This is the first in a series of posts about online security in the new political era.
Friends, this is a dark time. I don’t need to remind you what’s happening in the US on January 20th. If ever we need to take privacy and security seriously it is now. If you need more convincing on that front, here are a couple of excellent articles on the political climate that we are entering:
Autocracy: Rules for Survival | NY Review of Books
You’ve probably heard of encryption, two-factor authentication, VPNs, password managers and the like before. You probably think they are all a good idea – but where to start? It’s overwhelming. And what’s the point? Don’t the NSA and CSIS just have access to everything anyway? They might. And still, there are measures you can take to make your information more secure and private. I’m going to help you. By going over one topic a month and giving step-by-step instructions, I hope I can convince you that these changes are easy and worth doing.
You know the idea of getting immunized not just to protect yourself, but to protect the most vulnerable in the community? I think of internet privacy in the same way. The more people who start doing the simple things that increase privacy, the less it seems suspicious to do so.
If only activists care about and use encryption and other privacy measures, it can become like a beacon. Like, oh hey, that person must be up to something nefarious – why are they encrypting their messages when no one else is? The more people who encrypt the safer it is for everyone. And remember, the definition of who is an activist gets broader with every right that is taken away.
Encryption. What is it?
Lazy webs: type “what is encryption” into Google and I get:
Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text.
Want a longer and more detailed explanation of encryption? Howtogeek has a good write-up. Basically, encryption means that the message you transmit or the contents of your hard drive are garbled to anyone who doesn’t have the password to un-garble them.
What should you encrypt? Everything you can. Let’s start with devices.
Both Apple and Windows have built-in encryption that you just have to turn on:
Mac OS: Turn on FileVault under the Apple Menu > System Preferences > Security & Privacy
Here are the step-by-step instructions from the Apple website.
Windows: Turn on BitLocker thru the Start Bar (enter encryption and go from there).
Here’s the Microsoft how-to.
If it doesn’t work on your set-up (it didn’t when I tried on a Windows 10 Home Edition):
Here’s a more in depth how-to from Howtogeek.
For both of these, set up a recovery system (it will prompt you in the set-up process) in case you forget your password too many times.
I trust that if you’re running Linux you know how to encrypt your files.
Your phone might already be encrypted if you have the passcode turned on.
iOS: check under settings to turn on encryption if it isn’t already. Make sure you’re using a passcode. Here’s a step-by-step guide and tips and tricks for security.
Remember that FBI kerfuffle where they demanded Apple give them access to a phone? That sure convinced me that encryption actually works. Here’s a great article in Wired about both Apple encryption and that FBI kerfuffle.
Android: again, check under settings. I had a toggle I could swipe to turn on encryption. Make sure your battery is fully charged as it can take a while (possibly up to an hour) to encrypt your phone. Here’s a step-by-step guide for encrypting your Android phone from Howtogeek.
That covers the data on your hard drives. But what about messages in transit?
Messaging Apps with Encryption
I heard about Signal from Edward Snowden. When someone asked him, what can we do right now to protect our privacy he said: Use Signal. That’s good enough for me.
Signal is a text messaging app that encrypts your messages by default. Make it your default texting app. It also allows you to make encrypted phone calls.
Heads up, you can’t take screenshots when using Signal. Which makes sense as it prioritizes security, but I have found that inconvenient at times (like when I’m trying to win an argument or prove I sent a message).
Use WhatsApp? Congrats, you’re already encrypted! [update: the Guardian just revealed that there’s a backdoor that allows access to your information. So…go install Signal.]
Encrypting your email
This is the granddaddy of encryption. PGP stands for Pretty Good Privacy and was developed in the 1990s. Want to set up your email encryption right? Head over to OpenPGP.org and follow their set up instructions.
I have to admit, I’ve known about PGP since the early aughts and I’ve always thought it was a great idea, but I’ve never set it up for myself. It always felt too hard to send my public key out to people I wanted to email. Maybe it’s easier now? [update: I just signed up for a free workshop that will lead me through setting up PGP encryption on Thunderbird. I’ll post an update and possibly a step-by-step guide afterwards.]
Want super easy? Let me google email encryption for some popular email clients and see what’s up.
Gmail: apparently Gmail is encrypting the emails it can.
Outlook: looks fairly easy to set up. Here are the instructions.
Community-run email providers
Keep in mind that you’re at the hands of your email provider in terms of security. Will Gmail/Yahoo/Hotmail allow access to their servers or records? If you’re concerned about this, there are a number of small community-run hosting companies who prioritize privacy and security (they vow to never hand over any information to anyone) and are especially set up to provide services for folks working on social justice issues. Resist.ca in Vancouver and Riseup.net in Seattle are a couple of them.
What about websites?
If you want to be super secure, download and start using Tor as your default web browser (see that Snowden tweet above).
Not ready to part ways with your favourite browser? I’m definitely in that boat, I have to admit. So I’ve installed HTTPS Everywhere as a stopgap measure. I don’t really know how it works, but it’s supposed to make every site HTTPS. HTTPS sites are encrypted. Sites like your bank that have that lock icon. More and more sites are encrypted these days, but the majority of the internet still isn’t.
That’s it! You’re all set up.
- encrypt your computer (Apple, Windows)
- encrypt your phone (iOS, Android)
- install Signal
- encrypt your email using PGP and/or change email providers
- start using Tor as your web browser or use a browser extension like HTTPS Everywhere
Wait! What about Metadata?
A word about metadata. When you use encryption on text messages and emails, the contents of your message are kept private but the information about its transmission is not. Cellphones ping towers, emails hit servers. I saw Edward Snowden speak via a Skype-like-thing-that-I’m-sure-wasn’t-Skype last spring in Vancouver and he explained it like this: if you’re emailing your aunt a cookie recipe, the recipe is protected, but the fact that you emailed your aunt is not. Keep that in mind, because metadata matters – drone strikes use metadata to target victims (and often get it wrong).
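To make the cookie-recipe point concrete, here is an added example (not part of the original post) that parses a PGP-encrypted email and lists what a mail server can still read without any key. The message, addresses, hosts and ciphertext placeholder are all constructed for illustration; standard PGP email encrypts only the body, so the headers, subject line included, stay readable.

```python
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: an email whose body is PGP-encrypted. Addresses, hosts
# and the ciphertext placeholder are invented for this illustration.
RAW_MESSAGE = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby mx.recipient.example; Tue, 10 Jan 2017 09:15:02 -0800
From: You <you@sender.example>
To: Aunt <aunt@recipient.example>
Subject: Cookie recipe
Date: Tue, 10 Jan 2017 09:15:00 -0800
Message-ID: <constructed-0001@sender.example>
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----

(constructed placeholder standing in for ciphertext)
-----END PGP MESSAGE-----
"""


def visible_metadata(raw):
    """Return what a mail server or network observer can read without any key."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {
        # Who is talking to whom: never encrypted, the server needs it to deliver.
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(recipients)],
        # When the message was sent, and what it was called.
        "sent_at": parsedate_to_datetime(msg["Date"]).isoformat(),
        "subject": msg["Subject"],
        # Each server that handled the message adds a Received header.
        "relay_hops": len(msg.get_all("Received", [])),
        # The only protected part is the body, and even its size leaks.
        "body_is_encrypted": body.lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
        "body_size_bytes": len(body.encode()),
    }


if __name__ == "__main__":
    for field, value in visible_metadata(RAW_MESSAGE).items():
        print(f"{field}: {value}")
```

Everything in the returned dictionary except the recipe itself is visible in transit, which is why a plain, non-revealing subject line matters even on encrypted email.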
Go encrypt your stuff!
Okay, friends. Go encrypt your stuff. I give you the deadline of Jan 20th – the inauguration – to go through this pretty short and easy list. If nothing else, it’ll give you a feeling of doing something in the midst of a political climate that might be making you feel afraid and hopeless. Oh, and if you’re on my contact list, I’ll know when you sign up for Signal, because it’ll send me a text about it. Which is ironic if you ask me.
Next up in the series: Using secure passwords and password managers. Check back in February for that instalment.
Top photo by Tim Gouw, Toronto Ontario | unsplash.com