Table of contents
- Chapter 1: Introduction
- Overall context
- Safety vs Security
- The right to privacy and security
- Why online security and privacy are relevant for 2021 / Reflection on digital revolution post-pandemic
- Why we should pay attention to online security
- Chapter 2: Privacy Awareness
- “I have nothing to hide” argument and other excuses
- The risks of internet privacy
- When online surveillance and profiling exploit our democracy
- Chapter 3: Tips for online privacy and security
- Privacy tips
- Surveillance tips
- Chapter 4: Collection of resources for activists and organisations
- Good habits
- List of various resources, guides, tools
- Appendices
- Appendix 1 – A GDPR mini overview. Learn the law, use the law
Surveillance tips
We have mentioned before in this manual how pervasive surveillance has become in our online life, and how scarcely informed we are as users. From PRISM collecting user data from the servers of US-based providers, to GCHQ (the British spy agency) collecting and storing loads of personal data (emails, social media posts, browsing history) and sharing them with the NSA (as revealed by Edward Snowden), to the NSA performing real-time keyword targeting, to spy agencies secretly collecting webcam images from millions of Yahoo! users, to vulnerabilities in IoT devices (vacuum cleaners or dolls, the end result is the same) leading to potential data leaks and hijacking risks, the news periodically reports on surveillance issues that very much affect our daily life.
The truth is that governments and spy and defence agencies today have the power to access, if they want, everybody’s browsing history, telecommunications data and Bulk Personal Datasets. If needed, they can force companies to decrypt user data, or they can perform equipment interference, also known as computer network exploitation (CNE), which allows them to interfere with electronic “equipment”. This includes computers, computer media (such as CDs or USB sticks) and smartphones, for the purpose of obtaining communications or other information. Equipment interference encompasses a range of activity, from remote access to computers and other electronic equipment to covertly downloading the contents of a mobile phone or storage media during a search. It can be considered mass hacking.
When it comes to anti-surveillance, a lot of the tips mentioned in the privacy section of this chapter are very much valid on this front as well (for instance: using browsers that allow anonymous browsing, like Tor, or using messaging platforms that guarantee 1:1 encryption). We will add some information here on preventing malware, email and messaging encryption, and protecting your website.
A good starting point can be the What is my IP address tool, which can help you hide your IP address and offers a series of useful tools and guides, such as VPN comparison and breach checks.
You can also head to Surveillance self-defense: it provides many tips, tools and how-tos for safer online communications (it’s a project of the Electronic Frontier Foundation).
Defending yourself from malicious programs
A good general rule is to avoid clicking on links or downloading unknown files received by email or mobile communication apps. But being in control of your applications and devices is equally important.
The next step is installing anti-malware software that uses a scanner to identify programs that are or may be malicious. There are many programs you can use; our best suggestion is to avoid the free ones if possible, as they probably belong to companies monetizing data (as in the case of Avast – AVG).
You can also install anti-spam systems (useful especially for malicious emails).
- the importance of open source
- What to do after
- 2 examples
Use encrypted communication and messaging platforms
Emails are not as secure as we think they are. To make emails more secure and more private, two programs were developed and are used to protect electronic communications: PGP (Pretty Good Privacy) and GPG (GNU Privacy Guard). They let people encrypt messages so that only authorized recipients can read them, and the messages are quite difficult to forge.
The freeware version of the PGP program can be downloaded from the home page of PGP International. It is restricted to personal use and is not for commercial purposes; alternatively, one can buy it from PGP Corporation. GPG, a free digital signature and email encryption program, can be downloaded for personal as well as business use.
It is also important to note that there are some cons to using encryption: for instance, it can become quite difficult to use the “search” tool in your mailbox due to the unreadable content of the emails.
Whenever possible, use encrypted communication and messaging platforms. Some examples are:
- Standard Notes: an app for encrypted and synchronized notes.
- OnionShare: Allows you to share files securely and includes an anonymous chat. It requires installing the app to open a room; you can then share the link for other users to use (whether or not they have the app installed), preferably with Tor. Pay attention to how you send the link, as this could breach your privacy! (Send it via Signal instead of email, for example.)
- Signal: A messaging alternative to WhatsApp or Messenger, whose open-source programme allows for external auditing of its privacy and encryption.
Protecting your website
Protect your website with an SSL Certificate: it encrypts communications and marks your website as secure. Digital certificates ensure that the information that travels between your website and your visitors is always encrypted and protected against data theft.
If you already have an SSL certificate installed on your hosting, we recommend that you switch to secure HTTPS browsing directly from your web application (instead of HTTP). HTTPS is HTTP with encryption. The only difference between the two protocols is that HTTPS uses TLS (SSL) to encrypt normal HTTP requests and responses. As a result, HTTPS is far more secure than HTTP.
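Once the switch is made, it is worth checking that visitors really end up on the encrypted version of the site. The following check is an added example, not part of the original manual: the function names and the `example.org` hostname are assumptions, and the sample values in the demo are constructed.

```python
"""Check that a site sends visitors to HTTPS and that its certificate is current."""
import http.client
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit


def cert_days_left(not_after, now):
    """Days until the certificate expires (notAfter as returned by getpeercert())."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days  # negative once the certificate has expired


def redirect_verdict(status, location, host):
    """Classify the answer a server gives to a plain http:// request."""
    if status not in (301, 302, 303, 307, 308):
        return "served-over-http"      # content was sent unencrypted
    target = urlsplit(location or "")
    if target.scheme != "https":
        return "redirect-not-https"    # redirect stays on plain HTTP
    if target.hostname != host:
        return "redirect-other-host"   # may be intended (www.), worth reviewing
    # 301/308 are permanent; 302/303/307 are re-requested over HTTP every visit
    return "ok" if status in (301, 308) else "temporary-redirect"


def check_site(host, timeout=5):
    """Live check (needs network access). Returns (days_left, verdict)."""
    ctx = ssl.create_default_context()  # validates certificate chain and hostname
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        verdict = redirect_verdict(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()
    return cert_days_left(not_after, datetime.now(timezone.utc)), verdict


if __name__ == "__main__":
    # Constructed sample values, so the demo runs without network access.
    now = datetime(2029, 12, 2, tzinfo=timezone.utc)
    print(cert_days_left("Jan  1 00:00:00 2030 GMT", now))
    print(redirect_verdict(200, None, "example.org"))
    print(redirect_verdict(301, "https://example.org/", "example.org"))
```

Calling `check_site()` with your own domain raises `ssl.SSLCertVerificationError` if the certificate is expired, untrusted or issued for a different hostname.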