When using a computer, the normal activities of day to day local (not internet) use are generally typing documents, gaming, and copying files. By nature, anything that you type in a locally running program (such as an office application for word processing or a spreadsheet) will not be copied to a surveillor automatically unless your computer is infected with malware (a virus or trojan) that is purposefully doing so. If you unplug your network connection (the cable that probably goes to a switch, router, or modem), then nobody is able to actively (in real time) watch what you’re doing unless they’re physically looking over your shoulder. Keep in mind that once you reconnect to the network, anything you’ve done or continue to do is subject to surveillance. I once made a joke that the only perfectly secure system is one that isn’t plugged in and is buried a few feet down in the ground. As technology advances, this is becoming more true.
I consider computers to be inherently insecure. There are compensating controls (things that you can do and install to make them less insecure), though if you have installed any software, you have to trust the company that developed the software not to be performing any surveillance on your activities. Unfortunately it’s not just the company that developed software, but all of the developers as well. Considering the size and complexity of most software these days, there are a lot of different ways that a developer could hide surveillance mechanisms or back doors in their software.
Take for example the recent (early 2014) issues with OpenSSL, which is the basis of most mainstream encryption. Nobody noticed that one of the developers added code with a vulnerability for almost two years. Most people tend to believe that it was an error, though many conspiracy theorists believe that it was added maliciously. Others believe that there are organizations who were using that vulnerability since it was introduced to perform espionage (governments for surveillance and traditional espionage, and business for industrial espionage).
Even if companies that develop software and the developers themselves are trusted, the software has to be hosted and distributed to people. The system administrators of the servers that host the software can make modifications to it as they have access to everything on their servers. The certificate authorities who issue code signing certificates could issue rogue certificates to make your computer believe (trust) software that may look like what you expect, though in fact is just malicious code. The companies and administrators of web accelerators, proxies, caching servers, and the software the serves up data (web servers, FTP servers, and others) are also all vectors of attack.
I used to make a joke that the only secure computer is one that has the power off, has been dropped into a 10 foot hole in the ground, and has been covered by cement. It may sound funny, but it’s actually true.
There are things that you can do in order to reduce your risk, and I’ll go into more detail in the pages to follow.