Some things you can do to secure your communications

Now that we know for a fact that we’re constantly under surveillance, more people are wondering what you can do to protect yourself. Today I wrote down some thoughts in response to a post on the OKFN-discuss mailing list. Here it is, lightly edited.

In order to protect your privacy, it’s important to think about what, exactly, you’re trying to defend against. You’ll also need to decide to what length you want to go to protect your privacy, and the privacy of the people you talk to online.

If you want to avoid a scenario where some large corporation shares your data wholesale with others, whether voluntarily or under force, then the solution is not to give your data to such corporations in the first place.

Here, running your own mail, XMPP etc. servers (or paying someone you trust to do it for you) helps, as does replacing “data hoovers” such as Facebook with decentralised / distributed social networking tools (e.g. diaspora*, identi.ca etc). You’ll also want to replace Skype with something like Jitsi, and Dropbox with something self-hosted such as OwnCloud.

This will make it less convenient for an attacker to get hold of your information, as it’s no longer all stored in a few central places.
Note that many of these programs will not be as polished as their non-free alternatives, so you’ll need to decide whether you prefer shiny toys or privacy.

If you’re trying to defend against someone who might intercept specific sensitive conversations, you’ll want encryption. A lot of email clients (e.g. Thunderbird) let you use GnuPG, the Free Software implementation of the OpenPGP standard. For chat, a number of Free Software clients can handle OTR encryption (which stands for “off the record”).

Such measures will probably keep the contents of your messages private, but not the metadata (who you’re talking to, for how long, from where etc.).

If you’re trying to protect yourself, and the people you communicate with, against attackers who might simply steal or confiscate your computers, you’ll want to encrypt your hard drives. Many GNU/Linux distributions offer this as an option during the install process.

Whatever programs you use for communication and, especially, encryption, you’ll want to make sure that they’re Free Software. Given the things we’ve learned in the past few weeks, it’s probably safe(r) to assume that anything where you can’t look at the source code contains a back door for the government.

As an example, here’s what I do myself. My work for FSFE means that I communicate with lots of people, and handle sensitive data occasionally [1]. My setup is by no means perfect. It’s merely the balance I’ve found between privacy, security and convenience.  YMMV. [2]

  • I store my mail on a server run by a small company, where I know the owners personally. I’m paying them EUR 8 a month for administration, shell access, 2GB server space and other sundries. I trust them because I know them, and because I know where their company’s revenue comes from (from me, and people like me). And because I can go and yell at them if they do something I disagree with.On that server, I’m also running OwnCloud, for easy file storage and sharing.
  • I use GnuPG to encrypt sensitive emails.  My preferred mail client is Mutt, but that’s a detail – others work just as well.
  • For chat, I use FSFE’s XMPP servers, and those of the company mentioned above. For social networking, I use identi.ca (which is currently shifting to a new platform, so I’m not sure how well it’ll work a week from now.)
  • I encrypt the hard drives on my desktop and my laptop. This is easy to do when I install a new operating system, and is probably the simplest thing on this list.
  • I run my searches through DuckDuckGo rather than Google. It’s still a centralised service, but at least that way my search data doesn’t get linked with everything else I do around the Internet. (DuckDuckGo has a Firefox plugin which is pretty convenient.) FSFE’s website search uses YaCy, which is a distributed search engine.

Note that all these measures are purely defensive. They don’t make the problem of surveillance go away. They just slightly reduce your risk of suffering from the problems associated with surveillance. So there’s one more point I’d like to add to the list:

  • I participate in politics. Together with many other people and groups, we’re trying to build a society where surveillance will be the exception rather than the norm. Technology can provide us with useful tools, and can shelter us a bit while we do this work. But it won’t do the job for us.

Footnotes

[1] I’m talking about sensitive as in “if this leaks, it’d be trouble and bad press” rather than “OMG there’s a SWAT team coming through the window”.

[2] Views on what’s an appropriate level of security differ widely. Some people will think I’m paranoid. Some will think I’m horribly sloppy.