The 25 Minute Crypto Shopping List

Things to do when your country wants to spy on everyone for no particular reason and that bugs you (ho ho ho)

Nick Harkaway
Essays and non-fiction
Nov 30, 2016


This is a picture of a tree. Why? Because a) every other article on this topic has some looming image of a guy in a hoodie or a snap of a CCTV camera and b) a search algo looking for surveillance articles will probably hate that. Yes, I’m kidding. A bit.

First term: threat model. In other words, your assumptions about who might want to spy on you and why.

My threat model is low to moderate. I’m not that interesting. However, my government just gave itself the right to read my browsing history going back a year, and to collect unspecified vast amounts of comms data in a footprint around a target. Basically they get to pour the surveillance custard over a whole postal district and sort it out later. They can do this for three days without a warrant, and the process of getting a warrant under the IP Act 2016 is not burdensome. It’s basically ministerial approval and rubber stamp. At the same time, I’m occasionally outspoken on political issues and my wife has worked in politically contentious areas (such as anti-rendition, anti-death penalty) in the past and no doubt sooner or later will again. It wouldn’t be unheard of for the security service to take an interest in people like me. I’m also, just as you are, a potential target for cybercriminals and nuisance spoiling.

If the big boys really want in to my digital life, they’re gonna get there. If you’re seriously concerned about state-level intrusion, you quit mobile phones and the Internet for ever, get a pane of glass and some flash paper, you use one-time pads to write messages to your friends and they burn them afterwards. Okay?

But for me, something less dramatic is enough.

The reality is that it took me ages to do anything about it, because YIKES. So here’s where I got to after I took ages…

(I’m talking about paid services in a couple of cases because there’s infrastructure here, and you want to know who you’re dealing with and that a proper obligation exists between you. That is not to say that there are no good free services, either free because free or because you use them at a lower level than the one where they start to charge. But. This is my list.)

1. Signal

Whisper Systems’ messaging app is as secure as you’re realistically going to get. It also does calling. So you download it, shove it on your phone, and use it with anyone else you know who has it instead of SMS or the standard call. The more of your friends who use it, the more use it is to you. Get it now: it takes a few seconds, and there’s basically no setup, because it works from your existing contacts list. Elapsed time: a minute.

2. VPN

Virtual Private Network. Basically: instead of making a connection to whatever website through your ISP (who now, in the UK, has a legal obligation to log your web use) you make an encrypted connection to a VPN. The VPN then makes an onward connection for you. Exactly what you are doing is somewhat obscured. Good practice anyway if you ever, ever use WiFi in public places like Starbucks. There are many of these. For me, it came down to a choice between NordVPN, VYPR, and F-Secure’s Freedome. It slightly depends what you want to worry about. The friend who suggested Freedome pointed out that I probably would prefer not to use it if I included Finland high in my threat model. I do not include Finland high in my threat model at this time. (Yes, there are free ones. I do not know which of them is the best.) Elapsed time: five minutes.

3. Password Manager

There are dozens. Pick one. Your passwords are crap, and you write them down. Then have a decent password for your password manager. Just one solidly difficult password. Elapsed time: five minutes.

4. Two-factor authentication

Username and password by itself is crap. This is better (though not perfect). It is incrementally more annoying, because you have to go through another stage in the login on a new machine, or if you have your browser set up to be aggressive about deleting its history. Apple, Google and others already make this available to you as part of their services. Enable it. Elapsed time: actually, Apple makes you wait to do this, so it takes a while. Google doesn’t — another five minutes.

5. Secure Email

All email is a postcard. Don’t say anything via email that you would not say on a postcard. As a matter of practical reality, though, you’re going to, so get ProtonMail or something like it. Signup is free, and takes no longer than a Googlemail signup. ProtonMail automatically encrypts messages sent to other ProtonMail users. It also offers you the option of sending encrypted messages to people who don’t use it, but you have to give them a password to open the message via another channel. (Don’t email it to them.) Elapsed time: four minutes.

6. Browser

If you really care about your privacy online, you use Tor. I haven’t made the shift to Tor yet because I want to know more about how it works, and how the UK courts will construe it. I probably will when I have enough time to do a bit of research. In the meantime, there are various secure-ish builds of Chrome, and I use two extensions — Privacy Badger and HTTPS Everywhere — to keep things honest. You’ll notice these are both from the Electronic Frontier Foundation. Note that the EFF maintains its own, better, version of all this, and will help you go beyond what I’ve suggested. Elapsed time: four minutes.

And there you go. Once you’ve done this, you are, as it were, human-vanilla obfuscated. You are not Edward Snowden. You are just someone who takes reasonable security measures, at approximately the same level as drawing your curtains and getting window locks. That is to say that while someone can get into your life online, they’ll have to work hard to do it, and they probably don’t care that much. Beyond this, there’s a Rubicon of secure Operating Systems and the like. That is not territory into which I have yet ventured.

Does that help?
