Keeping Digital Communications Private in a Surveillance State
by Sam Hausman
You’re probably already aware of the growth of the federal government’s capability to monitor its citizens across the Bush and Obama administrations (but if you aren’t, the ACLU offers a succinct summary; PBS and the Huffington Post go into more depth). To the best of my knowledge, the Obama administration has largely used this massive surveillance apparatus responsibly. However, we have no such guarantees that the Trump administration will use it in the same manner. In fact, we already have several indicators that the incoming administration intends to use this ability for more nefarious purposes.
In an interview with Morning Joe in December 2015, Trump seemingly defended Putin against allegations that Putin had ordered the killing of dissident journalists. When asked his thoughts on these allegations, the President-elect said, “At least he’s a leader.” Furthermore, as Marc Randazza of CNN explained this February, “Trump has a history of filing SLAPP suits. SLAPP stands for Strategic Lawsuit Against Public Participation. This describes a lawsuit filed against someone for exercising his or her First Amendment rights — filed with little chance of success, but with the knowledge that the lawsuit itself is the punishment. After all, if people have to spend hundreds of thousands of dollars to defend themselves because they criticized Donald Trump, they might think better of doing so again in the future.” All of this coalesces into a portrait of a man who has no qualms about using the means at his disposal to silence his critics.
The surveillance apparatus that Trump stands to inherit did not appear overnight. It has ballooned in the thirteen years since the 2003 Patriot Act. Fortunately, privacy activists and security engineers have been developing a robust toolkit over that period. Many of those tools are free and easy to use. While it’s possible that a Trump administration never misuses this surveillance apparatus, being prepared for the worst case never hurts. As such, I’ve prepared brief explanations of some of the basic tools that are at our disposal for keeping digital communications private.
Two-Factor Authentication (2FA)
2FA is simply the practice of adding a second layer of verification to a login process. Many services such as Gmail implement this by having you register a trusted device or account. You log in with your normal password, Gmail sends a unique six-digit passcode to your trusted device, you enter that and you’re in — hence the name (the two factors are your original password and the verification code). I strongly recommend doing this for any account that contains information that you would not want publicized; it only adds a few seconds to a login process but increases security substantially.
A tutorial on setting up 2FA with Google can be found here. If you don’t use Gmail, a quick online search of “How to set up 2FA for [your preferred service]” should bring up the relevant information.
Virtual Private Networks (VPNs)
A virtual private network extends a secure private network across a public network that is not necessarily secure, like the WiFi at Starbucks. Many corporations that have intranets use VPNs so that their employees can access their private network from home. VPNs prevent ISPs, government surveillance agencies, corporations and anyone else who might be interested from intercepting any of the data that you send and receive.
ProXPN offers a free VPN that allows for a download speed of 300 kilobytes per second. VPNs that allow for unlimited download speeds generally cost a few dollars per month; a list of some effective ones can be found here. Setup instructions vary by service but they are generally straightforward.
Signal
Signal is a private communications app for text messaging and calls. It uses end-to-end encryption just like Apple does for iMessages. The fundamental difference is that Apple logs who you contact via iMessage along with other information such as the date and time when you entered a number and your IP address — which could be used to identify your location. Signal keeps no such logs. Legally, both Signal and Apple would be obligated to turn over any information demanded by subpoena. Apple could end up turning over a significant amount of your data in such a situation; because Signal stores no information besides your email address, they would have nothing else to reveal. Furthermore, unlike Apple and other providers that use closed source cryptography protocols, Signal’s cryptography is open source. This guarantees that there are no hidden backdoors built into the software that would allow a company to divulge your information without your consent.
Signal is available for free on the App Store.
ProtonMail
ProtonMail is a secure email service with a generous free plan. Like Signal, its cryptography is open source and its encryption is end-to-end. They do not allow themselves access to your data. A ProtonMail user is required to use two passwords. The first password, which can be recovered if forgotten, verifies the user’s identity; the second password, which is never stored, decrypts the user’s mailbox itself. Consequently, ProtonMail does not have the capability to access your inbox. Even if issued a subpoena, they would simply not be able to comply.
ProtonMail also offers unprecedented hardware-level security. As their website states, “Our primary datacenter is located under 1000 meters of granite rock in a heavily guarded bunker which can survive a nuclear attack.” While it might sound like overkill, this approach greatly increases the security of the service. Many successful hacks are perpetrated using social engineering. Social engineering refers to the exploitation of the human element. For example, a security guard could be tricked into allowing a hacker into a data center. From there, the hacker’s job becomes much easier because with access to the physical servers, they do not have to penetrate any network security protocols. Google, as is common for many providers in the United States, advertises the location of their data centers. ProtonMail’s data centers are all located in Switzerland and their location is not public record.
These many layers of protection make the chances of the NSA penetrating ProtonMail’s security quite small, let alone any party without governmental resources behind them.