Essential Online Security: An Anarchist’s Guide for Everyone!

May 31, 2017

The following is our long-awaited written introduction to online security. It follows on from the workshop we did on the subject in April, as part of our Capitalism: A Survival Guide series. We hope to produce more of these guides, and show how meeting our basic needs feeds in to the revolutionary struggle to kill capitalism before it kills us.

Sometimes it can feel like Ron Swanson has the only sensible reaction to the online world, but we do have some other suggestions that allow you to keep your internet connection going.  We’ve included links to short videos, visual guides, and software downloads – all you need to secure yourself online, with no prior knowledge required.

Introduction
What the guide is, and why we wrote it.
Foundation
The basics of how the internet functions and where it is vulnerable. Will help explain why we suggest some of the steps we do and will get you up to speed with the terminology we’ll be using.
Countering Threats pt1: ‘Illegitimate’ Organisations
Practical how-to steps to protect yourself from identity theft, password thieves, and malicious software.
Countering Threats pt2: Corporations
Steps to protect yourself from being tracked by the advertising companies, having your personal information stored and sold, or having Facebook know more about you than everyone you add to your friend list combined!
Countering Threats pt3: State Surveillance and Corporate Espionage
Steps to throw a spanner in the works of mass surveillance programs, make it harder for government departments to leaf through your online life, and even cause some trouble for any spies targeting you specifically.
Countering Threats pt4: Linking up for the Big Fights
Dodging mass state surveillance programs and looking for corners of the internet still free of totalitarian corporate control is an essential first step in securing ourselves online. However, just as essential is fighting to keep the internet free, and to stop the invasions of our privacy at the source. Find out how here.

Introduction

The rapid expansion of the internet has created opportunities for us to learn, talk, create, and organise in ways that would have never been possible without it. This hasn’t been without its cost though. Much of what we now take for granted would have seemed like dystopian science fiction even just a couple of decades ago. Advertising companies keep a file of information on every one of us, corporations know who all our friends are, our likes and dislikes, and our movements can be tracked remotely in real-time, and the government can access thousands of pages of our conversations from the mundane to the sensitive.

It’s all so overwhelming that most of us ignore it, often to our cost. This guide aims to change that. There are many relatively easy things we can all do to protect ourselves. If you can use the internet, you can manage most or all of what we suggest without any assistance. With a few relatively small changes to behaviour and a handful of free pieces of software, you can arm yourself against malicious hackers, corporate snoops, and state surveillance. Not only will this keep you safer, but normalising these protections will help keep others safer. Especially those organising in places or in ways that put them in more danger from the government. More than that, you can help join in the fight to keep the internet a free and open space, rather than the corporate controlled dystopia that many of our ‘leaders’ would like it to be.

Note for the tech savvy: This is very much a work in progress, so if you have suggestions for links to put in or things that should be changed or added, drop a comment or email us. Bare in mind we have designed it to be as simple as possible. We’re also looking at compiling phone security into a separate section, and listing apps specifically designed to be of use to activists.

 

Foundation

If you’re new to all this it can be hard to wrap your head around without some kind of visual aid. Luckily, someone has created this excellent five-minute video on how the internet works. So, as in our workshop, let’s start with this:

IPs and ISPs
Your Internet Service Provider (ISP), such as Virgin Media or BT, is likely to be able to identify you personally – or at least have your street address. They can access this via the Internet Protocol (IP) address, which, as we learned from the video, every device that connects to the internet has.

Your ISP is also able to work out which websites you visit. Every time you visit a webpage, not only does the host of that page get your IP address, your ISP is able to match your IP address to that of the server hosting the webpage. Other data will also be viewable by your ISP and others (especially if the connection is insecure), but we’ll get to that later!

Encryption
This is a word we’ll be using a LOT. By default, computers store information ‘unencrypted’ or in ‘plain text’, which means in a way that can be read by anyone. Information is sent between them in much the same way. This means that anyone who gets access to your computer or ‘listens in’ on your connection can see everything you’ve written or sent. In addition, if someone is powerful enough to demand information from your email provider or mobile network, it’s likely they’ll get a nice list of everything you’ve sent in quite a long while. Even texts you and the person you sent them to have deleted!

On the other hand, encrypted information is stored in such a way that it is unintelligible gibberish to anyone who lacks the key to read it. It’s like having all your emails and documents written in a secret code. Only once you put in the right key, for instance a password, is it translated into readable information. Depending on what you’re encrypting and how you’re using it, maybe only you will have this key, or just you and the website you are looking at, or just the person you’ve sent an email to. Often the process of encrypting information (and decrypting it back into plain information again) is handled automatically by your computer, so you can just sit back and enjoy the security without any inconvenience.

Insecure/Secure Connections and Website Leaks
Most connections to websites are ‘insecure’, which you can tell by looking at the URL (address of a website in the address bar). If the URL starts with ‘http://’, it means that everything sent back and forth between you and the website is in its ‘plain text’ form, and anyone in the middle can view it. This person in the middle could be your ISP or someone ‘packet sniffing’ – that is, attempting to look at your packets, the ones we learned about in the video.

However, other connections are ‘secure’, indicated by the URL starting with ‘https://’ – the ‘S’ stands for secure (yes, really!). In this case, the packets sent between you and the website are encrypted’ using a type of security called ‘Secure Socket Lock’ (SSL). This means most of the information you send to and from the website is hidden from your ISP and any potential packet sniffers. They’ll still know which website you are communicating with, but not what is being said.

It is especially important to establish you have a secure connection – a URL that starts with ‘https://’ – when you are sending sensitive information, such as your passwords or bank details. It can also be important when sending communication because you don’t want just anyone being able to read every message you type!

Alas, https is not perfect. While it does protect you from the people ‘in the middle’, the owner of the site may still have access to anything you send. It is good practice for these sites to store sensitive data (like passwords) in such a way that even the owners of the site can’t access it. However, even major companies, who should know better, are often found to be using outdated protection (or none at all) for their users’ passwords, leading to the kind of major leaks that often grab the headlines.

You can even search via your email address or username on Have I Been Pwned, and find out all the times your details were potentially compromised. Don’t panic, but do ensure you change passwords, and don’t use the same passwords on multiple sites (more on that later). Consider signing up for automatic alerts from Have I Been Pwned.

Cookies
Cookies are small pieces of data stored on your computer by a website you have visited. They can contain any information: the language you have selected to read the website in, which links you have clicked while on the website (like a breadcrumb trail), or the pieces of info you have typed into a form field (like your name, address, credit card number…).

This doesn’t mean that cookies are inherently bad though! In fact, some are essential and tell the web servers whether or not you are logged in and which account you are logged in on. This is so that it doesn’t show potentially sensitive information to the wrong person. And if a website has stored a cookie on your computer, other websites can’t just access the data in that cookie.

Cookies are limited in size so can’t hold a lot of information. So some websites save cookies on your computer that have a unique identifier in them, like a bar code for your computer. This code matches with one for data saved on their own systems, meaning they can store unlimited data about you and your browsing.

Some parts of a webpage you visit are actually part of another website entirely, such as those annoying (often repetitive) adverts you see everywhere. These websites within websites are still able to access and store cookies – they are able to identify you and save information about you, and even display adverts specifically targeted at you, based on your browsing history. Ever been on Facebook and there has been that rather creepy ad for that clothing website you were browsing earlier? This is all down to cookies, specifically “Third Party Cookies”, which we’ll explain how to deal with a bit later on.

Countering Threats pt1: ‘Illegitimate’ Organisations (and malicious individuals)

Malicious software
The most common threats we face online include viruses, adware, trojans, and ‘ransomware’ like that which recently crippled parts of the NHS.  There are a few things you can do that will massively decrease your chances of being affected by them.

• Ensure every piece of software you use is up-to-date. This includes your browser and browser plug-ins, email client, and operating system (Windows, Linux, Mac).
• Use anti-virus software, keep it up to date, and let it run recommended scans. There are a number of free options, with Avast, Avira, AVG Free, and Bit Defender all having built up good reputations. Although, be wary of ‘bundled’ programs.
• Do not download or install programs from the Internet when you are not 100% of the source. If in doubt, ask around amongst your friends or search for reviews online.

People attempting to gain access to your online accounts
A malicious individual doesn’t necessarily need to get a bit of software onto your computer to cause you problems. It’s common for people to break into your accounts directly, by guessing your password, or intercepting your computer as it sends it.

• Never input any of your personal details when not on a secure connection (https), as insecure connections are vulnerable to people ‘sniffing’ data that is passing along them. To ensure that every website capable of using https defaults to doing so when you connect, you can use Https Everywhere (https://www.eff.org/https-everywhere), which is available on Firefox, Firefox for Android, Chrome, and Opera. Https Everywhere can only ensure that all possible security features on a website are activated – if they don’t exist, they can’t be activated, and the add-on can’t help.
• Protect your primary email account like it’s the goddamn Holy Grail! Almost everything you have ever signed up for has an option to reset log-in details via your primary email address, and it’s possible that other security details could be found by going through your old emails. For that, follow these rules (and apply them to other particularly sensitive accounts, like online banking):
  
  • Don’t use its password anywhere else! Every website can have a leak, and that leak could have your email address next to a password – make sure it isn’t the one you use to log into your primary email account. And make sure it isn’t even very very close to being the same password either.
  • Change the password you use for it regularly. The longer you use a password the higher the chance of someone getting access to it.
  • Don’t use easy-to-guess security questions. In the age of Google and Facebook, facts like ‘first school’ and ‘mother’s maiden name’ are much easier to find out than they used to be. It’s a much better idea to make up fake security questions and answer combos, but of course, then you have to remember them – writing a clue to these questions on a bit of paper you hide in your sock drawer is infinitely more secure than ‘favourite colour’.
• Be careful with mobile devices! They are much easier to lose or have stolen than a desktop or laptop, and often contain just as much (or more) sensitive data.
  • If you leave your phone or tablet logged in to various websites or apps, or save passwords on it, make sure it’s encrypted and locked. Encryption prevents anyone who steals (or ‘finds’) your phone going through your passwords, phone numbers, and drunken selfies. You can encrypt Android, iPhone, even your Windows phone, by following the linked-to guides.
    
  • In the event of your phone getting lost or stolen, you should change all of the passwords, just in case.
• Just because they’re harder to steal, doesn’t mean your desktop or laptop computer won’t get stolen. You can encrypt Windows and macOS as well, although depending on your setup (and budget) it can be a little more time-consuming than for a mobile. 
• When creating passwords, make sure it is something that is difficult to guess for a human, and difficult to crack for an automated program. Humans might know your favourite movie or lucky number. Automated programs will have lists of common passwords (like qwerty678), or entire dictionaries of words – including all the common ‘misspellings’ (like swapping the letter ‘o’ for the number ‘0’)! A good option is to use a long password with unconnected words, maybe even in more than one language, or including proper nouns.
  
• Better yet, use long strings of seemingly random characters, like K8ds731Jjfnt%4ly9TQ8!02. How would you remember such an awkward password? Good question! The answer is… You don’t, you use a password manager!
• Seriously use a password manager. You don’t have to just take our word for it though, this short animation explains how and why! Recommended password managers include LastPass (https://www.lastpass.com/), LogMeOnce (https://www.logmeonce.com/), DashLane (https://www.dashlane.com), but you can always ask around or do your own research to find out which one would be best for you.

‘Phishing’ Attacks and Scams
Some people don’t rely on computer skills at all. Instead, they simply ask you to hand over your details. While most scammers (often deliberately) use laughably obvious attempts to get your details, some can be exceptionally clever and hard to spot.  Here are a few tips to avoid many of the traps they use:

• As a rule, never hand out your password to anything to anyone ever. Not via email, not via instant messaging services, and not on the phone (unless, of course, it’s a password just for phone use).
• Be incredibly wary about giving out your personal details when someone emails or calls you, rather than the other way around. It might even be worth calling the caller back on a number you know is legitimate. Be careful here though, if you’re calling back on the same land line it may not be secure. Try from your mobile or a different landline.  Legitimate companies who call you and ask for details will often give you half of something first, which is a little better, but still could be someone trying to get additional details from you when they have incomplete information.
• If you get an email that suggests you log into, for example, your banking website, do not click the link in the email! Instead, go to your address bar and access the website as normal. It’s entirely possible that the link in the email actually goes to a fake version of the banking website, one the scammer wants you to try and log into so that they can get your login details
• If someone calls you up and tells you your computer is broken, they are almost certainly a scammer. The same goes for those pop-up warnings on some websites telling you that ‘Your PC is unsecure – Click here to install some random software to secure it!’. In fact, ‘anti-scam scams’ are one of the more common varieties!
  

Countering Threats pt2: Corporations

Just because an organisation is a registered company, doesn’t mean they aren’t still a threat to our online security. They are often a more insidious problem, as the services we want to use them for (eg: online shopping) are often mixed in with ones we want to avoid (eg: our personal details being sold to advertising companies).

The main issues you are likely to face are:

• Social media organisations attempting to create predictive profiles on us
• Tracking cookies and ‘Third-party’ cookies, like the ones we told you about earlier, eg: via advertising companies
• Advertising companies (often the same as above) looking to create profiles to target adverts at us, building their databases every time we give out any sort of information
• Bundling unwanted software
• Anti-piracy

Luckily, there is a lot you can do to fight against this.

Breaking away from the corporate machine

The best way to protect yourself from corporations is to avoid using their products and services wherever possible. This is a lot easier than you might think. Since the dawn of computers, there has been a thriving community of ‘open source’ software producers. Not only do they offer the software they create for free, but they openly show everyone how it is made. This allows loads of people to work on improving one piece of software, to check it for any potential risks or problems, and it helps creators of other software who can share the code used to make it.

So, not only are you more secure online, you’re also helping create the online version of the world we want to see… People collaborating and producing things, to meet their own needs and desires and that of others, without any motivation based on profit! Here are some notable examples of open source software and non-corporate web services:

Firefox  A free open-source browser you can use as an alternative to the ones created by Microsoft, Apple, and Google. Works on PC, Mac, and Android Phones.
Thunderbird An email client from the makers of Firefox.
Libre Office An entire alternative suite of office applications. Designed to be easy-to-use by anyone who has used Microsoft Office in the past. With its own versions of Word, Powerpoint, Excel, and more. Not only is it completely free, it’s arguably a better piece of software!
Linux This is the big one! Allows you to do away with Microsoft or Apple, and run a computer entirely from open-source software. It’s quicker, safer, and more efficient. It does take some getting used to though, and there are a huge number of versions. Best with a friend or educational course to ease you into it.
Open Street Map An alternative to Google Maps or Bing Maps (which I assume someone, somewhere must use). A project to create an open-source map of the world, with numerous pieces of software (including many that allow you to get directions on your phone) supporting it.
Riseup.net Who do you want to trust with looking after your emails and online chats? A corporate giant like Yahoo or Google, or a bunch of anarchists on a shoe-string budget? Ok, actually, that may not be as obvious a choice as we imagined. However, we strongly suggest the latter. Riseup offers a wide range of services to activists for free (they run on donations), and are committed to helping keep your data private, and to bringing down capitalism. You’ll need an invite code from someone who knows you to start using their email services, but if you are active in a few groups you probably know someone already!
Aktivix Like Riseup this is another excellent alternative source of email accounts and mailing lists. Like riseup you’ll also need an existing user to vouch for you – so the choice between them may just depend on who you know.

Install software to block tracking and adverts
We highly recommend uBlock Origin for content-filtering and ad-blocking. It’s a free extension on almost all of the main browsers, and is less memory-intrusive than other ad-blockers, with additional features. Not only will this help protect your personal information, it means fewer annoying adverts, more secure browsing, and it can help sites load quicker! Go get 11111it (free) on Firefox, Firefox for Android, Chrome, Safari, or Microsoft Edge.

We also recommend Privacy Badger, which runs fine alongside uBlock Origin. Privacy Badger focuses on blocking images and scripts that advertisers and others may be using to track you, which often disables their adverts as a nice side-effect. It can occasionally interfere with the functionality of some sites, but is easy to turn off or adjust on a site-by-site basis.

Search anonymously
If you are logged into Google, it will keep a record of everything you search for. You probably guessed that. Even without logging in, search engines will attempt to keep track of what you’re up to. Luckily, there are plenty of ways to get around this!

The simplest is to use a search engine that allows you to search anonymously, such as https://www.startpage.com/ or https://www.duckduckgo.com/. You can add Duck Duck Go to Firefox as well, so that even when you search from your address bar or search bar, you do so privately.

However, if you prefer a good ol’ Google search but don’t want to be giving out your data, you can do this via Searchonymous, a free Chrome extension, and Firefox add-on.

Block third-party cookies
We talked about what these are, and why they are best avoided, in the intro. Here is a relatively simple way to avoid them for common web browsers:

Firefox: Click Options > Privacy > History > Use custom settings for history > Accept third party cookies: Never
Chrome: Click Settings > Privacy > History > Content settings > Cookies: Check ‘Block third party cookies and site data’ > Done
Microsoft Edge: Toolbar > Click ‘…’ > Settings > Advanced Settings > Privacy and Services > Cookies > Click text box > Click ‘Block only third party cookies’


Watch Out For Bundled Software
Sometimes when you install one program, you can end up with a second one you didn’t bargain for. Often something annoying like a tool bar for your web browser. This is often when you have downloaded or updated a piece of free software from a company still looking to make a profit. The best way to avoid this is to look carefully at the options when you are installing or updating software. In almost every case there will be either a tick box to install this unwanted program, such as shown below, or an option given like ‘press yes to install this tool bar, click no to just install the software you want’. They rely on people not paying attention before clicking yes/next/agree. It can be a pain, but you should at least briefly look over your options, rather than just clicking quickly through them.

Avoid Facebook and Google Mobile apps
That is, wherever possible! They will often access and store much more data about what you do than the websites do alone. Many of their functions can be replicated by open-source apps that won’t sell out your privacy. Often,  you can simply access what you want via your phone’s browser instead, although, in the case of Facebook Messenger, it is blocked unless you tell your browser to ‘request desktop version of the website’. If, for whatever reason, it’s unavoidable to use the apps, try the following:

• When installing the Facebook app, don’t allow it to read your contact list, access your photos, or become your default browser (meaning it would know all of the sites you visit, how long you spent on them, etc). All of this amounts to more data the app can record and store, and potentially share with third-parties.
• Ensure Google Maps is set to not record or store your location data or to share it with third-parties. You can do this by going into the app menu, selecting ‘Settings’ and ‘Google location settings’.

Using Facebook? Make sure you check your privacy settings
Ok, so you’re handing data over to Facebook when you post it to Facebook (that’s a given). It’s still preferable to make sure you’re not accidentally sharing it with dozens of other companies, or anyone who happens to Google your name, though! If you post something and it’s set to public (do it once, and it may become your default) it means just that, so be very wary of ever doing so. There are also a couple of other things you might not have thought of, but we’ll go through them now…

First off, you can get to your privacy settings on Facebook (you have to be logged in) via Settings > Privacy, and then you’ll have a variety of options you can go through:

• ‘Who can see my stuff?’ | As we mentioned before, this is automatically set to ‘Public’. You can change this to ‘Friends’ (all friends), ‘Friends except’ (all friends, except for those you add to the exception list), ‘Specific friends’ (only those friends you add to this list), or ‘Only me’ (only you are able to see what you post)
• ‘Who can contact me?’ and ‘Who can send me friend requests?’ | Both of these are auto-set to ‘Everyone’, but you can choose to change this so that only ‘Friends of friends’ can contact you or send you a friend request
• ‘Who can look you up using the email address/phone number you provided?’ | Again, these are auto-set to ‘Everyone’, but you can opt for only ‘Friends of friends’ or even just ‘Friends’
• ‘Do you want search engines outside of Facebook to link to your profile?’ | This box is checked by default, and means that if someone searched your name in a search engine, a link to your profile will be listed as one of the search results. By unchecking the box, you are preventing this from happening!

Prevent third-party access to your social media profile
By logging into other apps and surveys using your Facebook or other social media account, you are exposing yourself to lots of potential risk. Apps all have access to different amounts of data, and as they add users, their databases grow and become targets for hackers. Basically, the more applications you use, the bigger your security risk. Those quiz and polling sites you have logged in via Facebook? Companies can gain access to the personal information you gave to these apps.

You may already have given these permissions away, but you can revoke them by following these steps: Log into Facebook > ‘Settings’ > ‘Apps’ > Scroll down to ‘Apps others use’ > ‘Edit’ > Uncheck all boxes > ‘Save’.

Use a fake name wherever possible

If you don’t use your real name, it will obviously be harder to find, record, and store personal information about you! For this reason, many companies will pester you a lot for your real name, but luckily most won’t go as far as getting you to prove it.

Don’t tag yourself in pictures where anonymity is key
If there is a picture of a protest and you spot yourself there in black bloc, don’t tag yourself. Definitely don’t tag your mate next to you. Even if you were just dressed for a march in the sun, it’s best not to make the job of state surveillance of protesters easier! This might sound a little silly, but this has actually happened, and people have been caught up in legal action as a result.

Avoid logging into other websites via Facebook, Google, and other social media accounts
Logging into other websites using your an existing account (‘Log in via Facebook’, etc) could allow the parent company details of what you’re up to when you’re not even using their website.

The software can even track you via cookies when you don’t use it to log in. To avoid this, you could log into social media via a different browser, or via your browser’s ‘private’, ‘hidden’, or ‘incognito’ windows or tabs (which will keep your social media cookie separate).

Putting ‘all your eggs in one basket’ can be risky, and a failure in just one company’s security could expose all your other accounts. A separate account and password is your safest bet (especially for a site with sensitive personal information). With a password manager, you’ll even get most of the convenience without the risk.

Countering Threats pt3: State Surveillance and Corporate Espionage

This is perhaps the scariest one. Edward Snowdon’s revelations confirmed what many had long suspected. Our governments (in the US, UK, and more) collect massive amounts of information on all of us with little or no oversight. You don’t need to have broken any laws, be suspected of it, or even just belong to a political organisation – everyone is caught in their spy net. Not only this, but they are often aided by having ‘back door’ access to numerous pieces of software, with or without the companies that run them knowing.

When caught carrying out this, often illegal, surveillance, most states simply changed the law so it wasn’t illegal any more. In the years since they have expanded their capacity to track everything we do. However, there is a lot we can do to help slip through their net. If enough of us do it, the whole thing may stop working.

Disclaimer: The following should help you dodge a lot of the automated mass surveillance that takes place, and will even hinder agencies who are targeting you specifically. However, these are only basic steps. With enough resources, time, and knowledge nearly anything you do can be gotten through. If you are planning something especially sensitive, you shouldn’t be involving a computer or phone in it at all, before, after, or during – especially if you’re reading an intro guide!

Stop the government knowing every single website you have ever visited
ISPs are now required to log all the websites you visit, which means this information is now available to numerous government departments, from the police and intelligence services, right down to the NHS and DWP! Your ISP may also respond to requests to trace your IP address, for example, from copyright holders looking to send ‘cease and desist’ letters to those they suspect of illegal downloading.

On top of this, when you connect to someone else’s WiFi, you could potentially be monitored by them, or have your history unwittingly stored by their network!

This is where TOR (‘The Onion Router’) and VPNs (Virtual Private Networks) come in. Using either of these will mask what you are sending and receiving and where it’s going or coming from. It will also conceal your identity from the websites you visit (unless you log into them!). Your ISP will often be able to see that you are using TOR or a VPN but not what you are using it to do. You can even use both, or even both twice – but that’s a bit more complex that what we are looking at in this guide, and comes with its own potential risks. Using these tools also lets you access websites that are being blocked by a specific connection, maybe your work WiFi blocks access to anarchist propaganda for example!

So, which should you use? Check out this handy pros-and-cons list to see which option is best for you.

TOR
What it is: TOR directs your internet traffic through a volunteer run international network of computers acting as relays called ‘nodes’.  Your information is encrypted and bounced between these nodes, before reaching an ‘exit node’ which communicates between the Tor network and the rest of the internet. It helps to conceal your identity from websites and your browsing history from ISPs
Route: Your PC TOR node some other TOR nodes TOR exit node rest of the internet
Pros:
Free!
Doesn’t require you to trust anyone (not even the people who run TOR, or it’s nodes should have any way of finding out what you are up to!)
Your ISP doesn’t know any information other than the time you are looking at ‘something’
Easy to use via ‘TOR browser’
Cons:
Slows down your connection
Can be vulnerable if configured incorrectly, or used to access certain types of online content
Some vulnerabilities, but these will only mostly affect those doing things that would get a lot of attention from the authorities!
Some websites block access from TOR
Where to get it: You can download TOR Browser here

Paid VPN
What it is: A VPN creates an encrypted ‘tunnel’ between your PC and the VPN provider’s own network of computers. It’s as if you had a private cable running straight into their network. Their network then communicates with the outside world for you, masking your identity and what you are up to.
Route: Your PC Encrypted tunnel The VPN host rest of the internet
Pros:
Doesn’t effect your connection speed as much
Easy to set up (and the provider will give you help, if you need it)
Few vulnerabilities
Your ISP doesn’t know any information other than the time you are looking at ‘something’
Cons:
Requires you to trust your VPN host
Costs money!
Where to get it: We recommend signing up for ‘Private Internet Access’ via getavpn.org. It doesn’t keep logs, is run by folks trusted by activists, based in Iceland (which has some of the strongest privacy laws), allows torrent use, is cheapish at $40/year (about £30),  has committed to shutting down before caving to a request to breach privacy of its users, and (via that link) 30-40% of what you pay is donated to Fight for the Future . You can use it on up to five computers/tablets/etc at once

Free VPN
What it is: As above, only free!
Route: As above
Pros:
Free
Few vulnerabilities
Your ISP doesn’t know any information other than the time you are looking at webpages
Cons:
Often either unreliable or slow
Some free VPN providers bombard you with ads or unwanted software
Often restricts what you can do, for example streaming video or downloading large files
Where to get it: Riseup offers a free VPN, which is trusted, safe, and free of adverts, but it can be unreliable (https://riseup.net/en/vpn)

State Surveillance of Messages
As we said before – and we’re sure you agree – no one wants a random person trawling through their personal messages, whether it be on social media, on your mobile phone, or in your email. It’s not a simple matter of being ok if you’ve ‘done nothing wrong’. There are plenty of things we all do that we wouldn’t want everyone to know about, even if they aren’t immoral or illegal. Then, of course, there is the problem of what will become illegal in the future. Today’s free expression of democracy can easily be tomorrow’s dangerous domestic extremism.

Here are some ways to keep your private conversations just that:

Don’t say it online
We’re being serious here. If what you are saying relates to secret plans for an upcoming demonstration or direct action, or relates to something that may have happened and is of, uh, questionable legality, it may be best not to mention it online at all. Of course, this isn’t always practical if you need to coordinate things or check up on someone, but you should always be very careful about what you say, especially with specifics. That said, there are a lot of ways to mitigate the risk of talking online, and we’ll go into two of the best now. We recommend them not only for your super-secret-revolutionary-plans but also for your day-to-day conversations with friends.

You can’t stop the Signal
Signal is an extremely easy-to-use messaging service for mobiles. If you’ve ever installed an app and sent a text, you should have no problem with it! Not only does it encrypt texts you send to other signal users, it allows you to create encrypted group conversations, send encrypted files and photos, make encrypted phone calls, and even have encrypted video chats. It can be used as your default texting (SMS) application, so you don’t even have to remember to switch to it to send messages to other Signal users.

It is free, open source, and recommended by nearly every expert on internet security and knowledgeable activists the world over. It will prevent even your mobile network operator from knowing what you are saying. If you have an Android or iOS phone there is no reason not to get it!

A couple of important notes:
Signal sends messages over mobile internet. For voice or video conversations, you’ll need decent reception, as well as the data allowance to spare (or a WiFi connection).

It’s all well and good encrypting messages as they are sent between phones, but it’s also important to encrypt them on the phone itself. As we mentioned before it is relatively easy to encrypt an Android phone or iPhone.

Emails and Pretty Good Privacy
When it comes to whether the government can read them, emails are usually about as secure as a pile of open letters you’ve left outside your front door. They can call up your email provider and ask for them to be handed over, or simply turn up and seize the computers they are stored on. They can listen in on your connection and copy them as you send and receive them, or maybe even get your password and log in to read them just like you do.

Clearly, this is not a great way for things to be! You could devise a secret code you send your emails in, but you’d need to explain it to everyone you talk to, and it’s unlikely it’d take long for the government to break it. You could save your messages in a password-protected encrypted form and then send them to your friends… but then you’d need to give them the password to open them at the other end, right? If you just emailed them the password, the whole thing would be pointless!

Luckily, there is a solution to all of these problems. It’s called Pretty Good Privacy (PGP) and dates back to 1991. It’s a way of encrypting and decrypting things that works especially well for email. It’s very hard to crack, in fact, it’s the hardest thing to crack that isn’t hidden away in a military bunker somewhere. It allows anyone to send you a secret encrypted message without having to meet with you to discuss codes or passwords first! It’s slightly more complicated to set up than most of the things in this guide, but it is definitely worth the effort.

“How does it work?” you are probably wondering. Well, very simply, it involves a way of encrypting that uses two keys. One is known as a public key, which you can hand out to people. Anyone can use the public key to encrypt a message, turning it from something anyone could read, into something that even they can’t read anymore. See, that’s the really clever bit: the public key only works one way. It ‘locks’ the messages into an encrypted form, but it can’t ‘unlock’ them again. For that, you need the second key, the private key. This is the one that you keep hidden and to yourself. It allows you to unlock and view any message that has been encrypted using the public key.

There is also something else this pair of keys allows you to do, which is use them the other way round! This way anyone with your public key can ‘unlock’ and read something that has been written, but only you (with your private key) could have been the person to ‘lock’ it in the first place. Whilst this doesn’t sound as useful straight away, it comes in very handy. It is a way of people confirming that you were the one who wrote something. This is referred to as ‘digital signing’, as it’s like having a (very difficult to forge) signature on all the messages you send out. Combined with the previous way of using the keys, it’s extremely powerful. It means you and your friend can send messages that only each other can read, and that you know must have come from the right person!

That’s the theory bit (very briefly, if you’re into mathematics, it can be fascinating to look into in more detail). On to the practice!

The way we’d recommend to use PGP is via an email client. If you’re unaware, an email client is a program that handles the sending, receiving, and storing of emails on or from your computer. If you use email at work, it’s probably through a mail client. Common ones include Apple Mail, Microsoft Outlook, and, our favourite one, Thunderbird. The alternative is accessing your email via a browser on a website like hotmail.com. Mail clients allow you much more functionality and customisation.

Specifically, we’d suggest you use Mozilla Thunderbird (as it is free and open-source) along with the PGP applications Mozilla recommends, namely GnuPG and Enigmail. The Thunderbird website has a pretty good guide to setting it all up, so we’ll just run through a summary.

First off, you set up Thunderbird (if you weren’t using it already). This will mean inputting your email address and password, and possibly additional information. Then you install the other two pieces of software. Once it’s all set up, you can generate your pair of keys! You’ll get told this a lot, but never ever give anyone your private key. Not only could they then read all your emails, they could forge your digital signature as well! Thunderbird can store your private key (password protected and encrypted of course), and it can send your public key directly to your friends. It can also handle the receiving and storing of public keys from other people. It can also upload your public key to a database so other people can find it automatically without you having to give them it each time. Likewise, it can download public keys from these databases for people you want to email.

Another potential problem with sending secret messages that only the recipient can read… what if the recipient isn’t who they say they are? It’s easily overcome if it’s someone you’ll see in person, of course. They just have to say, “Hi, I’m Sam, and this is definitely my public key”, but in other circumstances (like where you are using a public database of keys, as we just mentioned) you may have to rely on the ‘web of trust’. Simply put, this is a list of people who vouch for each other using their digital signatures. So if you know Sam is really Sam, and Joe is really Joe, you can look at the web of trust and see they both vouch for the fact that Sally is really Sally, and thus be pretty sure of it yourself. Whilst you’re at it, you can vouch for Sam and Joe!

If your private key does get stolen somehow (or you suspect it might have been), you need to revoke it ASAP. This lets everyone know not to use it or trust it any more. Then you can generate a brand new set of keys to use instead. It can be good to periodically do this anyway, for the same kind of reasons as it’s a good idea to regularly change passwords.

Countering Threats pt4: Linking up for the big fights

Just by following any (or all) of the suggestions so far in this guide, you’re already contributing to making the internet (and the world) a safer and freer place. It’s relatively easy to increase the impact you’re already having. Here is how to do that, and why what you’re doing already matters.

You’re normalising encryption
If encryption was only ever used to send messages that are essential to keep from the prying eyes of the government, it’d be easy for them to spot those messages! It only really works if it becomes common for people to use encryption when they’re planning to go to the pub, talking about football, or sending cat pictures. With enough time, any single message can be broken into, but if the person doing the breaking has to go through 3000 dog memes to find one piece of intel, it’s going to make their job near impossible.

You can help spread it!
Mention to people you use encryption. Talk about why. Ask if they know how easy signal is. Maybe link them to this guide. Not only does this help normalise encryption further, you might end up equipping someone with a tool that is essential for what they are doing. Maybe you’ve saved them from finding themselves harassed by a fracking company two years from now, because the spy the company hired couldn’t decrypt the email with their real name and address in it. Good on ya!

You’re breaking the hold the data-collectors have over all of us
Data on one person is dangerous in the wrong hands, and it’s the wrong hands who put the most effort into collecting it. Even more dangerous is data on lots of people in the wrong hands. It allows corporations and states to predict and influence our behaviour (I really wish that were just paranoia). Each person that removes themselves from this pool of data helps! Especially if you’re the type of person who wants to change the world, after all, we need to be unpredictable to win!

You’re ensuring you’re a strong link
Information doesn’t usually get shared just from person A to person B (or person A to corporation B), it gets spread around. If you’re making sure you handle it well, you are keeping everyone you are connected with a little bit safer.

You could start some important discussions
Sometimes it feels like we’re all just sleepwalking our way into a totalitarian dystopia. As anarchists, we encourage people to question all-of-the-things. It’s important to keep this up, and make sure it forms part of our normal interactions with others, and not just some specially allotted ‘activist’ time.

You’re supporting open-source projects
We’ve mentioned this already, but, in many ways, open-source communities are an example of how we’d like to see the whole world work. When you use the software they make (especially if you can afford to donate to the projects as well), you’re helping sustain and grow them. At the same time, you’re one less customer for the giant corporations that control so much of our electronic world.

Want to be more proactive?

All of this is great, but if it’s really got you riled up, or you just think these campaigns may fit in well with your life or skills, you may want to do more. Luckily, there are a number of groups that dedicate their time and energy towards exposing state surveillance, fighting dangerous new laws, and keeping the internet as free from corporate control as possible.

Here are a few we’ve had direct experience with. You’ll likely recognise some of them from earlier in the guide. It would have been so much harder to come by this information and the resources we link to without groups like these!

Electronic Frontier Foundation (https://www.eff.org/)
Probably the most famous of the lot, and certainly the largest. It’s an international group, based in the US, that aims to protect privacy, innovation and civil liberties, and expose potentially dangerous government and corporate actions. Its tactics range from legal funding and advice, supporting the development of software that helps its aims, educational projects, lobbying of states, exposing the impacts of new laws in the media, and even publishing an anthology of speculative fiction. It’s a ‘broad church’ but has done some undeniably excellent work since it’s founding 26 years ago.

Fight for the Future (https://www.fightforthefuture.org/)
This group is US-focused, but has information that is useful the world over. As well as providing radical education tools, in its own words it ‘is dedicated to protecting and expanding the Internet’s transformative power in our lives’. It uses demonstrations and mass campaigning, both online and in person, to influence policy and protect online freedoms, and to protect dissent and protest in general.

Open Rights Group (https://www.openrightsgroup.org/)
The best source of UK-specific news on government and corporate surveillance, data protection, and laws that threaten our online freedoms. As well as providing this info, they ‘talk to the media, campaign, lobby, go to court, and work with other activists and campaign groups’.

BarnCamp (https://barncamp.org.uk/)
BarnCamp is a low-cost, rural DIY skill-sharing event started by UK tech collective Hacktionlab. It is open to everyone: activists, campaigners, people involved in social and community groups, and anybody else with an interest in technology and how to subvert it and put it to good use. All skill levels are invited and should get something out of it.

Anarchist Federation (https://www.afed.org.uk)
As the existence of this guide shows, we are committed to fighting for freedom online, as well as in our communities, workplaces, and out on the streets. Previous campaigns have included DefyID (back in the early 2000s), which was part of the successful fight against mandatory biometric ID cards!  If you want a free and equal society, then see if we sound like the organisation for you.

Written by Bristol Anarchist Federation Posted in Resources Tagged with Capitalism: A Survival Guide, encryption, internet, online, privacy, security, surveillance