Unless you’ve been living under a rock for the last 36 months you have at least heard the names “National Security Agency” and “Edward Snowden” thrown around. Scary stories about people reading our email, and listening to our phone conversations. The reality is pretty horrifying, and the extent to which big government agencies have managed to snoop on us is unprecedented. So how would we go about retaining our privacy when we have things like Facebook and Twitter which encourage us to spew our lives online with gusto?
I have to point out that I am not an expert at security. I am just a guy on the internet who’s been reading mildly technical articles for several months. I can’t tell you the details of any cryptographic algorithm; I do not understand any of the mathematics behind it. There are half a million things that I have not understood about the things I do talk about. But I have looked into legitimate, peer-reviewed ways of being more secure online, and preventing electronic snooping of your activities.
If you’re just interested in getting to a list of what applications/programs/plugins to use, scroll down to the section titled “Specific tools”.
Also, as a word of caution — If this is the first time you’re encountering all of this, it can be pretty overwhelming to try and wrap your head around all of it at once. It took me several weeks to do that. But keeping that in mind, I’ve still tried to cram all the information into one gigantic post in as simple a manner as I can. If you’re unable to make it to the end of the article, bookmark it and come back later once you’ve munched your way through the first part. I definitely think it’s worthwhile to understand this issue.
What is the problem?
As I mentioned earlier, there’s been worldwide controversy over the fact that the National Security Agency in the US has been surveilling everyone and their mothers. They have targeted programs for email, phone calls and even Skype. And it isn’t just the US either. The US and their most trusted allies, dubbed Five Eyes (Australia, Canada, New Zealand, UK, US) have basically been attempting to track everything that happens on the internet. They do this by tapping into the backbone of the internet, the giant cables that run across the oceans to connect different continents.
Germany has played an active role in helping the Five Eyes. India is hopping on the bandwagon too, setting up an independent surveillance system.
If we let this go unchecked, governments everywhere will be setting up surveillance states in the proper Orwellian sense. It’s important to fight these cases in courts and use the justice system. But it’s also just as important to secure your own communications. The larger the volume of encrypted communication, the more difficult it is for the state to figure out what anyone is doing.
So far the internet hasn’t been too gung-ho about implementing any cryptographic measures, except for a few websites (like banks), but that’s slowly changing. Emails and voice calls can be secured too; they just need the right tools.
So what tools can we rely on?
Open source tools can mostly be trusted, because their source code is free for anyone to look at and check whether it’s doing things it isn’t telling you about. But checking these things takes time, effort and money, so not all open source projects are audited, and that’s good to be aware of. However, un-audited open source software is still better than proprietary software, mostly because open source projects have (hopefully) hundreds of people working on them, and the chance that they are all malicious is quite small.
How do they work?
All of these tools use cryptography to encrypt your data while sending it to someone else. So it’s encoded in a way that someone who sees the message as it’s going between you and the recipient will not be able to tell what the message is about. They can still see who you’re sending it to, though.
Each software can use a different method to encrypt your data. The two most commonly used ones are what I’ll call password-protected (a.k.a symmetric key algorithms) and public key cryptography.
Password protected algorithms are very straightforward to understand. You input a password, which it uses to convert your message (in plain text) into encrypted text. Then the person you’re sending the message to will use the same password to convert encrypted text back into the message. Security people will tell you that you still have the problem of communicating the password in a secure manner. But that’s not something that we need to worry about for the purposes of this post.
Public key cryptography is slightly more complex than that. The way I initially understood it is this — You want to send a message to Bob in a way that no one else can read it. You are in possession of a lock and key, and Bob is in possession of a lock and key. You don’t have Bob’s key, he’s kept it private, but he has publicly displayed the specifications of his lock. So you build a lock exactly like Bob’s, and lock your message with his lock. When you send it to Bob, he opens it with his key, and reads the message. You have also published the details of your lock, while keeping your key private, and Bob follows the exact same routine. This means that only a person with your key can read a message that’s been locked with your lock, and only a person with Bob’s key can read a message that’s been locked with Bob’s lock.
This is the simplified version of public key crypto. Effectively your lock is called a public key, and your key is called a private key. Bob also has a public key and a private key. So when you send a message to Bob, you encrypt the text with his public key, which he can decrypt using his private key. These keys look like long strings of text, and they work with very fancy mathematics that I don’t quite understand. But they work very, very well. So well in fact that the US government had it classified as munitions.
The most popular form of public key encryption is a tool called PGP (standing for Pretty Good Privacy), and the open source version of PGP is called GPG (standing for GNU Privacy Guard, which also conveniently has all the letters of PGP).
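To make the “password-protected” and “lock and key” ideas above concrete, here is an added toy model (not from the post, and not how GPG is actually implemented): textbook RSA with constructed small primes plays the lock and key, a SHA-256 keystream plays the password, and the two are combined the way PGP-style tools do, locking a one-time password with the recipient’s public key and encrypting the message body with that password. The primes, keys and message are all constructed values for illustration only.

```python
"""Toy model of the two ideas in the post: a "password-protected" (symmetric)
scheme, a public-key "lock and key" scheme, and how PGP-style tools combine
them. Textbook RSA with tiny constructed primes and a SHA-256 keystream are
for illustration only and are NOT secure; real tools use vetted libraries."""
import hashlib
import secrets

# --- password-protected part: the SAME key both encrypts and decrypts ---
def keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    # XOR with the keystream; running it twice with the same key restores data
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

# --- public-key part: textbook RSA. (n, e) is the published "lock",
#     (n, d) is the "key" that stays private. p and q are constructed primes. ---
def rsa_keypair(p: int, q: int):
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    d = pow(e, -1, phi)                 # modular inverse, needs Python 3.8+
    return (n, e), (n, d)

def rsa_apply(key, m: int) -> int:
    n, exponent = key
    return pow(m, exponent, n)          # lock with e, unlock with d

# --- hybrid scheme: lock a one-time "password" with the recipient's public
#     key, then encrypt the message body with that password ---
def encrypt_for(recipient_public, message: bytes, session_key=None):
    n = recipient_public[0]
    if session_key is None:             # fresh random password per message
        session_key = secrets.randbelow(n - 2) + 2
    locked_key = rsa_apply(recipient_public, session_key)
    body = symmetric_crypt(session_key.to_bytes(8, "big"), message)
    return locked_key, body

def decrypt_with(private_key, locked_key: int, body: bytes) -> bytes:
    session_key = rsa_apply(private_key, locked_key)   # wrong key -> wrong password
    return symmetric_crypt(session_key.to_bytes(8, "big"), body)

if __name__ == "__main__":
    bob_public, bob_private = rsa_keypair(1000003, 1000033)     # constructed primes
    alice_public, alice_private = rsa_keypair(999979, 999983)   # constructed primes
    locked, body = encrypt_for(bob_public, b"meet at noon")     # locked with Bob's lock
    print(decrypt_with(bob_private, locked, body))              # Bob's key opens it
    print(decrypt_with(alice_private, locked, body))            # Alice's key gives garbage
```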
Right, so how do we secure ourselves?
It’s important to note right here that these methods are effective only if lots of people use them. If I’m the only idiot in the room using these tools, I may as well not be using these tools, since I can’t communicate with anyone in a secure way.
There are several websites that list software that you can use to secure SMS, instant messaging, emails, phone calls or whatever else.
Reset the Net has a privacy pack, where they outline different tools for different use cases, i.e., apps for phones & programs for laptops. I’ll list a bunch of software that I’ve personally used and like below.
Prism Break also has a list of tools, with some overlap with Reset The Net.
All the tools that I use come from one of the two lists. There are several more resources online which explain wonderfully in great detail several aspects of the global surveillance dragnet, as well as other tools and techniques to keep yourself safe(r) online. I’ll link a few of those right at the bottom of this article.
Specific Tools
I have tried to list cross platform solutions wherever I can. But sometimes I haven’t been able to, so I’ve just listed the one that I use. You can find alternatives to this software on the websites I’ve listed above.
- Tor — Website is here. Cross platform. The granddaddy of online privacy, Tor encrypts as well as anonymizes you while you’re online. I recommend that you only run Tor when you really want to stay anonymous, since it can be quite slow and it is also the method of choice for various political protesters and dissidents to communicate with each other. We don’t really want to clog it up with pictures of cats or whatever.
- HTTPS Everywhere — Website is here. Cross platform. It is a browser plugin that enforces the secure version of websites wherever possible (the S at the end of HTTPS stands for secure). I highly recommend this, it’s very easy to set up and you completely forget that it’s there. It encrypts the connection between you and a website, so someone sitting in the middle cannot see what you’re sending the website.
- Disconnect — Website is here. Cross platform. A browser plugin that prevents you from being tracked online. Every time you go to any website, half a dozen trackers (at least) hop on to you and start following you around the internet, and this happens without your consent, and it happens everywhere. Again, very highly recommended because it’s dead simple to install and you completely forget it’s there.
- NoScript — Website is here. Cross platform. A Firefox plugin that blocks third party JavaScript code from running in your browser. Definitely only for people who know what that sentence means, because it can cause havoc if you don’t know how to use it. Very useful and very, very effective. There is a Chrome alternative called ScriptSafe which I have not tried.
- Mailvelope — Website is here. Cross platform, a browser plugin for Chrome and Firefox that lets you use GPG encryption with most popular web mail providers (like GMail). It comes with instructions on how to set it up.
- Thunderbird + Enigmail — Website is here. Cross platform. An addon to the desktop email client Mozilla Thunderbird. Enigmail allows you to encrypt your emails with GPG encryption. This is (in my opinion) harder to set up than Mailvelope. But as far as I know it is also the only option to encrypt emails if you’re using Thunderbird.
Here’s a nice infographic on email encryption, originally from here.

- Cryptocat — Website is here. Cross platform, available also for iOS (and coming to Android). It’s a browser plugin that opens up a chat window to use for encrypted, secure instant messaging. Additionally it does not store any logs of the chats.
- Chatsecure — Website is here. Available for iOS and Android. It used to be called GibberBot, and they have a cute little how-to over here. Very easy to set up. Also works without encryption to chat with people using other programs, like Google Chat for instance.
Part of keeping your online self secure is not using “banana123” as your password for everything. It’s difficult to constantly come up with different passwords, and we’re terrible at remembering them. So use a password manager that will generate and store passwords for you. The password manager will be password protected itself, since it keeps the passwords encrypted on your computer. So rather than 6032 different passwords you need to remember, it’s only one master password.
- Keepass — Website here. Cross platform. My password manager of choice. It isn’t the best looking, but it’s open source and it works quickly. It is important that you save a backup of the password database that it creates, because if you lose that you’ll lose a lot of passwords.
- Lastpass — Website here. Cross platform. EDIT: I had earlier recommended LastPass, but I have since found out that it has been deemed flawed. Please do not use Lastpass! A much safer option would be to use Keepass and make multiple copies of the Keepass password database on different devices (USB drive, etc).
Please generate long, complicated and gigantic passwords for things like your bank!
- TextSecure — Website here. Only for Android. Not by the same team that makes ChatSecure. An open-source encrypted text messaging service. Apparently it is being ported to iOS as well.
RedPhone is a voice-call encryption service made by the same people who make TextSecure. I haven’t used it, but it does have good reviews.
Okay, so we’re finally done! I’ve tried my best to convey the meaning without using too much jargon and in as simple a manner as I can think of. If you thought reading this was worth your time, there’s a recommend button a little further down, please click that so more people can see this post!
- Encrypt all the things — https://encryptallthethings.net/
- Encryption works — https://pressfreedomfoundation.org/encryption-works#pgp
- The NSA files — http://www.theguardian.com/world/the-nsa-files
- How hashing works — http://computer.howstuffworks.com/encryption5.htm
- The Intercept — https://firstlook.org/theintercept/ — More NSA stories.