Following China’s example, France has banned anonymizing software, open WiFi, and private cryptographic keys under the auspices of security. In the wake of the Paris attacks, several high-ranking American federal officials criticized surveillance roll-backs and suggested encryption should be banned despite no evidence that it played a role in the tragedy — to the contrary, the attackers in this case communicated in the clear, and the top intelligence lawyer recently lamented that the government lacks a single good example of terrorists relying on cryptography to do their dirty work.
One case of that won’t prove the argument, either. Guns, not cryptography, kill increasing numbers of Americans in near-daily mass shootings. And neither guns nor crypto are the real global security crisis. Rather, better information security practices tend to enhance security.
World leaders have been convening in Paris since 29 Nov. and continue this week, under the resultant martial clouds of fear and grief, to discuss a far greater, but faceless, threat to global security than violent extremists or other reptiles: climate change. And in the wake of revelations about surveillance of world leaders, fear of environmental activists driving illegal mass surveillance programs like PRISM, and reports of climate scientists experiencing campaigns of threats and harassment, you can bet that at the United Nations Conference on Climate Change (COP21), the U.S. government will be listening. Surveillance of legitimate political leaders, dissidents, and scientists threatens democracy and diplomacy by undermining rule of law, enabling intimidation, and fostering a climate of fear that constrains expression.
The good news is that electronic communications surveillance is easy to break. As I’ve written previously, art, information, and information security (infosec) tools routinely circumvent multi-trillion-dollar surveillance programs. But infosec, often referred to by the name of its subcategory, encryption, or of the related field, cryptography, can itself intimidate newcomers. Like any practice, learning better infosec is a process, not an endpoint. Far from being a spy’s tool of the trade, it has lots of everyday security benefits, like reducing individuals’ and businesses’ vulnerability to cybercrime and interpersonal violence.
Here are seven easy steps anyone can take today to begin practicing better infosec.
1: Use basic phone encryption for basic calling and texting.
The same context, illegal dragnet surveillance and easy-to-use encryption tools that break it, applies to smartphone communications. Download Signal for iPhone or TextSecure and RedPhone for Android using the instructions here.
Installing Signal is probably the single easiest thing you can do today to enhance your information security. It takes minutes and is very user-friendly.
2: Use VPNs, Tor, or Tails for more secure communications.
VPNs are virtual private networks that encrypt the data you transmit over them, securing it in the way you probably already assume it is secured. Tor is a free browser and network that helps users defend against surveillance. Tails is a live operating system that uses Tor and encryption.
These are all good options for more secure communications, and choosing among them is context-dependent. VPNs are a better choice if you live in a country that blocks Tor entry nodes, like China. Tor is a good choice if you’re able to download it from your home Internet or put it on a USB drive from a public place, like a library or Internet cafe. Tails is the most secure option of all, and you need to use it if you may be dealing with nation-state level infosec threats (e.g., police state surveillance), or handling data from or about sources who may be at risk of nation-state level targeting (e.g., Syrian resistance fighters).
As an added bonus, Tor will also help you stop hemorrhaging data to third parties when you surf the Web. Using search engines that protect your privacy better than Google, like StartPage or DuckDuckGo, is also a good idea.
Short of using Tor, you can take small steps toward better information security practices: install extensions like Privacy Badger, Self-Destructing Cookies, and Ghostery, use incognito/private browsing in Firefox, and use Chromium instead of Chrome.
And of course, don’t surf while logged into Google.
3: Look to the European example: get your data off American servers.
Following the Snowden revelations, Austrian law student Max Schrems filed a lawsuit resulting in the European Court of Justice ruling last month that the safe harbor agreement isn’t safe. According to the European court, indiscriminate and illegal American mass surveillance violates the human right to privacy, and so sending data to the U.S. as if it’s a safe harbor violates ordinary Europeans’ human rights. In practice, this means leading legal scholars now recognize unlawful surveillance undermines ordinary people’s human rights.
So you should get your data off American servers to protect yours. This means kicking the Gmail and Google addictions, replacing them with alternative, relatively secure email services. Counter-terrorism specialists were saying for years that we should let Google do counter-terrorism. Well, they are now. And it’s jeopardizing security as well as privacy. We haven’t effectively stopped them with domestic U.S. legislative pushback because our political system is too corrupt. But we can make illegal surveillance a lot harder and more costly, and our own communications harder and more costly to intercept.
4: Use basic email encryption for basic emailing.
As far as we know, current encryption defeats the kind of fiber-optic cable tap that has enabled intelligence agencies to compromise entire countries’ electronic communications. All encryption is breakable, but for now PGP/GPG encryption seems safe.
The easiest way to begin encrypting email is to download Thunderbird with the Enigmail extension along with GnuPG software. It’s all free, and you can find step-by-step instructions here.
Your metadata (who you are, who you’re contacting, and the subject line) remains vulnerable to surveillance. So a lot of people set up anonymous email accounts using Tor or VPNs (more on these later) before using encrypted email for really sensitive communications.
Don’t worry if you find email encryption difficult and frustrating. It is easy for experts to make mistakes in this realm. There are lots of steps, and doing better is a process.
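The metadata point in step 4, as an added example that is not part of the original article: this Python code parses a PGP/MIME message and reports which headers stay readable even though the body is encrypted. The sample message (addresses, subject, armored body) is constructed, and `body_protection` and `exposure_report` are names chosen here for illustration.

```python
from email import message_from_string

# Constructed sample: an RFC 3156 PGP/MIME message. Addresses, subject and the
# armored body are placeholders, not real ciphertext.
SAMPLE = """\
From: alice@example.org
To: bob@example.net
Subject: Meeting notes for Thursday
Date: Tue, 01 Dec 2015 10:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date")

def body_protection(msg):
    """Classify how the body is protected: 'pgp-mime', 'pgp-inline' or 'none'."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"
    for part in msg.walk():
        payload = part.get_payload()  # a list for multipart containers
        if isinstance(payload, str) and "-----BEGIN PGP MESSAGE-----" in payload:
            return "pgp-inline"
    return "none"

def exposure_report(raw):
    """Return the headers readable by anyone who can read the raw message."""
    msg = message_from_string(raw)
    exposed = {h: msg[h] for h in METADATA_HEADERS if msg[h] is not None}
    return {"body": body_protection(msg), "exposed_headers": exposed}

if __name__ == "__main__":
    print(exposure_report(SAMPLE))
```

Running it on a message exported from your own mail client shows the same pattern: PGP covers the body, while sender, recipient, date and subject travel as plain headers.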