The reasons why the collection of all this data was relatively easy is because the way we use the Internet has broken it.
Googlisation of teh Interwebs
Getting user data is easier when service providers participate. Getting service providers to participate is easier when they are few in numbers and big in market share.
Because most users are clustered around a very small number of service providers the situation is perfect. For email; Gmail, Microsoft and Yahoo would cover most of your surveillance needs. Add some Facebook, Twitter and a zest of Apple if you want more.
The Email Trap: It's a Trap
Even if you run your own mail server, the unfortunate reality is that most email accounts are controlled by Google, Microsoft and Yahoo. That means that if most of your correspondence is with users of such services then most of your correspondence is available to PRISM or any similar program.
Either you stop communicating with most people, or you censor yourself. I'd love to hear some ideas actually because I must admit that too many people I know and care for use privacy leaking user exploiting products.
Certificate Authorities are Broken
One of the most broken things out there is the fact that almost everyone's browser is designed to trust a vast amount of Certificate Authorities to authenticate SSL certificates. The lock that says "this connection is secured and verified" means your browser checked that the certificate has been signed by one of the CAs it trusts.
The goals of certificates are to certify the identity of the website and encrypt the data transfered between the user's browser and the server. Any certificate for any domain will appear to you as valid and verified if it is signed by any one of the CAs that your browser trusts.
In corporate environments, some companies will add their own root CA to their users systems to allow them to intercept SSL traffic. One of the most widespread corporate malwares is called ProxySG from BlueCoat Systems, a company dedicated to breaking the Internet.
Certificate verification is as reliable as the weakest CA you trust, it takes only one compromised CA to void the whole system.
A Few Things You Can Do
Break Your "User Experience"
Request Policy acts by blocking all content that does not come from the site you are visiting. If it may drive some users insane it will at least give a tangible sense of how many connections your browser is asked to make to load a single page. For those armed with calm and patience you can set up permissions as you go, temporary or permanent. The result is that you load what you want, not what the website wants.
Trust No One
We've seen that trusting random CAs is bad, you can remove/untrust them. This depends on your browser so you may need to look in to that. With Firefox it is possible to compile yourself a version without any built-in CAs, I wont get into details with that as the experience and documentation for this is .... . not so up to date and so far doesn't work for me in more recent versions.
Regardless, I was inspired by this Life without a CA post and it has been a few years since I've been living like that. I cope by having at least 2 browsers. One with no CAs, this is the secure browser, I can manually verify certificate signatures, if they change I will be informed.
I use a second browser that will trust any CA included with it, a default Firefox (Iceweasel). I will consider that HTTPS via this browser is not verified and by default broken, I wont log in to anything here.
You can and/or use Certificate Patrol, this helps keep track of certificate changes. This can be very useful especially on the browser with all the default CAs.
Run Your Own Services
Internet was designed to be decentralised, to allow everyone and anyone to run their own services. To allow peers to communicate directly to each other. The term "web" was coined because if represented visually (web/Internet) it would look a bit like a web.
The software required to do so exists, there's plenty of quality Free Software out there for this task. By quality software I mean that most of the Internet already uses such software. It works, there are shitloads of documentation, it's free, and mostly it is Free. Free as in freedom and not free as in advertisement supported services that monetise users and their privacy.
Currently things are looking more like a wheel, big service providers are gathered in the centre and most users have an exclusively passive role in the structure. There's nothing wrong with a service becoming popular, like a good search engine. What's wrong is when that search engine is also your email, calendar, photo gallery, social web, maps, news, documents, and you get the picture by now.
As a community we've been letting the Internet down. It was built to allow everyone to have their space, but generally speaking we elected a few companies to run the whole thing for us. They promised they wouldn't do evil and some still believe them. That said, I don't think they deserve all the blame, the users were not forced into this situation, they were seduced. It's time for a cold shower.
Running your own services puts control of your Internet in your hands.
Because of our negligence, some ISPs don't even provide Internet access, what they provide is access to certain Internet services. They do not allow you to host services, they block ports, hijack DNS queries and regulate bandwidth according to where your traffic is going. That is not an Internet connection, it's a connection to Internet services.
Remove Tracking Devices From Your Websites
Users may employ Request Policy to avoid loading these things, the better solution would be for website design to take their user's privacy into account.
None of this is news to those who've been following. The news is relevant to many people because PRISM has reflected a lot of colourful light on a tangible bothersome aspect, privacy.
Some suggest using things like Tor and VPNs, encrypting emails and chat messages. I think those are very good tools (Tor is insanely beautiful), however they are not the solution to this problem we face today. Email encryption does not hide meta data (from/to/date/subject/IPs in some cases), using Tor to connect to Yahoo mail does not make your conversation private, it makes it anonymous on the condition that you never use your real name or other real details. OTR does not hide your relations and conversation timestamps, only the content of the messages.
Other solutions could be Meshnet(s), I really like this idea. The only thing that bothers me is having to re-invent and re-build The Network (Internet).
We need to think about what we want to do with our Internet while it still can be ours. Do we really want to cut off connections ? The goal of the Internet is to have one network open to everyone, do we want to replace that with multiple internets ?