Securer Devices and Communication
By Albert Fox Cahn, Esq.
Every form of electronic activity comes with a risk of being monitored. In this training, we can’t give you tools to protect perfect privacy, but we can give you simple steps you can take every day to make your devices and communications more secure. Following this guide, you can reduce the risk of being tracked without giving up on the electronic productivity and connectivity we need to be efficient at nearly any modern task.
Device Selection
The most invasive tracking devices threatening government workers aren’t housed in some secret intelligence site, it’s not a military-grade sensor system, it’s the tracking embedded in the devices we use and carry with us almost anywhere. You should assume that anything you do on a government owned device can easily be tracked, including the device’s location.
Steps To Take: use a personal device for any sensitive communications outside of work, ideally a device that has never been connected to your work email system or any other official account.
Location Data
Your devices, particularly smartphones, are constantly collecting and leaking information about your location, potentially even when the devices are turned off. Many of the free apps that Americans download every day, even something as innocuous as a weather or flashlight app, make money by selling your data, particularly your location, to the highest bidder. Not only do data brokers sell this information to advertisers, but they routinely sell it to police.
Steps To Take: (1) never take a work phone to a sensitive site, and avoid taking even your personal device if you are particularly concerned; (2) periodically audit all the apps on your phone, removing any apps that you don’t use regularly; (3) periodically review location sharing settings for apps, disabling location services for any apps that don’t need access; (4) be wary of sharing your location using any friends / family location tracking tool, such as Life360.
Internet Activity
Our devices not only track where we go in physical space, but they track nearly every aspect of have we navigate digital spaces. Typically, when you go to websites or use internet-enabled apps, your IP address links your activity to your real-world identity. But even when your IP address is hidden, there are an array of tools for companies to know who you are. Browser fingerprinting technology allows companies to identify your computer based on nothing more than your browser’s unique settings. And there are other technologies that are specifically targeted at tracking smartphone users, such as using sonic beacons that are detected by your device’s microphone, Bluetooth beacons that are detected by its antennae, and many more.
You may have heard that virtual private networks (“VPNs”) can help keep your internet activity private, by hiding your IP address, but they are only a partial solution. While VPNs can hide your IP address from the websites that your interacting with, they do nothing to block browser fingerprints, beacons, or other technologies from identifying you. Even more concerning, using a VPN allows the VPN operator to monitor all of your internet activity. Many companies, especially free VPN services, will then sell information about your internet activity to third parties, including governments.
In contrast, The Onion Router (“TOR”) is a free, open-source protocol that allows users to tap into a network of nodes around the world to mask their internet activity. Like an onion, TOR routes your internet traffic through multiple layers of protection, so that no one node can know both who is sending and receiving data. Unlike a VPN, TOR can’t sell your data, because it doesn’t have it. The TOR web browser also integrates protections against browser fingerprinting and a variety of other trackers, further improving privacy. However, while TOR reduces the risk of tracking, no protection is perfect.
Steps To Take: (1) use the TOR browser to more privately view websites. (2) In the most extreme circumstances, you can improve protections by using a brand-new computer from a public location with open Wi-Fi and minimal monitoring of who’s present.
Communications
It’s impossible to collaborate effectively without communicating, but often our communications are our most readily tracked online activity. Every form of electronic communications poses some risk, but you can improve your privacy and security by using high-quality encrypted platforms.
Most commercially available communications platforms are frequently intercepted wholesale, including email, SMS text messages, and social media direct messages. The risk is most extreme for unencrypted, centrally controlled systems (like Slack, Teams, and work email), but also true for most commercial alternatives.
Many products claim to “encrypt” your messages, but very few use the high-quality encryption that can give you peace of mind. Unless messages have “end-to-end encryption”, they can easily be read by third parties at some point in their lifecycle. Even then, many companies that advertise end-to-end encryption offer something very different in practice. Services like Telegram boast about encryption, but messages are unencrypted by default, leaving them exposed. And services like WhatsApp do encrypt every message by default, but they fail to encrypt any of the metadata about your conversation (who you communicate with, when, and where from), leaving you exposed.
Signal offers the most robust set of privacy protections for most messaging purposes, encrypting every aspect of your communication, and never mining your metadata for advertisers or law enforcement. Still, even the most sensitive conversations aren’t always appropriate on signal. When a conversation is particularly sensitive, it is important to enable disappearing messages, ensuring that communications won’t be accessible if someone’s phone is compromised at a later date. Additionally, with group conversations, the larger a group gets, the more cautious you should be about what you put in writing. Not only could you have an imposter who joined the group without your knowledge, but there are more people whose devices could be compromised in the future.
Steps To Take: (1) use Signal for sensitive conversations. (2) Enable disappearing messages, and adjust when conversations are particularly sensitive. (3) Be cautious about sharing sensitive statements in very large groups.