AP: Secret to Prism program: Even bigger data seizure
Ars: Details emerge about PRISM, big tech companies release data request reports
After Facebook, Google, and Apple among other companies issued blanket refutations of that "direct access" claim, it was difficult to parse what PRISM really entailed. This morning, however, the AP published a long article with more details about how that program works.
The AP interviewed "more than a dozen current and former government and technology officials and outside experts," all of whom confirmed that PRISM was more of a mechanism to hone the waterhose of data that the NSA has been gathering. In fact, the AP reports that the NSA is tapping directly into international fiber optic cables and collecting all that information. PRISM, on the other hand, is used to “narrow and focus” that massive stream of information. Once the NSA decides on a target, it will contact Internet companies like Facebook and Google to pinpoint the suspect.
Haven't gone through the whole piece yet, but if I read that right, it suggests they don't really need the companies' compliance at all unless there's encrypted information they want to access.
So if you're using HTTPS connections wherever possible (friendly reminder: EFF offers an extension for Firefox and Chrome that will always request HTTPS if available), they'll be able to see what sites you're visiting but not what information you're sending through them. Useful for private messages on social networking sites and the like; they probably won't see your private messages on those sites unless you're specifically targeted for some other reason.
If you combine HTTPS Everywhere with a VPN, that'll make it harder for them to monitor what sites you're accessing as well as what you're doing on them.
As far as E-Mail, though: realistically, you're pretty much fucked. E-Mail is based on a series of 30-year-old standards and has no built-in mechanism for encryption; even if you store your E-Mails on an encrypted server (or delete them from the server when you download them, though that's becoming a less and less feasible option in an age where most people access their E-Mail from multiple devices) they're still cleartext in transit. And if you're storing E-Mail on a server you don't personally control, well, it's far too trivial for law enforcement to get incredibly broad warrants to access everything in your inbox. (While, as I noted, fewer and fewer people are downloading their mail and then deleting it from the server, the laws were written when that was common practice, and give a lot more leeway to access months- or even years-old E-Mail still stored on a server than they would if they'd been written with the assumption that everybody's entire E-Mail history would be stored server-side in perpetuity.)
And if you're not sending in cleartext, if you want to actually communicate via encrypted E-Mail, well, the recipient has to have the same encryption software set up on their computer too. If you really want your E-Mail to be secure, you're going to have to get every single person you correspond with to go along with it.
Depressingly, your private communications on Facebook and Google+ are probably more private than if you're using SMTP and POP/IMAP (or using Webmail which acts as a frontend to SMTP and POP/IMAP).