The Senate votes for warrantless surveillance. Here’s what you can do.
The U.S. Senate recently voted to allow law enforcement and intelligence agencies to access people’s web and search history without a warrant.
In this article, we’ll unpack what that means for people living in or visiting the United States — and we’ll tell you what you can do about it.
The legal background
The vote was part of the debate over the re-extension of the Patriot Act, an Act of Congress passed shortly after the September 11 terrorist attacks.
The law grants government agencies broad surveillance powers when conducting investigations that bear on matters of national security — including the ability to ask telecoms and Internet Service Providers (ISPs) for their customers’ web browsing and search history data. Significantly, the government is not required to obtain a warrant or demonstrate probable cause in order to request such information. They only have to deem it “relevant” to an ongoing investigation.
Over the years, the Patriot Act has been strongly criticized by civil liberties and privacy groups as intrusive and unconstitutional. Many members of Congress have also called for reforms — including the law’s original author, Congressman Jim Sensenbrenner.
The Wyden-Daines Amendment
In an attempt to curb potential privacy abuses, Senator Ron Wyden (Democrat) and Senator Steve Daines (Republican) proposed a bipartisan amendment to the law that would require the government to obtain a warrant before collecting an individual’s web browsing or search history information. Although the Wyden-Daines Amendment was widely supported in the run-up to the vote, in the end it fell one vote short of the 60 required to pass.
At this point, the bill (H.R.6172) will head back to the House of Representatives for further review and debate. Civil liberties organizations are calling on House leadership to reinclude the amendment in the bill or at least put it to a floor vote. The final vote is expected sometime before the end of May.
How to protect your privacy
Whatever your political views or party affiliation, you may not like the idea of the government looking over your shoulder while you’re online — and as the Wyden-Daines Amendment shows, digital privacy is far from a partisan issue. If you feel strongly about the matter, take a moment to contact your House representative and tell them where you stand.
In addition to political action, there are also some technological steps you can take to protect your privacy online:
Use a “no-log” VPN
Using a VPN, or “Virtual Private Network”, is one of the best ways to safeguard your digital privacy. When you use a VPN, all of your network traffic — including the details of your search queries and web browsing activity — is encrypted and routed to a VPN server before being sent on to the site or service you’re actually accessing.
Anyone monitoring the network, including your ISP, will know that you’re contacting a VPN server — but that’s all they’ll know. If the government or anyone else looks at the ISP’s records of your web activity, they’ll only see multiple encrypted communications with a VPN server.
Of course, if your VPN provider is keeping records of your online activities, then the government could simply demand that they hand over your web history. That’s why it’s very important to use a VPN with a strong “no-log” policy — which means that they don’t maintain detailed records of their customers’ activity on their servers. If there’s nothing about you stored in their files, then there’s nothing for the government to request.
Use an E2EE messenger
Most of us rely on mobile devices to communicate with the people in our lives. But the messaging apps and features on these devices vary — widely — in terms of the level of security and privacy that they provide.
Traditional SMS messages and unencrypted messaging apps are inherently insecure, and should be avoided for sensitive communications. Somewhat better are messaging tools that offer partial encryption, such as Slack’s chat feature.
But if you truly care about your privacy, the best thing to do is use a messaging app that offers end-to-end encryption (E2EE) by default. If you’re only communicating with other Apple devices, iMessage can provide this — but your chats with non-iOS users won’t be encrypted. If you need a cross-platform messenger, tools like Signal offer E2EE by default and work on both iOS and Android.
Encrypt your devices (and maybe your backups too)
The encryption on iOS devices is so strong that it has caused friction between Apple and the U.S. Department of Justice. But it’s also possible to harden macOS devices by making use of a native feature called FileVault, which will encrypt the contents of the startup disk. In addition, you can set a firmware password for your Mac, which can significantly enhance its ability to withstand physical access attacks.
If you’re backing up your devices (and you should definitely be doing this), be aware that iCloud backups are not protected by end-to-end encryption. Apple holds the decryption keys, and can be forced to give them to the government if asked. In addition, since many people back up their iMessage chats to the cloud, this also negates the effectiveness of using iMessage as an E2EE messaging solution. If that worries you, it’s possible to disable iCloud backups and instead manually back everything up to a FileVault-protected macOS machine.
However, there are also some good reasons you might not want to disable iCloud backups. Like so many things in personal digital security, in the end it comes down to a risk-reward calculation that individual users have to make for themselves.
Use an anti-malware tool
Several years ago, WikiLeaks released a trove of documents called “Vault 7”. One of the more interesting revelations to come out of this had to do with the government’s efforts to circumvent E2EE messengers. But initial reports that the CIA had “broken” the encryption standards of these messaging tools turned out to be incorrect: The government had simply found ways to infect its targets with malware in order to observe everything that happened on their devices. Apple quickly moved to patch the relevant iOS vulnerabilities that allowed this to happen, but the leak was a good reminder that even an organization with the resources of the CIA is not all-powerful — and as a result will often take the path of least resistance. After all, why bother trying to break strong encryption when you can just install a keystroke logger on someone’s device? Despite what you may have heard, Macs can and do get malware, and Apple’s native protections are extremely basic. For this reason, it’s a good idea to use a reputable malware detection and removal tool on macOS devices. As for iOS devices, the best thing to do is keep them updated and trust Apple to patch vulnerabilities when they’re discovered.
Nothing is foolproof, but the above advice can go a long way to keeping your Internet activity safe from prying eyes. Remember, though, that these more advanced measures can easily be undermined if you’re not also following general best practices for digital security and privacy. So keep on top of your updates, practice good password security, and use two-factor authentication whenever possible!