With increased State sponsored surveillance and changes in the political tenor even in formerly moderate countries more people are asking “how to I keep my communications secure?”.
Sadly for most people the complexities of being totally opaque are too onerous, add too much complexity, or are simply not worth the effort.
But there’s no need to give up totally and just roll over. There are still things you can do to keep some of your communications at least less likely to be exposed.
If you’re in a vulnerable group - which sadly in the US today potentially means people of color, (im)migrants, women and those who don’t fit into conventional gender roles - then maybe it’s time to start taking a bit more care about your digital footprints…
The following are some suggestions. Over time their efficacy may change so please be diligent - do your own research, and keep your eyes open for red flags in mainstream and technology news that may indicate things have changed. If you find better solutions, or know of failings in any of these (I’m no expert), please comment and I’ll be happy to update this.
First of all, Facebook and other social media are not your friends. While Facebook does now offer encryption of messages and Snapchat deletes your snaps they are corporate entities and if push comes to shove there’s no reason to assume they will act in your best interests. Obviously anything you post on Facebook or Twitter is pretty much fair game.
Web Browsing exposes a huge amount of data about a user, and potentially anything you send online is visible to your ISP and others who may have visibility to your connection (eg on a public WiFi). There are a few things you can do though to reduce the number of eyes watching what you do:
- Ensure you always browse with HTTPS by default (most modern browsers can enable this for you either using built-in settings, or using a plugin like HTTPS Everywhere from the EFF, more on them in a moment). If the server you are talking to also supports SSL then the data sent between you and the server is obscured. There are techniques to nullify this protection - man-in-the-middle attacks, certificate spoofing etc - but it's enough to deter casual inspection.
- Use encrypted DNS. The Domain Name Service (DNS) is the 'address book' of the internet, and tells your browser how to find the server that's actually going to respond to the friendly name you type in. If you use your ISP's default DNS, or a public unencrypted one, then like using HTTP instead of HTTPS anyone watching your connection can see what sites you are looking up. It's a little daunting but visit DNSCrypt.org to find the client for your operating system.
- Ad Blocking is a pretty contentious subject, but when it comes to anonymity many sites and advertisers go way beyond what is reasonable in efforts to track you - both to sell to you or to monetize your behavior. While I agree with the argument that sites, if their content has value, deserve to get paid there are many who go too far creating a poor experience. For desktop computers I like uBlock Origin, though if you have clicked the link you'll see it's a little daunting. For mobile users Brave is an alternative browser with built-in ad blocking.
- Visit the Electronic Frontier Foundation (EFF.org) to read up on a bunch more of these things, and check out Privacy badger (their form of ad blocking)
- Think about what you're searching, what sites you're visiting, and what that says about you. A search engine like DuckDuckGo is as good as Google or Bing and doesn't track any info, but not visiting sites that highlight you as worthy of more investigation is probably a good idea.
- TOR - The Onion Router - is a protocol originally designed by US Navy scientists, which breaks up every request into small pieces and routes each over a different path. The goal is to make it very hard to identify who is doing what, and what you are looking at. Sadly TOR has become a haven for people looking to hide what they do for nefarious purposes so there are risks with using this tool in that you may be targeted because portions of anonymised traffic use your machine as a node while you are using someone else's. It's a little technical and can be daunting, but if you have the time and inclination worth experimenting with.
- VPN - Virtual Private Network - is a dedicated, encrypted connection from your machine to an exit node which can be anywhere in the world. Because some providers offer a service where they maintain no logs or tracking it is a fairly robust way of accessing a resource and not being associated to it. Respected providers such as Private Internet Access (PIA) even allow you to pay with gift cards to make it even harder to associate activities to any specific user. PIA have clients for iOS, Android, Windows and OSX and the performance is very good. PIA also has built in ad blocking capabilities.
Email is insecure by historical design - it predated the sorts of concerns that are now rampant. Email lives on your machine, and on the server, largely unencrypted. Over the wire most offerings protect it (look for the https:// prefix in your browser) but there are ways around that, and there have been a number of cases of Governments simply requiring the ISP/Mail Provider to provide access to the servers. If you are looking for a more secure email solution something like ProtonMail may work for you, offering Android, iOS and Web clients it makes some strong claims about both it’s security and it’s independance. Obviously though if you send email to someone using a conventional server then the content is, once again, insecure.
Messaging is the other obvious area. I mentioned Facebook and Snapchat earlier but there are other options such as Skype, Telegram and Signal which all offer differing levels of protection. With the exception of Skype all of these tie back to a phone number which, in my opinion, is a flaw.
- Facebook Messenger, part of the Facebook experience, does now offer end-to-end encryption but per my earlier comment about them, they are a US based commercial entity with all that entails.
- WhatsApp, owned by Facebook, has enabled End-to-End encrypted messaging, but because it's a closed-source app and they do not disclose what encryption they use it may or may not be a robust solution.
- Skype, owned by Microsoft, is a proprietary, closed source, messaging platform that over the years has moved from a distributed peer-to-peer model to a centralized server based solution. It has clients for iOS, Android, Windows and OSX. I've not seem much about the security of their end-to-end encryption, but historically Microsoft has made a point of standing up to Government interference.
- iMessage, from Apple, is restricted to iOS devices but within that limited ecosystem has a strong champion against Government access as Apple, like Microsoft, have taken a strong and very public stance on user privacy.
- Telegram is largely open source, and their Secret chats, though not the default mechanism, are end-to-end encrypted using a proprietary algorithm (not yet demonstrated to have been broken, but a possible cause for concern). Their default message option is stored on their servers (encrypted, but see earlier caveat) but that does give the advantage that, like Skype or Facebook Messenger) you can reply to a message thread from multiple places
- Signal, from Open Whisper Systems, is currently the most secure messaging client in wide use. They are very open about how they protect messages and it has stood up strongly to peer review. Because of the messaging architecture they have no visibility on messages between users, though that level of security comes with some of the same restrictions as Telegram's Secret chats.
- SMS/MMS is the traditional default for phones. Sadly, like the original web protocols, this has proven to be very susceptible to eavesdropping and so while solutions like a rapid turnover of burner phones or use of ciphers in communication provides some protection it's not as convenient as some of the other messaging solutions available today
For any account, if it offers two factor authentication (ideally using a phone app not SMS) turn it on. Have a look at TurnOn2FA for more info. As some recent cases have shown it’s not a guarantee, but it makes it harder for people to gain access.
Don’t use a fingerprint to unlock your phone. It’s more convenient for sure, but unlike passwords which you can’t be compelled to share your fingerprint is not afforded the same protections.
If you don’t want people knowing where you’ve been turn off location services (GPS) on your phone. While it’s easy enough for the right people to pull cell tower records and track/locate you that way it’s more work and creates a paper trail. As well as GPS, disable WiFi and Bluetooth if you’re not using them, as then can be used to track and identify your phone.
Also, I hopefully don’t have to tell you this, don’t re-use userid/password combinations on different sites/services as that just makes things way too easy (see this great article for more on that topic). Use complex passwords and a password manager to help you manage them (this site can help you generate them, or LastPass can help you generate them, and manage them).
Nag your friends. If you’re using secure tools to communicate, and they just copy and paste into regular email or their Facebook wall then it’s going to be less effective.