EFF Secure Messaging Scorecard

The Electronic Frontier Foundation’s Secure Messaging Scorecard evaluates popular communication apps against privacy and security criteria and determines which are the best to use. You’ll quickly notice that Google Talk, AIM, and similar options are among the least secure, and the scorecard explains why.

Remember, privacy is not all about you. Recall Dr. Daniel J. Solove’s article: by using secure messaging systems, you are respecting and protecting the privacy of the recipient as well as every person connected to the content of the message. We are more tightly interconnected these days than ever before, so the action you take to protect privacy affects the community as a whole. The Secure Messaging Scorecard is another great resource for learning how to use technology responsibly in an age in which information is easily abused and manipulated.

You may also enjoy the fact that FOSS apps such as TextSecure, ChatSecure, Pidgin, and RedPhone are all ad-free, beautifully designed, and faster and more lightweight than most proprietary software.

HTTPS Everywhere

Download the HTTPS Everywhere extension for Firefox and Chrome, made by the venerable Electronic Frontier Foundation. It’s one of the easiest and most important ways to protect your privacy online: it makes your browser use an encrypted (SSL) connection to every site that supports one, so your traffic to those sites is encrypted.

That padlock you often see to the left of a URL indicates that the connection is SSL-secured. You’ll see that padlock a lot more often after installing this extension; it indicates that your connection is encrypted, so what you’re sending to the website cannot be read by anyone intercepting it. Online banking and credit card purchases couldn’t happen without SSL, and it’s just as essential for protecting other forms of private communication such as email. Use it. Everywhere. Always.

Email Self-Defense with PGP Encryption

Many people think of “encryption” as a complicated, mathematical, or highly technical process used only by hackers, but nothing could be further from the truth! The average computer user can learn email encryption in just 30 minutes, and the privacy benefits you gain from this practice are enormous.

The Email Self-Defense Guide by the Free Software Foundation provides a simple and clear tutorial for configuring and implementing email encryption on Mac, Windows, and Linux using your existing email client. This is all you need to get started using email encryption! Go try it!


PGP (discussed here in the form of its open-source sibling, GnuPG) is a powerful encryption protocol used by ordinary people, journalists (e.g. Glenn Greenwald and Laura Poitras), and government agencies worldwide to share information ranging from the mundane to the top secret. Spend a few minutes learning this important privacy practice, and rest assured that only you and the recipient will be able to read your encrypted messages.


If you’re new to encryption, read no further. If you’re a more advanced user, here are some technical notes that may be helpful:

  • Don’t confuse PGP with SSL encryption; they are two different but crucially important concepts. SSL encrypts data in transit only: the message is in plaintext as soon as it reaches an endpoint (e.g. your Gmail folder, your computer’s memory, your phone…). By contrast, PGP messages are encrypted at rest and in transit, meaning they stay encrypted until you specifically decrypt them with your private key in your mail client.
  • For best results, use 4096-bit keys. There is absolutely no reason not to, and there will be no speed penalty when used on smartphones or computers with modern hardware. 2048-bit keys should still offer good protection, but 1024-bit keys will not!
  • Naturally, I always recommend free and open source (FOSS) software over proprietary software because FOSS is always more trustworthy: proprietary software is “closed-source” and not open to independent review. Therefore I suggest using the popular open-source email client, Mozilla Thunderbird, instead of iCal or Microsoft Outlook. It’s compatible with Linux, Windows, and Mac. PGP will work just fine on your existing email client, however, if you prefer to keep using it or want to try Thunderbird later.
  • The GPG4WIN compendium has tons of useful information about GPG, too.

FBI says search warrants not needed to use “stingrays” in public places

http://arstechnica.com/tech-policy/2015/01/fbi-says-search-warrants-not-needed-to-use-stringrays-in-public-places/

The FBI makes another anti-privacy declaration, continuing the theme of the past few years. This is another reason why it’s important to encrypt your sensitive calls to protect the content of your messages. However, as long as your phone is broadcasting to cell towers, its location can be determined. Switching your phone to Airplane Mode and using an encrypted, WiFi-based app to place calls, send texts, or chat will help protect your words, but will not necessarily obscure your location or your metadata (who you’re talking to, when, and where), which is the foodstuff of mass surveillance.

Every step you take to regain control of your privacy, however, is helpful. Making mass surveillance uneconomical is an important way for us to exercise our constitutional rights and resist government intrusion into private life. Protecting free speech (First Amendment) and privacy (Fourth Amendment) is one of the most patriotic things that we can do.

Unless you’re the rare target of sophisticated government-sponsored malware (in which case you have bigger problems), powering off your phone should be sufficient to prevent transmission. Remember that even then, your uptime and downtime can be recorded, and if you tend to power off your phone at a specific time or place each day, that can be telling as well. Warrantless wiretapping policies implemented through the Patriot Act following the hysteria of 9/11 make much of this possible without permission from the courts, producing strongly negative chilling effects on speech and activity.

Finally, public surveillance cameras and video analysis using facial recognition software can identify people quite easily, so even without a phone you can still be tracked, but every privacy measure you take makes tracking much more difficult and costly. This is yet another reason why many organizations, such as the Electronic Frontier Foundation (EFF), call for greater restrictions on government spying and law enforcement powers to protect citizens’ privacy. Unless police serve a legitimate warrant, where we go, whom we talk to, and what we do should remain our personal business.

edit: more info on rogue cell towers here

Link

http://prism-break.org/en/

PRISM-Break is an excellent resource for finding privacy-centric alternatives to common apps and operating systems. Everything suggested is free and open source with a strong emphasis on security. Much of the software that I personally use is listed here.

Counterargument to “Nothing to Hide”

For an eloquent and brilliantly conceived analysis of the “nothing to hide” argument, I strongly recommend reading the following article:

Solove, DJ. “I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy. 44 San Diego L. Rev. 745 (2007).

Have you ever heard someone proudly declare, “I don’t mind if the government is reading my emails, because I’m not doing anything wrong. I have nothing to hide”? Privacy is a deeply misunderstood and admittedly nebulous concept, and it affects nearly every area of our lives, including interpersonal interaction, social customs, and global policy.

“…suppose the government examines one’s telephone records and finds out that a person made calls to her parents, a friend in Canada, a video game store, and a pizza delivery place. ‘So what?,’ that person might say. ‘I’m not embarrassed or humiliated by this information. If anybody asks me, I’ll gladly tell them where I shop. I have nothing to hide.’”

While it seems to follow reason that only wrongdoers need be worried about government scrutiny or intrusion, this dangerous sentiment expresses a logical fallacy central to common misconceptions about freedom and privacy.

Dr. Daniel J. Solove, Professor of Law at George Washington University, published the article in 2007, well before the 2013 global surveillance disclosures by NSA contractor Edward Snowden, and it is more relevant today than ever.

“By saying ‘I have nothing to hide,’ you are saying that it’s OK for the government to infringe on the rights of potentially millions of your fellow Americans, possibly ruining their lives in the process. To me, the ‘I have nothing to hide’ argument basically equates to ‘I don’t care what happens, so long as it doesn’t happen to me.’”

Dr. Solove’s review is absolutely the best statement on the topic that I’ve read, and no matter what your political affiliation, your opinion of the NSA’s worldwide surveillance programs (PRISM), or your feelings about civil liberties, I hope that you will read it, too.

“The problem, in short, is not with finding an answer to the question: ‘If you’ve got nothing to hide, then what do you have to fear?’ The problem is in the very question itself.”

Install ChatSecure on Android and iPhone

These instructions will help you install the privacy-focused ChatSecure messaging app on Android and iOS-based phones.

ChatSecure allows you to send messages to friends as rapidly as text messages, but with the important benefit of strong encryption that prevents anyone from eavesdropping on the conversation: only you and the recipient can ever read the messages, and the conversation is effectively erased when it is closed. Regular text messages (SMS), on the other hand, can be read by the telecommunications provider (e.g. AT&T, Verizon, T-Mobile…), by law enforcement without a warrant, and potentially by anyone intercepting your data traffic. This is true even if you “delete” the messages from your phone.

In slightly more technical terms, ChatSecure is an XMPP/Jabber messaging client that implements Off-The-Record (OTR) messaging with Perfect Forward Secrecy (PFS): the messages are end-to-end encrypted, whether they travel over WiFi or over a 4G/3G data channel. Here is how it works:

A unique encryption key is generated at the beginning of every chat session, and old keys are never re-used. Even if a previously used key were compromised, it would pose no risk to future communication, which would use a different key (PFS). Because nobody can prove what was discussed—not even the participants—the OTR protocol grants plausible deniability in addition to end-to-end encryption. This method is one of the safest ways to communicate digitally.

By contrast, PGP/GnuPG encrypted emails are protected using the same strong encryption algorithms, but they rely on the same key for every message (no PFS). Thus, a compromised secret key would allow the interloper to decrypt all past messages. Nonetheless, PGP/GnuPG is still an excellent method when both parties are educated in good security practices such as fingerprint verification. ChatSecure provides rapid communication, multiple levels of security, and plausible deniability not offered by PGP/GnuPG.
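To make the difference between the two key-handling models concrete, here is an added Python model (written for this page; it is not ChatSecure’s, OTR’s, or GnuPG’s code) that captures encrypted traffic and then counts how much a single stolen key unlocks. The toy cipher, the per-session random keys standing in for OTR’s Diffie-Hellman key agreement, and the sample messages are all constructed for the example.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream constructed for this example; not OTR's or OpenPGP's cipher.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> tuple:
    """Encrypt-then-MAC, so decrypting with the wrong key fails cleanly."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def unseal(key: bytes, sealed: tuple):
    """Return the plaintext, or None if the MAC rejects this key (or tampering)."""
    nonce, ct, tag = sealed
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def pgp_style_traffic(messages):
    """Every message under one long-term key (no PFS); returns (key, captured ciphertexts)."""
    key = secrets.token_bytes(32)
    return key, [seal(key, m) for m in messages]

def otr_style_traffic(sessions):
    """A fresh key per session; the random key stands in for the ephemeral DH-agreed OTR key."""
    keys = [secrets.token_bytes(32) for _ in sessions]
    return keys, [seal(k, m) for k, msgs in zip(keys, sessions) for m in msgs]

def recoverable(stolen_key: bytes, captured) -> list:
    """What an eavesdropper who later steals one key can read from captured traffic."""
    return [p for p in (unseal(stolen_key, c) for c in captured) if p is not None]

# Constructed sample traffic: three chat sessions of two messages each.
SESSIONS = [[b"s1 m1", b"s1 m2"], [b"s2 m1", b"s2 m2"], [b"s3 m1", b"s3 m2"]]

def compare_compromise() -> dict:
    pgp_key, pgp_captured = pgp_style_traffic([m for s in SESSIONS for m in s])
    otr_keys, otr_captured = otr_style_traffic(SESSIONS)
    return {"pgp_long_term_key_leaked": len(recoverable(pgp_key, pgp_captured)),
            "otr_session2_key_leaked": len(recoverable(otr_keys[1], otr_captured))}
```

With the long-term key stolen, all six captured messages decrypt; with one OTR-style session key stolen, only that session’s two messages do, which is the forward-secrecy property the text describes.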

Configuration Instructions

1. Select ChatSecure from your list of apps after installing it from the Google Play Store or F-Droid Repository.

2. Tap the three dots and “Add Account.”

3. Swipe until you see “New Account” and tap “Add Account,” unless you already have one. For privacy reasons, I do not recommend using a Google account, but this is an option, as are other similar choices. Instead, let’s start by making a new account.

4. The account creation page will appear. Enter a new username. When you select “Chat service domain,” a dropdown list of XMPP chat service domains will appear. These are all highly reputable services, so unless you have a strong preference, choose whichever one you like. Enter a strong password and tap “Register Account.”

  • You will not need to configure Advanced Account Settings, so ignore that.
  • If you run a rooted Android phone and use Orbot, you can proxy ChatSecure through Tor. Otherwise, leave the “Connect via Tor” box unchecked.

5. Back on the main screen, tap the three parallel white lines ≡ in the top left corner of the screen to reveal the account preview window. Tap your account name to bring up the sign-in page and enter your username and password.

  • In this example, I am connecting through Tor. If you left the Tor box unchecked earlier, also leave it unchecked here.

6. Once you are signed in, return to the sign-in page and tap “Display Your Fingerprint” to generate a scannable QR Code containing your XMPP username and fingerprint. Other ChatSecure users can scan your QR Code to connect with you on ChatSecure.

  • If you do not already have the Barcode Scanner app on your smartphone, you will be instructed to install it—simply follow those directions.
  • Ideally, exchange QR Codes with friends in person for greater assurance that you’re connecting to the intended recipient.
  • Otherwise, upload your QR Code to a secure image-sharing site like https://img.bi/ and link your friend to it.
  • If you do not have a contact’s QR Code, you may still be able to find them by selecting “Add Contact” and searching for them by username. To confirm the identity of the recipient, have them read you their fingerprint over the phone while you compare it to the one displayed on your screen (or coordinate by signed email). If it is not identical, then someone may be attempting to tamper with your conversation.

7. Your chats will now use the OTR protocol with encryption required, whether over WiFi or the 4G/3G data channel. Enjoy!

  • You can use Pidgin with the OTR plugin on your desktop to communicate with ChatSecure users as well.