing PII patient data? Does storing that on Amazon S3, even if encrypted,
meet your regulatory requirements?" I'm looking forward to the "Ahhh, so
you're providing information to pharmaceutical managed mental health patients.
Have you considered the privacy leak that Google Analytics represents? What
disclosures and/or privacy assurances have you made to your users?" discussion
next week…)
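
The "strongly encouraging (or perhaps even enforcing) STARTTLS" choice described above comes down to two Postfix settings. The fragment below is an added illustration, not the poster's own configuration; the hostname and certificate paths are placeholders. It shows the opportunistic setting beside the enforcing one and the logging that lets you measure how much mail actually arrives encrypted before you decide to enforce.

```ini
# Postfix main.cf fragment (added example, not from the original post).
# Placeholder certificate paths; substitute your own.
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.org.key

# "may" = opportunistic TLS: encrypt when the peer offers STARTTLS,
# fall back to plaintext when it does not. This is the "strongly
# encouraging" option: nothing bounces, but a peer (or an on-path
# party stripping the STARTTLS advertisement) can force plaintext.
smtpd_tls_security_level = may
smtp_tls_security_level = may

# Log each TLS handshake at level 1 so the mail log records which
# inbound and outbound sessions were encrypted. Grep these lines
# for a few weeks to see how much inbound mail would be lost under
# the enforcing setting below.
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1

# "encrypt" = mandatory TLS, the "enforcing" option. Inbound: senders
# that never issue STARTTLS are refused, so their mail bounces rather
# than crossing a backbone in the clear. Outbound: the session is
# encrypted but the peer certificate is NOT verified, so this resists
# passive capture only; certificate verification needs "secure" or
# "dane" instead of "encrypt".
# smtpd_tls_security_level = encrypt
# smtp_tls_security_level = encrypt
```

Postfix reads comments only on their own lines, so keep the commented-out enforcing pair exactly as shown and uncomment it once the log review shows the plaintext-only senders you are prepared to lose. Enforcing on a publicly listed MX is explicitly outside what RFC 3207 permits, which is the usual reason people stop at "may" for inbound and enforce only for outbound peers they control.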

------
ewoodrich
For the last five or so years, I've used an encrypted primary partition, and
the occasional TrueCrypt vault when necessary. I also have recently moved most
of my personal storage to Dropbox and Google Drive, with no encryption for the
usability benefit.

And I've changed almost nothing since the "PRISM revelations". In fact, I've
begun to post more under my actual name, without any anxiety over "NSA"
activity.

It may have become a cliché, but I always identified with the logic of
continuing to fly after 9/11 to not let the "terrorists win". Us vs. them-
speak aside, the sentiment holds true that the best means to oppose a new
"threat" is to hold course.

If "government overreach" is really as bad as some claim, someone will be
jailed for posting some innocuous musings, and will serve as proof and
catalyst for meaningful change. But the far worse outcome would be to suppress
free expression based on a nebulous fear of government surveillance (the NSA
was formed from a WW2 era signals agency that at one point inspected almost
all telegraph transmission to and from the US). And yet we still have a
tendency to idealize the past as an embodiment of more pure "American values".

------
Irishsteve
Nothing really. Ever since I saw something such as
[http://news.bbc.co.uk/2/hi/sci/tech/437967.stm](http://news.bbc.co.uk/2/hi/sci/tech/437967.stm)

I realised that most likely these types of agencies can get access to your
data if they really want. If everyone moved from FB, Goog or whatever they
will simply start to spy on the new services people have moved to.

If a service is in Europe it really doesn't matter. They will still snoop or
ask another agency to snoop for them. The UK have been snooping on Ireland for
a long time [http://cryptome.org/jya/gchq-etf.htm](http://cryptome.org/jya/gchq-etf.htm)

I guess one way to avoid these problems is that people become far more
understanding of other people's dirty secrets, that way it can't be used as
leverage. That could hopefully devalue the process of snooping.

------
nicoschuele
To be honest, I didn't change a single thing about my digital life. Even if it
didn't make the news before, I have been using the internet for the past 15
years or so and since then, have always been aware that what you do on it is
not completely private.

So, I didn't kill my Facebook account as I don't store personal info on it. I
didn't kill my Google services as I use encryption to transfer sensitive data
(trade secrets and such). Etc.

------
federicola
You can't do absolutely nothing, once you upload something (encrypted or not)
it is public by default, dropbox/gdrive etc.., even if you send an email it is
public.

Is really naive thinking that "some storage outside US/NSA jurisdiction (and
I'm using encjs encrypted storage" will stop government to reach you, because
they really don't care about jurisdiction.

~~~
bigiain
I suspect you've made less favourable assumptions about the resilience of
OpenSSL and GPG than I have - but while I have _doubts_, I'm aware that I've
got nowhere near the expertise required to participate in discussions about
whether the NSA has working attacks against them - but that people who I trust
_do_ have the expertise mostly seem to be saying that they're both _probably_
safe, and are both _almost certainly safe_ against dragnet "intercept and
archive everything" surveillance.

"Is really naive thinking that …"

I think it makes somewhat more sense for me - since I reside outside the US.
I'm reasonably sure that SSL transported encfs encrypted files moving between
Australia and Norway - even when routed over US based or US company owned
backbones - is reasonably safe from dragnet surveillance.

At the same time, I have no doubt that if "government" becomes interested in
me specifically - all my privacy precautions will not stand up to nation-state
level scrutiny. The right combination of "leaning on" Apple, Dropbox, and
Agilebits (the company behind 1Password) would - given expertise the NSA no
doubt has, and sufficient time - eventually reveal almost all my keys,
passphrases, and passwords. But then so will the $5 wrench, the rubber hose,
or the threat of jail time.

------
junto
- Deleted my Facebook account.

- Looking for European alternatives for server locations:
[https://news.ycombinator.com/item?id=5993947](https://news.ycombinator.com/item?id=5993947)

- Looking for a good alternative to GMail.

- Looking for a good alternative to sharing photos with family (currently
Google Picasa and Google+)

------
vacipr
-deleted google account.
-abandoned gmail, started using riseup.
-trying out duckduckgo.

+already switched to Linux and started encrypting my hard drives long ago.

The only problem I still have is Facebook. I can't leave because of the groups.

------
yen223
Truth be told, I haven't changed a thing. Even before PRISM, it was always a
good idea to assume that any data uploaded to the net will be public. And as a
non-American citizen, being spied on by Americans is nothing new.

