FLOSS alternatives for the post-PRISM era

In this post, I'll describe a few alternative FLOSS programs for any proprietary software you might be using to handle your sensitive data. Exactly how FLOSS makes life harder for peeping toms I'll describe in a follow-up post.

(Edit: You'll find  that follow-up post here.)


In recent months we've learned about how the national security services of various countries have been spying on their citizens -- and using the citizens' own computers to do it. What's more, the largest IT companies (household names like Google and Microsoft) have admitted to assisting the security services in their quest to monitor everything we do online. Understandably, many people don't approve. But hey, what can you do? If the government wants to break into your computer or listen in on your Internet transmissions, is there really anything you can do to stop them?

I suppose espionage has been with us so long it's just a fact of life -- after all, some call spying the second-oldest profession -- so it won't be going away any time soon. But if you're concerned about your data being available to anyone who cares to try and grab it, using FLOSS (Free, Libre or Open Source Software) offers a way to combat snoopers and eavesdroppers.

Why not consider the following alternatives?

Operating System: Linux

The operating system is the ultimate master of a computer. It manages everything your computer does at every level and so is responsible for authorising access. This makes the choice of operating system a critical part of IT security.

Tux: The Linux Mascot

It therefore pays to know what an operating system is doing. Most computer users today have some form of Microsoft Windows installed on their machine. But, since Windows is a proprietary program (i.e. you can't read the source code) it's extremely difficult to know exactly what Windows is up to. Is there a little piece of functionality somewhere that secretly opens up a back door or reports some unauthorised information back to a server somewhere? It's exceedingly hard to tell.

With a FLOSS operating system like Linux, such a question is easier to answer because all of its source code is publicly available to read. Yes, you personally might not be able to read computer code, but there are thousands of coders who routinely read through Linux's source. Assuming no vast conspiracy exists among these largely voluntary programmers, we can imagine that the whistle would be blown pretty quickly if someone tried to sneak some spy-friendly routines into Linux (an example of which occurred in 2003).

Still, there are many flavours of this flagship operating system to choose from. Even in the world of Linux, privacy issues turn on your choice of flavour. Ubuntu Linux for example, arguably the most popular and user-friendly, recently rubbed many users up the wrong way after introducing a "feature" that automatically shares some of your information with Amazon.

Email: Kolab -- Cloud Storage: ownCloud

What can you do to stop people reading through your mail? There are actually two main issues here. One is related to what I've already been talking about: namely, if the source code to your email program is a secret, you can't know for sure what it's doing.

The second is: where is your data? In today's world of the cloud, your data -- whether it's emails or files shared via a service like Dropbox -- is probably stored on some anonymous, remote server thousands of miles away rather than your own machine. Someone else is therefore managing access to your data. In such cases, as recent allegations have suggested, it is possible for them to grant access to people whom you know nothing about.

For email and cloud storage, I nominate Kolab and ownCloud as alternatives respectively. Kolab (as I've written about elsewhere) is an email service that prides itself on being built from 100% free software. OwnCloud is a file-sharing web application whose entire codebase is available on GitHub. So how can you get hold of them?

In both cases, professional IT companies host the application on their servers and you can set up an account with them and use the software. Admittedly, just like with GMail or Dropbox, you're taking the word of these organisations that your data is safe with them. But with Kolab and ownCloud, you're not forced to trust such companies. If the want to take greater steps to protect your data, then you can do something that isn't possible with Google and Dropbox: you can set up your Kolab email or ownCloud storage on your own server and thus empower yourself with responsibility for your data. Many organisations are beginning to do this, thus taking on the responsibility and becoming the sole gatekeepers to their own data. What's to stop you doing the same?

VoIP: ?

The other great revelation from the PRISM scandal was the collection of data from Skype calls. Skype is one of the most popular VoIP programs and I've seen it used regularly by universities, companies large and small, as well as private users by the million. So what FLOSS alternative exists as a more secure alternative?

To be honest, I'm not sure. Alongside the operating system, email and cloud storage, VoIP is one of the most important components for addressing IT privacy. But I also think it's one of the weakest sectors in which FLOSS competes. I'd love to hear recommendations and success stories in the area of open source VoIP, but sadly even my very geekiest of friends use either Skype or Google Hangouts.




4 thoughts on “FLOSS alternatives for the post-PRISM era

    1. No, but I’ll check them out, thanks Matthias.

      I’m particularly interested in Skype replacements that are as simple to use, since most of my skyping is done with family, some of whom are not-so-computer-literate. (No names mentioned.)

  1. For backup storage I highly recommend Arq http://www.haystacksoftware.com/arq/. It’s not open source, but it has an open documented file format and uses strong encryption. This way you’re able to backup your important data on Amazon S3 with all it’s benefits (probably safer and cheaper than a RAID array at home) and still be sure (if you trust the developer of Arq to properly implement encryption – which I do) that the data is worthless without your key.

    For sync stuff you could even build your own system entirely. The sync functionality in ownCloud is based on SabreDAV https://fruux.com/opensource, which is also an open source project and can be run independently. If you don’t want to tinker with it yourself, the company behind SabreDAV also has a hosted offering.

    Oh and while I am on it, also install GPGMail https://gpgtools.org on your Mac for encrypted emails. Great plugin, also open source.

    1. For backups I’ve already tried quite a few solutions and so far I’ve settled for:

      – Duplicity for my laptop (pushed over SSH to my own server)
      It does GPG encryption and supports all sorts of backends. I use it in a combination with FCron (and advanced cron) and Duply (a CLI wrapper for Duplicity), but you can also use it via a GUI called DejaDup (or simply “Backup” in Ubuntu)

      – RSnapshot for my server (pulled onto a separated disk), no encryption but it can be *very* easy to locate and copy specific files from it.

      If you have several boxen to backup, Bacula is an obvious choice.

Leave a Reply

Your email address will not be published. Required fields are marked *