Recent revelations that the US National Security Association and the UK GCHQ have been monitoring internet traffic through the PRISM program are worrying for activists. We are being spied on, with the complicity of the major internet companies: Apple, Facebook, Google and others.
Absolutely everything we do online is being monitored: by the security services on one hand, and by tech companies on the other. Tech companies monitor us so they can sell advertising to us, and increasingly work hand in hand with the security services.
This has really important implications for activists. It is not our intention to make you paranoid, because that can be really debilitating. However, we know that even before the rise of social media, companies were colluding with the police and hiring private detectives to create blacklists of union activists, particularly in the construction industry. It’s reasonable to assume some version of the same behaviour is happening now.
It is very difficult to entirely evade surveillance: we would need to keep all our cards, passports and so on in Faraday sleeves (a wallet that blocks RFID frequencies), opt out of all social media, and use encrypted, anonymous email for all communications.
This would make communication so complicated and slow that it would completely undermine our activist work, and we’d still not have guaranteed security. The best way to approach this is to take some simple, reasonable precautions which dramatically increase the cost and difficulty of surveillance. If it takes five minutes to crack an encrypted message, for example, and if thousands of people use encryption, it’s a powerful disincentive, and it stops the security services from hoovering up and categorising data the way they do now.
Here are some useful security precautions you can take.
PGP encrypted emails
PGP stands for Pretty Good Privacy. You create a key, which you share with people you trust, and encrypt your emails. It takes a little while to set up, but once it’s done, it’s pretty easy to encrypt or digitally sign everything you send. You need a key management program (it stores the details of your contacts’ encryption keys), and an email program that works with it.
On a desktop computer, Thunderbird is an email program that manages encryption keys. On Android phones, K-9 Mail works with APG to manage your keys, making it easy to send secure emails on the move.
TextSecure: install it NOW
If you use an Android phone, a simple way to increase your security is to use TextSecure. It’s available on the Play Store, and will encrypt your text messages. It is extremely easy to do and will dramatically increase your security.
ChatSecure and Pidgin/Adium with OTR
ChatSecure allows you to have encrypted chat (for instance, Google Chat) on Android and iPhone. Pidgin or Adium will work on your PC or Mac.
You can use Tor to encrypt and redirect your browser traffic, making it extremely difficult to track your online activity. The downside of this is that Tor slows down your browsing, so it’s only appropriate for activist work.
RedPhone replaces your default dialler on iPhone or Android and encrypts your calls. Unfortunately it can also affect call quality!
You have more security options on Android than on iPhone. If you’re particularly adventurous, you can root your phone and install CyanogenMod, an open source version of Android that will give you more options to control your phone.
On a desktop, Linux gives more control and security options by default than Windows or Mac.
The importance of metadata
Metadata is information about information. Even if all your messages are encrypted, anyone monitoring your communications can still see who you are talking to, even if they can’t read the content. You can construct a really comprehensive picture of someone’s life just from building a picture of who they communicate with regularly. Bear this in mind when interacting with other activists.
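To see what this means for PGP email in particular, here is an added example (not part of the original article) in Python. It parses a few constructed PGP-encrypted messages and reports what is still readable from the headers alone; the example.org addresses, dates and function names are made up for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime


def _sample(sender, rcpts, date, subject):
    # Constructed message: the body stands in for real PGP ciphertext.
    return (f"From: {sender}\nTo: {rcpts}\nDate: {date}\nSubject: {subject}\n\n"
            "-----BEGIN PGP MESSAGE-----\n\n[constructed placeholder ciphertext]\n"
            "-----END PGP MESSAGE-----\n")


# Constructed sample mailbox (example.org addresses are made up).
RAW_MESSAGES = [
    _sample("alice@example.org", "bob@example.org",
            "Mon, 02 Jun 2014 21:05:00 +0000", "Thursday"),
    _sample("alice@example.org", "bob@example.org, carol@example.org",
            "Tue, 03 Jun 2014 21:10:00 +0000", "Re: Thursday"),
    _sample("bob@example.org", "alice@example.org",
            "Wed, 04 Jun 2014 08:00:00 +0000", "Re: Thursday"),
]


def exposed_metadata(raw):
    """Return the fields that stay readable when only the body is encrypted."""
    msg = message_from_string(raw)
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {
        "from": getaddresses([msg.get("From", "")])[0][1],
        "to": [addr for _, addr in recipients],
        "when": parsedate_to_datetime(msg["Date"]),
        "subject": msg.get("Subject", ""),
        "body_encrypted": "-----BEGIN PGP MESSAGE-----" in msg.get_payload(),
    }


def contact_summary(raw_messages):
    """Count who writes to whom, and at which hours, from headers alone."""
    pairs, hours = Counter(), Counter()
    for raw in raw_messages:
        meta = exposed_metadata(raw)
        hours[meta["when"].hour] += 1
        for rcpt in meta["to"]:
            pairs[(meta["from"], rcpt)] += 1
    return pairs, hours


if __name__ == "__main__":
    pairs, hours = contact_summary(RAW_MESSAGES)
    for (sender, rcpt), n in pairs.most_common():
        print(f"{sender} -> {rcpt}: {n} message(s)")
    print("active hours (UTC):", sorted(hours))
```

Every body in the sample is encrypted, yet the sender, recipients, time and subject line of each message are all recovered without any key.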
You can set up a Facebook account under an assumed name, using an anonymous email address – we use Luther Blissett – and use that account to create and manage activist pages. This helps disassociate individuals from pages, and at the very least introduces plausible deniability. You can create accounts on Twitter and many other social media without giving away much personal information.
Constructing an innocuous persona
Since it is impossible to avoid leaving some digital footprint, one strategy could be to hide in plain sight by having a public social media profile that is clearly you, but is also innocuous and clearly within the bounds of “normal” – no algorithm will flag your posts about the Race for Life or Ice Bucket Challenge you did, the TV programme you watched, and the mainstream political opinions you express.
You can save your more important communications for the anonymous accounts.
Reset The Net (https://pack.resetthenet.org/) has excellent, easy to use resources for helping keep you safe online.
Security in a Box (https://securityinabox.org/) has really comprehensive guides to making yourself as secure as possible. Many can be downloaded as PDF booklets.