People have been fending off hackers for decades, but things are much harder now that governments and government-sponsored hackers are fishing for data. Tech Solidarity has published a list of suggestions that aim to improve security without requiring any special technical skills.
UK government security agency GCHQ is home to Britain’s cybersecurity operations. Image: Ministry of Defence
Until recently, very few people made serious attempts to protect their data, and some only took extreme measures when visiting countries such as Russia and China. Today, sadly, the actions of the UK, US and other governments suggest you should also regard them as “rogue states” likely to access your data.
Examples include the detention of American citizen Sidd Bikkannavar, who works for NASA’s Jet Propulsion Laboratory (JPL), at an airport in Houston, Texas; the nine-hour detention of Glenn Greenwald’s partner, David Miranda, at Heathrow airport; and the Cleveland Police spying on UK journalists following a local paper’s exposure of police racism. Indeed, Greenwald’s reporting of Edward Snowden’s NSA leaks revealed that the British and American governments are intercepting and collecting data on a massive scale.
Bikkannavar’s JPL phone was taken away for half an hour and may well have been cloned. It could also have had spyware planted on it. Either way, US officials made the phone a security risk. According to the Guardian, British officials “confiscated electronics equipment including [Miranda’s] mobile phone, laptop, camera, memory sticks, DVDs and games consoles”.
The question is: How can people protect their data?
Tech Solidarity – a self-described grass-roots organization founded by Maciej Ceglowski of Pinboard fame – has looked at the problem, in consultation with airport lawyer groups. The result is a list of Basic security precautions for non-profits and journalists in the United States. It is, of course, also applicable to some commercial organizations wherever they are based.
It seems that you should not be doing many of the things you probably are doing. (Well, I am.) For example, you should never put sensitive information in emails, or in cloud services such as Dropbox and Evernote. You should not use Android phones, because they are hard to secure. You should not use fingerprints to unlock devices – you can’t change your fingerprints, nor can you hide them. You should not use your phone number or SMS for password recovery. These things make you more vulnerable.
For better security, Tech Solidarity says you should use an Apple “iPhone 6 or later with a hard-to-guess passphrase”, or a similar iPad. All devices should be encrypted, especially if they are PCs.
You should use Gmail for email, “with a physical security key on your laptop and Google Authenticator on your phone”. (Fido U2F and other Yubikey security keys are examples.) You can use the same security key with several devices and other services including Twitter and Facebook. You can also use a password manager such as 1Password, as long as it isn’t cloud-based. If using a browser, use Google Chrome, because it’s more secure.
Tech Solidarity says you should use encrypted “Signal or WhatsApp on your phone to communicate with other people, rather than SMS or iMessage”. Both services now use Open Whisper security. Messaging must also be set up securely: see the guides to WhatsApp and Signal.
There’s also a PC version, Signal Private Messenger, which runs in the Chrome browser.
Travellers should never connect their devices to unknown ports, and should use a “USB data blocker” (like this) when charging them.
Tech Solidarity warns against taking work devices across the US border. Instead, use laptops, tablets and phones dedicated to foreign travel. You can reset them to factory condition before setting off, and download a blob of encrypted data when you reach your destination.
In comments on Hacker News, Thomas Ptacek said the guide made compromises so that unsophisticated users could follow its recommendations. Companies with their own IT security specialists should be able to provide more sophisticated systems.
There seem to be several reasons for recommending Gmail, despite recent state-sponsored (Russian) attempts to hack it. These may include Google’s investments in security, and its apparent willingness to protect user data when possible. Also, many of the people you are emailing will probably be using Gmail, so your emails may well end up in Gmail whether you like it or not.
As another HN user points out, Ptacek’s advice is very different from Edward Snowden’s. Snowden says: “If you’re not using Tor you’re doing it wrong.” Ptacek comments: “the Tor Browser might be the least safe browser to use of all available browsers that can be installed on modern computers. It is a perfect storm of ‘inferior security design’ and ‘maximized adversarial value per exploit dollar spent’.”
Tech Solidarity’s guide also fails to mention VPNs, on which many corporate users – and a growing number of small businesses – rely. It’s certainly easier to travel “data light” if everything you need is on a company server. If you’re a one-man business, this can be a home/office PC.
I haven’t mentioned all Tech Solidarity’s recommendations, but you should have noticed at least one omission: “Make sure you apply all software updates. Turn on auto-updates where possible.”
That includes updates to applications as well as operating systems.