Activists: Four 20-minute steps for online privacy and security

The recent reports on government programs that collect phone records and monitor internet activity are unsettling, but no surprise to some of us. Our School for Creative Activism in May was held with Muslim-American activists who were unfairly surveilled by the NYPD. Sweeping surveillance is lazy police work, and its side effects damage society.

So what can activists do? There are two ends to the spectrum: ignorance and paranoia. Neither is good.

  • Ignorance opens us up to all kinds of problems: having your email, social network, or bank accounts hacked, with results ranging from simply embarrassing to financially ruinous.
  • Paranoia isn’t healthy and, as we learned from COINTELPRO in the 1960s, it is also an effective form of oppression.

Between these poles is where we should try to land. Where exactly depends on your comfort level, the kind of work you do, and your ability.

I’m going to lay out a few things you can do to improve your privacy and security, each within about 20 minutes, along with some steps to go further. These are small and relatively basic steps toward securing your communications and your privacy online. You don’t have to do it all now, but you can at least begin the process.

Of course, this is by no means comprehensive, but a lot of people can benefit from taking these first steps. If you have brief and constructive suggestions, please submit a comment.

Step 1: Test your passwords.

You have a good password, right? You know how to do it: some letters and numbers, a couple of uppercase, there’s even a ? in there. Facebook might even say your password is “strong.” Put the strength of your passwords to the test using Passfault. (Passfault is now offline, but security.org has something similar.) One caveat before you do: never type a password you actually use into someone else’s website; test a password built the same way instead.

The tool estimates how long a password would take to crack with different cracking tools and hardware. I was shocked.

Running a password like P1ckle? through Passfault, I learned it would take less than a day to crack with an everyday computer: it is the dictionary word “pickle” with two common substitutions, exactly what cracking tools try first. Put that up against the computing power of the NSA and wonder why you have a password at all.

(Image: Passfault demo, password evaluation)

Step 2: Strengthen your passwords.

You can test what makes a strong password with Passfault, and you can make a stronger one, but how will you ever remember something so complicated?

One answer is a password manager. Shop around, but I like 1Password. While it is relatively costly, looking at all the features I think it’s a good value. 1Password creates strong passwords, stores them, and automatically fills them in for you when you need them. The one password you still have to remember is the master password that unlocks the whole vault, so make that one long, unique, and memorable using the next strategy.

Another strategy is to use passwords that are long but easy for you to remember. As the comic below shows, varied characters help, but length matters more. Just make sure you use words no one else would guess. So don’t pull a Keyser Söze and pick whatever words your eyes land on first; use Diceware to generate the words for you. Diceware works by rolling dice to pick each word from a published list, so the words are random even if the list is public. Then invent a mental image that links the random words so you can remember them.

(Image: “Password Strength” comic)

By the way, don’t click on that Keyser Söze link if you haven’t seen The Usual Suspects yet.
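To put numbers on steps 1 and 2, here is an added example (not from the original article, nor Passfault’s or 1Password’s code) that computes the brute-force entropy of a short “complex” password against a Diceware passphrase, converts both to crack-time estimates at assumed guess rates, and draws a passphrase with the operating system’s random generator. The word list and the guess rates are constructed assumptions, labelled in the code; a real Diceware list has 7776 words.

```python
"""Added example, not from the original article: put numbers on the
"length beats complexity" advice and generate a Diceware-style passphrase
with the OS CSPRNG. Guess rates and the word list are labelled assumptions."""
import math
import secrets

# A real Diceware list has 6**5 = 7776 words, one per roll of five dice.
# This short list is a constructed stand-in so the example runs offline;
# the entropy figures below always assume the full list size.
DICEWARE_LIST_SIZE = 6 ** 5
SAMPLE_WORDS = [
    "acorn", "basil", "cabin", "delta", "ember", "fjord", "gable", "hazel",
    "igloo", "jumbo", "kayak", "lemon", "mango", "nomad", "oasis", "pearl",
    "quilt", "raven", "salsa", "tulip", "umbra", "vinyl", "waltz", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "dune", "elbow", "flint",
]

# Assumed guess rates, for illustration only: one consumer GPU against an
# unsalted fast hash, and a well-funded cluster. Substitute your own numbers.
GUESS_RATES = {
    "one desktop GPU, fast hash (assumed)": 1e10,
    "large cluster (assumed)": 1e13,
}


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must cover."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_bits(password: str) -> float:
    """Entropy if the attacker knows only the alphabet and the length.
    This is an upper bound: 'P1ckle?' is the dictionary word 'pickle'
    plus two substitution rules, and word-plus-rule attacks (what
    Passfault models) find it in a tiny fraction of this keyspace."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of n words drawn uniformly from a public list. The attacker
    is assumed to know the list; only which words were rolled is secret."""
    return n_words * math.log2(list_size)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: half the keyspace on average."""
    return (2 ** bits) / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    """Rough, readable duration."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def diceware_passphrase(n_words: int, words=SAMPLE_WORDS) -> str:
    """Software dice: secrets.choice draws from the OS CSPRNG. Never use
    random.choice for this; it is not designed for secrets."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def compare(password: str, n_words: int) -> dict:
    """Side-by-side entropy and crack-time estimates for both strategies."""
    rows = {}
    for label, bits in ((password, brute_force_bits(password)),
                        (f"{n_words}-word Diceware passphrase", passphrase_bits(n_words))):
        rows[label] = {"bits": round(bits, 1)}
        for rate_name, rate in GUESS_RATES.items():
            rows[label][rate_name] = human_time(crack_time_seconds(bits, rate))
    return rows


if __name__ == "__main__":
    for label, info in compare("P1ckle?", 6).items():
        print(label, info)
    print("example passphrase:", diceware_passphrase(6))
```

Even the generous brute-force bound gives P1ckle? about 46 bits, under an hour at the assumed GPU rate, while six Diceware words from a list the attacker knows give about 77 bits. Four random words already beat the seven-character password, and the passphrase is the easier one to remember.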

Step 3: Start moving files from Google and Dropbox to a private sync solution.

The reports suggest that Dropbox and Google data streams are available to the NSA. While you may not have much to hide (and it is critical to understand that “nothing to hide” is the wrong way to think about surveillance), you may still prefer to keep your and your collaborators’ documents private. For what most people use Dropbox and Google Docs for, tools like Syncthing, Nextcloud, and others offer a free and private replacement.

(Image: BitTorrent Sync, now Resilio Sync)

Syncthing and Resilio Sync synchronize data over encrypted connections without a central server: no Google Drive, no Dropbox, no cloud, only the computers you invite into the network, each identified by its device ID. Nextcloud takes a different route: a server you or a host you trust run yourselves. Peer-to-peer sync needs two of the computers online at the same time, so the more devices a folder is shared with, the more often a sync partner is available. Two caveats: these tools encrypt data in transit, not on each peer’s disk, and every peer holds a full copy of the folder, so a lost or compromised laptop exposes everything unless its disk is encrypted. At the Center for Artistic Activism we use Syncthing and Nextcloud. You may also consider Resilio Sync.

Step 4: Start using PGP/GPG to encrypt your email

When using postal mail, there are some messages you’d happily send as a postcard and others you’d want sealed in an envelope. Depending on what email service and applications you use, your email may cross networks like a postcard, readable by anyone who can pick up the stream. Secure connections (TLS) between your mail program and the servers help, but they protect only one hop at a time: each mail server along the way, and any hop that falls back to plaintext, still sees the message. Encrypting the message itself is the only way to keep its contents private end to end. Even then, the envelope shows: the subject line and the sender and recipient addresses still travel in the clear.

GnuPG is a free tool that implements this encryption. If you’re using Apple’s Mail.app, GPGTools will get you up and running with encrypted mail fairly quickly. For Gmail users there’s a Chrome plugin called Mymail-Crypt for Gmail™ that can help you get started. There are other tools you can research and try. Explaining the ins and outs is beyond the scope of this article, but skimming the GPG HOWTOs and manuals will give you a sense of how it works.

For encryption to work, both parties need to use it, which makes it inherently social. PGP users hold “key signing parties” (not that kind of key party) where they meet in person, confirm each other’s identities, and compare key fingerprints before signing and exchanging public keys, so that later messages are encrypted to the right person and not to an impostor who published a key under their name. Encouraging other people to use encryption allows you to create secure networks.
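The exchange described in this step, as an added example that is not from the original article or from GPGTools: two constructed identities, Alice and Bob, each with a throwaway GnuPG keyring in a temporary directory, generate keys, swap public keys, check fingerprints the way a key signing party would, and then pass a signed, encrypted message. The names, addresses, message text, and directories are invented for the demo; the gpg options used are standard GnuPG 2.x command-line flags. It runs offline and never touches your real keyring.

```shell
#!/bin/sh
# Added example, not part of the original article: a complete two-party
# GnuPG exchange run entirely in throwaway keyrings under a temp directory,
# so nothing touches your real keys. Names, addresses and the message are
# constructed for the demo.
set -eu

WORK="${PGP_DEMO_DIR:-$(mktemp -d)}"
ALICE="$WORK/alice"; BOB="$WORK/bob"; EVE="$WORK/eve"
mkdir -p "$ALICE" "$BOB" "$EVE"; chmod 700 "$ALICE" "$BOB" "$EVE"

# gen_key HOMEDIR NAME EMAIL: unattended key generation. %no-protection
# (no passphrase) is acceptable only because these keyrings are disposable.
gen_key() {
    gpg --homedir "$1" --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# fingerprint HOMEDIR EMAIL: the 40-hex-digit primary-key fingerprint,
# which is what people read out and compare at a key signing party.
fingerprint() {
    gpg --homedir "$1" --batch --with-colons --fingerprint "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# share_key FROM TO EMAIL: export EMAIL's public key from keyring FROM and
# import it into TO, then compare the fingerprint TO now holds with the one
# FROM reads out (a stand-in for the in-person check). Only after they match
# is the key locally signed, so TO's gpg will encrypt to it without warning.
share_key() {
    gpg --homedir "$1" --batch --armor --export "$3" \
        | gpg --homedir "$2" --batch --quiet --import 2>/dev/null
    want="$(fingerprint "$1" "$3")"
    got="$(fingerprint "$2" "$3")"
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch for $3: refusing to trust the key" >&2
        return 1
    fi
    gpg --homedir "$2" --batch --yes --quick-lsign-key "$got" 2>/dev/null
}

# encrypt_to HOMEDIR SENDER RECIPIENT MESSAGE: sign with SENDER's key and
# encrypt to RECIPIENT; print the ASCII-armoured ciphertext (the envelope).
encrypt_to() {
    printf '%s' "$4" | gpg --homedir "$1" --batch --armor --sign --encrypt \
        --local-user "$2" --recipient "$3" 2>/dev/null
}

# decrypt_in HOMEDIR: decrypt stdin, verify the signature, print plaintext.
# Fails (non-zero exit, no output) when HOMEDIR holds no matching secret key.
decrypt_in() {
    gpg --homedir "$1" --batch --quiet --decrypt 2>/dev/null
}

# setup: create both identities and exchange keys once (idempotent).
setup() {
    [ -f "$WORK/.ready" ] && return 0
    gen_key "$ALICE" "Alice Activist" alice@example.org
    gen_key "$BOB"   "Bob Organizer"  bob@example.org
    share_key "$ALICE" "$BOB"   alice@example.org
    share_key "$BOB"   "$ALICE" bob@example.org
    : > "$WORK/.ready"
}

# roundtrip: Bob writes to Alice; prints what Alice reads after decrypting.
roundtrip() {
    setup >/dev/null
    encrypt_to "$BOB" bob@example.org alice@example.org \
        "meet at the library at 7" > "$WORK/msg.asc"
    decrypt_in "$ALICE" < "$WORK/msg.asc"
}

# eavesdropper_reads: Eve captured the envelope but has no secret key.
eavesdropper_reads() {
    decrypt_in "$EVE" < "$WORK/msg.asc" || echo "(cannot decrypt)"
}

# leaked_keyid: what Eve learns from the envelope alone. The body is opaque,
# but the packet header names the recipient's key ID, and the mail headers
# around it (subject, To, From) were never encrypted in the first place.
leaked_keyid() {
    gpg --homedir "$EVE" --batch --list-packets "$WORK/msg.asc" 2>/dev/null \
        | awk '/pubkey enc packet/ { print $NF; exit }'
}

roundtrip; echo
echo "eavesdropper sees: $(eavesdropper_reads)"
echo "recipient key ID visible in ciphertext: $(leaked_keyid)"
```

The fingerprint comparison in share_key is the step that matters socially: importing a key is easy, but only an out-of-band check (in person, over the phone, printed on a business card) tells you the key belongs to the person you think it does. The last function shows the flip side of the envelope metaphor: the ciphertext still reveals whom it was encrypted to, just as a sealed letter still carries an address.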

Go for direction, not perfection

Following these few steps can get you a little more privacy and help keep your accounts from being cracked, whether by a mischievous prankster, a scammer across the world, or our own government.

Of course, we shouldn’t be subject to the kind of surveillance revealed in recent news reports at all, but we can minimize what private information is available. I’ll be the first to admit I am not fanatical about privacy. I might walk from my shower to my bedroom past an open window. I love the convenience of location-based notifications on my GPS-enabled smartphone when I walk by a post office and it reminds me to get stamps. I am also put off by paranoia: I can’t take seriously putting tape over my laptop’s camera, because I understand how the circuit works, and that’s just not how I want to live. However, having tools that offer a little choice and independence along with ease of use is very encouraging. Someday maybe we’ll be able to control our phone metadata more easily. Someday I might be less forgetful about getting stamps. For now, I’ll start taking some steps; the tools are available, but they only help if we use them. We also need to set aside some time to understand how things work more deeply than the “basic Gmail user” level of computer literacy.

When you’re ready to do more, check out Prism-Break.

One final thought: another good defense is not doing anything stupid. Basic privacy is your right, but whenever there is an element of your work, your reasoning, or your research that you’d be afraid of your audience finding out, take caution. Are you trying to trick people in any way? If so, how would they feel about it if they found out? How would your (politically sympathetic) parents or grandparents feel about your plans? If you’re trying to get away with something blatantly illegal or destructive, check back in with your goals and make sure there isn’t a better way.
