New U.K. Surveillance Laws - Time to Get Serious About Security

Dr. G

You may have already heard - but in case you haven't - the United Kingdom is expanding its surveillance powers through the Investigatory Powers Bill, which was passed by Parliament and given royal assent in November 2016.

It is now the law of the land, at least in the U.K., and allows for some interesting powers.  Every website visited by every U.K. citizen will be stored for a full year by every ISP operating within the country, and that data will be offered up on a silver platter to the government whenever they make a request - all without the need for a warrant.

Presumably, this will apply to any person using the Internet within the U.K. since there isn't a real method of determining who is a citizen.  This same storage applies to mobile apps as well, so you can be certain the phone companies will be involved in the shenanigans.  This is supposed to be limited to the metadata and Internet connection records, but we all know how quickly governments step over the line when these types of actions are involved.  This same bill allows the government to legally hack into computers, monitor phone conversations, and use the other normal surveillance techniques most law enforcement agencies already use.  This last piece requires a warrant from a panel of judges and the Secretary of State so, at least on the surface, they are making it look tough to acquire.

The European Union's courts have stepped in to block this overreach of government surveillance, but the Brexit will likely keep the new laws in place.  OK, no real new news there except that governments are continuing to expand their spying on people inside and outside of their borders.

So for all the newbs, those who have forgotten how to protect themselves, and anyone else, here are some ways to keep yourself safe next time you travel through the U.K., or anywhere else for that matter.  I'm intentionally keeping this from being a technical, step-by-step article.  You're smart enough to figure out the details.  I'll just give you some crumbs to lead you in the right direction.

First up: Internet activity.

Tor is a pretty obvious choice here.  You could use one of many free or paid-for VPN services: just search for "VPN services" if you want a listing.  This is great for watching Netflix from a restricted location, but you never know if the providers of these VPN services have been compromised or strong-armed by the government.  So, even though it may appear secure, it might just be an illusion.  One hop for all your data isn't a great choice, which is why we have Tor.  Now, I'm not a big fan of Tor because a lot of human traffickers and child exploiters use it to hide their activities.  But, in this case, Tor is likely your best option to keep anyone from spying on your perfectly legal and legitimate Internet activity.  You can download and install the Tor browser, then use it anytime you think your privacy is at risk.  There are also a few Tor-based apps for Android and iPhone that give you the same capabilities.  Check their website for the latest options.  Unless you're a criminal, Tor is probably overkill for your everyday Internet activity and can slow you down considerably.  If you just want to encrypt your web traffic without any concern for the monitoring of your browsing habits, you can use the HTTPS Everywhere add-on for Firefox, Chrome, and Opera which, essentially, makes much more of your traffic encrypted and unreadable.  And if you are concerned about a search engine tracking your search habits, navigate over to a service like Disconnect Search.  Just be warned: one of their developers used to work for NSA.

Phone conversations and text messaging are even more common than Internet activity, so we'll cover that next.  There's always the Blackphone from Silent Circle, but that's a steep price to pay since many of the capabilities are available as free apps on Android and iPhones.  Signal Private Messenger from Open Whisper Systems can handle both of these tasks, assuming the person you are communicating with is also using the Signal app.  Similar to Lavabit, Signal uses end-to-end encryption and Open Whisper Systems doesn't have access to any of your messages, message content, voice conversations, call data, metadata, or anything else.  Everything is private between you and the other party.  Edward Snowden promotes this app and - love or hate him - that is a pretty big endorsement.  Honestly, I like to make encrypted phone calls to my wife just to make NSA think there is some big secret that they don't know about.

So what about email?

This is probably the most difficult.  Email encryption is a clunky operation, even for technically savvy people.  There are some third-party solutions you could use; one of the Snowden NSA leaked documents stated that they haven't been able to break encrypted emails by users of Zoho or similar online email services.  But I'm not a big fan of these solutions because they put someone else in the middle that I may not be able to trust at some point down the road.

Enter PGP.  Yes, it's been around since the early nineties, but it is still a solid method of encryption that is used world-wide.  You can start using it right away with the GNU Privacy Guard (a.k.a., GPG), but it will take a bit of time to get it set up and, depending on your email client, will probably require some copying and pasting of the encrypted contents before sending the message on its way.  As with other forms of communication, the receiver will need to be able to decrypt the contents if they want to read your message, so you may be limited in this scope unless everyone you talk to is as security conscious as you.
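
The GPG workflow described above, as an added example that is not part of the original article: the recipient publishes a public key, the sender encrypts to it and gets an ASCII-armored block to paste into the mail body, and the recipient decrypts it.  It assumes GnuPG 2.1 or later; the identity, the message and the temporary keyrings are constructed for the demo, and the key has an empty passphrase only so the script can run unattended.

```shell
#!/usr/bin/env bash
# Added example: PGP round trip with GnuPG 2.1+ in throwaway keyrings.
# Identities and message are constructed for this demo.

# Create a demo key for user ID $2 in keyring $1. The empty passphrase is
# an assumption so the script runs unattended; protect real keys.
make_key() {
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --quick-generate-key "$2" default default never
}

# Encrypt stdin to recipient $2 with keyring $1. --armor emits the text
# block that gets pasted into a mail body. --trust-model always skips the
# fingerprint check a real sender should do out of band first.
encrypt_for() {
  gpg --homedir "$1" --batch --quiet --trust-model always \
      --armor --encrypt --recipient "$2"
}

# Decrypt an armored message on stdin with the private key in keyring $1.
decrypt_with() {
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --decrypt
}

# Bob publishes a public key, Alice encrypts to it, Bob decrypts.
# Prints the recovered plaintext on stdout.
demo_roundtrip() {
  local alice bob armored rc h
  alice=$(mktemp -d) && bob=$(mktemp -d) || return 1
  make_key "$bob" 'Bob Example <bob@example.org>' || return 1
  # Only the public half of the key ever leaves Bob's keyring.
  gpg --homedir "$bob" --batch --armor --export bob@example.org |
    gpg --homedir "$alice" --batch --quiet --import || return 1
  armored=$(printf 'meet at noon\n' | encrypt_for "$alice" bob@example.org) || return 1
  # This armored text is all of the message body a mail provider would see.
  case $armored in
    '-----BEGIN PGP MESSAGE-----'*) ;;
    *) return 1 ;;
  esac
  rc=0
  printf '%s\n' "$armored" | decrypt_with "$bob" || rc=$?
  for h in "$alice" "$bob"; do gpgconf --homedir "$h" --kill gpg-agent || true; done
  rm -rf "$alice" "$bob"
  return "$rc"
}

demo_roundtrip
```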

If you want to take it to another level, encrypt your entire phone.

The latest versions of the iPhone and Android operating systems provide full-disk encryption capabilities for the phone's internal memory and additional SD card storage, when available.  Both Apple and Google have gone on the record - in a somewhat veiled fashion - to say that there are no backdoors to their operating systems that can bypass this encryption capability.  OK, if that is true, then any person or government who wants to analyze your phone won't have much to do, that is, as long as whatever password you are using isn't something they can easily break.  Different countries have different laws about whether you would need to hand over your password, so do some research before you travel.  The U.S. Supreme Court ruled in 2014 that police can't search phones without a warrant, but you may be forced to give up the password once the warrant is issued.  I suppose you could pretend you forgot the password.

And you should also encrypt your computer as well.

If you don't already have TrueCrypt installed, you are missing out on a capability that the same Snowden leaked file indicated the NSA couldn't break.  TrueCrypt mysteriously shut down a few years ago and it was widely suspected that they got hit in the same way as Lavabit, but their software is still available and, apparently, still unbreakable.  I always keep a few encrypted containers on my systems to keep private information private.  You should do the same.

You get the basic idea.

People want to monitor your communications for a lot of different reasons and, while I have no problem with governments spying on each other, I don't want any of those governments spying on me.  If you want to see what I am doing, get a warrant.  And even then, good luck breaking through the encryption of my stuff because I'm pretty sure I'll forget my password.  These tips should help you secure most of your common communication, since NSA seems to be stuck when it comes to using the solutions in this article.  That should make all of us do the happy dance, even the really bad dancers, which, let's face it, is most of us.

Happy encrypting!

References

Prying Eyes: Inside the NSA's War on Internet Security

Disconnect Search, Built by Ex-Google and Ex-NSA Engineers, Lets You Use Google, Bing, and Yahoo! Without Tracking

Supreme Court: Police Need Warrant to Search Cell Phones
