How to reduce government spying on you
December 12, 2018 — May 27, 2020
Many people today are living in surveillance states with weak citizen protection and persecution of citizens who blow the whistle on state wrongdoing, rapid erosion of privacy, criminalization of failure to turn state informer, or even of counselling resistance, and attacks on the free press, all without oversight by the public.
That’s Australia. Things are worse in Yemen, India, China, Russia, Saudi Arabia, etc. I’ll go ahead and say that I think that on balance strong encryption is a good idea to have in society as one bulwark against surveillance societies and also for just plain safety of business communication. In practice, we all use consumer-grade encryption, even the army. There are some interesting options for solidarity in software designers, as Eleanor Saitta points out, or you might say, design challenges stringent enough that our quisling tech sector will be unlikely to rise to them.
🏗 link to particular risks for each state.
For any of these anti-journalist states, you need hardcore security.
1 Firstly avoid corporate surveillance
Patrick Meier, How to use Facebook if you are a repressive regime. Bear in mind that even in notionally democratic regimes, Facebook provides your data to the police without warrants.
2 What you might use to get around this
EFF’s Surveillance Self Defense course is a good starting point.
They talk you through the theory and practice of different types of security, modeling the risks you face and trying to minimize them for different scenarios.
Maciej Cegłowski observes, discussing the related problem of securing political campaigns:
Campaigns have small budgets and operate in an unusually hostile environment. Not only are there people whose job it is to attack campaigns, but those people enjoy their work, get a government pension when they retire, and live happy, fulfilled professional lives.
I presume (hope?) he’s talking about hostile foreign actors but who knows these days?
OK, there is a lot to do, but let’s start with the basics. First, minimize your exposure to corporate surveillance.
Next, you probably want to lock down your computer. Maybe lock down one a little bit and also get a second, hardcore locked-down computer for your secret stuff.
3 DNS
You need to fix this to avoid getting profiled in the first place. You are constantly leaking info if you don’t kick it in the pants. See DNS servers.
5 SSH
There’s a lot of fiddling in ssh.
To secure it in particular, you need to get past 1024-bit DH keys. Sigh. The NSA is reading your comms with keys shorter than 2048 bits.
researchers Alex Halderman and Nadia Heninger presented compelling research suggesting that the NSA has developed the capability to decrypt a large number of HTTPS, SSH, and VPN connections using an attack on common implementations of the Diffie-Hellman key exchange algorithm with 1024-bit primes. […] In this post, we present some practical tips to protect yourself from the surveillance machine, whether you’re using a web browser, an SSH client, or VPN software.
There are more steps to secure ssh.
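One way to check an SSH setup for the short Diffie-Hellman groups discussed above, as an added example that is not part of the original post. The function names and the sample moduli and config lines are constructed for illustration; on most systems the real files are `/etc/ssh/moduli` and `/etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Added example: audit SSH for Diffie-Hellman groups shorter than 2048 bits.
MIN_BITS=2048

# moduli(5) columns: time type tests tries size generator modulus.
# Shipped files record size as bit length minus one (2047 means 2048-bit).
strong_moduli() {   # print the entries worth keeping
    awk -v min="$((MIN_BITS - 1))" '/^#/ || NF < 7 { next } $5 >= min' "$1"
}

weak_moduli_count() {   # how many entries fall below the floor
    awk -v min="$((MIN_BITS - 1))" \
        '/^#/ || NF < 7 { next } $5 < min { n++ } END { print n + 0 }' "$1"
}

# Report key exchanges pinned to the fixed 1024-bit group in an sshd_config
# or ssh_config style file. A leading "-" list removes algorithms, so skip it.
weak_kex() {
    awk 'tolower($1) == "kexalgorithms" && $2 !~ /^-/ {
        sub(/^[+^]/, "", $2)
        n = split($2, alg, ",")
        for (i = 1; i <= n; i++)
            if (alg[i] == "diffie-hellman-group1-sha1") print alg[i]
    }' "$1"
}

# Constructed sample input; the hex moduli are shortened placeholders.
write_samples() {
    cat > "$1/moduli" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20180101000000 2 6 100 1023 2 F1A2B3C4D5E6F708
20180101000001 2 6 100 1535 5 F1A2B3C4D5E6F709
20180101000002 2 6 100 2047 2 F1A2B3C4D5E6F70A
20180101000003 2 6 100 4095 5 F1A2B3C4D5E6F70B
EOF
    cat > "$1/sshd_config" <<'EOF'
Port 22
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1,diffie-hellman-group14-sha256
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "weak moduli: $(weak_moduli_count "$demo_dir/moduli")"
strong_moduli "$demo_dir/moduli" | awk '{ print "keep size " $5 }'
echo "weak kex: $(weak_kex "$demo_dir/sshd_config")"
rm -rf "$demo_dir"
```

The moduli file only governs the group-exchange key exchanges; `diffie-hellman-group1-sha1` uses a fixed 1024-bit prime and has to be dropped from the algorithm list itself.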
5.1 USB
USB is another security nightmare. See e.g. BadUSB malware: O.M.G cable (explanation for the busy), PoisonTap, LAN Turtle, USB armory… One imagines that if the DIY world can so readily destroy you via USB then the state actors are pretty good at it. Oh, Thunderbolt is broken too. Essentially, peripherals are a disaster.
Countering such attacks? USB condoms such as USG could probably help if you need to use USB, which you do. That is, if you don’t mind carrying a large, inconvenient device whose job is to reduce the functionality and speed of your peripherals. Few of us feel like we are likely enough to be targeted that this is worth doing, although as the cost of these attacks drops lower, that might change.
6 Hardened Desktop OS
See hardened OSes.
7 Hardened smartphones
See hardened smartphones.
8 Dazzle camouflage
The future will ruin fashion! One day vintage will mean something different.
Confuse automated surveillance by being weird. (While at the same time attracting non-automated surveillance.) I have mixed feelings about this. Effective? Practical? 🤷 Fun? 🤘
9 Incoming
How can you keep your data secret if a state actor is compromising the very hardware of the servers that store your information, or if network security in general is just a disaster because of terrible and ubiquitous decisions? NB even if you don’t buy the Bloomberg article, there’s no reason to suppose it won’t eventually be true.
- NSA’s own Mac security advice
- Glitter nail polish for laptop security.
- Don’t leave your computer unattended, because things like PoisonTap mean that anyone who can get to your USB port can log on to your websites.
- Do you really need Bluetooth? It’s probably not secure; turn it off if you don’t.
- Prism break is a chaotic jumble of solutions for secure communication. Excellent reference, although it really needs to incorporate some idea of how popular their suggested solutions are; after all, most of these things are only of any damn use if your friends also use ’em.
- Quick guide to the basics of encryption (or how about one with stick figures)
- Without a Trace: How to Take Your Phone Off the Grid – The Markup