Master Digital Self-Defense: Essential Strategies to Fortify Your Privacy Against the New Surveillance Laws

Welcome to this urgent edition of our newsletter, where we address the deeply troubling enactment of the “Reforming Intelligence and Security America Act (RISAA)” and provide you with digital self-defense tips in response.

Just a few days ago, after a hasty passage through Congress, President Biden signed into law what is arguably one of the most alarming expansions of government surveillance in recent history.

Despite its name, RISAA blatantly misrepresents itself.

Far from reforming the invasive powers under Section 702 of the Foreign Intelligence Surveillance Act (FISA), it aggressively widens them, undermining the basic constitutional rights and privacy of Americans.

This new law escalates the government’s authority to compel an unprecedented range of individuals and providers to assist in surveillance operations.

It’s not just telecommunications giants who are implicated now; the act stretches to potentially include anyone who has incidental access to communications infrastructure—landlords, maintenance personnel, and beyond.

While the law asserts that it does not intentionally target Americans, it nonetheless permits warrantless backdoor searches of Americans’ data if it is “incidentally collected.”

Given the FBI’s history with technologies like the Magic Lantern keylogging malware and the use of Pegasus software, it is reasonable to speculate that they may already possess extensive data on U.S. citizens.

Now, they could potentially search through this information with even less accountability under the law.

These expansions represent a significant and sinister overreach into the private lives of ordinary Americans, with minimal accountability for misuse of the data collected.

RISAA also disturbingly broadens the scope of what counts as “foreign intelligence” to include counternarcotics efforts.

This shift paves the way for surveillance activities to be justified under the pretext of everyday criminal activities.

The act’s passage is not just a policy failure; it is a fundamental betrayal of American values of privacy and due process.

In light of these developments, our focus must turn towards robust surveillance self-defense.

It is imperative that we not only stay informed but also actively engage in protecting our digital privacy.

The rest of this newsletter will provide you with critical updates and resources to help safeguard your personal information against this sweeping surveillance machinery.

Together, we must challenge this overreach and advocate for a reevaluation of our surveillance laws to ensure they respect and preserve our fundamental freedoms.

Your privacy should not be a casualty of misguided security measures, and it is up to us to hold our representatives accountable.

Basics of Digital Self-Defense

Surveillance Self-Defense provides you with guidance on protecting the privacy of your digital data and communications from unauthorized surveillance, from petty criminals to nation states.

The most important thing you can remember is that the goal is to make it as annoying and time-consuming as possible for any adversary to collect information about you.

Your goal is to make it too difficult, so they move on to a simpler target with fewer countermeasures to overcome.

Creating Strong Passwords

Effective password management is crucial for securing your online accounts. Follow these detailed recommendations to create and maintain strong passwords:

  1. Use Unique Passwords: Never reuse passwords across different accounts to prevent a single breach from compromising multiple accounts.
  2. Password Managers:
    • Generate strong, random passwords that are difficult to guess.
    • Store multiple passwords securely.
    • Protect all your passwords with a single, strong master password.
    • Sync your passwords across devices for easy access.
    • Only use paid password managers.
    • Avoid password managers that have been exploited/compromised.
  3. Master Password:
    • Create a robust master password for your password manager.
    • Consider enabling two-factor authentication to add an extra layer of security.
  4. Low-Tech Solutions:
    • Consider writing down passwords on paper and storing them securely as a safer option than digital storage, depending on your threat model.
  5. Memorize Important Passwords:
    • Memorize your device unlock passwords, encryption passwords (e.g., full-disk encryption), password manager’s master password, and email account password.
  6. Creating Passphrases:
    • Use dice and a word list to randomly generate a strong, memorable passphrase of at least six words.
  7. Security Questions:
    • Provide fictional answers to security questions to prevent attackers from guessing them.
    • Store these fictional answers in your password manager.
  8. Two-Factor Authentication (2FA):
    • Enable 2FA wherever available to require both your password and a second factor to access accounts.
    • Prefer authenticator apps or hardware security keys over SMS for receiving 2FA codes. (Authy > Google Authenticator > SMS)
  9. One-Time Passwords:
    • Use one-time passwords for added security on sensitive accounts.
    • Store backup codes securely in case of device loss or theft.
  10. Legal Considerations When Disclosing Passwords:
    • Be aware of local laws regarding password disclosure, especially when traveling or crossing borders.
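
The dice-and-word-list method from the "Creating Passphrases" item, as an added example that is not part of the original newsletter. It assumes a word list in the `roll<TAB>word` layout that published dice lists use; the function names are illustrative and the 36-entry `SAMPLE` list is constructed only so the code runs offline.

```python
import math
import secrets

def parse_wordlist(text):
    """Parse 'ROLL<whitespace>WORD' lines into ({roll: word}, dice_per_word)."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 2 or set(parts[0]) - set("123456"):
            raise ValueError(f"malformed line: {line!r}")
        words[parts[0]] = parts[1]
    if not words:
        raise ValueError("empty word list")
    dice = len(next(iter(words)))
    # Every possible roll must map to a word (a gap makes some rolls fail),
    # and words must be distinct (duplicates shrink the search space).
    if any(len(k) != dice for k in words) or len(words) != 6 ** dice:
        raise ValueError("word list does not cover every roll")
    if len(set(words.values())) != len(words):
        raise ValueError("duplicate words in list")
    return words, dice

def roll(dice):
    """Stand-in for physical dice: uniform digits 1-6 from the OS CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))

def passphrase(words, dice, count=6):
    if count < 6:
        raise ValueError("use at least six words")
    return " ".join(words[roll(dice)] for _ in range(count))

def entropy_bits(dice, count):
    """Bits of entropy when every word is chosen by `dice` fair dice."""
    return count * dice * math.log2(6)

# Constructed 2-dice list (36 placeholder words) so the example runs offline;
# a real list uses five dice per word (7,776 entries).
SAMPLE = "\n".join(f"{a}{b}\tword{a}{b}" for a in "123456" for b in "123456")

if __name__ == "__main__":
    words, dice = parse_wordlist(SAMPLE)
    print(passphrase(words, dice))
    print(f"toy list, 6 words: {entropy_bits(dice, 6):.1f} bits")
    print(f"five-dice list, 6 words: {entropy_bits(5, 6):.1f} bits")
```

With a five-dice list, each word contributes about 12.9 bits, so six words give roughly 77.5 bits; the strength comes from the random rolls, not from the words being secret.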

Keeping Your Data Safe

Data protection requires comprehensive strategies, including encryption and cautious handling of devices:

Encrypt Your Data: Encrypt all your data, not just select folders, to protect it from adversaries who may seize your device.

  • For smartphones and tablets: Enable full-disk encryption in the “Security” settings on Android devices. On Apple devices, setting a passcode during setup automatically enables “Data Protection.”
  • For computers: Use built-in full-disk encryption features such as FileVault on macOS, full-disk encryption during system setup on Linux, and BitLocker on Windows Vista or later. Consider alternative encryption like VeraCrypt or operating systems like Tails or Qubes OS for enhanced security.

Create a Secure Device: Segregate sensitive data and communications to a secure device that you use less frequently and with greater caution.

  • Purchase Considerations: An older netbook could be a cost-effective choice for a secure device. Ensure it is compatible with secure software like Tails.
  • Setup Tips: Encrypt the device’s hard drive with a strong passphrase. Install a privacy-focused OS like Tails or Qubes. Keep the device offline and use it primarily for storing sensitive data.
  • Security Practices: Avoid connecting the secure device to the internet or local networks. Use physical media like DVDs or USB drives to transfer files. Consider using an encrypted USB key for data storage.
  • Account Management: Create separate web or email accounts for use exclusively with the secure device. Use Tor to hide your IP address and maintain anonymity online.

Maintain General Security Practices: Keep your operating systems and software up-to-date to protect against vulnerabilities. Avoid discussing the location of your secure device, and store it in a locked, tamper-evident place.

Alternative Strategy – Insecure Machine: Use a basic device for risky operations or in potentially dangerous locations. This approach minimizes the loss if the device is compromised.

Mobile Consideration: For travel, consider using a cheap burner phone instead of your regular smartphone to reduce risks and data loss.


What Should I Know About Encryption?

Understand encryption to protect data both at rest and in transit:

Encrypting Data at Rest:

  1. Full-Disk Encryption: Encrypt all information on a device, protecting it with a passphrase or other authentication method. Check if your operating system enables full-disk encryption by default.
  2. File Encryption: Encrypt specific individual files on a computer or storage device.
  3. Drive Encryption: Encrypt all the data on a specific storage area on a device.
  4. Combining Encryption Methods: Use file encryption for specific documents, like medical files, and drive encryption for the area of the device where these files are stored.

Encrypting Data in Transit:

  1. Transport-Layer Encryption (TLS): Protect your messages as they travel from your device to the app’s servers and vice versa. Examples include HTTPS and VPNs. HTTPS protects the data you enter on a site, while VPNs encrypt your internet traffic between you and the VPN provider.
  2. End-to-End Encryption: Ensure that messages are encrypted from the sender to the recipient, with no ability for intermediate servers to decrypt them. This is ideal for private communications where you do not trust the intermediate servers.

General Tips:

  1. Use Encryption for Both Data at Rest and in Transit: Provide comprehensive security against a range of threats, from physical access to your device to interception of your communications.
  2. Regularly Update and Verify Encryption Methods: Stay informed about the best practices and updates as encryption options and their implementations can change.

What Encryption Does Not Do:

  1. Does Not Protect Metadata: While encryption secures the content of your communications, it does not typically hide metadata such as the fact that you are communicating and the duration of the communication.
  2. Be Mindful of Backups: Ensure that backups of your encrypted conversations are also encrypted, particularly when stored in the cloud.

Your Security Plan

Create a personalized security plan by assessing risks and determining protective measures:

Identify What You Want to Protect (Assets):

  • List the data you keep, where it’s kept, who has access to it, and what stops others from accessing it.
  • Consider information like emails, contact lists, direct messages, location, devices.

Identify Who You Want to Protect It From (Adversaries):

  • Make a list of potential or known adversaries who might want to access your assets, including individuals, government agencies, corporations.
  • Consider destroying this list after planning for security to protect their identities.

Assess the Consequences of Failure:

  • Consider what adversaries might do with your data.
  • Evaluate the capability of your adversary, such as technical skills or access levels.

Evaluate the Likelihood of Threats (Risk):

  • Determine the likelihood that a threat will occur, balancing it against the capability of the adversary.
  • Write down which threats you take seriously and which are unlikely or too difficult to address.

Determine Your Willingness to Mitigate Risks:

  • Balance the need for security with convenience, cost, and privacy.
  • List available options to mitigate threats, considering financial, technical, or social constraints.

Identify Your Allies:

  • Think about who in your network can help protect your security and privacy.
  • Discuss shared security concerns and establish mutual agreements for protection.

Regularly Review and Update Your Security Plan:

  • Mark your calendar for regular plan reviews to ensure your security plan remains relevant to your situation.

Communicating with Others

Maintain your privacy when communicating by carefully selecting communication methods and understanding their security features:

  1. Prefer in-person conversations for maximum privacy, without digital devices.
  2. Use end-to-end encryption to ensure only the sender and the recipient can access the content of communications.
    • NOTE: End-to-end encryption secures data only while it is in transit. However, some applications may still have access to the content you type before you press send.
  3. Choose communication tools that utilize end-to-end encryption for voice and video calls, messaging, and emails.
  4. Be aware that services like Google Hangouts do not offer true end-to-end encryption if they control the encryption keys.
  5. Verify the security of your communications by using apps that require active management of encryption keys.
  6. Use encrypted alternatives over the Internet for phone calls and text messages to avoid surveillance.
  7. Understand that end-to-end encryption does not protect metadata such as the subject line of emails or the fact that communication has occurred.
  8. Consider additional features in communication tools, such as ephemeral messages or the ability to use aliases, depending on personal security needs.
  9. Evaluate the popularity and user-friendliness of secure communication apps within your network and region to ensure usability.
  10. Stay informed about encryption techniques and choose tools that are publicly known and reviewed for security.

Choosing Your Tools

Choose the right digital security tools by understanding your specific threats and evaluating the tools’ effectiveness:

  1. Recognize the specific threats you face and determine how to counter them.
  2. Remember that no tool provides absolute protection. Consider your overall digital practices rather than relying solely on tools.
  3. Concentrate on threats that are most likely to target you, rather than attempting to protect against all possible attackers.
  4. Prefer tools that are open-source, as this allows for public scrutiny and improvement of the software.
  5. Ensure that the tool has undergone independent security audits to validate its security.
  6. Choose tools whose creators are transparent about both the advantages and limitations of their products.
  7. Opt for tools that are actively maintained and updated, reflecting the creator’s commitment to security.
  8. Understand the legal environment of the tool’s creators, especially how it might affect your privacy.
  9. Consider tools designed to protect even if the creators are compromised or coerced by authorities.
  10. Regularly check for any updates or security flaws reported about the tools you use.
  11. Always keep your devices and software up-to-date to protect against known vulnerabilities.
  12. Work with colleagues or peers to stay informed about the security tools you use.

Seven Steps To Digital Security

Follow these practical steps to assess and improve your digital security:

  1. Ask yourself what you want to protect, who you want to protect it from, how likely it is that you’ll need to protect it, how bad the consequences are if you fail, and how much trouble you are willing to go through to prevent potential consequences.
  2. Identify weak links in your security practices by evaluating each part of your information and computer use.
  3. Opt for simpler security solutions to easily manage and identify weaknesses, as complex systems can be hard to maintain.
  4. Understand that more expensive security solutions aren’t necessarily more effective and consider low-cost security measures.
  5. Be cautious about whom you trust with your information, recognizing the potential risks and consequences of sharing sensitive details.
  6. Develop a practical security plan tailored to your specific risks and manageable on a day-to-day basis.
  7. Regularly re-evaluate your security practices, acknowledging that what is secure today may not be secure tomorrow. Keep updated with the latest security advice and practices.

Why Metadata Matters

Understand the significance of metadata and its impact on privacy:

  • Metadata includes the subject line of your emails, the length of your conversations, the timeframe of your conversations, and your location when communicating.
  • Metadata has historically had less privacy protection than the content of communications, making it easier for authorities to access.
  • Metadata can reveal sensitive details about your life, such as calls to sensitive services or involvement in certain activities, without revealing the content of the conversations.
  • Protecting metadata is challenging because digital communications systems need it to function properly, similar to how a postal worker needs to read an envelope to deliver mail.
  • Use services like Tor to help limit the amount of metadata produced during online communication.
  • Be aware of the metadata you transmit, who can access it, and how it might be used until laws and tools to minimize metadata are improved.
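
To make the point about email metadata concrete, the following added example (not part of the original newsletter) parses a constructed inline-PGP message and reports what any mail server handling it can still read. The addresses, hostnames and the `exposure` function name are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: an inline-PGP email as a mail server would store it.
RAW = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net; Tue, 23 Apr 2024 14:02:11 +0000
From: Alice <alice@example.org>
To: clinic-intake@example.net
Subject: Appointment follow-up
Date: Tue, 23 Apr 2024 14:02:05 +0000
Message-ID: <constructed-1@example.org>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

(constructed placeholder for ciphertext)
-----END PGP MESSAGE-----
"""

def exposure(raw):
    """Return what stays readable in transit for a single-part, inline-PGP email."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # a str, because the sample is not multipart
    # Each relay appends its own timestamp after the last ';' of its Received line.
    relay_times = [parsedate_to_datetime(r.rsplit(";", 1)[1].strip())
                   for r in msg.get_all("Received", [])]
    to_cc = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {
        "content_encrypted": "-----BEGIN PGP MESSAGE-----" in body,
        "sender": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "recipients": [addr for _, addr in getaddresses(to_cc)],
        "subject": msg["Subject"],  # header fields sit outside the encrypted body
        "sent_at": parsedate_to_datetime(msg["Date"]),
        "relay_times": relay_times,
        "body_bytes": len(body.encode()),  # message size is metadata too
    }

if __name__ == "__main__":
    for field, value in exposure(RAW).items():
        print(f"{field:18} {value}")
```
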

I sincerely hope these tips inspire you to take control of your privacy and safeguard yourself against the surveillance state.

Stay Curious,

Addie LaMarr
