PRISM-Break List is dangerously misleading

A couple of days ago a web site popped up called prism-break.org supplying a list of software and services with the statement

"Opt out of PRISM, the NSA’s global data surveillance program. Stop reporting your online activities to the American government with these free alternatives to proprietary software."

There is a big Electronic Frontier Foundation (EFF) logo at the top, which led me, and according to EFF's Parker Higgins many other people, to believe this was an EFF web site. As such I wrote to EFF last night expressing my concerns that the site is dangerously misleading - EFF replied that they shared my concerns and explained it was not their site. So after a little more investigation I emailed the actual publisher of the web site, a person called Peng Zhong, asking him to take the web site down until they have fully investigated all the services and software they list on the site, as it is dangerously misleading. Peng Zhong has failed either to respond to my email or to take the web site down, so I will now explain why it is misleading.

The web site makes a bold claim that by using the software and services listed, people can prevent the NSA from accessing their data and communications - this is completely false and, as stated above, dangerously misleading. The web site lists a number of services and software provided by companies based in the United States - all US entities (whether they be global foundations like Mozilla, Tor exit node operators, non-profits or global corporations) are vulnerable to orders under the Foreign Intelligence Surveillance Act (FISA) or the USA PATRIOT Act, via orders issued by the Foreign Intelligence Surveillance Court (FISC) or National Security Letters (NSLs). It is also important to note that no matter what these organisations tell you, you cannot take it as guaranteed truth, because under these legal orders they are almost always subject to a legal "gag" which can result in prison terms should they disclose that they have received such orders.

However much we might love organisations such as Mozilla (and believe me, I am a huge fan and know their lead privacy guy, Alex Fowler, personally), to state that they are safe from NSA surveillance orders is simply not true. The same goes for DuckDuckGo, WordPress and any other service which is either US owned or has servers in US datacentres - these services and technologies simply are not immune to surveillance and should never be listed as such.

I urge people to do their own research before using any of the services or technologies in the list on PRISM-break.org - please understand that if it has legal links to the US (even a US parent company), then it is vulnerable to US surveillance laws and is simply not safe.

Comments

So we know what's unsafe. What's safe? It can't be as black and white as "outside the US = good; inside the US = bad."

No you are correct but certainly European laws are far more transparent than PATRIOT and FISA in the US, so whereas things are far from perfect, choosing EU based and owned services will offer protection against the US surveillance machine. I will try to work on a true list of safer technologies and services over the coming weeks.

If you are saying USA=BAD, then which governments do you trust? For example, if a company was based in the UK, would you trust them? Or France? Or Greece? Or Bulgaria? (all EU countries).

What about the Netherlands (your website host country), who have been criticised in connection with the SWIFT programme? Or the court rulings on BREIN v Lycos? Or the recommendations of the MEVIS Committee? Or the PTC travel monitoring?

I wouldn't say I "trust" any government - in my experience they all have their corrupt elements, but I trust European regulations and oversight a lot more than I trust the US.

So what should we use? I mean, any cloud site hosting data in the US will, as you say, always be subject to the Patriot Act.
So please, then, guide us on what software and cloud service provider we should use.

(btw, I cannot access prism-break anymore. Probably it's been taken down)

At the moment my only suggestion is to set up OwnCloud on a VPS in the EU. I will be offering such a service in the next month or so.

Let's be devil's advocate - I believe the owner of Prism-Break.org has his heart in the right place. It is not like he is making money from his advice. I take your point that any US company is vulnerable, but so is any company in any country. I suggest due diligence is in order. Using a VPN is a starting point. I don't trust TOR since it was primarily engineered by the government, and it has been proven to have a back door. I suggest when on the internet have an alter-ego. Don't use your real name for insignificant things.

I am not entirely convinced his heart is in the right place; he has been contacted on multiple occasions by multiple people about the issues surrounding his site and refused to respond to them, and initially many people thought his site was an official EFF site due to the misleading logo that was at the top, right next to a donation link.

I wonder how much he has received in donations given the publicity the site has received?

I am very interested in this matter and I'm going to observe this site and also others that are concerned with this topic. Sadly, I am in no way well computer-educated (I am working on changing it right now, but it takes time!), so I fail to gather one thing from all this discussion. Let us suppose that there is a computer owner who uses all the right search engines, e-mail services and so on, and by "right" I mean with decent privacy policies and placed outside of the US or US-based laws. Let us now also say that this person moves to the US with this computer, whose privacy is, in principle, well protected. Would just being on US territory erase all the good effect of using the proper internet services?
I am sorry if this question is too naive, I just haven't seen it addressed anywhere. And thanks for an answer!

At the moment, with the US Executive ignoring the Constitution and preventing challenge of Patriot and FISAAA on constitutional grounds, it is difficult to see how anyone in the US can be considered as having Privacy. Even if you use the right services, they could simply seize your hardware and carry out forensic analysis on your data.

Even if you encrypt all the content on your system, with conflicting decisions in the US courts with regards to whether or not forcing you to divulge your encryption keys is a violation of the 5th Amendment - it is impossible to determine whether or not that data would be safe.

Furthermore, we already know that the NSA and FBI use malware and trojans against targets to gain access to their systems so they may not ever need to even decrypt your system as if their malware is running on your live system they already have access to the data (in most cases).

The US is currently not a good place to be or be involved with if you value privacy.

OK, so it's bad enough if they can just take away my HDD and search through all of it, and also use malware - if I'm a "target". But let us discuss a normal day-to-day situation, as in, I just wouldn't like anyone to have access to the e-mails or messages I send to my boyfriend, friends, family etc., because I just feel bad about my correspondence being read. There is no reason for any US institution to keep an eye on me other than the sole fact that I'm not a US citizen, and in general I'd just like my messages/e-mails/chats to be more private. Would then using the privacy-respecting software be of any good? Or would just the fact that I am on US land, using US internet connections etc., destroy all the efforts I could make in that direction?
(Again, sorry if this is a very naive question. I do have some notion of the fact that e-mails, chats, and so on are encrypted, and that a non-US service can protect its privacy this way, but I'm still pondering on the possibilities of just, I don't know, somehow searching my computer *just because* it's connected to a US network?)

I do realize the simple validity of your last statement, but sometimes one just can't avoid it.

Sadly, according to the NSA's own statements, if you encrypt your communications they believe that gives them the right to store it for even longer (up to 5 years), as it automatically makes you a suspect.

As much as I would like to alleviate your concerns, the fact is, the US Government makes that impossible.

There is an old (I was told Chinese) curse that says: 'May you live in interesting times.' Yup, I was born in the US and well... not feeling too safe these days. Mr. Snowden will go down in history. I hope the rest of us can survive this nation...
