Surveillance
Self-Defense

Human rights defender?

  • Human rights defender?

    Recipes for organizations who need to keep safe from government eavesdroppers.

    If you run an organization whose work might be monitored by governments—either locally, or when you travel—you need to think about locking down your communications. Here's a basic guide for what to think about when planning your institutional surveillance self-defense.

  • Assessing Your Risks

    Trying to protect all your data from everyone all the time is impractical and exhausting. But, do not fear! Security is a process, and through thoughtful planning, you can assess what’s right for you. Security isn’t about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats.

    In computer security, a threat is a potential event that could undermine your efforts to defend your data. You can counter the threats you face by determining what you need to protect and from whom you need to protect it. This process is called “threat modeling.”

    This guide will teach you how to threat model, or how to assess your risks for your digital information and how to determine what solutions are best for you.

    What might threat modeling look like? Let’s say you want to keep your house and possessions safe, here are a few questions you might ask:

    What do I have inside my home that is worth protecting?

    • Assets could include: jewelry, electronics, financial documents, passports, or photos

    Who do I want to protect it from?

    • Adversaries could include: burglars, roommates, or guests

    How likely is it that I will need to protect it?

    • Does my neighborhood have a history of burglaries? How trustworthy are my roommates/guests? What are the capabilities of my adversaries? What are the risks I should consider?

    How bad are the consequences if I fail?

    • Do I have anything in my house that I cannot replace? Do I have the time or money to replace these things? Do I have insurance that covers goods stolen from my home?

    How much trouble am I willing to go through to prevent these consequences?

    • Am I willing to buy a safe for sensitive documents? Can I afford to buy a high-quality lock? Do I have time to open a security box at my local bank and keep my valuables there?

    Once you have asked yourself these questions, you are in a position to assess what measures to take. If your possessions are valuable, but the risk of a break-in is low, then you may not want to invest too much money in a lock. But, if the risk is high, you’ll want to get the best lock on the market, and consider adding a security system.

    Building a threat model will help you to understand threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries' capabilities, along with the likelihood of risks you face.

    What is threat modeling and where do I start?

    Threat modeling helps you identify threats to the things you value and determine from whom you need to protect them. When building a threat model, answer these five questions:

    1. What do I want to protect?
    2. Who do I want to protect it from?
    3. How bad are the consequences if I fail?
    4. How likely is it that I will need to protect it?
    5. How much trouble am I willing to go through to try to prevent potential consequences?

    Let’s take a closer look at each of these questions.

    What do I want to protect?

    An “asset” is something you value and want to protect. In the context of digital security, an asset is usually some kind of information. For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices may also be assets.

    Make a list of your assets: data that you keep, where it’s kept, who has access to it, and what stops others from accessing it.

    Who do I want to protect it from?

    To answer this question, it’s important to identify who might want to target you or your information. A person or entity that poses a threat to your assets is an “adversary.” Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.

    Make a list of your adversaries, or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.

    Depending on who your adversaries are, under some circumstances this list might be something you want to destroy after you’re done threat modeling.

    How bad are the consequences if I fail?

    There are many ways that an adversary can threaten your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.

    The motives of adversaries differ widely, as do their attacks. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.

    Threat modeling involves understanding how bad the consequences could be if an adversary successfully attacks one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all your phone records and thus has the capability to use that data against you. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

    Write down what your adversary might want to do with your private data.

    How likely is it that I will need to protect it?

    Risk is the likelihood that a particular threat against a particular asset will actually occur. It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.

    It is important to distinguish between threats and risks. While a threat is a bad thing that can happen, risk is the likelihood that the threat will occur. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).

    Conducting a risk analysis is both a personal and a subjective process; not everyone has the same priorities or views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.

    Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.

    How much trouble am I willing to go through to try to prevent potential consequences?

    Answering this question requires conducting the risk analysis. Not everyone has the same priorities or views threats in the same way.

    For example, an attorney representing a client in a national security case would probably be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.

    Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.

    Threat modeling as a regular practice

    Keep in mind your threat model can change as your situation changes. Thus, conducting frequent threat modeling assessments is good practice.

    Create your own threat model based on your own unique situation. Then mark your calendar for a date in the future. This will prompt you to review your threat model and check back in to assess whether it’s still relevant to your situation.

    Last reviewed: 
    2017-09-07
  • Communicating with Others

    Telecommunication networks and the Internet have made communicating with people easier than ever, but have also made surveillance more prevalent than it has ever been in human history. Without taking extra steps to protect your privacy, every phone call, text message, email, instant message, voice over IP (VoIP) call, video chat, and social media message may be vulnerable to eavesdroppers.

    Often the safest way to communicate with others is in person, without computers or phones being involved at all. Because this isn’t always possible, the next best thing is to use end-to-end encryption while communicating over a network if you need to protect the content of your communications.

    How Does End-to-End Encryption Work?

    When two people want to communicate securely (for example, Akiko and Boris) they must each generate crypto keys. Before Akiko sends a message to Boris she encrypts it to Boris's key so that only Boris can decrypt it. Then she sends the already-encrypted message across the Internet. If anyone is eavesdropping on Akiko and Boris—even if they have access to the service that Akiko is using to send this message (such as her email account)—they will only see the encrypted data and will be unable read the message. When Boris receives it, he must use his key to decrypt it into a readable message.

    End-to-end encryption involves some effort, but it's the only way that users can verify the security of their communications without having to trust the platform that they're both using. Some services, such as Skype, have claimed to offer end-to-end encryption when it appears that they actually don't. For end-to-end encryption to be secure, users must be able to verify that the crypto key they're encrypting messages to belongs to the people they believe they do. If communications software doesn't have this ability built-in, then any encryption that it might be using can be intercepted by the service provider itself, for instance if a government compels it to.

    You can read Freedom of the Press Foundation's whitepaper, Encryption Works for detailed instructions on using end-to-end encryption to protect instant messages and email. Be sure to check out the following SSD modules as well:

    Voice Calls

    When you make a call from a landline or a mobile phone, your call is not end-to-end encrypted. If you're using a mobile phone, your call may be (weakly) encrypted between your handset and the cell phone towers. However as your conversation travels through the phone network, it's vulnerable to interception by your phone company and, by extension, any governments or organizations that have power over your phone company. The easiest way to ensure you have end-to-end encryption on voice conversations is to use VoIP instead.

    Beware! Most popular VoIP providers, such as Skype and Google Hangouts, offer transport encryption so that eavesdroppers cannot listen in, but the providers themselves are still potentially able to listen in. Depending on your threat model, this may or may not be a problem.

    Some services that offer end-to-end encrypted VoIP calls include:

    In order to have end-to-end encrypted VoIP conversations, both parties must be using the same (or compatible) software.

    Text Messages

    Standard text (SMS) messages do not offer end-to-end encryption. If you want to send encrypted messages on your phone, consider using encrypted instant messaging software instead of text messages.

    Some end-to-end encrypted instant messaging services use their own protocol. So, for instance, users of Signal on Android and iOS can chat securely with others who use those programs. ChatSecure is a mobile app that encrypts conversations with OTR on any network that uses XMPP, which means you can choose from a range of independent instant messaging services.

    Instant Messages

    Off-the-Record (OTR) is an end-to-end encryption protocol for real-time text conversations that can be used on top of a variety of services.

    Some tools that incorporate OTR with instant messaging include:

    Email

    Most email providers give you a way of accessing your email using a web browser, such as Firefox or Chrome. Of these providers, most of them provide support for HTTPS, or transport-layer encryption. You can tell that your email provider supports HTTPS if you log in to your webmail and the URL at the top of your browser begins with the letters HTTPS instead of HTTP (for example: https://mail.google.com).

    If your email provider supports HTTPS, but does not do so by default, try replacing HTTP with HTTPS in the URL and refresh the page. If you’d like to make sure that you are always using HTTPS on sites where it is available, download the HTTPS Everywhere browser add-on for Firefox or Chrome.

    Some webmail providers that use HTTPS by default include:

    • Gmail
    • Riseup
    • Yahoo

    Some webmail providers that give you the option of choosing to use HTTPS by default by selecting it in your settings. The most popular service that still does this is Hotmail.

    What does transport-layer encryption do and why might you need it? HTTPS, also referred to as SSL or TLS, encrypts your communications so that it cannot be read by other people on your network. This can include the other people using the same Wi-Fi in an airport or at a café, the other people at your office or school, the administrators at your ISP, malicious hackers, governments, or law enforcement officials. Communications sent over your web browser, including the web pages that you visit and the content of your emails, blog posts, and messages, using HTTP rather than HTTPS are trivial for an attacker to intercept and read.

    HTTPS is the most basic level of encryption for your web browsing that we recommend for everybody. It is as basic as putting on your seat belt when you drive.

    But there are some things that HTTPS does not do. When you send email using HTTPS, your email provider still gets an unencrypted copy of your communication. Governments and law enforcement may be able to access this data with a warrant. In the United States, most email providers have a policy that says they will tell you when you have received a government request for your user data as long as they are legally allowed to do so, but these policies are strictly voluntary, and in many cases providers are legally prevented from informing their users of requests for data. Some email providers, such as Google, Yahoo, and Microsoft, publish transparency reports, detailing the number of government requests for user data they receive, which countries make the requests, and how often the company has complied by turning over data.

    If your threat model includes a government or law enforcement, or you have some other reason for wanting to make sure that your email provider is not able to turn over the contents of your email communications to a third party, you may want to consider using end-to-end encryption for your email communications.

    PGP (or Pretty Good Privacy) is the standard for end-to-end encryption of your email. Used correctly, it offers very strong protections for your communications. For detailed instructions on how to install and use PGP encryption for your email, see:

    What End-To-End Encryption Does Not Do

    End-to-end encryption only protects the content of your communication, not the fact of the communication itself. It does not protect your metadata—which is everything else, including the subject line of your email, or who you are communicating with and when.

    Metadata can provide extremely revealing information about you even when the content of your communication remains secret.

    Metadata about your phone calls can give away some very intimate and sensitive information. For example:

    • They know you rang a phone sex service at 2:24 am and spoke for 18 minutes, but they don't know what you talked about.
    • They know you called the suicide prevention hotline from the Golden Gate Bridge, but the topic of the call remains a secret.
    • They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour, but they don't know what was discussed.
    • They know you received a call from the local NRA office while it was having a campaign against gun legislation, and then called your senators and congressional representatives immediately after, but the content of those calls remains safe from government intrusion.
    • They know you called a gynecologist, spoke for a half hour, and then called the local Planned Parenthood's number later that day, but nobody knows what you spoke about.

    If you are calling from a cell phone, information about your location is metadata. In 2009, Green Party politician Malte Spitz sued Deutsche Telekom to force them to hand over six months of Spitz’s phone data, which he made available to a German newspaper. The resulting visualization showed a detailed history of Spitz’s movements.

    Protecting your metadata will require you to use other tools, such as Tor, at the same time as end-to-end encryption.

    For an example of how Tor and HTTPS work together to protect the contents of your communications and your metadata from a variety of potential attackers, you may wish to take a look at this explanation.

    Last reviewed: 
    2017-01-12
  • Keeping Your Data Safe

    If you have a smartphone, laptop, or tablet, you’re carrying a massive amount of data with you at all times. Your social contacts, private communications, personal documents and personal photos (many of which have confidential information of dozens, even thousands of people) are just some examples of things you may store on your digital devices. Because we store and carry so much data, it can be hard to keep it safe—especially because it can be taken from you relatively easily.

    Your data can be seized at the border, taken from you in the street, or burgled from your house and copied in seconds. Unfortunately, locking your device with passwords, PINs, or gestures may not protect your data if the device itself is seized. It’s relatively easy to bypass such locks because your data is stored in an easily-readable form within the device. An adversary would just need to access the storage directly in order to copy or examine your data without your password.

    With that said, you can make it harder for those who physically steal your data to unlock its secrets. Here are a few ways you can help keep your data safe.

    Encrypt Your Data

    If you use encryption, your adversary needs both your device and your password to unscramble the encrypted data. Therefore, it's safest to encrypt all of your data, not just a few folders. Most smartphones and computers offer complete, full-disk encryption as an option.

    For smartphones and tablets:

    • Android offers full-disk encryption when you first set up your device on newer devices, or anytime afterwards under its “Security” settings for all devices.
    • Apple devices such as the iPhone and iPad describe it as “Data Protection” and turn it on if you set a passcode.

    For computers:

    • Apple provides a built-in, full-disk encryption feature on macOS called FileVault.  
    • Linux distributions usually offer full-disk encryption when you first set up your system.
    • Windows Vista or later includes a full-disk encryption feature called BitLocker.

    BitLocker's code is closed and proprietary, which means it is hard for external reviewers to know exactly how secure it is. Using BitLocker requires you trust Microsoft provides a secure storage system without hidden vulnerabilities. On the other hand, if you're already using Windows, you are already trusting Microsoft to the same extent. If you are worried about surveillance from the kind of adversaries who might know of or benefit from a backdoor in either Windows or BitLocker, consider an alternative open-source operating system such as GNU/Linux or BSD, especially a version that has been hardened against security attacks, such Tails or Qubes OS. Alternatively, consider installing an alternative disk encryption software, Veracrypt, to encrypt your hard drive.

    Remember: Whatever your device calls it, encryption is only as good as your password. If an adversary has your device, they have all the time in the world to figure out your passwords. An effective way of creating a strong and memorable password is to use dice and a word list to randomly choose words. Together, these words form your “passphrase.” A “passphrase” is a type of password that is longer for added security. For disk encryption we recommend selecting a minimum of six words. Check out our guide to Creating Strong Passwords for more information.

    It may be unrealistic for you to learn and enter a long passphrase on your smartphone or mobile device. So, while encryption can be useful to prevent casual access, you should preserve truly confidential data by keeping it hidden from physical access by adversaries, or cordoned away on a much more secure device.

    Create a Secure Device

    Maintaining a secure environment can be hard. At best, you have to change passwords, habits, and perhaps the software you use on your main computer or device. At worst, you have to constantly think about whether you're leaking confidential information or using unsafe practices. Even when you know the problems, you may not be able to employ solutions because sometimes people with whom you need to communicate use unsafe digital security practices. For instance, work colleagues might want you to open email attachments from them, even though you know your adversaries could impersonate them and send you malware.

    So what’s the solution? Consider cordoning off valuable data and communications onto a more secure device. You can use the secure device to keep the primary copy of your confidential data. Only use this device occasionally and, when you do, consciously take much more care over your actions. If you need to open attachments, or use insecure software, do it on another machine.

    An extra, secure computer may not be as expensive an option as you think. A computer that is seldom used, and only runs a few programs, does not need to be particularly fast or new. You can buy an older netbook for a fraction of the price of a modern laptop or phone. Older machines also have the advantage that secure software like Tails may be more likely to work with them than newer models.

    When Setting up a Secure Computer, What Steps Can You Take to Make it Secure?

    1. Keep your device well-hidden and don’t discuss its location—somewhere where you are able to tell if it has been tampered with, such as a locked cabinet.
    2. Encrypt your computer’s hard drive with a strong passphrase so that if it is stolen, the data will remain unreadable without the passphrase.
    3. Install a privacy- and security-focused operating system like Tails. You might not be able (or want) to use an open-source operating system in your everyday work, but if you just need to store, edit, and write confidential emails or instant messages from this secure device, Tails will work well and defaults to high security settings.
    4. Keep your device offline. Unsurprisingly, the best way to protect yourself from Internet attacks or online surveillance is to never connect to the Internet. You could make sure your secure device never connects to a local network or Wifi and only copy files onto the machine using physical media, like DVDs or USB drives. In network security, this is known as having an “air gap” between the computer and the rest of the world. While extreme, this can be an option if you want to protect data that you rarely access, but never want to lose (such as an encryption key, a list of passwords, or a backup copy of someone else's private data that has been entrusted to you). In most of these cases, you might want to consider just having a hidden storage device, rather than a full computer. An encrypted USB key kept safely hidden, for example, is probably as useful (or as useless) as a complete computer unplugged from the Internet.
    5. Don’t log in to your usual accounts. If you do use your secure device to connect to the Internet, create separate web or email accounts that you use for communications from this device, and use Tor (see guides for Linux, macOS, Windows) to keep your IP address hidden from those services. If someone is choosing to specifically target your identity with malware, or is only intercepting your communications, separate accounts and Tor can help break the link between your identity, and this particular machine.

    While having one secure device that contains important, confidential information may help protect it from adversaries, it also creates an obvious target. There’s also a risk of losing the only copy of your data if the machine is destroyed. If your adversary would benefit from you losing all your data, don't keep it in just one place, no matter how secure. Encrypt a copy and keep it somewhere else.

    A variation on the idea of a secure machine is to have an insecure machine: a device that you only use when going into a dangerous place or attempting a risky operation. Many journalists and activists, for instance, take a basic netbook with them when they travel. This computer does not have any of their documents or usual contact or email information on it so there’s minimal loss if it is confiscated or scanned. You can apply the same strategy to mobile phones. If you usually use a smartphone, consider buying a cheap throwaway or burner phone when travelling for specific communications.

    Last reviewed: 
    2018-06-28
  • Things to Consider When Crossing the U.S. Border

    Planning on crossing the border into the United States anytime soon? Did you know that the government has the right to, without a warrant, search travelers at the border—including when they land at international airports—as part of its traditional power to control the flow of items into the country? (Note that although some of the same legal justifications exist for searches of those leaving the U.S. and that such searches are possible, travelers are not routinely searched on their way out of the country.)

    For a more in-depth treatment of this issue, check out EFF's guide, Digital Privacy at the U.S. Border: Protecting the Data On Your Devices.

    Here are Some Things to Keep in Mind When Crossing the U.S. Border:

    Border agents may demand your digital data. Consider your individual risk assessment factors. Your immigration status, travel history, the sensitivity of your data, and other factors may influence your choices.

    Be aware that unusual precautions may make border agents suspicious.

    • Back up your devices. This may help in case one or more of your devices is seized. You can use an online backup service or an external hard drive, though we don't recommend carrying both your laptop and your backup hard drive at the same time.
    • Reduce the amount of data you carry over the border. Consider traveling with a "clean" laptop. But note that simply dragging files to your trash doesn't delete them completely. Make sure you securely delete your files. Consider leaving your regular mobile phone at home and purchasing a temporary phone and transferring your SIM card over or getting a new number when you arrive at your destination.
    • Encrypt your devices. We recommend using full-disk encryption  on your devices (laptops, mobile phones, etc.) and choosing secure passphrases.
    • If a border agent asks for your passphrase , you do not have to comply. Only a judge can force you to reveal such information. However, refusal to comply could bear consequences: for noncitizens, you may be refused entry into the country; for citizens, your device may be seized or you may be detained for several hours.
    • Power down your devices before arriving at the border to block high-tech attacks.
    • Don’t rely on fingerprint or other biometric locks; they are weaker than passwords.
    • Agents can get live or cached cloud content from the apps and browsers you have on your device. Consider logging out, removing saved login credentials, or uninstalling sensitive apps.
    • When dealing with border agents, remember these three things: Be courteous, do not lie, and do not physically interfere with the agent’s search. Border agents have a right to look at the physical aspects of your device (e.g., to make sure drugs aren’t stored in the battery compartment of a laptop).

    Not sure you’ll remember these tips? Check out EFF’s Border Search Pocket Guide, designed to be printed, folded, and carried in your pocket while traveling.

     

     

    Last reviewed: 
    2018-05-16
  • Choosing the VPN That's Right for You

    What’s a VPN? VPN stands for “Virtual Private Network.” It enables a computer to send and receive data across shared or public networks as if it is directly connected to the private network—benefiting from the functionality, security, and management policies of the private network.

    What is a VPN Good For?

    You can use a VPN to connect to the corporate intranet at your office while you’re traveling abroad, while you are at home, or any other time you are out of the office.

    You can also use a commercial VPN to encrypt your data as it travels over a public network, such as the Wi-Fi in an Internet café or a hotel.

    You can use a commercial VPN to circumvent Internet censorship on a network that blocks certain sites or services. For example, some Chinese users use commercial VPNs to access websites blocked by the Great Firewall.

    You can also connect to your home network by running your own VPN service, using open-source software such as OpenVPN.

    What Doesn’t a VPN Do?

    A VPN protects your Internet traffic from surveillance on the public network, but it does not protect your data from people on the private network you’re using. If you are using a corporate VPN, then whoever runs the corporate network will see your traffic. If you are using a commercial VPN, whoever runs the service will be able to see your traffic.

    A disreputable VPN service might do this deliberately, to collect personal information or other valuable data.

    The manager of your corporate or commercial VPN may also be subject to pressure from governments or law enforcement to turn over information about the data you have sent over the network. You should review your VPN provider’s privacy policy for information about the circumstances under which your VPN provider may turn your data over to governments or law enforcement.

    You should also take note of the countries in which the VPN provider does business. The provider will be subject to the laws in those countries, which may include both legal requests for your information from that government, and other countries with whom it has a legal assistance treaty. In some cases, the laws will allow for requests without notice to you or an opportunity to contest the request.

    Most commercial VPNs will require you to pay using a credit card, which includes information about you that you may not want to disclose to your VPN provider. If you would like to keep your credit card number from your commercial VPN provider, you may wish to use a VPN provider that accepts Bitcoin, or use temporary or disposable credit card numbers. Also, please note that the VPN provider may still collect your IP address when you use their service, which can be used to identify you, even if you use an alternative payment method. If you would like to hide your IP address from your VPN provider, you may wish to use Tor when connecting to your VPN.

    For information about specific VPN services, click here.

    We at EFF cannot vouch for this rating of VPNs. Some VPNs with exemplary privacy policies could be run by devious people. Do not use a VPN that you do not trust.

    Last reviewed: 
    2016-06-09
Next:
JavaScript license information