It’s a chilly spring morning in 1987, and things aren’t going so well for you. The threats and stalking weren’t your fault, but you’re genuinely afraid for your safety and the police couldn’t help much. After thinking long and hard, you’ve decided your best option is to disappear and start over. You pack your family’s belongings into your Fiero, empty your bank accounts (a couple grand in cash), close out your accounts without forwarding, and hit the road. You’re sick to your stomach scared to leave, but you’re also relatively confident – you can find cash work and lodging pretty much anywhere, (under an assumed name with counterfeit papers, if necessary). Go far enough and keep your head down, and it’s not likely he’ll find you again without a good PI or a string of bad luck.
★ ★ ★
It’s 30 years later, and the business of fleeing an abuser has changed dramatically. Many elements of our world are still familiar, but the nature of personal privacy has changed dramatically. The internet, mobile phones, and social media brought the world closer, often in incredible and inspiring ways, but also in ways that fundamentally harm our ability to keep any element of our daily activity private or secure. The field of network security has grown from an afterthought to a standard college degree program and a major element of global military forces. News coverage shows us terrifying ways our personal data and digital devices can be abused, constantly bombarding us with reminders to restrict access to our data and internet presence.
Yet, the “common sense” security and privacy advice we offer frequently carries costs. Security experts can tweet about an Android version being obsolete and horrifically vulnerable to snooping a thousand times, but billions of people in the world simply can’t go out and buy a good quality new phone. There are wonderful commercial identity monitoring and digital privacy services available, for a yearly fee that might cut into many people’s medication budget. Even finding quality security education has tangible and intangible costs.
Whenever I tackle an extremely complex and contentious security topic, I endeavor to offer a variety of differing expert views to readers. Through a series of eight scenarios, I’ve invited seven security and digital privacy professionals to join me weighing in on the fundamental question of how much of a privilege digital privacy, and the abilities to “restrict” or “remove” our digital footprint, really are. The discussion is generally North America-centric – international privacy laws vary greatly. However, many of our privacy and personal security solutions are not specific to any country. Our general conclusion is that while convenience and absolute anonymity can be a privilege that comes with resources, there are many effective low-cost ways to drastically improve personal digital privacy.
My colleagues, who generously contributed their time and knowledge to this article without compensation or sponsorship, are as follows:
- Viss / Dan Tentler – Founder of Phobos Group. Dark Wizard. Breaker of things. Essentially a static analog for “targeted, skilled espionage for hire”.
- Munin / Eric Rand – Blue team consultant; amateur blacksmith; consistently paranoid
- Krypt3ia – Old Crow, DFIR, Threat Intel, Targeter: krypt3ia.com @krypt3ia
- Lloyd Miller – Managing Director at Delve, a competitive intelligence, research, and policy consulting firm
- plum / Chris Plummer – Former IBM, DoD, now staff at exeter.edu. Oxford commas at 603security.com, chasing120.com, and @chrisplummer.
- CiPHPerCoder / Scott Arciszewski – CDO at Paragon Initiative Enterprises, writes and breaks cryptography code. https://paragonie.com/blog/author/scott-arciszewski – @CiPHPerCoder on Twitter
- evacide / Eva Galperin – Director of Cybersecurity at the Electronic Frontier Foundation.
Question 1: Mobile Device Privacy
Smartphones are woefully vulnerable to compromise and surveillance by numerous sources, from advertisers, to criminals, to suspicious spouses, to nation state adversaries. As our “second brain”, they contain massive amounts of our sensitive information, such as where we’ve been, our contacts, and our account logins. The common security boffin recommendation is to always own an up to date phone (often specifically an iPhone), replacing it whenever it becomes obsolete. Good quality phones aren’t cheap, but smartphones are frequently a necessary part of modern life. What are your privacy and security suggestions to somebody who can’t afford a new iPhone every few years, but needs a smartphone for work or school?
Munin – Limit your threat surface. Only install those apps that are essential for what you need, and avoid random web browsing on it. Don’t open attachments on it – set your email client to text only. Apply updates if they’re available for your platform. Don’t root or jailbreak it – yes, it lets you do a bunch of cool things, but it also opens up significant maintenance problems.
Lesley – Even if you can’t afford a new phone, please routinely check the version of Android or iOS you’re using. Once the phone is out of date and no longer receiving updates, reset it to factory and treat it as cautiously as you would a public computer. No matter the age of your phone, avoid installing any apps with too many permissions, including access to your microphone, GPS, camera, contacts, or phone identification. Keep location services turned off.
On another note, while the ubiquitous iPhone has pretty good security “out of the box”, there are also very good arguments for using an up-to-date Android phone from which the battery can be physically removed, if privacy is a big concern. There are few things more reliable than physically breaking a circuit.
Viss – There are carrier free phones that you can buy that cost half of what carrier phones do. A OnePlus2 will cost you around $300, and they get software updates several times a year. You can also get a Google Nexus or Google Pixel. All of these non-carrier phones get software updates way way more often than any phone that a carrier will try to sell you. That alone is a pretty huge improvement, even before taking personal measures to secure a mobile device. Also, a OnePlus, Nexus or Pixel will likely last years, and remove the need to buy a new phone every 12 months.
Lloyd – I don’t think good security comes cheap with phones, but Munin gives the best advice – if nothing else, only do the bare minimum necessary to accomplish what you need to do, and cut out the rest.
plum – In theory, devices purely for work or school should not be all that demanding in terms of features, so they should be remotely affordable. The carrier market is white hot right now. Chances are, there’s at least one in your region with a pretty compelling deal on a handset. This is difficult because for short money you’re into a new phone that you may not necessarily understand how to secure. To that end, don’t go out on an island – buy something your friends and family are familiar with, so they can help you. While many are averse to working with salespeople, you may find one that knows quite a bit about keeping your handset locked down. It’s worth the ask; there are really good people out there who know a lot more than simply how to sell you a phone. You may not get it perfect, but it will be better than out-of-the-box.
Krypt3ia– Phones, like much of the technology today we buy and use that could lead to compromise of significant amounts of our data are coming down in price in certain spaces while going up in others. So if you want to have a burn phone (and now you can get smart phones too cheaply) you can try to firewall yourself off by only doing certain things with a burner phone. I guess the thing is that generally here any phone at any time could be that device that leads to your data being open to attack.
It may also be of use to have a phone that has less functionality like a flip phone to carry out some tasks as the lesser the technology level the less the adversary has to work with as attack surfaces go. The reality however is no matter what you do you are subject to technologies that you do not have control over completely. As an example, I recently gave up a phone that I liked quite a bit because the provider did not update the operating system for security patches and had not done so in over a year. They just don’t really care, so I had to move on to a system that I could push the updates on. Still though, if you are relying on technology to protect you and YOU aren’t in control of every aspect of that, and are competent at it, it is a null sum game. Best I can advise you is to compartmentalize as much as you can. Use code words for things (i.e. appointments in calendars, names in phone books, etc) to obfuscate and make it that much harder for the adversary to get a toe hold.
CiPHPerCoder – Non-carrier phones like One Plus are a good idea, as Viss said, but one important obstacle is how purchasing is structured. If you get a carrier phone, you probably aren’t dropping $800 right then and there; instead, they roll the cost of the device into your monthly payments. If you get a non-carrier phone, you have to purchase it yourself. I believe it’s worth it to find a way to overcome this obstacle (so that you won’t be left vulnerable when an Android vulnerability surfaces if your carrier is negligent) but this comes down to a cost-benefit decision.
A related concern for most people is data privacy. For example, using a secure, private messaging app like Signal or WhatsApp instead of an insecure choice (Telegram, unencrypted SMS) to communicate with your friends is a great move. Encrypting your phone with a passphrase (to be clear: not a PIN code, swipe pattern, or fingerprint; you want a passphrase) prevents anyone (for example, at the airport) from accessing your private data while it’s powered off. I recommend a longer passphrase (e.g. 20 lowercase letters, generated randomly) instead of mixing different character classes, to minimize frustration and typos.
evacide – (most of the useful technical advice has already been given, so I am going on a bit on a tangent here) Phones are one of the most clear-cut examples of money buying security, but when you’re making digital security/privacy decisions, always keep in mind the attacker in mind. Your most up-to-date iPhone will not help you if you’ve been coerced into giving your password to your abusive partner or that partner has installed an app (covertly or otherwise) on your phone that allows them to spy on you. For these cases, it may be appropriate to covertly purchase a cheap second burner phone, which may not be as secure against hackers, but which may allow you to covertly communicate without alerting your abuser.
Question 2: You, on the Internet
Companies like FamilyTreeNow and Intelius collect data about every US citizen they can; even ones who don’t regularly use a computer. This data often includes addresses, phone numbers, social media profiles, criminal history, as well as family member names and birthdates. Obviously, this data can be very damaging when used inappropriately, and generates global privacy and security concerns far beyond simply being in a local phone book. Removing this data from hundreds of these companies is a huge undertaking, but commercial subscription services that do it reliably aren’t cheap. What’s the best option on a tight budget?
Viss – https://www.abine.com/deleteme/landing.php – spend $129.
Munin – Do what you can to minimize the harm – that’s the name of the game here. If you can’t afford a good service, do what you can by yourself. It won’t be perfect, but reducing the threat surface to a minimum will help. Remember, you don’t always have to outrun the bear – you can last a lot longer if you can outrun the other campers.
Lloyd – I don’t believe takedown notices are an effective strategy in the whack-a-mole world of personal data aggregation. You can send them, but the sites can ignore them. Additionally, a lot of that information including birth, property, voter registration, and criminal/legal records are government-generated and legally protected public records. There are several very reputable services, including Intelius (get it?), you can pay to do help remove some of this information, but I would ensure they offer guarantees and other identity/credit protection services.
Lesley – Third party privacy services are out of many people’s’ price range, but certainly the most effective solution for everyday privacy concerns short of a new identity. Privacy is also a constant battle – you need to look at a subscription service more than a one-time removal. If you absolutely can’t afford one, you can opt-out of many services for free, but it’s a time consuming and convoluted process. As a last resort, at least remove your data from the top 20-25 services to try to delay and frustrate people trying to research you. Don’t make a harasser’s life easy.
plum – Two years ago I discovered a downloadable database of voter registration data that included DOB from eight US states, and it had already been online for several years and mirrored in Europe. For the individuals in these states, through no fault of their own, their identities are permanently at risk. In truth we’re talking about mitigation, not prevention. Anyone’s best hope is an annual ID theft monitoring service. Some employers actually offer these free of charge. Tight budget? You’re left to pull a free credit report once a year and hope you catch something. The system is pretty broken here.
Krypt3ia– The ONLY way to avoid this is to not be you any more. So, you fake your own death after getting decent documentation with another name. Get credit set up for that person, a whole “new suit” as they say and then live that life and never talk to anyone from your past.
But oh wait… Now you have a new name and series of datapoints to worry about!
Best bet, go live off the grid in the woods or become homeless.
Another null sum game.
CiPHPerCoder – I’ve got personal experience with the downside of these services. When I was a teenager, my mother’s hobby (which consumed most of her waking hours when not working) was genealogy research through websites like Ancestry.com. It’s kind of funny in that, as I taught myself more about computer security and online privacy, she was unwittingly working hard to ensure that I would never have privacy online. Many years ago (either 2009 or 2010), an Internet troll had used this publicly available data to send me harassing emails, demanding that I take my blog offline forever.
Despite that experience, I don’t have a solution here.
It’s obviously an extortion racket; using the threat of public exposure to get people to pay up. The alternative to reaching into your wallet is playing whack-a-mole with third parties that mirror your personal information. The first option provides this industry with the incentive and resources to continue harming people’s’ lives. The other maximizes the harm they cause your own life (by wasting time trying to achieve a modicum of the privacy you should, rightfully, already have).
However, like many other areas of security, layered defenses work wonders to fend off attackers. Making a new pseudonym and linking it to a false persona is challenging and requires a ton of discipline to be successful. Even if you can’t protect your personal information, you can prevent malicious parties from connecting your screen name to your real name without drowning in a moral quandary.
Question 3: Traveling Abroad with Digital Devices
Travel is often considered a privilege, but people from all backgrounds do travel internationally. There are firm warnings from security professionals about bringing mobile devices and computers into less friendly countries (especially ones that conduct extensive monitoring and seizure) as they may conduct forensics on them or insert surveillance hardware or software. This adds a layer of risk to somebody who is trying to remain unseen. The blanket advice is usually to bring a separate, disposable computer and phone if they’re required. Computers and phones aren’t cheap. What would you recommend to somebody who needs to travel overseas to a dubious location but doesn’t have a big budget?
Munin – If you’re travelling for business, see about having your company handle the purchase of separate, designated equipment. If you’re there for a conference or just visiting, see if any of your friends in that country [social media’s great for making friends in foreign parts] will be willing to let you borrow equipment while you’re there. Remember that any kind of electronics you bring across a border – especially these days – is probably going to get searched, so avoid the problem if possible. Also, take some time ahead of time to set up a benign social media profile – put some noncontroversial or patriotic looking activity on it, and lock down or suspend your real accounts before you travel. If you end up being forced, coerced, or pressured into giving up online activity, refer to that account as your only account. Part of being safe is looking like you’re not worth harassing – so keep the lowest profile possible.
Viss – Do you HAVE to travel with your phone? Or your laptop? Can you use a chromebook, and just buy a burner phone while you’re in another country? Do you feel that you’re in a position where customs here or there will try to get into your phone? Here’s a fun trick: Select a cloud backup provider (Spideroak, Box, Dropbox, ec2, whoever, doesn’t matter). Make a titanium backup or nandroid backup of your phone. Make sure to use the encryption option. Put your encrypted phone backup into cloud storage before you leave. Format your phone in the air on the plane. If anybody wants to look at your phone, they can see it – there’s nothing on it. Have fun. When you get to your destination, pull down your phone backup and restore it. You may want to remove all your downloads and stored media beforehand. If you take the time to either A) have a dedicated travel phone that you do this to, or B) just occasionally trim your phone storage down you can get this to under a gig.
Lesley – Echoing Viss, consider very carefully if you really need the phone, or you just feel irrationally naked without it. Payphones may be rare, but they still exist in most transportation hubs, as do calling cards that work internationally (they are often sold in airports), and paper maps. If there is no way you can function without a phone, there are relatively cheap (<$40) options for unlocked disposable phones such as BLU’s, and SIM cards can usually be purchased a convenience stores when you arrive at your destination. Leave your sensitive personal data, including your fingerprints, off of any burner phone. Use it for travel essentials only. Stick to a “dumb phone” if you can.
Lloyd – For short term use, you can get used smartphones off Craigslist, get a prepaid SIM card, install just the contacts and apps you need for the trip, and then toss it on your way home. And, as everyone else has said, if you don’t need it, don’t bring it.
plum – I would never travel internationally with personal devices. Everyone has done well to discuss the risks, and from a practical perspective the logistics alone of getting a lost device returned to you from across a border – presuming a scenario that involves total honesty and goodwill – we’re talking long odds.
Krypt3ia – A USB stick with TAILS and an internet cafe or other access to a PC. Light footprint or you are in trouble. At this point you are dealing with nation states, and you will not win. INFIL and EXFIL into and out of countries is best done with very little on you. A mini USB (32 gig) can easily be tossed or eaten or destroyed. Not so much any other more expensive and luggable assets. For that matter you can cache them and in some cases secret them in your luggage where the color X-Ray and other schemes of detection can be obfuscated.
CiPHPerCoder – These are all good answers, so the only thing I can really offer is my setup. For domestic travel, I just have an encrypted laptop and encrypted mobile phone. If I’m traveling internationally, however, I’ll do the following:
- Rent a throwaway Virtual Private Server (VPS) from one of the providers on LowEndBox.
- Configure the VPS so that I can only SSH in via a Tor Hidden Service, using public key authentication (no passwords) with a SSH keypair unique to that server. (Ed25519.)
- Encrypt anything I need and store it on the server. (Veracrypt.)
- Purchase or repurpose a new laptop with a fresh Windows install for traveling purposes.
- Carry a USB or SD card with a Veracrypt-encrypted file containing the SSH private key.
TAILS can be procured on-site, and verified through other channels. I’d leave the phone at home.
Total cost: less than $10 if you already have the hardware on hand.
evacide – If you’re traveling for business, your business should have a policy in place your digital devices and travel. If they don’t already have one, this is the time to encourage them to do so. If you are crossing the US border, I recommend reading the advice EFF has written up as part of Surveillance Self Defense on this subject: https://ssd.eff.org/en/module/things-consider-when-crossing-us-border. In general, I would make sure my devices are password-protected, encrypted, and turned off when crossing the border. Particularly sensitive information should be removed from the device in advance, encrypted, and stored on a server for (secure! encrypted!) download if you need it when you arrive at your destination.
Question 4: Credit and Identity Theft Monitoring
Identity goes hand in hand with privacy. More Americans have had a credit or debit card stolen in the past couple years than those who have not, and data breaches and identity theft are huge problems. Services that proactively monitor and protect against this come with a monthly or yearly fee. What’s an affordable and effective solution for responsibly keeping an eye on your identity and credit? Are there solutions for people who can’t get a credit card?
Viss – Most credit cards these days come with alerting capabilities that will tell you if a charge comes through past a certain amount. Turn that on and set it to like $50. Anything over $50 and you get a text or an email. INSTANT notification if something sneaky is going on. You can’t do much about it not getting stolen in the first place, for example in the case of Target, the malware was in the cash registers and nobody knew. But you can know immediately if an attacker tries to use your card for evil, and you can call it in right away. Simply do this with every card.
Munin – If at all possible, do -not- use a debit card for anything. Every transaction is a gamble – so gamble with the bank’s money, not your own, and use a credit card if at all possible. An affordable alternative to paid services is to be ‘lucky’ enough to be in a breach – haven’t we all, at this point, received several years’ worth of “credit monitoring” to compensate us for the time and stress of having our identities compromised? More seriously, though, follow Krebs’ advice – lock down your account with the major credit bureaus, and unlock it if you have a specific need for a credit check. It’s not perfect, but it’s affordable and will reduce harm.
Lloyd – Using anonymizing services like Sudo, Blur (Abine), or Privacy.com allow you to make purchases with credit cards you have 100% control over. Therefore, if an online store’s is comprised, you can just delete the card and move on. Lock down your credit reports and do that for any of your children as well – people don’t monitor their children’s credit, making them vulnerable to identity theft as well. You can also get prepaid credit cards using very little information. You should research which features you prefer like ease of reloading, low or no monthly fee versus per-purchase fees, or usability. Generally, Chase and Amex are great introductory options. For international travel, Kaiku offers a prepaid card with no foreign transaction fees, great for short trips abroad. Keep in mind Know Your Customer laws make it very difficult to access to U.S. banking system and stay anonymous from the U.S. government for very long or while handling large transactions.
plum – The OPM breach, the Target breach, the Home Depot breach have really paid off for me; the past few years of free monitoring have been nice. LastPass actually bundles free credit monitoring, so that is worth exploring when this is done.
And as Munin mentioned, debit cards are cast from pure evil in a mold of good intentions. Never gamble on a retailer’s security posture with real money. Charge everything. If you don’t have access to credit, use as much cash as possible and be very judicious in your check writing. Every check you write says “hi, here’s my full name, here’s where I live, and here’s where I keep all of my money; in fact here’s my account number”. That’s a lot to hand over to a complete stranger.
Krypt3ia – Most banks do this now for you at no charge. I would not trust these companies to protect my data anyway. It is just adding to the complex web of your data being out there for others to abuse. Keep an eye on your accounts regularly and make sure your credit card/bank has your current number to call. Don’t waste money.
Lesley – Cash is your friend. Otherwise, a few people have already correctly noted how very risky bank debit cards are for your privacy and money. Unfortunately, many people are financially unable to get credit (or credit that promotes responsible use). There are a few options out there. Prepaid debit cards are one – although they may not have fraud protection, the amount of money which can be stolen from them is limited by the amount of money the purchaser loads them with. They can also lend some anonymity. Another option is a reputable credit card designed for people with low or no credit, designed to theoretically build credit over time. Legitimate options tend to be low limit, from a reputable creditor, with some security deposit required, and should always be designed to be paid off every month in full. Unfortunately this is a security blog, so I recommend you seek some free financial advice.
CiPHPerCoder – The credit bureaus are not your friend. Do not count on them correcting any mistakes on your credit history. Do as Munin and Viss suggested. Normally, the saying goes, “An ounce of prevention is worth a pound of cure,” but in this case prevention is your only recourse: There is no effective cure.
evacide – When you make online purchases, consider not storing your credit card number as part of your account. The same goes for storing your credit card number in your browser. Use 2FA whenever possible to protect your accounts and a password manager to create strong, unique passwords, so that if one account is compromised, the rest of them are still safe.
Question 5: On the People Still Using Windows XP
Tons of people have computers. Some of those computers are so old they are no longer patched or remotely secure. While operating system vendors have gotten better at forcing security updates in recent versions, security (especially in the era of the cloud) doesn’t necessarily indicate personal privacy. In terms of fundamentals from operating system, to browser, to antivirus, what are your suggestions to somebody who wants to upgrade their computer in a privacy-friendly way, but can’t afford more than a couple hundred dollars?
Viss – Microsoft gives updates to small businesses and students. Linux is free. Running linux is generally fine for people who simply need “a browser so they can Facebook and Gmail”, and that will keep them from the vast majority of exploits, drive by downloads and other attacks that by and large only target Windows. From the perspective of the operating systems, it tends to get a little hairy because they are designed to spy on people at this point. Github has several examples of an “unfuck script” that one can run on a Windows 10 installation to turn off all that telemetry. Once that’s done, I wager a combination of Windows Defender, EMET, and Malwarebytes for ransomware run all together and cranked all the way up should be a pretty good start. It’s surely more than most consumers would do on their own reconnaissance.
Munin – Most folks will be fine with a Chromebook. They’re kind of stuck in the Google ecosystem, which I don’t like, but they get continual patching and have a vastly lowered threat surface. If you’re OK with the whole “webapps for everything” thing – and let’s get real; that’s 90% of everyone’s usage these days anyway – then a Chromebook will likely meet your needs.
Lloyd – Chromebooks sacrifice some measure of privacy to Google in exchange for affordable computing experience. If you are not concerned what Google knows about you, this is a fine option. It is very difficult to keep operating systems up to date long term without regularly upgrading your computer.
plum – Basic, cheap ($200-ish), new systems seem easy enough to find. Certainly my best advice here concerns the disposal of old systems, as the general public is almost entirely in the dark when it comes to sanitizing equipment they don’t want anymore. I say this a lot – the lifecycle of personal computing is so incomplete. It’s so easy to get a new system, but we never really talk about how to get rid of the old one. Getting familiar with a utility like DBAN, which for $0 will wipe any trace of your existence from a hard drive, is a great first step.
Krypt3ia – Become more savvy about how your systems work. Keep them patched and try to keep up with the attacks out there. However, for the average normal person out there these things I just said sound like the teacher on Peanuts. Once again, do not trust any operating system unless you have complete control over it and frankly no one out there can do this. It is thus important that you learn some OPSEC lessons. But again, try getting this through to Gramma, it is not that easy. It takes education and not the once a year kind.
CiPHPerCoder – If you’re still on Windows XP, this probably means one of the following:
- You lack the capital to purchase a newer computer.
- In this case, make the switch to Ubuntu or Linux Mint, which are great and user-friendly GNU/Linux operating systems.
- If you’d like to get familiar before you commit to a new OS, get Virtualbox (it’s free).
- You’re a company that needs to use software that doesn’t work on newer versions of Windows.
- Consider switching to something like Qubes and running your Windows XP-dependent software inside of an isolated virtual machine to minimize the risk of a full system compromise.
Otherwise, you should just upgrade to a newer version of Windows. Laziness is incompatible with security.
Lesley – Part of this comes down to a distinction between privacy from companies, privacy from governments, or privacy from traditional criminals and the average nosy Joe or Jane.
An updated version of Chrome OS or Windows has a professional security team behind it releasing patches and responding to reports of vulnerabilities. This is really important. Of course, those companies rely heavily on cloud computing and telemetry – that’s how they provide the user experience which their customers expect. We’ve been focusing heavily on solutions for people facing criminal / stalker-type privacy concerns. In those situations, Chrome OS is an affordable option (assuming associated Google accounts are well-secured). Up-to-date Windows (while pricier) can be a good choice, too.
If you’re worried about privacy from companies, commercial options probably aren’t a great choice. This is where more user friendly versions of Linux like Mint or Ubuntu may be feasible. Of course, these distributions of Linux are ostensibly free, but that’s somewhat offset by the amount of time required to learn to configure and secure them.
If you’re worried about sophisticated actors, not only should you keep sensitive data off the internet, but you should restrict sensitive work to full disk encrypted systems without any speakers or network, Bluetooth, or wireless adapters physically installed.
Question 6: Private Digital Communications
There are numerous reasons to use encryption, and communicate and browse the internet privately. Abuse and harassment victims, whistleblowers, celebrities, journalists, and even government and military personnel may have to contend with being targets of surveillance, physical threats, or blackmail. Beyond overt risk, we have a fundamental right to privacy from the massive networks of data collection of advertisers and marketing firms that buy and sell our intimate details. While some services like Signal, Tor, and Protonmail are free, trustworthy VPN often isn’t. What are your suggestions for somebody non-technical who wants to communicate and browse with minimal potential for interception, without paying a lot?
Viss – Wire is free. Signal is free. Tor is free. VPNs are not. I run a small VPN service for exactly this reason. It’s IPSEC not SSL. That’s an important distinction, as well as it’s not “an app”. My VPN service uses Cisco hardware, not just “some cloud instances”. Do some homework on any VPN provider you elect to choose and try to steer clear of SSL based VPNs. They usually collect data about you and where you go, so while it may protect you from the skiddies in the coffee shop, it’s not protecting you from the vendor collecting your data for your $5 VPN account. If you’re a bit more technically inclined you could simply use an SSH tunnel. For that same $5 you could spin up a Digital Ocean host and use that as an SSH tunnel endpoint. Or you could stand up your own VPN. If you’re concerned about a private messenger on your phone being an indicator of you doing something shady, then install a bunch of them and use them for silly things. I have a wire room setup for “only gifs, no talking allowed”. There are nearly 40 people in there and nobody says a word, we just post silly gifs. So while it looks like there may be discussions happening to any outside viewers who can’t see the messages, it’s just noise. If you make lots of noise, it’s super easy to get signal through it. You just have to make sure the patterns of signal to noise aren’t super obvious.
Munin – “Use Tor, Use Signal” is the cliche in our world now, but it’s really going to depend on your specific needs. Harassment victims have different threats than whistleblowers, than celebrities, than journalists – there’s no one-size-fits-all solution. Perhaps talk to one of us, or some other trusted source, to figure out what your threat surface is, and work out what tools you have available that can best be used to manage it?
Lloyd – Depending on who you’re concerned about watching you, Signal, Wickr, and WhatsApp are fine for communication. I’m also a big fan of a pen and a piece of paper, and old fashioned face-to-face meetings. And never use a free VPN.
Krypt3ia – Use Signal, Use TOR Browser, and understand that everything you do on the net, everything you put out there is a threat to that privacy. For that matter, every device is giving up your private data and giving the companies and governments a portrait of “you” that can be used against you. How would I obfuscate this data? There are some means such as add-ons to FireFox (TrackMeNot and uBlock) You may also want to read Obfuscation: A User’s Guide for Privacy and Protest (MIT Press), which had some good ideas on how to use digital chaff to try and limit the real data these corporations have on us. If you have an adversary though that is directly in opposition, then use encryption (GPG, Protonmail, etc) but always know that the endpoints are always suspect (those you email with and the company serving you the service) so really, own the end point, forget the secrecy.
plum – Great points have already been made. I’ll add that it is critically important to remember to assess all of your online activity and electronic communication through the lens of litigation. If it exist(s)(ed), it can be subpoenaed. If this presents an unacceptable operational risk for you, hash things out face-to-face. If the logistics are not practical, follow Lloyd’s golden rule above: never use a free VPN. Tor is a go-to. While a little different, I would also keep an eye on Brave.
CiPHPerCoder – The only VPN you can trust is the one you’ve setup and administer. Most users aren’t technical enough to do this, and therefore shouldn’t use VPNs.
That said, there isn’t a winning concoction here that doesn’t require some user education to provide robust security against sophisticated threats.
Tor is great, but only if you understand its limitations. Tor + unencrypted HTTP means the exit node can sniff or alter your traffic.
Signal is great, but only if the person you’re talking with also uses it; otherwise, you’re communicating over unencrypted SMS. (You can turn the SMS fallback off.)
Whatever technology you choose, take 5 minutes to read through the documentation. The better you know your tools, the less likely you’ll make a fatal mistake when using them.
evacide – Before you choose a secure or private communications tool, think about your threat model: are you trying to protect your communications from criminals? From the government or law enforcement? From your parents or your spouse? These are all very different models. How important is it to you that the message should be secure? How important is it that the message actually gets to you in a timely fashion? (I’ve lost track of the number of arguments I’ve gotten into with my friends and family because a Signal message didn’t go through). Are you OK with giving out your phone number for this communication? Seriously, and I cannot emphasize this enough, Signal is not always the answer.
Lesley – A lot of differing opinions and options have been provided with regards to this problem – hopefully providing a starting point for consideration and discussion about private communications. I want to stress again that no matter what options you choose, noise is critical. Most of the private communications methods listed above hide the message, not the fact that you’re hiding a message. If you use VPN or encrypted messaging only for sensitive conversations or browsing you’re trying to hide, anybody watching will immediately start to look at that specific communication in more detail. For this reason, one of the first things I check in a computer under forensic investigation is the private / incognito browsing history. It usually contains only activity the user wanted to hide.
Whether want to prevent an angry ex or a multinational criminal organization from intercepting your sensitive communications, make sure they are lost in a sea of everyday benign private traffic. That’s why Tor usage is so highly encouraged by privacy advocates for everyday communication – if only foreign journalists under death threat by rogue dictators used it, their traffic would be easy to spot and target.
Question 7: Authentication
Online accounts are always a target, and passwords are generally easy to guess by casual criminals and advanced actors alike. So, we frequently advise people to enable two-factor authentication on their accounts through an app or (less desirably) SMS. The problem is, not everybody has a smartphone of their own – particularly one that works everywhere reliably. What are your suggestions to somebody who uses online accounts, but doesn’t own their own phone?
Viss – get a Google voice number, and set up hangouts to accept SMS messages. DO NOT SHARE THIS NUMBER WITH ANYBODY. You can set up 2FA SMS for everything that uses it, and those texts will hit Google hangouts. You can get them on a desktop/laptop, or through hangouts on your phone. The connection between your phone and Google is cert-pinned SSL, and the ‘secure texts’ will come through over data not SMS. It’s not a silver bullet, but it defeats Stingray attacks and mobile phone “man in the middle” attacks. You can also configure Google voice to either forward those SMS messages to another number, or email them to you, or another email account. There are many options.
Lesley – An alternative option is a physical two-factor security key, a tiny object which is inserted into the USB port of the computer you are using while you log into a wide range of web services. U2F keys are well under 20 dollars, easily purchased from many online retailers, and should theoretically last far longer than many electronic devices. The downsides are that if you lose the key you may be in trouble, it won’t be usable in places which block the use of USB ports, and it could potentially be seized.
Lloyd – U2F keys aren’t a cheaper option than what Viss recommends. I like physical keys but they have weaknesses: your key can be stolen, there is still limited support for physical keys, and they cost money. If you’re someone who forgets things, leaving your key at home or in the wrong bag can cost you a day of work if you aren’t careful.
plum – Without a true “something you have”, 2FA starts down a road of compromise. Like Viss, I have not completely criminalized the use of SMS, and he presents a creative solution. Burner phones can serve this purpose well. For five bucks, a refill card for a thousand text messages could last a while.
CiPHPerCoder – This came up a lot in the discussion of the Guardian’s terribly misleading WhatsApp article. In the real world, a lot of users share phones and swap out SIM cards rapidly. In the WhatsApp case, this makes public keys change rapidly, which could create a UX nightmare for people who have used WhatsApp for years and never even heard of encryption. Many of the 2FA assumptions break down in a shared-device scenario.
If you’re in dire straits here, Viss’ Google Voice number suggestion is probably your best bet. I’ve not heard any other realistic solutions for folks who share phones and don’t own security keys. If 2FA isn’t available, outright, consider making it more of a point to use a password manager (KeePassX, LastPass, 1Password, etc.) than if you had 2FA.
Munin – This particular question’s been giving me problems for a few days now. The long and short of it is that, as far as 2FA is concerned, the users are entirely at the mercy of the vendors as to what nature of 2FA solutions the vendors support – for instance, though I really, -really- want to use a yubikey with twitter, twitter declines to support this option and only allows SMS based second-factor auth.
Unlike the other questions here, this is one in which the user has very little control over whether or not they can effectively follow the advice given.
The ‘correct’ solution would be to only use services from vendors that support proper 2FA – but when those services won’t “do the job” – e.g. all your contacts are on a service that doesn’t do this correctly – you’re inherently limited in what you can do.
So my ultimate advice here would be – if you -can- follow the solutions given above, do so; if you’re not able to, then do the absolute best you can with what you have available. If you don’t have a unique device available for a second factor, it’s best not to push for a compromised second factor over a non-compromised single factor. Control what you can, and look for opportunities to make it better; and pay special attention to those things you cannot control – monitoring is a kind of mitigation.
Question 8: You, in the Real World
We’ve discussed our online lives in detail, but what we do every day in the physical world leaves a huge digital footprint as well. This includes all kinds of activities, like shopping, banking, and our hobbies and work. Let’s think in terms of our introductory example of a victim of stalking and abuse (this time, in 2017). What are feasible actions he or she can take in day-to-day life, with a small budget, to reduce the digital footprint left by his or her activities (while still remaining a part of modern society)?
Viss – Use a combination of personal travel and ridesharing applications or public transit to mask surface travel. Combine using different credit cards with paying in cash. Change travel routes to not consistently use the same path to get to destination. Make random stops (at shops, for coffee, etc, whatever) to make it harder to determine where you are going. Turn off your phone from time to time (yank the battery if you can). Don’t spend a lot of time walking on the street in the open. Travel in a vehicle or on public transit as often as you can. Do not dress to impress. Do not stand out. Plain shoes, jeans, t-shirt. If you want to blend in, then blend in. You can look spectacular later. Pay attention to your surroundings. See if people are pointing cameras at you. Take detours and see if you see the same people over and over again. If you think you are being followed, validate that feeling by taking more detours and seeing if the same people are there. If you are confident you are being followed, let the people following you see you taking their photo or recording them. It helps if you have more than a phone – like a GoPro or a camera of some kind. Usually in that scenario they’ll have no idea WTF to do. The easiest way to not be a victim is to not simply lie down and take it. If you feel you’re being victimized, complaining about it on Facebook or writing a longwinded gif-riddled post on imgur will solve nothing. Get evidence of stalking or abuse. As much as you can. Confront the problem head on. If your abuser is physically abusing you get a restraining order and back that up with video evidence. http://www.wikihow.com/Be-More-Perceptive This is a good start.
TL;DR: everything on the internet leaves some kind of log. Don’t post stuff online then try to remove it. Just don’t post it in the first place. Don’t openly volunteer information for the sake of small talk. If someone asks how your day was, tell them – but don’t feel obligated to explain that it’s going poorly because your car insurance carrier dropped you because you were unable to make your last payment, and that was because trouble at work led to you being fired. That’s a lot to unpack and gives random people WAY WAY MORE INFORMATION than they need to just chat you up. It takes a bit of practice, but you can usually turn those kinds of conversations around onto them, and have them tell you a life story while not saying a word.
- Enhance your situational awareness
- Understand where the cameras are and seek places with less of them to do business
- Understand where the cameras are and seek to obfuscate their seeing you (hat, glasses, scarf etc and look down, not into them.
- Randomize your routine, in fact do not have a routine
- Read up and practice counter-surveillance techniques (I can recommend books) but really having real practical experience and mentorship is key
- Take all of the advice above in this document and use it.
- Leave your digital equipment behind or put them in Faraday bags
- Understand the precepts of OPSEC with regard to the internet
- Be vigilant
plum – Endeavor to use more cash. Every time you use a credit card, you’re generating data about where you are and what you’re doing.
Don’t allow mobile apps to use your location automatically, or at all. Don’t check in. The world doesn’t need to know you’re going for a run on your lunch break *right now*. Tell them later about how you had a great run today, without mentioning where and when. Small things like this. You’re not hiding your habits, you’re just removing the unnecessary precision in describing them.
Augment your digital protection strategy with self-defense skills. You may never need to use them, but you’ll feel a hell of a lot more confident. And when you’re confident, you carry yourself better, you’re more aware of your surroundings, and you turn the tables on being vulnerable.
Lloyd – Privacy and security are practice, and can’t be done alone. Your information, even your home address, is known and stored in devices and on paper by your friends, family, and coworkers. Most “hacks” occur via social engineering, where unsophisticated people are exploited for the information they keep. Educating the people around you should always be a part of any physical security practice.
CiPHPerCoder – If you can, turn your phone off and take the battery out when traveling or discussing anything sensitive with your friends or family. Try to practice common sense at all times. Don’t, for example, take needless selfies and then share them publicly on social media if you’re trying to attain better privacy. Simply put: They don’t need to know, so don’t tell them.
Paying with cash has two benefits: It’s not directly linked to your bank account, and it promotes better money management discipline than debit/credit cards (which in turn will allow you to save money toward some of the solutions discussed above that might be out of your budget).
evacide – A lot of the advice above means making major changes to the way you live. Think about how much you’re willing to change in order to avoid your stalker/abuser. A lot of victims are trying to balance their desire for privacy and distance from their abuser with a desire to continue living their lives in a normal fashion. Some simple steps such a person can take include using a pseudonym on social media accounts, locking down one’s social media accounts so that content can only be viewed by trusted friends, and making one’s trusted friends aware of the situation so that they can alter you if they are contacted by your stalker/abuser trying to get information out of them.
Munin – The advice above is all good, but ultimately, the real problem is in balancing proper paranoia with the ability to function as a person. This is very difficult.
Balancing the need to stay hidden with the very real psychological dangers of isolation is difficult even for trained professionals – so maintaining such a cover will necessarily cause stress and strain. If you have anyone that you can trust, make sure you can stay in contact with them to keep an even keel. That will help with balance, and help you remember how to use the other advice appropriately.
★ ★ ★
(Additional credit on this article goes to Bill Sempf, who contributed extensive expertise on skiptrace investigative methodology.)
All opinions in this article are that of the individual contributors, and do not necessarily reflect the views of their employers, past, present, or future.