In just the past month, we’ve read stories about how Canadian police are tracking environmental activists, the Mexican government is monitoring journalists and activists, and US security agencies are peering into the communications of Black Lives Matter activists. Every day brings more examples of entities and governments around the world violating privacy and putting the security of activists and campaigners at risk.
But there seems to be a tool for every online privacy breach and we’re going to dive into encryption, passwords, and how to secure your data, phone and messaging as you work in an insecure world. You may want to catch up on your threat model first – not everyone faces the same risks.
Choosing (and Using) the Right Online Security Tools
Nick Sera-Leyva, Human Rights and Training Programs Manager at Internews, knows all about how online security tools can help or fall short. “What is key to [online security and privacy] is that the tools are not what’s helping you. The tools themselves are not the solution; it’s how you use them. You need to know what they’re capable of and what they’re not.”
The tools themselves are not the solution; it’s how you use them. You need to know what they’re capable of and what they’re not.
– Nick Sera-Leyva, Internews
Taking Sera-Leyva’s warning into consideration, let’s look at a variety of ways you and your organization can improve your digital security. However, just because we introduce something below doesn’t mean it’s sacrosanct and it doesn’t mean it will work for you. Explore threat modeling and understand your situation before deploying new tools.
DataGenetics did a study of 3.4 million four-digit PINs. They found the most common PIN was 1234 (11 percent), and in second place was 1111 (6 percent). This shocking lack of creativity goes to a larger point: you aren’t going to protect yourself by being unoriginal or basic. There are a couple of steps you can take to be better off than the 17 percent mentioned here.
“Organizations should have a stated password policy,” says Allen Gunn, the executive director at Aspiration. This is a very low-tech, first step that most organizations can benefit from. Password policies should include how often a new password needs to be created, who can know a particular password, and to not allow the same password for multiple accounts. Most importantly, these procedures need to be followed by everyone in the organization.
Once a procedure is agreed to, you need to create safe passwords or passphrases. To make sure everyone is on the same page, a password is just that, a word like “R0ckwell&” to log into an account. A passphrase serves the same function but is a series of words like “everyone’s g0t a plan unti! they g3t punched in the f@ce.” Not all accounts will allow longer passphrases, but the reasons you might consider a passphrase over a password are because they are harder to guess and crack.
“The ideal passphrase is memorable to humans but hard for computers to figure out. Your dog’s name with some numbers and symbols are very easy for a computer to figure out based on minimal data about you,” says Bill Budington, a software engineer at the Electronic Frontier Foundation (EFF).
Budington recommends creating a strong master password. A master password or passphrase can be used for a password manager. A password manager is a single application that holds multiple passwords to various programs, websites and online accounts. Two recommendations from EFF are KeePassX or LastPass.
Next, if you want to generate a truly random passphrase, get some dice. Six-sided is fine. Diceware is an analogue cipher that translates dice rolls into passphrases (Here’s the list to translate your dice roles). Each five rolls of the dice will equal a letter or word. Do this until you have five or six words and voilà you have a randomly generated master passphrase. There are websites that generate random passphrases, but you never know who is monitoring those sites or your new passphrase. Rolling dice is the secure bet.
Beyond the creation of your new passphrase, you will also want to deploy two-factor authentication where available. For example, Gmail, facebook, Twitter, and WordPress all have two-factor authentication. The idea here is that a password or phrase, no matter how good, is only one level of protection. Two-factor authentication will ask for your password and then will, for example, text you a unique one-time PIN to verify you are who you say you are.
In 2013, 3.1 million Americans had their smart phone stolen. That was double the rate in 2012. When you smartphone is stolen, it’s just not the device you lost, it’s your bank card, your ID, and your private conversations. A password is not enough to stop a savvy criminal from stealing your identity along with your phone. One way to improve your device’s security is through encryption.
Both Android and Apple phones have built in encryption software. On Apple operating systems it’s called FileVault. For an Android device, you can find the process for encrypting your hard drive or external SD card in the security tab under settings. For Windows Pro, EFF recommends BitLocker, and for standard Windows they recommend DiskCryptor.
If you choose to encrypt your devices, you may also want to consider creating encrypted backups. It would also be a good measure to not house the backup and the original in the same place.
If you are in need of a cloud-based storage option, there are three potential programs you may want to look at. While most of us use Google Docs or Dropbox, Gunn says that’s an unsafe choice. Spider Oak, Least Authority and ownCloud provide encrypted, cloud-based data hosting.
No matter the device and the tool you use, know how to use it first. This is particularly important regarding encryption. Sure, the tool does what it’s supposed to do, but how good is your passphrase? If it’s weak, the tool can be a moot point.
In the first article of this series, we introduced you to Norman Shamas, a community organizer and technologist in Washington D.C. Shamas was organizing protests on Twitter around police brutality using the hashtag #DCFerguson. It just so happened the police were also watching the same hashtag and were able to be at the protest site before the protesters.
In Shamas’ case, he could have privately organized through a non-public platform. However, there are other steps and tools people can use depending on what they are trying to keep private.
This might seem obvious, but turn off Google Maps’ and other data collection defaults on all your various apps. For many of us, it’s our ambient data that provides organizations, businesses and individuals the most information about us.
In regards to online communication, tools with OTR (Off-the-Record) protocols like Adium X or Pidginallow you to use chat clients that you are already familiar with, but encrypted. This means you can use Google Hangouts or facebook chat without those companies seeing your conversations. These OTR tools should not be confused with Google Hangout’s off-the-record setting, which disables logging but does not encrypt your chats from Google. If you want to encrypt texts and phone calls, Open Whisper Systems makes trusted tools. RedPhone and TextSecure work on Android phones, and Signal works on iPhones.
HTTPS Everywhere is a free plugin for Firefox, Chrome and Opera that will improve your privacy when browsing online. Once you install this plugin, it will work behind the scenes to encrypt your contact with websites not using HTTPS.
“I wouldn’t take data across the border if I didn’t have to,” says Shauna Dillavou, the executive director of CommunityRED. That being said, it’s all about threat modeling. Gunn recommends you ask yourself what you are traveling with, what can be compromised and whom that could affect.
First, following Dillavou’s recommendation, don’t travel with data if you don’t have to. If you can, have a travel computer with nothing important on the hard drive. If you have to travel with data, make sure you leave an encrypted back up with a trusted third party; however, Gunn points out, this plan might put that third-party at risk if that person, for example, lives in Iran.
If the computer you’re traveling with does have important data on it, make sure it’s thoroughly deleted. It’s not enough to drag the file to your trash. For more on how to securely delete your data see EFF’s guide for Mac and Windows.
Second, if you have to travel with data, make sure you turn off your computer before you cross the border. Gunn calls this a “universal best practice.”
If you have to repatriate data and you don’t want to physically carry it across a border, cloud storage may provide an alternative. Spider Oak, Least Authority and ownCloud discussed above are potential options.
This article provides only an introductory glimpse at what can be done to better protect your privacy and data. By employing these and other protections, “We’re raising the cost of surveillance,” says Gunn. This is to say that you can never become 100 percent secure, but you can make it harder for people to access your and your contacts’ information.
Phone and Data Security: Resources and Organisations
Here are the groups and tools mentioned in this story.
Secure Cloud Storage
OTR/Off-the-Record protocol tools
Text, phone call and browser encryption
- RedPhone: Android
- TextSecure: Android
- Signal: iPhone
- HTTPS Everywhere: a free browser encryption plugin for Firefox, Chrome and Opera
Secure Data Deletion
Categories:safety and security
Stories you may also like...
Campaigning in high risk environments
Tactics include investing in analysis, adapting and responding rapidly, listening to communities and treading lightly—especially with media.
Why strong organisational security culture matters (and how to create one)
Digital security is about education and habit formation. Here are concrete steps your organisation can take to promote a strong security culture.
Stay safe out there: Threat modeling for campaigners
A campaigner's guide to threat modeling will help you evaluate online and operational security risks so you know what to worry about and how to prepare.