In this chapter: Keep your communication private encrypted apps; VPNs and online anonymity; Find a safe VPN; Tor is one option; What if I'm paranoid?; Encryption and PGP
Given current events, I felt it was a good time to provide three chapters of this book and the corresponding resources for free, for whomever might need the information. I often describe this book saying, "it's like Smart Girl's Guide to Privacy goes to college," and was written with a team of professional hackers, in the spirit of our reaction to the 2016 US election.
The amount of surveillance we're under from corporations and authorities alike should be worrying to anyone, regardless of your politics. Spying on us is big business.
Internet companies have reshaped the world into an economic system dependent on monetizing the ways they can track and surveil us. Then they try to smooth it over with doublespeak about "improving your experience" or "keeping our communities safer." In just one example, smart TV company Vizio had to pay $2.2 million in 2017 to the FTC for its unprecedented spying on customers.
Facebook has been an arrogant foe of privacy advocates since it launched, and its data coffers fuel surveillance by authorities. In 2016 the company announced its plans to track which physical stores people shop at and report that information to advertisers. Where do you think that information ends up? Everywhere developers want it to be.
We're out of bounds with spying on each other, as well. Surveilling each other with the use of apps has been happening for as long as consumers have had tech in their homes. In 2017 two commercial cellphone surveillance products, FlexiSpy and Retina-X, were hacked revealing that everyone was spying on someone; parents, construction workers, lawyers, jealous lovers, and more.
Authorities are routinely overreaching with surveillance too, regardless of the law. In a 2016 oversight report, we found out that warrantless spying on Americans had more than doubled since the NSA disclosures of 2013. In 2015, New York police were caught lying about the use of Stingrays to intercept citizens' phone signals, doing so without court oversight.
Politicians see it as their duty to actively help those they think matter most—the wealthy and powerful people, corporations, and countries. Coming full circle, in 2017 the White House made it free and legal for our internet service providers (ISPs) to track, record and sell all the information they can grab about our online habits.
Defying surveillance isn't about being a liberal, conservative, socialist, or anarchist. It's about standing up for our rights to keep our personal information and our secrets private, and to insist on consent. You need to communicate safely and learn how to defy surveillance every day, whether you're gearing up for a rally, keeping your parents out of your personal life, or angry as hell about corporations and cops stepping all over your rights.
If you skipped Chapter 3 ("Hack-proof your life") and Chapter 4 ("Your phone is a tracking device") then skip right back and read those first. Then you'll be ready for the next level: Anonymity and encryption.
Keep your communication private
When you want to message friends and family but want to make sure your communication isn't being spied on, you'll want to avoid regular SMS (text messages) and apps like WeChat or Snapchat. That's because neither of these messaging methods use what's called "end-to-end encryption."
Think of end-to-end encryption as if you're sending your messages in a sealed canister, where only the outside of the container is seen by anyone except your recipient. At various points in its journey, the canister is checked to make sure it's sealed, and it verifies its identity. The only person that can open it is the person you send it to. The companies handling your message can't see it or open it.
End-to-end encrypted apps
Encryption is complicated to set up and maintain if you're not technical, so it's not the kind of thing you can necessarily do yourself. Fortunately more apps are using it than ever before, so you just need to pick the right one.
For most people, apps like WhatsApp, Facebook Messenger, and Signal will do the job nicely. However, WhatsApp and Messenger are owned by Facebook. The company has been pretty obvious about the fact that it scans the content of communications in Messenger, and have been facing some legal heat over it. If you use Messenger, be sure to turn on "Secret Conversations" to activate encryption.
As of this book's publication, a German consumer group is suing Facebook over its decision to link and track users’ profiles between the two services (it matches your WhatsApp account with your Facebook profile) to gather more data for its advertisers.
Signal, which comes in phone and desktop versions, is seen as safer and more secure than the Facebook owned alternatives.
One app that gets it all right is Threema. With this app, you can be as anonymous as you like, and it gives you fine-grain control over who knows you're on the service, or not. You don’t have to let it scan your contacts, and you can create a random profile username, among many other great details. Telegram is another popular encrypted app, but many hackers and security professionals don't trust it. If you use it, be sure to turn on encryption and know that it doesn't work on group messages.
VPNs and online "anonymity"
Websites and their advertisers are continually making a record of your unique IP address and tracking what computer or cell phone you’re coming from. This means they have a very good idea of your physical location. They could also stitch together information about your online activity. In worst-case scenarios, authorities can contact your Internet Service Provider (ISP) and obtain your identity.
If all that is something you want to keep private, you should know that you can’t trust these businesses (and probably not their employees) with that information. You’ll need to decide if it is important for you to hide your IP address when you visit certain websites or during certain activities or time periods.
Most people prefer to only protect their IP address when they’re using WiFi or Internet access they don’t know or trust. Some people are careful to hide their IP address when they use their laptops in public, like at a café (it helps safeguard against malicious hackers), but they don’t bother to hide their IP at home on their own network. Some people don’t mind if their IP address/location is known to websites and their partner businesses. Others find that trying to keep their IP address private is such a pain in the ass that they make peace with taking the risk.
If there was a show on Netflix about stealing candy from babies, it would look a lot like using public WiFi without a VPN. All advice about attending (or getting anywhere near) a hacker conference begins with "Get a good VPN for all your devices and use it at all times." Turns out there are some scary-good reasons for that.
See also: Spies, lies and data thieves: It's time to get a VPN (Engadget)
A VPN, or virtual private network, masks your computer’s IP address. You can use a VPN to secure access to your own network as well as to public WiFi or Internet access spots. It’s a great way to keep your browsing private, your IP secret, and you attack-proof. A VPN is also a handy way to protect your identity if you want to leave a comment or browse secretly without the website you’re visiting knowing your location.
In companies, a VPN is typically used to connect employees who aren’t at the workplace to a computer at work; they connect remote employees to central work servers. Many companies have VPNs so workers can access files and other resources over the Internet. Outside of company use, VPNs are being used more and more by people who just want to make their Internet use more secure from attackers.
Using a VPN might feel like insider infosec knowledge at this point, but so was making complex passwords not too long ago. When you use a VPN, the only thing an attacker sees is your computer talking to it—they can't see the connection to the sites you're visiting. Your Internet connection travels encrypted from computer to VPN server; from there the user's connection travels unencrypted to their final destination (a website). This way, websites only see the VPN's IP address and not yours. The ability of anyone to spy, intercept, attack, or steal information stops at the VPN.
When you use public WiFi in a café, plane, or airport without turning on a VPN first, you can be hacked by anyone who's downloaded any of the many, excellent, free, open-source network traffic analysis tools (like Wireshark or TCPDump). The risk of being scanned like this is typically low in private networks, and extremely high in public ones.
Without a VPN, someone with one of these tools who is on the same network as you can see the URLs you're looking at, metadata, and any information transmitted between you and the sites you're visiting. They can also maliciously inject traffic, where you visit a trusted web page that's spiked with code to infect you with malware, which typically steals your banking and identity credentials.
Even if the connection is encrypted (yet you're sans VPN), the attacker is limited to the URL you're visiting and any leaking metadata. But if it's not an "https" site, they'll be able to see and capture plain-text passwords.
If you turn off your VPN to watch Netflix, and leave browser tabs or online apps with active sessions running in the background, you're handing over to malicious hackers anything that's being transmitted while you're watching Netflix.
How to install a VPN:
1. Choose a reputable service
2. Sign up/subscribe
3. Install it on all your devices
4. Adjust your settings
5. Open and surf!
Once installed, a VPN is simple to use: just turn it on before you go online (before you open your email, open a browser window, and so on), and you’re all set. In a public WiFi environment like a café or airport, you’ll need to log in to the WiFi first and then open your VPN before making another move.
I love how much better I feel using a VPN when I’m at hacker conferences! I can’t imagine life without using a VPN, and I can’t recommend VPN use strongly enough.
Find a safe VPN
Selecting a VPN you can trust already took research and consideration, weighing connection speeds and pricing, learning about who keeps records and for how long and more. VPN services are also like any other in that they change their record-keeping policies and privacy practices over time, so that's another thing to keep up with.
In addition, these services can accidentally be misconfigured by the VPN itself. Just over a year ago, VPN provider Perfect Privacy found a massive security hole in many services called "Port Fail." It was a bug that de-anonymized users, and most VPN services ignored the problem until the press made noise about it. Many took weeks to put in a fix. One of those was a service endorsed by Lifehacker, which just shows that anyone can have problems finding a reputable VPN.
It can be overwhelming. It's not as simple as using whatever VPN the security cool kids say is "the one," because even popular services have been behaving badly. For example, popular service Hola VPN once got caught selling user traffic to a botnet.
Fortunately like most infosec topics, VPNs are a bit of a fetish unto themselves for people who are into them. If you want to know what the hallmarks of a trustworthy VPN service are, I have a controversial suggestion for you: the website Torrent Freak. Every year the site writes a post asking, "Which VPN Take Anonymity Seriously?"
In these extensive posts, TF talks to dozens of top VPN services and asks them what their record keeping policies are, as well as "various other privacy related issues." If a VPN gets a great review one year, has a less great review the next, and then drops off the list completely (like TigerVPN did), then definitely take that as a "buyer beware."
Less controversial is Restore Privacy, a review site that does a ton of work on finding safe VPNs, and they keep a current list of the best. If you want to get down and nerdy about it, a very thorough chart of VPN comparisons can be found at That One Privacy Site.
So if a VPN is recommended somewhere, do a little homework before you fork over your data (and your cash). Names that come up as trusted include Perfect Privacy, Freedome, TorGuard, Tunnelbear, ProtonVPN, Black VPN and others. It's generally considered best to use a paid (rather than free) VPN service, and there are a lot of great inexpensive ones to choose from. Your home Internet service provider might even offer a reputable one for free.
I use Perfect Privacy, Tunnelbear, and occasionally the free VPN provided by my internet service provider, Sonic.net. (My ISP is diligent about disposing of all its customers' traffic logs and history every two weeks. Sonic.net is locally described as the "hacker's choice" in ISPs.)
Should you have one for your phone? Absolutely, and most VPNs have mobile apps—though look out for the bad ones. Google's Project Fi (the company's phone service provider) automatically secures users on a Google VPN in every public WiFi situation.
The drawbacks? They can slow your connection down, and they may not work with services like Netflix that want to know where you're physically located. Some public places block the use of VPNs, which should be your sign that the network isn't safe to use anyway.
Once you're all set up with your new VPN, use the steps in this post on Lifehacker to test your VPN to make sure the outside world can only see your VPN's IP address, and make sure you're not leaking your actual IP.
Tor is one option
One way to protect your identity as you cruise around the Internet is to use the free Tor ("The Onion Router") tool or apps that use Tor, like Orbot for Android. Tor is software that allows users to browse the Internet anonymously—most of the time.
Tor is often recommended for dealing with totalitarian regimes and targeted surveillance, rather than people who want to prevent getting hacked or surveilled on public WiFi, want to use torrents, or want to hide their IP address. I am not a fan of Tor, and it has had many problems, but it must be included because that's what you'll see the loud infosec kids in the room telling you to use. When it's time to undertake sensitive tasks online, it's best to have several privacy and security options at your disposal rather than automatically turning to Tor.
You certainly wouldn't want to use Tor for everyday browsing. Bouncing traffic between relays will considerably slow down your internetting. If you're uploading or downloading media for an event or are in the middle of developing news (like a protest), you'll need to be very patient.
It is not easy to set up (or troubleshoot) if you’re not particularly tech-savvy. As the Tor Project notes, it "does not protect all of your computer's Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor." They add, "To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser."
If you must use it, here's how to install Tor:
1. Download the Tor Browser Bundle
2. Double-click to extract the folder
3. Open it and click “Start Tor Browser”
4. Decide where to keep it
5. Click "Install"
When Tor sends your traffic bouncing around through different relays, it eventually comes out through a single one before sending you to your final destination. The last relay is called the "exit node." Because Tor doesn't encrypt your traffic between an exit node and the destination server, any exit node is in a position to intercept any traffic passing through it.
An example of what this can mean happened in 2007 when a security researcher intercepted thousands of emails sent by human rights groups by surveilling the connections coming out of an exit node he was running.
This problem can be solved by using end-to-end encryption on everything while you're using Tor.
Take extra care opening files downloaded via Tor, as they may access the Internet behind the scenes and give away your true IP address. Digital Rights Management (DRM)-protected media files can be used to reveal Tor Browser users’ actual IP address and therefore possibly reveal their identity. If your situation is truly dire, do your research to ensure that you're not vulnerable to threats like DNS leaks and attacks designed to cross-reference your Tor activities with your non-Tor activities to track you down.
If you only want to stop websites and advertisers tracking you online then hardening your browser with plugins like Privacy Badger or NoScript will do the trick without drawing attention to yourself. If you're not concerned about anonymity but simply want to stop people eavesdropping on sensitive information, then secure HTTPS connections and/or a VPN should keep your secrets safe.
Likewise, if you're primarily concerned about the metadata retention scheme but have nothing significant to hide, then Tor is overkill. A correctly configured VPN should be enough to mask your IP address, so efforts to track online activities back to you come to a dead end.
What if I'm paranoid?
The most complete way to go to blocked sites and avoid Internet surveillance is to use an operating system called "Tails" (or The Amnesic Incognito Live System). Like the Apple, Windows, or Android operating systems, Tails is an environment within your computer that you switch to using instead of your computer's regular operating system. It forces all outgoing connections through Tor, and non-anonymous connections are blocked.
The Tails website explains you can:
- Use the Internet anonymously and circumvent censorship;
- All connections to the Internet are forced to go through the Tor network;
- Leave no trace on the computer you are using unless you ask it explicitly;
- Use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.
Like Tor, Tails is not a "silver bullet" against spying or getting around censorship. A "Warning" page on the Tails website explains what Tails doesn't protect you from, including user missteps and certain kinds of targeted attacks. For instance, it won't protect you from compromised hardware, firmware exploits, man-in-the-middle (MiTM) attacks, or being targeted by a global adversary.
Your ISP or your local network will see that you're connecting to a Tor relay, so be cautious about drawing attention by using Tails. It also doesn't protect you form yourself, meaning that it won't remove metadata in documents or photos, nor will it separate your identities. To keep identities separate while using Tails, only use one identity at a time and shut down/restart Tails when you switch identities.
Tails can be installed and run on a DVD, USB stick, external drive, or SD card. Once you turn off your computer (or in case of danger, just unplug the USB stick), your Internet activity and disappears without leaving a trace, not even on the external drive. Conveniently, Tails has a great setup assistant on its website that walks you through the installation process (tails.boum.org/install/index.en.html).
Encryption and PGP
When the U.S. government's widespread surveillance by the National Security Agency (NSA) was revealed through leaks in 2013, most people learned that governments can spy on anything they want to. And when government authorities fail at spying on us, they make private companies hand over information about users.
It's no longer a matter of finding a microphone in a lampshade; we seldom know we're being tracked. In fact, companies like Facebook, Yahoo!, Microsoft, and others have been pretty up front about the fact that this happens every day.
Company employees and agencies like the NSA also do bad things for their own purposes all the time. In 2013, U.S. officials confirmed to the Wall Street Journal that NSA officers and employees used the agency’s eavesdropping tools to spy on their love interests. The practice has a typical NSA spy-ops name: LOVEINT, short for love interest.
It’s enough to make anyone want to have truly private communication, regardless of whether or not you want to join a protest. You can protect your email, instant messaging, texting, and Internet browsing from attacks like these, and more, when you start adding encryption to your digital life.
Without encryption, anyone with a few minutes of access to your computer, tablet, or smartphone can spy on, copy, or steal your files.
Encrypting your computer lets you protect your files with a virtually uncrackable password, and Windows, Mac, iOS, and Android all offer ways to encrypt your local storage. Search online to find out how to turn encryption on for your system. Look for Apple’s built-in encryption program FileVault and BitLocker on Windows.
That takes care of your startup drive, but what if you have other drives or files? Locking a folder is a simple barrier that puts a basic level of protection on your files, but encrypting the folder is much better if you really want to keep it private—this process uses a cipher to make the data contained within completely unreadable, so it can’t be circumvented as easily. Multiple internal drives, partitions on a single drive, external drives or thumb drives are not included in FileVault or BitLocker, so if you want to encrypt those you have to do it manually.
When it comes to email, there are a range of ways to secure what you send and receive.
When selecting an email provider, choose a major company that offers web-based email, and make sure it uses Secure Sockets Layer (SSL) to send email securely. SSL establishes an encrypted link between a web server and a browser, creating a secure connection. You can tell when a website uses SSL because the address bar (where the URL appears) will show https instead of http.
If an email service (or website in general) doesn’t use SSL, it’s not taking your security seriously at all. So if you fill out a form, press Submit, and the website doesn’t have the s, it means that attackers could read all the information you just submitted to the website. If instead the website is using https, the information being sent over the Internet is encrypted, and it can’t be read by anyone snooping on WiFi—or any network—traffic. Needless to say, you should never ever enter your credit card number into a website that only uses http.
I recommend installing the plug-ins and extension HTTPS Everywhere, which turns your browser into a privacy shield by enabling encryption automatically on sites that support it.
You can take it further. The only way to truly, 100 percent keep your email private is to use something called OpenPGP. This is email encryption, which protects your email so that the only person who can read it is the one you’re sending it to. (PGP stands for “pretty good privacy.”)
GPG Suite is an open source (Mac only) plugin for Apple Mail that's incredibly easy to install and use. With a few simple clicks, you can encrypt, decrypt, sign and verify email.
You can purchase commercial PGP software or use free plugins like Mailvelope. If you’re more technically inclined, download the open source version that uses the OpenPGP protocol, such as GPG (GNU Privacy Guard). No matter what, if you want to send an encrypted email, you need your recipient’s public key (if they have one).
Many PGP implementations have plug-ins for different email clients, such as Outlook on PCs or Mail on Apple computers. As with all software, this can be problematic when system updates and PGP implementation updates don’t come at the same time. Also, it’s important to note that you might be restricted from using PGP at work or on your employer’s network.
With free services such as Mailvelope, any recipient you send an encrypted message to will have to enter a password to read it—and without the password, your message will just look like a bunch of garbage. Gmail/Google Apps, Outlook, Yahoo!, and GMX are all supported, and the app can be configured to support others.
Mailvelope is a browser extension for Google, Chrome, and Firefox that allows secure email communication based on the OpenPGP encryption standard. The framework of Mailvelope and products like it is relatively straightforward. First, install the plug-in. Next, you’ll generate a key pair, which means you’ll use the plug-in to make two sets of code. One set is called your public key, and this is the one you’ll publish. Each contact in your address book who uses PGP or products like Mailvelope will have their own public key, too.
The next time you open Gmail, Yahoo!, or whichever email brand you use, you should notice a lock icon in the compose area when you begin an email. When you’re done writing and ready to send, just click on the lock icon, and Mailvelope should encrypt the message with the recipient’s public key (if they have one) when you hit send.
When you get an email that’s encrypted, the process goes in reverse. You should see the encrypted message with a lock on it, so just click it to enter your key as a password to open it. Mailvelope will then search your saved keys to find the right one and decrypt the message for you.
You have options when it comes to encrypted chat apps. Signal is considered the best choice by far, with iPhone, Android, and desktop versions. With Signal you can also make encrypted phone calls. iMessage is for Apple iOS only, but it's a great choice.
I use Signal and when I want to be hardcore, I'll use Threema. For end-to-end encrypted video calling, I prefer to use either Google's Duo, or Apple's FaceTime. However, I will "meet people where they are" when it comes to communication choices; meaning, if someone prefers regular SMS, I'll use that and just adjust what I talk about accordingly. My only "hard limit" is anything owned by Facebook or running on any of Facebook's code. That's a big nope.
WhatsApp is another popular choice, and it runs on Signal's secure protocol—though WhatsApp is owned by Facebook. WhatsApp updated its terms of service in August 2016 to begin sharing names and phone numbers with its parent company, Facebook—which is under investigation for lying about automatically matching WhatsApp users to their Facebook profiles when it acquired WhatsApp in 2014. One app to flat-out avoid is Telegram, which has a laundry list of security problems.
There's another way keep your online messaging secure: A tool called Off-the-Record (OTR) messaging. OTR encrypts your instant messages when you use services like Google Hangouts and Facebook Chat.
Chat/IM software clients like Adium and Xabber all come with OTR messaging, and there are OTR plug-ins you can get if you use clients like Pidgin. OTR encrypts your messages so they can’t be read if someone intercepts them, but it doesn’t let you save your chats—which might be a desirable thing, depending on how private you want to make your communication. Using OTR means that even the service sending and receiving your IMs and chat can’t read the content.
Although it’s the best tool we have today, PGP encryption (and OTR) isn’t bulletproof. If the NSA really wants to spy on you, it has the resources to figure out a way to break OTR (if it hasn’t already). But that takes money, time, staff and a really good reason. Unless you’re hiding state secrets or doing something really nefarious that will make the authorities hunt you down, PGP and OTR should do the job for you, because you probably care more about keeping your messages confidential than about evading authorities.
It’s important to also consider that there are ways for people interested in digging up dirt on you to use information that PGP doesn’t encrypt. Like the recipient of your message, when you messaged them, their IP address, and so on. That said, if you’re an activist (or journalist, blogger, or writer) in a country where you’re a government target, use encrypted communications with caution. Reports of activists “flagged” for targeting because they use encryption (or privacy tools such as Tor) are not uncommon.
Like everything in privacy and security, it pays to be cautious and slightly paranoid. Still, it's easy to get caught up in surveillance hysteria, or feel like an outsider when limelight-addicted activists one-up each other about who knows more, or has better "OPSEC" (shorthand for "operational security").
Ignore the hype and posturing, and listen to your gut. Fighting surveillance is a very personal experience, and unique to each person's situation and needs. Take what you've learned in this chapter, its tools and information, and assess what's best for you.
Image via Tunnelbear.