Difference between revisions of "Digital Security"

From Resistance Manual
(Personal Safety and Security)
Line 1: Line 1:
==Electronic Surveillance==
 
 
Every activist, down to someone who's simply Tweeting in support of the resistance, could potentially be put under surveillance. The United States has a long history of surveilling political dissidents, from making lists of Communists during the Red Scare to monitoring civil rights activists through programs like CointelPro.[https://www.democracynow.org/topics/cointelpro] Given that the laws around electronic privacy are underdeveloped, the government can potentially gain access to a lot of information without going through the processes that would come with more established/recognized privacy rights.
 
 
Surveillance has a well-documented "chilling effect" on freedom of expression. The simple fact of knowing that it's possible somebody could be paying attention to your actions severely reduces the scope of the actions you're willing to take and may lead to self-censorship (well before, and/or more severely than, governmental censorship is even put in place). This impacts everything from political dissidence to art, and is a serious problem regardless of whether those with access to surveillance information make active use of that information.
 
 
=== Government Surveillance===
 
 
====Information Accessible Without a Warrant====
 
*The PRISM program,[http://www.theverge.com/2013/7/17/4517480/nsa-spying-prism-surveillance-cheat-sheet] which began after the September 11, 2001, attacks, enables NSA analysts to query the information stored by Facebook, Google, Yahoo, MSN, Apple, Youtube, AOL, and Skype.[https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data] Information indicating which specific companies are a part of this program was released in 2013 as part of the Snowden disclosures, and it is likely that more companies have been added to the system since those materials were created.
 
*The XKeyscore program,[https://theintercept.com/2015/07/01/nsas-google-worlds-private-communications/] also started after September 11, is a complex software system that enables NSA analysts to quickly access any of the NSA's data. According to The Guardian's Glenn Greenwald, low-level NSA analysts can, via systems like XKeyscore, "listen to whatever emails they want, whatever telephone calls, browsing histories, Microsoft Word documents. And it's all done with no need to go to a court, with no need to even get supervisor approval on the part of the analyst."[https://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data][http://abcnews.go.com/blogs/politics/2013/07/glenn-greenwald-low-level-nsa-analysts-have-powerful-and-invasive-search-tool/] He added that the NSA's data bank of collected communications allows its analysts to listen "to the calls or read the emails of everything that the NSA has stored, or look at the browsing histories or Google search terms that you've entered, and it also alerts them to any further activity that people connected to that email address or that IP address do in the future."[http://abcnews.go.com/blogs/politics/2013/07/glenn-greenwald-low-level-nsa-analysts-have-powerful-and-invasive-search-tool/]
 
*The Foreign Intelligence Surveillance Act of 1978[https://www.gpo.gov/fdsys/pkg/STATUTE-92/pdf/STATUTE-92-Pg1783.pdf] describes procedures that the government must follow in conducting domestic surveillance. It was passed after a bipartisan effort to create more strictly defined rules on the matter after the revelations about President Nixon's use of government resources to spy on opposition political parties. The Act provides means by which American spy agencies can be approved for secret warrants to conduct surveillance on individuals within US jurisdiction, via electronic surveillance, physical searches, telephone surveillance, access to business records, or certain other means. The Act created a secret court, the Foreign Intelligence Surveillance Court (commonly known as the FISA Court), that examines these surveillance requests without making the content of the requests public and decides whether to approve or deny the requests. Between 1979, the year of the court's creation, and 2013, of 35,529 requests submitted, only 12 were denied.
 
*The USA Patriot Act, initially signed by George W. Bush in 2001 and later reauthorized in part by Barack Obama in 2011, widened and enhanced the capabilities authorized by FISA. Previously, only conventional wiretaps (on phones) were authorizable under FISA; but the Patriot Act added wiretaps on packet-switched networks (the Internet) to the list. It also allows for lower-level FBI officials to issue National Security Letters, which require the recipient to provide some information to the Bureau but that also contain a gag order prohibiting the recipient from disclosing the existence of the NSL to anybody other than an attorney.
 
 
====Information Accessible With a Warrant====
 
If a warrant is actually obtained, then of course more information becomes accessible. The individual subject to the warrant may not be aware of the warrant: Often the warrant requires an internet service or cell phone provider to give information to a government agency, and the government can request a gag order preventing the organization providing the information from telling its clients that they are subject to a warrant.
 
 
===Online and Offline Harassment===
 
 
Donald Trump's victory has emboldened the (already quite active) online trolls who harass, insult, and threaten women, minorities, LGBTQ+ people, and others who disagree with them or don't support Trump. This harassment can discourage people from engaging online and prevent very real conversations about our country and its future from taking place. Harassment can lead to serious long-term effects, including trauma. Online attacks can also extend into the real world. Doxxing, where the private details of someone's life are exposed, is one type of attack. Other threats include stalking, swatting, and identity theft. Some tools for reducing the risk of doxxing are [http://www.computerworld.com/article/2849263/data-privacy/doxxing-defense-remove-your-personal-info-from-data-brokers.html here] and [http://juliaangwin.com/privacy-tools-opting-out-from-data-brokers/ here].
 
 
Given the threat of this harassment, people who engage in resistance activities online need information and tools to protect themselves.
 
 
 
==How to Protect Yourself from Digital Surveillance==
 
==How to Protect Yourself from Digital Surveillance==
 
=== Without Changing the Platforms You're Using===
 
=== Without Changing the Platforms You're Using===
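Review bot: removing the '==Electronic Surveillance==' block from line 1 leaves the page opening directly on '==How to Protect Yourself from Digital Surveillance==' with no lead paragraph; keep a short introduction above the first heading (the chilling-effect paragraph would serve) so the protective measures that follow have their motivation stated first.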
Line 113: Line 90:
 
*[https://medium.com/@mshelton/securing-your-digital-life-like-a-normal-person-a-hasty-and-incomplete-guide-56437f127425#.8mldoefnv Securing Your Digital Life Like a Normal Person]
 
*[https://medium.com/@mshelton/securing-your-digital-life-like-a-normal-person-a-hasty-and-incomplete-guide-56437f127425#.8mldoefnv Securing Your Digital Life Like a Normal Person]
 
*[https://crimethinc.com/2004/11/01/what-is-security-culture What Is Security Culture?], CrimethInc.
 
*[https://crimethinc.com/2004/11/01/what-is-security-culture What Is Security Culture?], CrimethInc.
 +
 +
==Electronic Surveillance==
 +
 +
Every activist, down to someone who's simply Tweeting in support of the resistance, could potentially be put under surveillance. The United States has a long history of surveilling political dissidents, from making lists of Communists during the Red Scare to monitoring civil rights activists through programs like CointelPro.[https://www.democracynow.org/topics/cointelpro] Given that the laws around electronic privacy are underdeveloped, the government can potentially gain access to a lot of information without going through the processes that would come with more established/recognized privacy rights.
 +
 +
Surveillance has a well-documented "chilling effect" on freedom of expression. The simple fact of knowing that it's possible somebody could be paying attention to your actions severely reduces the scope of the actions you're willing to take and may lead to self-censorship (well before, and/or more severely than, governmental censorship is even put in place). This impacts everything from political dissidence to art, and is a serious problem regardless of whether those with access to surveillance information make active use of that information.
 +
 +
=== Government Surveillance===
 +
 +
====Information Accessible Without a Warrant====
 +
*The PRISM program,[http://www.theverge.com/2013/7/17/4517480/nsa-spying-prism-surveillance-cheat-sheet] which began after the September 11, 2001, attacks, enables NSA analysts to query the information stored by Facebook, Google, Yahoo, MSN, Apple, Youtube, AOL, and Skype.[https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data] Information indicating which specific companies are a part of this program was released in 2013 as part of the Snowden disclosures, and it is likely that more companies have been added to the system since those materials were created.
 +
*The XKeyscore program,[https://theintercept.com/2015/07/01/nsas-google-worlds-private-communications/] also started after September 11, is a complex software system that enables NSA analysts to quickly access any of the NSA's data. According to The Guardian's Glenn Greenwald, low-level NSA analysts can, via systems like XKeyscore, "listen to whatever emails they want, whatever telephone calls, browsing histories, Microsoft Word documents. And it's all done with no need to go to a court, with no need to even get supervisor approval on the part of the analyst."[https://www.theguardian.com/world/2013/jul/31/nsa-top-secret-program-online-data][http://abcnews.go.com/blogs/politics/2013/07/glenn-greenwald-low-level-nsa-analysts-have-powerful-and-invasive-search-tool/] He added that the NSA's data bank of collected communications allows its analysts to listen "to the calls or read the emails of everything that the NSA has stored, or look at the browsing histories or Google search terms that you've entered, and it also alerts them to any further activity that people connected to that email address or that IP address do in the future."[http://abcnews.go.com/blogs/politics/2013/07/glenn-greenwald-low-level-nsa-analysts-have-powerful-and-invasive-search-tool/]
 +
*The Foreign Intelligence Surveillance Act of 1978[https://www.gpo.gov/fdsys/pkg/STATUTE-92/pdf/STATUTE-92-Pg1783.pdf] describes procedures that the government must follow in conducting domestic surveillance. It was passed after a bipartisan effort to create more strictly defined rules on the matter after the revelations about President Nixon's use of government resources to spy on opposition political parties. The Act provides means by which American spy agencies can be approved for secret warrants to conduct surveillance on individuals within US jurisdiction, via electronic surveillance, physical searches, telephone surveillance, access to business records, or certain other means. The Act created a secret court, the Foreign Intelligence Surveillance Court (commonly known as the FISA Court), that examines these surveillance requests without making the content of the requests public and decides whether to approve or deny the requests. Between 1979, the year of the court's creation, and 2013, of 35,529 requests submitted, only 12 were denied.
 +
*The USA Patriot Act, initially signed by George W. Bush in 2001 and later reauthorized in part by Barack Obama in 2011, widened and enhanced the capabilities authorized by FISA. Previously, only conventional wiretaps (on phones) were authorizable under FISA; but the Patriot Act added wiretaps on packet-switched networks (the Internet) to the list. It also allows for lower-level FBI officials to issue National Security Letters, which require the recipient to provide some information to the Bureau but that also contain a gag order prohibiting the recipient from disclosing the existence of the NSL to anybody other than an attorney.
 +
 +
====Information Accessible With a Warrant====
 +
If a warrant is actually obtained, then of course more information becomes accessible. The individual subject to the warrant may not be aware of the warrant: Often the warrant requires an internet service or cell phone provider to give information to a government agency, and the government can request a gag order preventing the organization providing the information from telling its clients that they are subject to a warrant.
 +
 +
===Online and Offline Harassment===
 +
 +
Donald Trump's victory has emboldened the (already quite active) online trolls who harass, insult, and threaten women, minorities, LGBTQ+ people, and others who disagree with them or don't support Trump. This harassment can discourage people from engaging online and prevent very real conversations about our country and its future from taking place. Harassment can lead to serious long-term effects, including trauma. Online attacks can also extend into the real world. Doxxing, where the private details of someone's life are exposed, is one type of attack. Other threats include stalking, swatting, and identity theft. Some tools for reducing the risk of doxxing are [http://www.computerworld.com/article/2849263/data-privacy/doxxing-defense-remove-your-personal-info-from-data-brokers.html here] and [http://juliaangwin.com/privacy-tools-opting-out-from-data-brokers/ here].
 +
 +
Given the threat of this harassment, people who engage in resistance activities online need information and tools to protect themselves.
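Review bot: the re-added '==Electronic Surveillance==' block is appended after the page's closing external-link bullets (the two context links at the top of this hunk), so the surveillance background now sits below the further-reading list; move it above those links. The citations are also bare bracketed URLs such as [https://www.democracynow.org/topics/cointelpro], which MediaWiki renders as numbered links with no reference list; wrap them in <ref>...</ref> and add <references/> at the foot of the page so readers can find the sources.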

Revision as of 13:39, 20 March 2017

How to Protect Yourself from Digital Surveillance

Without Changing the Platforms You're Using

Be careful what you post

  • What to know: Often, we post material online that can compromise our own safety and security. For example, when you post a photo to Twitter or Instagram, all identifying metadata is stripped from it. However, when you post to other sites like Flickr, all that data is preserved and can be used to identify and locate you. Even on sites like VSCO, which display images without giving viewers the option to download them, images can be extracted from the source code of those sites complete with location metadata embedded.

Often, services like Instagram and Twitter will ask you to enable location services so they can tag your tweets or posts with your current position. This can be useful but poses a lot of risk at the same time. It is akin to giving a troll a live feed of your current location.

  • What you can do:
    • Disable location services for apps like Twitter and Instagram.
    • When you post to social media, avoid posting identifying information about your current location.
    • Avoid patterns. If you stop at the same Starbucks every day, do not post a photo of your morning drink while tagging that Starbucks.
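As an added illustration of the metadata point above (not part of the original wiki page), the following Python script, using only the standard library, inspects a JPEG for an Exif GPS latitude tag and writes a copy with the Exif block removed, which is what the photo-hosting sites mentioned above do or do not do for you. The embedded sample file and its coordinates are constructed for the demo and are not a real photo or place.

```python
import struct

EOI, SOS, APP1 = 0xD9, 0xDA, 0xE1
GPS_IFD_POINTER, GPS_LAT_REF, GPS_LAT = 0x8825, 0x0001, 0x0002


def iter_segments(jpeg: bytes):
    """Yield (marker, raw_segment) for each marker segment after SOI.
    Everything from SOS onward (the compressed picture) is yielded as one
    piece so callers can copy it through untouched."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == EOI:
            yield marker, jpeg[pos:pos + 2]
            return
        if marker == SOS:
            yield marker, jpeg[pos:]
            return
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header at offset %d" % pos)
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # counts itself
        seg = jpeg[pos:pos + 2 + length]
        if len(seg) != 2 + length:
            raise ValueError("truncated segment at offset %d" % pos)
        yield marker, seg
        pos += 2 + length


def exif_payload(seg: bytes):
    """TIFF bytes of an Exif APP1 segment, or None for any other segment."""
    if seg[1] == APP1 and seg[4:10] == b"Exif\x00\x00":
        return seg[10:]
    return None


def read_ifd(tiff: bytes, offset: int, end: str) -> dict:
    """Parse one IFD into {tag: (type, count, 4-byte value-or-offset)}."""
    n = struct.unpack(end + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def gps_latitude(tiff: bytes):
    """(hemisphere, decimal degrees) from the GPS IFD, or None if absent."""
    end = "<" if tiff[:2] == b"II" else ">"  # byte order from the TIFF header
    ifd0 = read_ifd(tiff, struct.unpack(end + "I", tiff[4:8])[0], end)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = read_ifd(tiff, struct.unpack(end + "I", ifd0[GPS_IFD_POINTER][2])[0], end)
    if GPS_LAT not in gps:
        return None
    ref = gps.get(GPS_LAT_REF, (2, 2, b"?\x00"))[2][:1].decode("ascii")
    off = struct.unpack(end + "I", gps[GPS_LAT][2])[0]  # 3 RATIONALs stored out of line
    d, dd, m, md, s, sd = struct.unpack(end + "6I", tiff[off:off + 24])
    return ref, round(d / dd + m / md / 60 + s / sd / 3600, 6)


def find_gps(jpeg: bytes):
    """Location recorded by any Exif block in the file, or None."""
    for _, seg in iter_segments(jpeg):
        tiff = exif_payload(seg)
        if tiff is not None and gps_latitude(tiff):
            return gps_latitude(tiff)
    return None


def strip_exif(jpeg: bytes) -> bytes:
    """Copy of the file with every Exif APP1 segment dropped; pixels untouched."""
    return b"\xff\xd8" + b"".join(
        seg for _, seg in iter_segments(jpeg) if exif_payload(seg) is None)


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG skeleton (SOI, Exif APP1, EOI), not a decodable
    picture; little-endian TIFF with IFD0 -> GPS IFD -> 37 deg 46' 30.0" N."""
    tiff = b"II*\x00" + struct.pack("<I", 8)                     # IFD0 at offset 8
    ifd0 = (struct.pack("<H", 1)                                  # one entry
            + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26)    # LONG -> GPS IFD @26
            + struct.pack("<I", 0))                               # no IFD1
    gps = (struct.pack("<H", 2)
           + struct.pack("<HHI", GPS_LAT_REF, 2, 2) + b"N\x00\x00\x00"  # ASCII inline
           + struct.pack("<HHII", GPS_LAT, 5, 3, 56)              # 3 RATIONALs @56
           + struct.pack("<I", 0)
           + struct.pack("<6I", 37, 1, 46, 1, 3000, 100))         # 37/1, 46/1, 30.00
    body = b"Exif\x00\x00" + tiff + ifd0 + gps
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

Run `find_gps` on a real photo taken with location services enabled and it returns the hemisphere and latitude the file still carries; `strip_exif` is what you want to apply before uploading anywhere that preserves metadata.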

Secure your apps and services with 2-factor authentication

Almost every service, Twitter and Facebook included, offers the option to enable two-factor authentication for your account login. This means that besides using a username and password to log in, you also use either an app like Duo Mobile or a code sent to your mobile phone as a second layer of security.

Strengthen your passwords

There are a number of attacks hackers can use to guess or crack your passwords, so here are a few rules to follow:

  • Make them long. At least 12 characters should be the rule. More is better.
  • Do not use any personally identifying data in your passwords, such as:
    • Important Dates
    • Names of people or pets
    • Companies you have worked for
    • Cities you have visited or lived in
  • Use non-dictionary words when possible.
    • If you do use dictionary words to make the password easy to remember, then combine them with numbers and symbols. An example would be gips973"bake.
    • You can also combine random words that have nothing to do with you (see above regarding personally identifying information) with spaces to form questions that make no sense. An example is Baked horses tower road.. If you add the punctuation in there, or throw in a number, that is even more secure.
  • Do not reuse passwords! This is very important. If you use the same password for Twitter and your GMail, both could be compromised. Use a password manager such as LastPass or 1Password, or an encrypted text file at the least, to hold your various passwords. Most password managers store your passwords in an encrypted vault so even if their sync systems are compromised, your data typically is not.

With User-Friendly Software

The single most important step you can take toward securing your communications is to use strong encryption. The existing surveillance infrastructure relies on the fact that most information sent over the Internet is totally unsecured. Sending an email without encryption, for example, is the equivalent of sending a postcard in the mail: anybody with access to the message can read its contents, and because information on the Internet will pass through multiple systems before reaching its final destination, any of the systems that pass your emails on to the next server in the chain could be reading their contents.

Encrypted communication, by contrast, is illegible to anybody without the correct key to decrypt it. The intermediate servers passing it along cannot make sense of it without knowing the precise way in which it was encrypted. There is some debate about the NSA's capabilities with respect to breaking commonly used encryption methods, but it is broadly believed that one of the reasons for the agency's massive expansion in data storage capacity in recent years[1] is to enable a "store until relevant" methodology, whereby the agency simply stores all communications it can intercept, regardless of relevance or encryption, and returns to them when the necessary decryption keys become available or computing power reaches a point that enables vastly accelerated brute-force decryption methods. The broad consensus, however, is that encrypting your communications is the single most important step you can take to avoid having them read by third parties of any kind.

You can refer to this Medium post for a straightforward guide to encrypting your communications easily and safely.

It's also important to be careful about what you communicate online. Anything you post, message, or even type into a text box on Facebook is compromised information that can be easily collected by intelligence agencies. Information stored on Google's servers is easily accessible to NSA analysts. Your Amazon shopping history, Twitter posts, private messages on any digital service, Snapchat photos or messages, and Reddit posts and private messages are all fair game. In general, anything you post to an online service, whether it's in a private message or a public post, is available to surveillance agencies with little effort. Never use a third-party service for private communications unless you are absolutely confident that the contents of those communications could not be used against you.

Texting/Messaging

  • What to know: Texting is not a secure method of communication.
  • Acceptable alternative: There are a few apps and services you can use as a replacement for texting.
    • Signal has quickly grown into the tool of choice for many activists, journalists, and people who are part of a resistance. There are no known or public vulnerabilities with this app. If you're a Chrome user, you can also use Signal Desktop.
    • Dust—an app for disappearing text messages and photos that is similar in some ways to Snapchat.

Email

  • What to know: When it comes to email, here's a rule of thumb: Say nothing in your email that you will not be hurt by seeing on the front page of the New York Times. Email is an inherently insecure method of communication and should only be used with multiple precautions.
  • Acceptable alternatives:
    • Switch to using an encrypted email service. Protonmail and Tutanota are two easy-to-use providers of encrypted email. Both are hosted outside the US, so they are less likely to hand over your data on a subpoena; more to the point, both services store your email in an encrypted form on their server (also known as "encryption at rest"), and you are the only one who has the password. These services can hand over your data, but without your password(s) to unlock them, they're just garbled ciphertext.
    • One important note: Protonmail will give you a "public key" so that someone who is not using Protonmail can send you secure mail from, for example, their iCloud account using the GnuPG Apple Mail plugin to encrypt it. However, you cannot send that person an encrypted message unless you have them come to Protonmail's website and enter a unique password that you have prearranged with them.
    • Caveats: Using Protonmail or Tutanota is only useful if you are communicating with someone who is using the same service. You cannot send encrypted end-to-end mail from Protonmail to a Tutanota or Gmail user. You CAN send such a user an encrypted message that they have to come to Protonmail or Tutanota's website to decrypt, but you would have to provide them a password verbally, which would defeat the purpose.
    • When you simply want to avoid giving out your email address (e.g., when taking a Trump-sponsored poll!), you can get a free, temporary email address from Shark Lasers.
  • For more advanced users:
    • Start using GnuPG to encrypt all your mail. This is a bit tricky, as you have to get into the world of Public Key Infrastructure (PKI) and need to have the public key of anyone you want to email. If you want to get into this, however, here are a few good tutorials:
    • This 12-minute video called GPG for Journalists—Windows Edition is rumored to have been created by Edward Snowden to teach journalist Glenn Greenwald how to communicate over encrypted email. It is a good primer on the subject, even if you are using a Mac.
    • If you are on a Mac, look at GPGTools, which gives you the full GPG package as well as a plugin for Apple's Mail application. This assumes that you have an email provider that grants you IMAP access and you do not mind restricting your use of email to your personal computer.

Web Browsing

  • What to know: Browsing the web is not safe from surveillance. However, there are measures you can take to be safer when you browse.
    • Use Tor: Most security professionals recommend using Tor. Tor is one of the first tools you should reach for when browsing the web. While it used to be that only the technologically savvy used/understood Tor (and that is still the case if you want to use it for all your network activity), the Tor Project now has a more user-friendly web browser. Simply download the Tor Browser and launch it. It takes a few minutes, but when it is up and running, you can browse the web in relative anonymity and privacy.
      Here are a few things to keep in mind when using the Tor Browser.
      • If you put the Tor Browser on a flash drive, you can run the browser directly from that drive so you do not have to sacrifice your anonymity when not using your own computer. Add both the Mac and Windows versions to the drive.
      • Know that using Tor can be frustrating at times. Since it is routing your traffic through multiple "hops," or servers around the world, it can be slow. You will not be able to stream YouTube over Tor (though it is not out of the question if you get a good route at random).
      • Using the Tor Browser alone is not enough to shield you. Read this section on the Tor Project's website to understand the risks that you face, even when using Tor Browser.
      • Set your Tor Browser Security settings to "Medium" or "High." This makes it more frustrating to use the system, since it blocks a lot of the Javascript that modern websites need to run in order to serve you ads, track you around the internet, etc., but it also makes things more frustrating for someone trying to snoop on your activity.
      • There are mobile versions of Tor Browser, as well. On iOS, there is VPN Browser and Tob. For Android, there is Orbot.
    • DuckDuckGo—an anonymous search engine (i.e., Google without the tracking). It does not really work as well as Google, but it is much more secure.
    • Tails Operating System—Tails is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card. It aims to preserve your privacy and anonymity, and helps you to use the Internet anonymously and circumvent censorship. All its connections to the Internet are forced to go through the Tor network.

(This section is not complete. There's a lot more to come.)

Personal Safety and Security

Protester Safety

Other Guides

Electronic Surveillance

Every activist, down to someone who's simply Tweeting in support of the resistance, could potentially be put under surveillance. The United States has a long history of surveilling political dissidents, from making lists of Communists during the Red Scare to monitoring civil rights activists through programs like COINTELPRO.[2] Given that the laws around electronic privacy are underdeveloped, the government can potentially gain access to a lot of information without going through the processes that would come with more established/recognized privacy rights.

Surveillance has a well-documented "chilling effect" on freedom of expression. The simple fact of knowing that it's possible somebody could be paying attention to your actions severely reduces the scope of the actions you're willing to take and may lead to self-censorship (well before, and/or more severely than, governmental censorship is even put in place). This impacts everything from political dissidence to art, and is a serious problem regardless of whether those with access to surveillance information make active use of that information.

Government Surveillance

Information Accessible Without a Warrant

  • The PRISM program,[3] which began after the September 11, 2001, attacks, enables NSA analysts to query the information stored by Facebook, Google, Yahoo, MSN, Apple, YouTube, AOL, and Skype.[4] Information indicating which specific companies are a part of this program was released in 2013 as part of the Snowden disclosures, and it is likely that more companies have been added to the system since those materials were created.
  • The XKeyscore program,[5] also started after September 11, is a complex software system that enables NSA analysts to quickly access any of the NSA's data. According to The Guardian's Glenn Greenwald, low-level NSA analysts can, via systems like XKeyscore, "listen to whatever emails they want, whatever telephone calls, browsing histories, Microsoft Word documents. And it's all done with no need to go to a court, with no need to even get supervisor approval on the part of the analyst."[6][7] He added that the NSA's data bank of collected communications allows its analysts to listen "to the calls or read the emails of everything that the NSA has stored, or look at the browsing histories or Google search terms that you've entered, and it also alerts them to any further activity that people connected to that email address or that IP address do in the future."[8]
  • The Foreign Intelligence Surveillance Act of 1978[9] describes procedures that the government must follow in conducting domestic surveillance. It was passed after a bipartisan effort to create more strictly defined rules on the matter after the revelations about President Nixon's use of government resources to spy on opposition political parties. The Act provides means by which American spy agencies can be approved for secret warrants to conduct surveillance on individuals within US jurisdiction, via electronic surveillance, physical searches, telephone surveillance, access to business records, or certain other means. The Act created a secret court, the Foreign Intelligence Surveillance Court (commonly known as the FISA Court), that examines these surveillance requests without making the content of the requests public and decides whether to approve or deny the requests. Between 1979, the year of the court's creation, and 2013, of 35,529 requests submitted, only 12 were denied.
  • The USA Patriot Act, initially signed by George W. Bush in 2001 and later reauthorized in part by Barack Obama in 2011, widened and enhanced the capabilities authorized by FISA. Previously, only conventional wiretaps (on phones) were authorizable under FISA; the Patriot Act added wiretaps on packet-switched networks (the Internet) to the list. It also allows lower-level FBI officials to issue National Security Letters, which require the recipient to provide some information to the Bureau and which also contain a gag order prohibiting the recipient from disclosing the existence of the NSL to anybody other than an attorney.

Information Accessible With a Warrant

If a warrant is actually obtained, then of course more information becomes accessible. The individual subject to the warrant may not be aware of the warrant: Often the warrant requires an internet service or cell phone provider to give information to a government agency, and the government can request a gag order preventing the organization providing the information from telling its clients that they are subject to a warrant.

Online and Offline Harassment

Donald Trump's victory has emboldened the (already quite active) online trolls who harass, insult, and threaten women, minorities, LGBTQ+ people, and others who disagree with them or don't support Trump. This harassment can discourage people from engaging online and prevent very real conversations about our country and its future from taking place. Harassment can lead to serious long-term effects, including trauma. Online attacks can also extend into the real world. Doxxing, where the private details of someone's life are exposed, is one type of attack. Other threats include stalking, swatting, and identity theft. Some tools for reducing the risk of doxxing are here and here.

Given the threat of this harassment, people who engage in resistance activities online need information and tools to protect themselves.