
Privacy in the Era of Mass Surveillance: Tools You Can Use

What's At Risk?

There are easy ways to improve your privacy online; there are many more complex ones. What you decide to do will be a combination of what works for you in terms of convenience and what risks you face. The Electronic Frontier Foundation suggests we ask these questions:

  1. What do you want to protect?
  2. Who do you want to protect it from?
  3. How likely is it that you will need to protect it?
  4. How bad are the consequences if you fail?
  5. How much trouble are you willing to go through in order to try to prevent those?

For a dissident working in a repressive country or an investigative reporter who's communicating with vulnerable whistleblowers, the threat level is high, so they must adopt the most stringent steps to protect themselves and their sources. For most of us, the threat is more abstract and ambiguous. The tools in this guide are recommendations for those of us with relatively low levels of threat.

Self-Check

Don't Get Pwned

Go ahead, be paranoid. Don't open that attachment unless you're absolutely sure it's legitimate. Don't click on links in emails from people you don't know. Don't respond to requests for your password over email. Don't get pwned!

Workshop Materials

Feel free to reuse, adapt, modify, or build on these resources.

Easy Steps for Surveillance Self-Defense

Use a search engine that doesn't rely on gathering your personal data (cough, Google, cough) as its business model.

Want additional privacy? Install the Tor browser. This "onion" browser passes your traffic through multiple servers distributed around the world and run by volunteers. It's a little slower than most browsers but it's harder for others to read over your virtual shoulder.

Use browser extensions to block ads that might carry malware or to block third-party trackers. NOTE: be cautious when choosing browser extensions. Sometimes the way they are coded makes them insecure and subject to "man in the middle" attacks. Only install extensions from trusted sources.

Use strong passwords that are long and complex. Don't use the same password for different accounts - it's not safe. The easiest way to manage strong passwords is to use a password manager. Password managers not only store your passwords securely, they can also generate extra-strong ones.

Use two-factor authentication. This means that to log into an account, you need two things, such as a bank card and a PIN, or a password and a verification sent to your cell phone. At Gustavus, Duo is a program used for two-factor authentication of Gustavus employee logins. A number of sites make two-factor authentication available. See the EFF's explanation of twelve of the most common sites.

Finally - simple housekeeping advice: keep all of your programs updated with the latest releases and patches. This isn't just a matter of having the latest improvements; software companies need to update programs when they discover vulnerabilities. And that can happen anytime.

(In)Secure Surfing on Public Networks

A VPN can help you keep your search history private from your ISP. When you're at a cafe or airport and use their free wifi, you're definitely at risk. Using a VPN - a virtual private network - can keep others from watching your online activity.

VPNs are generally subscription-based. If you don't want to pay for a subscription but still want to browse the web without being watched, try installing and using the Tor browser. It may slow your search a little, but that gives you time to enjoy your coffee.

 

Encryption


Encryption is a process of encoding a message so that only the sender and receiver can read it.

On the web: ideally websites have security certificates that guarantee you're communicating with a website without anyone else getting between you and the site you're trying to reach. Sites that are encrypted have https:// at the start of their URL; your browser may also indicate the status of a site with a green lock icon.

Not all sites have this protection. Sometimes you will get a warning from your browser that a site is insecure. That's a sign you're better off not using it, especially if you were planning to enter any information into it.

Some sites are partly, but not entirely secure. The EFF has a browser plugin, HTTPS Everywhere, that will make your browsing more secure on those sites. However, it won't make sites that have no encryption secure.

On your computer: If you have a Mac, you may be able to turn FileVault encryption on for your computer, which will encrypt the files on your hard drive. Windows 10 only offers its BitLocker encryption program for Pro or enterprise accounts; you would have to upgrade. VeraCrypt is an open-source encryption tool you can install and use, but it's a bit more work.

In the Cloud: Google Drive and Dropbox are popular ways to store, sync, and share files. But what if you want a service that is so private it can't access the files you store on their servers - only you can? Try Sync or pCloud.

On your phone: Unless you have a very old iPhone, you're covered automatically. Android phones have encryption available as a setting.

What about email? Gmail has encryption available (though for non-academic accounts, Google algorithms read your mail to include information from emails in their advertising program). Microsoft Outlook has an encryption feature. If your risk level is high, you might want to invest some time in learning how to use PGP - but it's not simple. There is a plugin for the Thunderbird email client that makes it easier, or you can install the Encrypt If Possible add-on, which detects and handles encrypted messages. You can also sign up for a free email security certificate from Comodo.

If you want to occasionally send encrypted email for sensitive information with little effort, you can sign up for one of these free European email clients. (Europe has better legal protection for privacy than the US.) You will have to share a secret password with your recipient for them to open it.

What About Your Phone?

It's a good idea to use a passcode on your phone, the longer the better.

As with your laptop, keep your operating system up-to-date, watch out for emails from suspicious sources, and consider using a VPN whenever you're on a public network.

Turn on limited ad tracking. Enable encryption (if you have an Android phone; all but the oldest iPhones are always encrypted, though anything stored in their cloud can be accessed by Apple).

Be wary of installing free apps; many of them collect way too much information from your phone. Read the details and back away slowly from apps that demand access to too many things.

Want to maximize the privacy of your phone calls and messages? Use an app that encrypts your communication end-to-end (so long as the people you communicate with use it, too).

Want to keep your phone completely safe from surveillance? Here's a sewing lesson.

Check your settings on your phone to protect your privacy. These ultra-privacy instructions come from the Library Freedom Project.

iOS settings:
Settings → Touch ID & Passcode
Settings → Spotlight Search (off)
Settings → Keyboard → Predictive Text (off)
Settings → Keyboard → Enable Dictation (off)
Settings → Privacy → Location Services
    Only give access where necessary
Settings → Privacy → application data requests (review)
Settings → Privacy → Diagnostics & Usage (don’t send)
Settings → Privacy → Advertising → Limit Ad Tracking

Android settings:
Settings → Connections → turn off all
Settings → Location (off)
Settings → More → Security
    Password
    Encrypt device
    Device administrators
    Unknown sources (uncheck)
    Verify apps (check)

At a Protest?

Think before you post: Social media has made it easier to organize and publicize protests, but it can also be used against dissidents. Before you post photos or video of an action, consider who could be harmed. Law enforcement scans social media and uses facial recognition to identify and prosecute participants. Respect the privacy of your fellow demonstrators.

Know your rights: Filming or photographing police in a public place is constitutionally protected and has been valuable in holding the police accountable. However, officers will often threaten people who are filming them with arrest or may find some other pretext to detain them. The ACLU has your back.

Memorize the phone numbers you may need in a crisis or write them on your arm. If you are detained at a protest, your phone will likely be confiscated.

Crossing Borders

Currently, US Customs and Border Patrol claims a right to search electronic devices at border crossings without a warrant as well as to confiscate and/or copy the contents of devices. The ACLU disputes the legality of this claim and offers advice for travelers. Depending on your status and risk level, there are steps you can take to ensure you aren't forced to surrender sensitive information at the border.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License