Disclaimer: This checklist provides guidance for protecting your privacy from mass surveillance. It is not intended to address targeted surveillance, especially attacks from sophisticated state actors. The Privacy Issue recognizes that going "off the grid" completely is not possible as a participant in our connected society.
Spy films have long captured our collective imagination. But their subject matter isn’t limited to the realm of fiction. From video monitoring, wire tapping, and license plate scanning to GPS tracking and digital communications surveillance, the methods governments use to keep close tabs on their citizens have increased in scope and sophistication over the past decades. This is the case not only in authoritarian states like China, Russia, and North Korea, but also in most liberal democracies around the world. Edward Snowden’s 2013 NSA revelations and the 2017 WikiLeaks CIA disclosures shed light on the U.S. government’s mass surveillance programs, while the Five Eyes network has a long history of collecting and sharing information about their citizens using a range of dragnet methods.
Why should law-abiding individuals in democratic societies be concerned about these practices? One of the pillars of free societies is the presumption of innocence: the legal principle which holds that people are innocent until proven guilty. It follows that there must be a reasonable suspicion of unlawful behavior before people become subjects of surveillance. Mass surveillance goes against this requirement for reasonable suspicion and, in doing so, normalizes the idea that everyone is potentially guilty until proven innocent, as Amnesty International explains. Dragnet monitoring has long been used to stifle free speech and crack down on government opposition, criticism, and dissent. Even in countries where civil liberties are largely respected, it only takes a change of government or the introduction of new laws for the situation to change. Furthermore, governments are working in increasingly close cooperation with Big Tech companies that hold mountains of data on their users. To find out more about this form of surveillance by private companies, read The Privacy Issue's guide to ad tech industry tracking.
In this climate of constant, indiscriminate monitoring, the following checklist offers strategies for resistance against the mass surveillance of digital communications by governments. It is by no means comprehensive or complete, but following these steps will increase your chances of keeping your digital communication and devices both private and secure – all while resisting the erosion of free speech, civil liberties, and open democracies.
Security Basics
If privacy controls are the curtains on your windows that stop others from looking in, think of security settings as the lock on the front door. The stronger the lock, the more effective it is at keeping others out. Here are a few pillars of good digital security habits.
Covering or disabling the sensors and ports through which a device can be used to observe you is the physical side of "device hardening". The simplest step is a sticker or sliding cover over your laptop webcam and phone cameras. If you are concerned about being listened to, a dummy plug in the headphone jack tells some devices to switch to an (absent) external microphone, but this is not reliable: many laptops and phones have several built-in microphones and the operating system can still select them, so treat the plug as an obstacle for an attacker rather than a guarantee. A handful of apps will monitor microphone and camera use and alert you when something unexpected accesses them. You may also want to consider a phone or laptop with hardware kill switches the next time you shop for a new device, since a switch that physically cuts power to the camera, microphone, or radios cannot be overridden by software.
Generate a strong, unique password for every account you log in to. The easiest way to do this is to use a password manager, such as one of the options we recommend in our privacy paradox explainer; a manager also removes the temptation to reuse a password, which is what turns one breached site into a key to all the others. As security expert Bruce Schneier explains, the NSA uses dictionary attacks to exploit weak user passwords in its surveillance operations. For the few passwords you must memorize, such as the master password of the manager itself, consider a passphrase: four random common words, or the diceware method, in which dice rolls select words from a numbered list so that the choice is genuinely random rather than something you thought up.
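The diceware idea above, as an added example that is not part of the original checklist: the script rolls dice with the operating system's cryptographic random source, maps a roll such as "31526" to a list index, and works out how many words a passphrase needs for a given number of bits of entropy. The sixteen-word list is constructed here for demonstration only and is far too small for real use; a real Diceware list such as the EFF long list has 7776 entries, one for every outcome of five six-sided dice, and that figure is what the entropy arithmetic assumes.

```python
import math
import secrets

# Constructed mini wordlist for demonstration only. A real Diceware list has
# 6**5 = 7776 words, one per outcome of five six-sided dice.
DEMO_WORDLIST = [
    "acorn", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776


def roll_dice(count: int = 5, faces: int = 6) -> str:
    """Roll `count` dice and return them as a string such as '31526'.

    secrets.randbelow draws from the OS CSPRNG; random.randint is seeded from
    a predictable state and must never be used for passwords."""
    return "".join(str(secrets.randbelow(faces) + 1) for _ in range(count))


def dice_key_to_index(key: str, faces: int = 6) -> int:
    """Map a dice string ('11111' .. '66666') to a list index (0 .. 7775)."""
    index = 0
    for digit in key:
        index = index * faces + (int(digit) - 1)
    return index


def entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy of `word_count` words drawn uniformly and independently from `list_size`."""
    return word_count * math.log2(list_size)


def words_for_bits(list_size: int, target_bits: float) -> int:
    """Smallest number of words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(wordlist, word_count: int, separator: str = "-") -> str:
    """Pick `word_count` words uniformly; repeats are allowed, which keeps the
    entropy calculation above exact."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    print("Demo passphrase (weak, 16-word list):", generate_passphrase(DEMO_WORDLIST, 4))
    print("Entropy of 4 words from the demo list: %.1f bits" % entropy_bits(len(DEMO_WORDLIST), 4))
    print("Entropy of 6 Diceware words: %.1f bits" % entropy_bits(DICEWARE_LIST_SIZE, 6))
    print("Words needed for 80 bits with Diceware:", words_for_bits(DICEWARE_LIST_SIZE, 80))
    key = roll_dice()
    print("Dice rolls", key, "select list index", dice_key_to_index(key))
```

Six words from a 7776-word list give about 77.5 bits, which is why six is the usual Diceware recommendation; four words from the toy list here give only 16 bits and would fall to a dictionary attack in seconds.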
In addition to a strong password, multi-factor authentication (MFA) adds a further check to your accounts by requiring another proof of identity alongside your password; the common case with exactly two factors is called two-factor authentication (2FA). Often the second factor is a One Time Passcode (OTP) sent to your phone by SMS. That is the weakest form, because an attacker who persuades your carrier to move your number to their SIM (a SIM swapping attack) receives your codes. An authenticator app is recommended instead: it derives each code on your own device from a secret shared when you enrolled, and nothing travels over the phone network. The most secure option is a physical security key (FIDO2/U2F), which signs a challenge bound to the website's real origin, so a phishing page on a look-alike domain cannot reuse it; neither SMS nor app-generated codes protect against that kind of real-time phishing.
Credit card companies readily share payment records with governments. If this concerns you, avoid using a credit or debit card for sensitive transactions and pay in cash or Bitcoin (or the cryptocurrency of your choice) instead. Be aware that Bitcoin transactions are recorded on a public ledger and can be linked to you by chain analysis; a self-hosted payment processor such as BTCPay Server removes the third-party processor that would otherwise hold a record of the payment, but it does not make the on-chain transaction itself private. When you do not want a transaction recorded at all, learn to use Monero, Zcash (with shielded transactions), or other "privacy coins", though adoption of these is not yet mainstream.
Browse Securely
Given the deep ties many Big Tech companies have with government agencies, your every online action has the potential to be served up to the government. Here are four key tools that allow you to navigate the Internet without leaving data trails that can be gathered and used to target you.
DuckDuckGo is a privacy-focused search engine that does not record your search terms, unlike Google, which keeps a history of your searches tied to your account and was named in the Snowden documents as a PRISM data source. DuckDuckGo also helps you avoid the filter bubble, because its results are not personalized to a profile of you.
Use HTTPS, which encrypts your Web browsing between your browser and the site and protects page content and form data from third-party snooping on the path. The EFF and Tor Project's browser plugin HTTPS Everywhere was built to upgrade plain HTTP links to HTTPS automatically; EFF has since retired it because the major browsers now ship an equivalent HTTPS-only mode, which you should turn on in your browser's settings. Note what HTTPS does not hide: your ISP, or anyone else on the path, can still see which hosts you connect to through your DNS lookups and the server name sent in the TLS handshake.
Browse the Web via Tor Browser, which routes your traffic through three encrypted relays ("onion routing") so that no single relay knows both who you are and which site you are visiting, and which is configured to make every user's browser look alike to resist fingerprinting. Tor has drawbacks as well as benefits: it slows your traffic, some sites block its exit nodes, and anonymity is still lost if you log in to an identifying account or open downloaded documents outside the browser. Read up on Tor tips before jumping in. Combining Tor with a VPN changes who can see what (the VPN provider sees that you use Tor, your ISP sees only the VPN connection), so understand the trade-offs before doing so.
Use a VPN that keeps no logs, meaning no record of your IP address, the websites you access, connection timestamps, or similar. This is crucial, as VPNs are obliged to comply with government subpoenas for information; they cannot hand over information they do not have, but a no-logs policy is a promise you are trusting, ideally one backed by an independent audit. Remember that a VPN shifts trust from your ISP to the VPN provider rather than removing it: the provider still sees your traffic, and the destination site still sees the VPN's address. IVPN does not keep logs, operates its own DNS servers so your lookups are not handed to a third party, and offers an AntiTracker mode that blocks known tracking domains.
Encrypt Your Communication and Devices
Encryption protects your data with mathematics that, when correctly implemented, is computationally infeasible to break, and it is essential for digital privacy. In practice attackers rarely attack the math; they go after the endpoints, the keys, and the metadata around the encrypted content, which is why the device and account hygiene above still matters. Though the thought of encryption scares away some users, there are very easy ways to integrate it into your daily life.
Signal is a Free and Open-Source Software (FOSS) messaging platform that offers end-to-end encryption (E2EE) by default, so that only the participants, and not the service, can read messages; it is endorsed by Edward Snowden. Wire and Riot (since renamed Element), a client for the Matrix network, are other popular options. Keep in mind that E2EE protects the content of messages, not necessarily the metadata of who talks to whom and when; Signal is designed to retain very little of that.
Firefox Send (since discontinued by Mozilla), Tresorit Send, and Riseup Share/Up1 are options for quickly sending files via the Web; prefer a service that encrypts the file in your browser before upload, so the operator never holds the plaintext. OnionShare is a truly anonymous option that serves the files directly from your own computer as a Tor onion service, with no intermediary at all, and therefore requires the recipient to use Tor Browser to receive them.