Good and Geeky Podcast about Privacy, Security and Anonymity
It’s even more important to have good security if you’re taking part in protests for Black Lives Matter. I have seen a load of videos where the police are brutal in the US. They have forgotten they are there to protect and serve the people. They are just happy donning the good old riot gear and bashing people’s heads with their batons. No one can fight back because they also have guns which they are also likely to use.
I think they are making a huge mistake and will have a more difficult job policing in the future with their present attitude. Attacking people exercising their right to protest peacefully is not on and protesters have to up their game. This can start by protecting the data on their mobile phones, in case they get arrested. The police will take your phone off you and get inside looking for information to incriminate you and anyone else connected. So first off – turn off the biometric entry to your device. Don’t use fingerprint or face recognition technology to unlock your phone. Then have a good password which they can’t get past. I recommend a long password made up of words with a special character in between if you can.
Let’s look at the methods of communication available… starting with email
If you’ve been following my website good and geeky.com you’ll know I’m committed to communication by secure, private and possibly anonymous means. I don’t approve of using email for communications unless it is encrypted. Sometimes you can’t get around it, but you can make sure that only happens with emails that contain no personal or private data. So somebody sends you an email and it’s not encrypted, what do you do? How can you keep your communications private?
There are a number of options, and what you do to remedy the situation depends upon the contents of the email and with whom you are communicating. If the email sent to you is safe and does not contain any personal information, you could reply with unencrypted email if you needed to get the email replied to quickly. If you need to reply with some personal information then it’s going to be a good idea to encourage the recipient to start using encryption. Again we have options with how we do that.
- Encrypt the reply using something like the Paranoia Text Encryption and give the recipient the password by secure means. So you would phone them up and tell them the password; let’s assume that you know their voice and you are confident their phone number is correct. PTE is good because there is a web version and the contact doesn’t have to install any software.
- Encrypt the reply using an application like Encrypto. Encrypto encrypts documents, so create your reply in whichever application and then encrypt the end result. Send the document in the reply email. Your contact will have to install Encrypto.
- Reply to your contact with a messaging service which has end to end encryption. Session, Signal, WhatsApp, Threema, Telegram, Wire, Dust, Wickr Me and Confide. You can put whatever you like into any of these messaging services and know that it is not going to be disclosing its contents to a man in the middle attack as it passes through the Internet.
- Belt and braces – If you’re really paranoid you could double up on the encryption you use. You could encrypt text using Paranoia Text Encryption before putting it into either a document you encrypt with Encrypto, or an email encrypted using PGP/GPG, or sending via an application using end-to-end encryption. Most of the time that would be over-the-top; perhaps you might do this with extra sensitive information.
- If you’re using Gmail then you can make use of FlowCrypt. This is a plug-in you can use to add PGP encryption to your Gmail account. If you have FlowCrypt set up you can use a webpage for people to send you encrypted emails to that account. If that contact is also using Gmail you can also encourage them to set up a FlowCrypt account. This would make things nice and easy.
One of the problems with using email, given that it is so insecure, is when you send an encrypted email to somebody and they reply with the body of your email unencrypted within the text. What is the point of that? If somebody did that to me I would be very annoyed. It is ridiculous to send something encrypted and for it to still end up going through the Internet unprotected. The person receiving the encrypted email would certainly know that it was encrypted, so it would be just stupidity or ignorance with them replying in that way. If you needed to continue communicating with that person you would have to work out a different way of sending information. It’s probably less likely to happen if you put the sensitive information inside an encrypted document as an attachment. When they click on reply and include the body of the email within the reply, attached documents will probably not be included. In any case, the document will still be encrypted. It would take work by the contact to select, copy and paste the information to put back into the reply.
You may have to resort to telling the person off and insisting they follow some basic privacy rules. Maybe all that is needed is a little chat. Maybe you’ll need to change to a different method of communication. Tell that contact you will only communicate with them using end to end messaging services.
You have to wonder why it is that people still persist in using email. Is it a lack of knowledge and ignorance of how insecure email is? Maybe the majority of people still don’t recognise that there are dangers in communicating online. There are many people who would say, “I don’t have anything worth stealing in my information.” These people don’t realise there is software gathering much of this information and putting it together. Perhaps in one email finding out what your date of birth is, and in another email finding out where you live or the name of your dog, or the street in which you grew up. Once there are enough data points they could access your email account and then use that to attack everything else. There’s good reason why, when you are giving answers to security questions, you should basically put in a hard to guess password rather than the actual information. Store it all in your password manager; I use 1Password.
By the way, your most important accounts such as an email account or your Apple account should be protected using two factor authentication. That way if somebody gets your password they’re still not going to be able to get in. The first factor is your password and the second factor is something you have or something you store elsewhere. I use the one-time password application Authy and I also use 1Password to give me those 30-second time-sensitive digits to gain access to my account. I’m well protected!
Choose a good end to end encrypted messaging service
When I first started looking at these messaging services I didn’t find one which was absolutely perfect. There are a number of things to consider. Does the service encrypt end to end by default? Does it offer verification so you know who it is you are talking to? Can you have disappearing messages so you can choose for a message to automatically vanish after a number of seconds or stick around for as long as a week? Can you sign up for the messaging service anonymously, so you don’t have to give your phone number or your email address? Can you communicate safely within groups? Could your data be divulged to law enforcement if the messaging service company was given a legal request? Is the metadata protected within your message? Then there are questions such as how easy it is to use the messaging service. Is it easy to add and delete contacts? Can you send audio, photos and documents, or make secure encrypted phone calls? An important one is whether the application is free and, if so, why is it free? If the application is something which has to be paid for, it could be difficult to persuade your contacts to use it. Even if the application is free you might still have contacts who are unwilling to download and install software on their device.
My process in choosing my preferred end to end encrypted messaging service
WhatsApp is a popular messaging service with end-to-end encryption. I don’t mind using this with friends who are users of WhatsApp. I don’t think it’s necessary to persuade them to change to something more secure. By more secure, I mean an application which is not owned by Facebook. Facebook has enough black marks against them for how they have used, abused and leaked customers’ information. For this reason I wouldn’t fully trust WhatsApp.
The next one on the list was Telegram. This is a fairly good secure messaging service. The two things I have against it are the fact you need a telephone number to sign up and that the full end to end encryption is not the default. What you get as default is for the most part okay, but I really can’t understand why they don’t give the full package as the default method of communications. I’ve read all their information about the app on the website and I think I can trust their system well enough. I’m happy enough to use Telegram with any of my contacts who are Telegram users. It’s still not a perfect one because of the lack of anonymity. It even has disappearing messages when in stealth mode.
Signal is the application recommended by Edward Snowden and he should know what he’s talking about. It has disappearing messages which can be set to last between five seconds and one week. You can verify your contacts by scanning a QR code if you are verifying in person. There is also a set of numbers you can compare and you might do that across another network where you have already verified the contact is who they say they are. It’s a good application and I would recommend it except for the need to connect it to a phone number. It is possible to get around the phone number requirement by using a burner phone. That’s just too much messing about though if you can find a messaging service without that requirement.
Wire, Keybase, Wickr Me, Dust and Confide are all other secure messaging applications I’ve looked at, but not really got into. Keybase is good but seems a little bit complicated. Wire is okay, and each of them has its pluses and minuses. Depending upon your requirements any of these could suit your secure messaging need.
The application which was my favourite until recently was Threema. This application ticked most of the boxes and was as close to perfect for my use as I had found. One of the things against it is that it is a paid for application. It is inexpensive and in my opinion well worth the cost to buy. However, there are some people who will not spend money on applications unless they really have to and have their arm twisted behind their back. The application doesn’t have disappearing messages, but apart from that gives a good answer to all of the security, privacy and anonymity questions. The other thing it doesn’t do is synchronise between devices. So if someone sends a message to your iPhone you don’t get to see it on your iPad as well. There isn’t a desktop application, but you can use it via the web by scanning a QR code with your Threema app on your device. Threema is a top app for security and you can get around the identity per device by using a group hack.
I think I have now found the perfect secure messaging app – Session.
It is based on the Signal Protocol. It is open source so it can be verified by anyone who knows what to look for. It is anonymous – No phone number or email needed to get an ID on Session. It also strips out meta data. It will not reveal your location because the IP address is removed as it passes through the onion router. It does three hops. Just looked at my app and I can see the messages I send will go through nodes in Germany and France before going to the recipient. No single node ever knows both the origin and destination of the message.
All messages are encrypted and can only be decrypted by the private key stored locally on your device. Messages are not stored in a blockchain and will be deleted everywhere after a fixed amount of time. The time depends on the ‘Time to Live’ set in the disappearing messages settings.
Attachments are also end to end encrypted. The Loki server can never see what’s in the attachments sent.
Same with photos, the meta data is removed. No details about the camera, no location. Nothing…. Just the image. If you set the disappearing messages to 1 minute or less it is also unlikely anyone can do a screenshot to grab it and send on to elsewhere.
You can link devices with Session – Up to two devices. I have it set so the two iOS devices are connected and the Mac has a different ID. That works fine for me. The iOS ID is the one I will generally use and the Mac ID will be infrequent and more as a back up ID.
How do I connect with someone on Session?
- Send the ID by a secure channel to my contact. That could be by voice over a phone call or by, for example, WhatsApp or another app with end to end encryption. Let’s assume I have already verified the contact in that app. The Session ID is a long, 60-character alphanumeric code. Or the contact can send you their Session ID.
- If you are there in person, get your contact to show you the QR Code for their ID. When you start a new session you get two options. One is for the sharing of ID and the other is all about QR Codes. Show your code or scan their code. That’s all you need to do to get started with sending text, audio, photos and documents. There is a 10 MB limit on the documents.
Podcast worth listening to – Recode Decode with Bart Gellman
He wrote a book: What is Edward Snowden’s Legacy? I listened to this podcast and it was an intelligent discussion on security and privacy. Seriously considering deleting my Facebook account.
They discuss the way the US government hoovers up information on their own people and everyone else around the world. With Trump in the driving seat you can’t trust America. If there weren’t enough reasons to make yourself private online, then this is the clincher. They will hoover up data and metadata on as many people as they can. You really have an imperative to protect yourself from online crookery.