You’re a Criminal in a Mass Surveillance World – How to Not Get Caught
I was in Amsterdam when the Snowden story broke. CNN was non-stop asking politicians and pundits, “Is Edward Snowden a traitor?” Those who said he betrayed America also said something else: Mass surveillance is only an issue if you’re a criminal. If you’ve got nothing to hide, then you’ve got nothing to fear.
The Snowden story hit me upon my return from – of all places on earth – the Secret Annex of the Anne Frank House. The Secret Annex is where Anne Frank and her family hid from the Nazis for two years. It was during this period of hiding in terror that Anne wrote her world-famous diary. In it she confided, “I want to be useful or bring enjoyment to all people, even those I’ve never met.”
I say I was lucky because the cosmic unlikeliness of my Secret Annex visit coinciding with Snowden’s mass surveillance revelations led to some revelations of my own. My understanding of law, criminality, and mass surveillance coalesced into a horrifying picture.
It turns out we’re all criminals in a mass surveillance world. The only question is whether we’ll get caught. Let me explain.
What Makes a Criminal?
Merriam-Webster defines crime as “activity that is against the law.” Law is defined as a “set of rules made by the government.” Thus a criminal is someone who breaks government rules.
The law as a whole is an ever-expanding collection of rules that politicians (“lawmakers”) decree and occasionally repeal. Laws are as moral as the politicians who make them.
Simply put, laws are the rules politicians make up, and criminals are people who break them.
It floored me to realize: Anne Frank was, in fact, a criminal. She was a fugitive of the law.
We can express outrage at the designation since Anne did nothing wrong. And we can debate which rules of any particular regime are tolerable or repugnant. But our opinions don’t change the fact that “criminal” is a government-defined standard imposed on us, the governed.
A law-abiding citizen was obligated to turn Anne in to the police. To assist her was a crime. In America the Fugitive Slave Law obligated law-abiding citizens to turn in runaway slaves, and assisting them was punishable by 6 months in jail and a $28,000 fine (in today’s dollars).
In early colonial America masturbation, blasphemy, and homosexuality were crimes punishable by death. Virtually any act you can think of has been criminalized by one regime or another. Being a law-abiding citizen only means you comply with whatever rules politicians have imposed on you.
Throughout history we observe only a slight overlap between the endless supply of laws governments impose on people and the handful of acts we all agree are morally wrong: theft, assault, rape, murder.
The American Crime Complex
To understand why we’re criminals requires a basic overview of how law is created and enforced.
Every law hatches a new crime with an associated punishment. A law is both an order and a threat, for if a law carries no threat of punishment, it’s not a law. It’s a suggestion. Politicians mince words by using different labels for their rules – laws, regulations, statutes, bills, acts, ordinances, et cetera – but they all fundamentally mean the same thing: Obey or be punished.
Every year American politicians create thousands of new laws. They are incorporated into volumes consisting of hundreds of thousands of pages of legalese. The laws are grouped into “codes” such as the CFR, USC, IRS Code, and codes for every state. These codes, along with the Constitution, executive orders, ratified treaties, county and city ordinances, and rulings from district courts to the Supreme Court comprise U.S. law as a whole.
Although the law is incomprehensible to the governed, ignorance of the law is not a defense when you’re prosecuted by the government.
Suspicion of committing even the most trivial crime subjects you to arrest at the discretion of a law enforcement officer. The Supreme Court has ruled that it’s legal to arrest people for crimes such as driving without a seatbelt or having unpaid parking tickets. Arrest can result in imprisonment for months or years without ever being convicted of a crime.
The application of these punishments is wildly inconsistent and often horrifically arbitrary. The minimum sentence for first degree murder in Illinois is 20 years, but in Indiana it’s 45 years. Compare 20 years for murder with 15 years for having sex on a beach. Or 5 years for stabbing a man to death. Or 5 days (yes, days) for raping a 14-year-old girl. Victimless crimes often carry far harsher sentences than raping and killing people, such as 25 years for selling painkillers to a friend.
The Supreme Court ruled in 1978 that it’s legal for prosecutors to threaten you with catastrophic punishment – even life imprisonment – for a minor crime if you don’t forfeit your right to a jury trial. (In the landmark case prosecutors secured a life sentence for forging an $88 check because the defendant refused a plea bargain.)
Because prosecutors wield such enormous power, almost everyone takes a plea bargain. Getting your day in court is a myth perpetuated in TV shows and movies. Innocent people often agree to plead guilty and suffer the punishment rather than risk having their lives destroyed. The system is rigged against you, and your chance of conviction at trial is around 90%.
This government prosecutor explains to new prosecutors that the goal of jury selection is to pick people who “are as unfair and more likely to convict than anybody else in that room.”
Given this set of facts, it’s no surprise that millions of Americans today are caged and millions more are on probation or parole. The “land of the free” is the most imprisoned nation in the world on both a total and per capita basis. The prison-industrial complex is booming.
The Secret Annex
Back to our heroic criminal, Anne. The Frank family moved from Germany to Amsterdam in 1933. Otto started a successful spice and pectin business. In 1942 the family went into hiding from the Nazis in the rear section of Otto’s building. Anne called it the Secret Annex. It’s a cramped, makeshift living quarters whose hidden entry is masked by a swinging bookcase.
The feeling was overwhelming as I slunk through the space: I am disgusted by my species. This little girl and her family spent two years living with a noose around their necks knowing the floor could drop out at any time.
Then one day it did. An informant tipped off the police. They were arrested and sent to death camps, which were described as “labor camps” to their victims. “Work will set you free” it said above the gate at Auschwitz. The Franks were healthy enough to be put to work rather than gassed straight away.
Are you female? Imagine yourself as a 15-year-old being stripped naked by guards, having your head shaved, getting tattooed with a serial number, and then being forced into non-stop hard labor. Take a moment and imagine having a daughter who suffered this fate.
We’re members of a species that does this. Not as an act of spontaneous insanity, but deliberately and methodically. Let us remember: It was legal.
Only Anne’s father Otto survived. His wife and two daughters perished despite the substantial measures he had taken to avoid this horrific fate. They left Germany early on, and he even put his business in a gentile’s name to stay out of government filings. As things got worse, he applied for visas to bring his family to America or Cuba, but they were rejected. How did his family end up trapped in Amsterdam? Laws.
A heroic woman named Miep Gies rescued Anne’s diary before the police confiscated everything in the Annex. Miep returned the diary to Otto after the war ended. She was one of six souls who risked their lives as outlaws in order to keep them in hiding.
Miep not only rescued Anne’s diary. She never read it out of respect for Anne’s privacy. When Otto published it, Miep said if she’d read it she would have felt obligated to destroy it since it was filled with damning information, including her name and all the others who helped the family survive, including an (illegal) underground supply network.
The dramatic irony of Miep not reading Anne’s diary made me cry. Here is an act of human decency which epitomizes everything government is not. Miep not only risked everything trying to keep these people alive. She not only saved Anne’s diary, one of the world’s most powerful pieces of literature. She not only didn’t read it despite its owner getting shipped off to a death camp. After the Franks were arrested, Miep went to the police station and offered the arresting officer a bribe for their release. As fearless as that was, it didn’t work. She escaped punishment because the officer had a soft spot for her being from his home town, Vienna.
If it’s possible to love a dead woman you’ve never laid eyes on, I do. Miep, thank you for showing people that human decency springs from following our conscience, not the law. Millions blindly follow orders. The bravest heroes in this world are law-breakers.
A Single Piece of Data
Walking from Anne’s Secret Annex into CNN’s nothing-to-hide mass surveillance chorus provided a rare moment of clarity in my life. Her father’s disclosure a decade earlier of a single piece of data, their religion, destroyed his family. The disclosure was a legal requirement to be issued a passport.
To apologists of mass surveillance, what did Anne Frank have to hide? I ask because the person credited with popularizing the nothing-to-hide argument is none other than Joseph Goebbels, Minister of Public Enlightenment and Propaganda for the Third Reich. (Back then the word propaganda didn’t have a negative connotation. It meant public relations.)
After examining the Frank family passports in the Secret Annex, it later struck me how much more information is extracted by the US census and annual American Community Survey. Where were you born? Are you “Black, African Am., or Negro?” Are you Pakistani? Latino? Are you unemployed? What is your profession? How much money do you make? Do you own or rent? How much do you spend on utilities? Who lives with you? Do you have children? How well do you speak English? Do you speak another language at home? What is your marriage status? Have you been divorced? Where did you go to school? Have you been employed by the U.S. military? Which wars did you fight in? And on it goes… All information explained away as needed to hand out “government benefits.”
Minister Goebbels would have wrung his hands with delight at having this depth of data on his regime’s citizens. But this data is absolutely trivial compared to what the U.S. government actually knows about you. Thanks to William Binney and Edward Snowden, we know that the U.S. regime has for many years been secretly constructing the means to monitor and record every aspect of our lives.
Snowden put it in terms everyone can understand: “Even if you aren’t doing anything wrong, you are being watched and recorded.” Thankfully we don’t have to take Snowden’s word for it. The government’s agenda was laid bare in this secret NSA slide from 2011: Sniff It All – Know It All – Collect It All – Process It All – Exploit It All.
Share It All is in reference to swapping surveillance data with New Zealand, Canada, Britain, and Australia – the so-called Five Eyes who are de facto military protectorates of the United States.
Snowden nailed the Collect-It-All endgame in a single phrase. “Turnkey tyranny.” As is the case with most propaganda, the NSA reveals its intentions in a cloak of misdirection. The cloak here is security. “National security” isn’t about your own personal security, as comforting as it would be to believe. It’s about the security of the government, no matter what the government is today or becomes in the future.
In fact every time you see or hear the word national, just think government. When politicians beat the national security drum, they’re referring to regime security, not yours. (You’re more likely to die falling out of bed.) The NSA is in essence the Government Security Agency. The national anthem is the government anthem. When you pledge allegiance to the flag, you’re vowing to serve the government, not family, friends, neighbors, or customers.
The government’s motives are reflected in its symbols. Here’s a sampling:
The NSA bird holds a key to unlock everything that is not public – in other words, what is private is the government’s business. Know It All. Collect It All. Exploit It All. The Earth-sucking octopus represents one of a fleet of NROL surveillance satellites. Total Information Awareness is a program set up years ago that had the same agenda as the dystopian film Minority Report: arrest people before they commit a crime. The sinister inspiration for the Total Information Awareness logo is echoed on the one dollar bill, which features the all-seeing eye of God.
Understanding the motives helps us see every justification of mass surveillance for what it really is – a veiled threat: If they don’t do it, terrorists will kill you. Terrorism, the mortal danger to civilization which kills fewer people than autoerotic asphyxiation, bathtub falls, toddlers, and lightning.
A Noose Around Our Necks
Mass surveillance equals perpetual uncertainty. No matter how honest and benevolent you consider the current American government, no one knows what laws a future regime will impose. Otto Frank never would have disclosed his family’s religion had he known it would lead to the murder of his loved ones a decade later. His family would have fled Germany and attempted to illegally immigrate elsewhere, as millions have done throughout history.
Living under mass surveillance is living with a noose around your neck. You can’t know what circumstances will cause you to hang. History is loaded with never-saw-that-coming catastrophes. The 20th century alone is an inconceivable horror – 262 million corpses engulfed in various government wars and genocides. That’s equivalent to every single adult living in America today suddenly perishing.
All the nightmare regimes of the past that kids study in school predate the era of computerized mass surveillance. The ability to lock down people’s lives instantly… to track them, analyze them, trap them, financially paralyze them, impersonate them, frame them, and apprehend them is unprecedented. Governments always seek to control the governed, but mass surveillance is the most powerful weapon of control ever devised. Because of its novelty, invisibility, and deep complexity, many people can’t comprehend its implications and therefore don’t defend against it.
Why You’re a Criminal
We unknowingly commit crimes, including felonies, in our day-to-day lives. The fact that we haven’t been caught is a matter of detection – namely, surveillance. As mass surveillance expands, the government’s crime detection capabilities increase exponentially.
“There is no one in the United States over the age of 18 who cannot be indicted for some federal crime. That is not an exaggeration.” This warning is from John Baker, a retired law professor who tried in vain to count new federal crimes created in just the past few years. The same message comes from attorney Harvey Silverglate in his book Three Felonies a Day: How the Feds Target the Innocent.
Because politicians have made us criminals, what the government knows about you can cost you your freedom. Understanding that is so important that you shouldn’t take anybody’s word for it. See for yourself.
Into the Abyss
Most federal law is aggregated into the United States Code (USC) and the Code of Federal Regulations (CFR). Let’s start with the CFR. Go here, select a year from the menu, and click Go. A list of 50 Titles will appear. Click on the Text link for any Title and start reading. You’ll see that some Titles have several volumes. For example, here’s Volume 1 of the 2014 Banks & Banking code, the first of ten volumes for that year alone.
If you’re anything like me, after a few minutes your brain will attempt to revolt. Push on and do your best to even vaguely understand what Congress – the lawmakers – demand of Americans. You’re up against literally hundreds of thousands of pages of legalese. Much may not apply to anything you’re currently doing in your life, but finding out what applies to you now and has applied to you in the past is, quite literally, impossible. And with thousands of new rules being created every year, you won’t know when you break new laws in the future either.
Need a breather? Have a laugh with me at the sinister humor of the CFR web site’s slogan: “Keeping America Informed.” How many Americans have even heard of the CFR, much less read a single sentence of its laws? What could possibly better illustrate the essence of propaganda double-talk than this slogan? When you tap out on the CFR, give the USC a browse.
But wait, there’s more. Thousands of pages more. The IRS Code is, shockingly, 74,000 pages. When the IRS decides you’ve done something wrong, you are presumed guilty unless you manage to prove yourself innocent. Anyone who’s dealt with the IRS knows that the process is its own punishment. Now that tax forms are filed electronically, artificial intelligence and data mining increase the power to detect non-compliance exponentially.
You’ve seen it first-hand: The law is truly unknowable to the governed. Being a law-abiding citizen is a myth.
Of course this is just federal law. Any adult can be prosecuted for a federal crime, but what about state crimes? State law is another incomprehensible morass – tens of thousands of pages of legalese per state. Cross an invisible line and the same act may no longer be a crime – or it may have twice the penalty. Wade into California’s legal code for a sample, or look up your own state and see for yourself. The abyss goes even deeper. There are thousands of county and municipal laws too.
This demonstration wasn’t meant to depress you. Truth just sucks sometimes. In this case ignorance is anything but bliss.
Every single day ignorance of the law costs people their savings and their freedom. And here’s the awful Catch-22: Ignorance of the law is no defense, even though it’s literally impossible to comprehend what the government demands from us.
Good people everywhere have been turned into peaceful outlaws by politicians.
We live our lives trapped in a ubiquitous but invisible scaffolding of rules. There is literally no aspect of our lives not subject to politicians’ orders. Everything that’s not forbidden requires government permission. What kind of society is this?
Crime Detection Is the Killer App
As criminals we already have a noose around our necks. Crime detection is the terrorizing question that hangs over us. That millions of Americans are behind bars makes one thing clear: The government is zealous about enforcement. New prisons are being built every day. Prosecution isn’t a constraint either since only a handful of cases see a trial.
Crime detection is law enforcement’s biggest bottleneck, and that’s where Collect-It-All surveillance changes everything. Police already track you by wide-area surveillance, thousands of networked street-level cameras, auto-scanning license plates, drones, and spy planes, but that is primitive compared to what’s coming.
Computerized face recognition is already extremely accurate and fast. You can be matched against a nationwide database instantly. This technology will be integrated with the body cameras police now wear. You will be cataloged and tracked by your Universal Control Number (UCN). Yes, that’s really what it’s called. A friend of mine is an Auschwitz survivor. You can still read the “control number” tattooed on his arm.
Military contractor Lockheed Martin has for years been designing biometric surveillance systems to track us by our hand prints, face, voice, and walking gait. Their use for crime detection is unlimited. Anything that can be electronically measured can be the basis for automated crime detection. For example fingerprints can now reveal drug use.
Going forward mass surveillance will be combined with robotics to create law enforcers who will automatically scan and crime check you. The military-industrial complex is leading robotics development. As with bug-sized drones and MRAPs, the technology and equipment will cross-pollinate with domestic law enforcement.
Hopefully this glimpse of what’s coming makes it clear. Mass surveillance isn’t about having nothing to hide. It’s about hiding whatever we can.
Mass Surveillance Cheerleaders
The highest profile shills for mass surveillance are the usual suspects: politicians and mega-corporation execs who have the most to gain. Former U.S. Senate majority leader Trent Lott: “What are people worried about? What is the problem? Are you doing something you’re not supposed to?”
Google chief hypocrite Eric Schmidt defines privacy as an excuse to hide wrongdoing: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
Google employs many brilliant people who no doubt mean well, but the simple truth is this: Google’s business is, literally, mass surveillance. Google is a major contractor to the US government, including the NSA, as well as several military contractors.
Snowden revealed the NSA has direct access to Google’s servers. Google’s vast offering of services equals the world’s biggest surveillance roach motel. There’s a reason the room and board are free. You’re the product, not the customer.
The Death Star Is in Utah
Mass surveillance is not only Collect-It-All recording of your life. The totalitarian power of mass surveillance comes into focus when one sees how years of data can be summoned in the future for purposes you can’t predict. Five or ten years from now your surveillance records could be used as the basis for advanced interrogation, criminal prosecution, bail-ins, property confiscation, blackmail, stalking, humiliation, horrific medical procedures, internment camp, deportation, and yes, even execution. None of these is without historical precedent.
The technology enabling Collect-It-All surveillance perhaps seems vague since we don’t have any practical reference for what it takes to implement. Here’s a glimpse.
Snowden’s revelation of the Collect-It-All blueprint was the prelude to the completion of a 1.5 million square foot complex called the Utah Data Center. The original name of the complex – Massive Data Repository – is more ominously instructive.
Imagine a stadium-sized complex filled with the world’s fastest super computers and endless racks of digital storage space so vast that you literally can’t comprehend how much information can be stored. The power and cooling required for the complex is staggering. It consumes 1.7 million gallons of water daily to operate. This is the mass surveillance equivalent of the Death Star. Last year it went fully operational.
Consider this in light of Anne Frank. In the pre-digital time of the Nazis, they had a minuscule quantity of information about the Frank family compared to what would be known today. And the little information they had was stuffed in filing cabinets.
The difference between filing cabinets and the space-age technology of the Utah Data Center is almost impossible to describe. In terms of speed, it’s like comparing a tricycle with a supersonic jet. In terms of search power, it’s like a magnifying glass versus the Hubble telescope. In terms of data storage, it’s like a hot tub versus Lake Michigan. And yet, it’s worse.
Weaponized Data Mining
There simply is no comparison to be made in the pre-digital era when it comes to data mining – using the power of computers to find patterns across vast quantities of data. The Utah Data Center is weaponized data mining.
Collect-It-All surveillance means that if the government wants to target you, it can comb back through years of your life in minute detail. As we’ll see shortly, coming up with a crime in order to prosecute you is easy. There are so many laws in existence today that legal experts agree that anybody can be prosecuted for crimes they aren’t aware they’ve committed.
Even if you didn’t commit the crime you’re being prosecuted for, mass surveillance guarantees that innocents will be targeted because data mining can’t tell whether a pattern is intentional or coincidental. Say there’s an enemy of the government being tracked by the feds. You coincidentally are on the same flight sitting next to him, use the same car service, stay in an adjacent room at the same hotel, eat at the same restaurant, and then take the same flight the next day to another city. Now you too are a target. If you happen to also be Muslim (1% of the U.S. population), good luck.
U.S. law is clear on what might happen next. Perhaps men show up and interrogate you. Or they secretly tear apart your life down to the smallest detail looking for any charge to pin on you. Maybe they destroy your reputation and monitor how you respond. Or maybe you get disappeared. Under the NDAA, American citizens can legally be kidnapped, imprisoned in secret without charges or access to a lawyer (indefinite detention), and subjected to torture programs developed by doctors.
The Torture Triumvirate
To design the US government’s torture program taxpayers paid over $81 million to Dr. James Mitchell and Dr. Bruce Jessen and another $31 million to Dr. Martin Seligman, former president of the American Psychological Association. Seligman is a man who achieved fame by repeatedly shocking dogs until they completely gave up trying to avoid the shock, even when presented with the opportunity to do so. This state of hopeless surrender is what he coined “learned helplessness.”
These three were not paid $112 million to suggest sleep deprivation or waterboarding (both of which have been used for centuries). The public has no clue what the real torture program is. But given the government’s history of using drugs to torment people, I suspect drugs are the holy grail of modern torture as they break no bones and leave no scars. Imagine being inflicted with a drug-induced migraine and then getting locked in a cell with blasting heavy metal and flashing strobe lights. What would you say to make it stop? Centuries ago you’d confess to being a witch.
Death From the Sky? Legal.
If being kidnapped, caged and tortured without trial isn’t sufficient for the government’s purposes, the president also claims legal authority to summarily execute US citizens. Four Americans, including a 16-year-old boy, have already been executed by drone strike – no charges levied, no trials, no evidence presented, no opportunity for defense. Just sudden death from the sky.
If you think “kill lists” are only about Muslims and therefore don’t affect you, count yourself among Germans in the early years of the Nazi regime who said these laws are unfortunate but only affect a few Jews. By the time the general public felt things were really getting out of hand, to speak out was to risk your own life. So let me repeat: The government has granted itself legal authority to summarily execute American citizens. Just because you’re not a target, don’t delude yourself. This is turnkey tyranny.
The data mining power of the Utah Data Center will find all sorts of extremely unlikely coincidences which will be used to cage or kill innocent people. The old way to do that was to torture people into making false confessions, frame them with planted evidence, or convict them based on faked forensic science. Even supposedly ironclad one-in-a-million DNA evidence has been exposed as unreliable. With weaponized data mining, no fabrication will be required to put innocent people away.
Much like the IRS process of finding you guilty unless you can prove your innocence, you’ll be in the crosshairs trying to explain an extraordinarily unlikely coincidence. A one-in-a-million coincidence is common when the world’s fastest supercomputers are searching for patterns among quadrillions (that’s thousands of trillions) of pieces of data. Trying to establish your innocence will be like trying to prove a negative.
Mass surveillance is ushering in a brave new world of crime detection. The vast majority of crimes in the past have gone undetected. A Collect-It-All mass surveillance apparatus is an all-seeing eye which untethers crime detection from manpower constraints.
Law Is Codified Hypocrisy
My definition of a bad guy is a person who purposely harms or threatens to harm others or their property. I used to think of crime as the stuff that bad guys do. Bad guys are criminals, and criminals are bad guys. Makes sense, right? After all murder is a crime. Theft is a crime. Assault is a crime.
Cartoons, TV shows, and movies I’ve seen from childhood have reinforced the only-bad-guys-do-crime message. And my teachers were explicit: Good people obey the law. Be a law-abiding citizen.
Yet millions of Americans who are not bad guys have criminal records. Victimless crime accounts for an estimated 86% of the federal prison population.
My day in the Secret Annex taught me that it’s a trap to equate crime with morality. While I think it’s always preferable not to harm people or their property, neither my nor your preferences should be conflated with laws. That’s because most laws have nothing to do with actually harming others or their property. Sure there are plenty of bad guys who are criminals, but there are also millions of Americans who have been convicted of victimless crimes. They simply broke a politician’s rule, often unknowingly.
Meanwhile many bad guys aren’t criminals because the law doesn’t apply to them. Every day peaceful people and their property are harmed by government employees acting in a fully legal capacity. That’s because those who govern us are permitted to do the very things the governed are forbidden from doing.
If you are carrying out government orders:
- Legally maiming and killing thousands of people who haven’t harmed anyone isn’t mass murder. It’s collateral damage.
- Legally caging a person for consuming something the government doesn’t approve of isn’t kidnapping. It’s corrections.
- Legally siphoning all the money out of someone’s account isn’t theft. It’s civil asset forfeiture.
- Legally blockading a country from receiving desperately needed goods and services isn’t economic warfare. It’s foreign policy. (Don’t forget, the dead children are collateral damage.)
- Legally using insider information to rack up stock market profits isn’t insider trading. It’s Congressional investing.
- Legally transferring hundreds of billions to Federal Reserve banking cartel cronies isn’t fascist economics. It’s quantitative easing.
- Legally forcing interest rates to zero so that savers lose purchasing power and banks clean up isn’t price fixing. It’s monetary policy.
- Legally spending trillions to create the most militarized society in history isn’t totalitarian insanity. It’s defense.
- Legally demanding your money under threat of imprisonment to pay for all these things isn’t extortion. It’s taxation.
What is criminal for the governed is legal for the government.
(If you’re a government employee or contractor, thank you for being open-minded enough to read this. When one’s salary depends on believing something, considering other perspectives is as difficult as it is rare.)
I’ve focused on the U.S. government because that’s what I know, and it tends to do these things on a broader scale than other regimes. But every regime follows the same pattern of outlawing the very same behavior it exhibits. Some just do it more aggressively than others. Generally the larger the regime, the greater the victimization of the governed.
Even when a law applies both to the government and the governed, it’s not enforced equally. Martha Stewart went to prison for lying about a stock trade, and Marion Jones went to prison for lying about using steroids. But General James Clapper, czar of the government’s mass surveillance complex, wasn’t even prosecuted for the felony of lying under oath to Congress about mass surveillance. General David Petraeus walked free despite lying to FBI investigators and leaking top-secret information. Members of the government’s Federal Reserve bankster cartel were exempted from punishment for committing multiple felonies.
What enables this codified, self-perpetuating hypocrisy? The institution of government is defined by its monopoly on both the creation and enforcement of law. This means the government can do whatever it wants, from double parking to mass slaughter with essentially no repercussions other than “regime change” through elections. Who in their right mind believes this is a good way for society to operate? If there were ever a monopoly to break up, it’s the one government protects with all its might.
As pieces of the picture came together for me, I felt depressed and wanted to throw my arms up and say, “Forget it. There’s nothing I can do to change any of this.” Then it hit me: “There’s nothing I can do” are the magic words every power-hungry person longs to hear. Learned helplessness – the conviction that you are powerless to change whatever’s being done to you.
Those who watch Game of Thrones know the show has much to teach about those who seek power. The pitiful character Reek is the personification of learned helplessness. Even with a razor at his barbaric captor’s throat, he is incapable of doing anything but obeying. When his sister risks her life to rescue him, he clings to his cage and refuses to go. That’s the essence of learned helplessness.
The Greatest Weapon of Oppression in the History of Man
Every regime uses physical violence to force compliance with its rules, but physically breaking people who resist takes considerable effort, resources, and manpower. Mass surveillance gives those who seek control a vastly more powerful, far-reaching weapon.
This article was inspired by Ed Snowden’s own words to Laura Poitras in Citizenfour. He warns her that the government’s Collect-It-All mass surveillance apparatus is “the greatest weapon of oppression in the history of man.” It’s a War of Terror that’s being waged on us.
In a mass surveillance world where the law is unknowable, we live our lives wondering what crimes we’re committing and when we’ll be detected and prosecuted. This has a chilling effect on how we live. We censor ourselves to suppress the underlying anxiety of knowing we’re criminals who are being watched and recorded.
The end-game of mass surveillance is self-imposed subjugation. Threats and cages are no longer required because people believe resistance is hopeless. When we know we’re being monitored by those who have the power to beat, cage, and kill us, we imprison ourselves in our own fear.
I refuse to live that way. I hope you do too.
When people self-censor out of fear, they erect their own walls, saving government the effort. The governed avoid inquiry into controversial issues. They censor what they read at the library. They censor the web sites they visit. They censor their browser search terms. They censor what they write in emails and texts.
Free thought and inquiry into the most important matters get suffocated as we live under perpetual anxiety about whether what we do is acceptable to those who govern us. Fear leaks into our consciousness like black ink. I recently joked with a friend that he’s addicted to Coke, and he nervously wrote back clarifying “to anyone else reading” that it was Coca-Cola.
People censor what they say on the phone, on Skype, on Google Hangouts. Surveillance software automatically transcribes your words into text. Your conversations become instantly searchable and trigger key word alerts. (If you’re thinking of organizing or attending a police brutality protest, know that a trigger word list leaked years ago includes the terms cops, police, authorities, and law enforcement amongst hundreds of others. Furthermore, these events are tracked by the government.)
People censor what they share with friends on social networks. They increasingly limit posts to selfies, photos of food, and opinions about approved topics like sports and movies, rather than information or opinions that can land them on a terror suspect list.
They shy away from protesting and see the often brutal treatment of those who do. They hear about domestic black sites. Signing a petition opposing a government program is like handing the government a suspect list.
People come to know that political affiliations can make you an IRS target or trigger a home invasion. They read that withdrawing cash from a bank account is cause for criminal investigation. Yet if they don’t put cash in the bank, they risk outright confiscation as has happened over and over.
They see the persecution of whistleblowers and the crushing of business owners who won’t compromise their customers’ security. Innocent people end up on terrorist watch lists. They see the mainstream media’s bipolar twitching between terror-mongering and titillating celebrity scandals.
This all brings on a chilling sea change in our daily lives. The message becomes unmistakable. The government is off-limits to meaningful criticism or resistance to whatever it dictates.
Authority as a Conditioned Response
Obeying authority is what we’re taught to do from childhood. You don’t want trouble, do you? Then don’t complain. Follow the rules. Abide by the law.
We’re raised to follow orders and pledge allegiance to authority. We are conditioned to comply. Chain of command is a principle which pervades our society, not just the military. The apex of command is of course the head of the government, the Commander-in-Chief. What comic irony to call this individual “leader of the free world.”
What’s the upshot of our perpetual compliance conditioning? “Just following orders” and “Just doing my job” routinely precede the most atrocious acts perpetrated against other human beings.
What about those with enough self-awareness and independence of thought to see the pattern at work? The realization that mass surveillance makes you a perpetual suspect and non-compliance with any government rule makes you a criminal silences meaningful opposition. It doesn’t take many horror stories to roll a fog of fear over an entire population. Especially when people know they’re being continually watched and recorded.
Learned helplessness will get you if you don’t brace yourself and think clearly. You can’t change the system, but that doesn’t mean you’re helpless. You don’t have to be a victim. We as individuals can take simple steps to impede the government’s dragnet recording of our lives. We can encrypt our calls, our texts, our emails, our phones, our computers. We can show our friends and family how to do the same. It’s really just a matter of quiet resolve.
Most people like to read articles that confirm what they already believe. But beyond venting to friends, people are generally too lazy to take action unless they feel immediate danger. Here’s where we must differentiate mass surveillance from every other threat. Mass surveillance is a silent, invisible war being waged against us. The only time you’ll actually feel immediate danger is when it’s too late.
The Action Mindset
Are you in an action mindset yet? If not, here’s my last loving nudge. I’m begging you – seriously, I truly am begging you – to overcome inertia and take action. If nothing else has convinced you, then do it to keep government employees from ogling your genitals. Or if you think government isn’t and never will be a threat to your well-being, then do it to protect against identity theft, fraud, blackmail and doxing by free agent bad guys.
People don’t understand just how much risk they’re taking by not securing their computer and smart phone. Your life can be ruined. If you’ve already secured yourself, please encourage others and help friends and family. This site has aggregated almost a quarter billion accounts which have been breached (aka “pwned”). Many more accounts than that have been compromised, so if you check to see if you’re on the list and come up clean, be aware that it’s no guarantee you’re secure.
If you’re a parent with kids using computers, you need to know how to protect them. Kids are curious, and the more dangerous, forbidden or risky the topic, the more inquisitive they tend to be. What if your son comes home from chemistry class and wonders, just for the sake of curiosity, how to make a bomb? What if he’s watching Breaking Bad and starts browsing around wondering how Walter White made meth? What if a friend comes over and as a prank searches for how to join ISIS?
Are these the sorts of things kids might do? Of course. And it can turn your entire family into a target, including getting your home raided by men with automatic weapons who will shoot your dogs and take your computers, phones, and papers. Implement the enclosed anti-surveillance guide to protect your kids from getting your family in a world of trouble.
It’s All You
No matter what it is that motivates you to take action, the important thing is that you follow through. The best thing about the government’s bald-face lying about mass surveillance is it dispelled any notion that it will be “reformed” (whatever that means).
A few months before the Snowden revelations broke, James Clapper, czar of all U.S. intelligence agencies, replied under oath to this question (which he received a day in advance of his testimony):
Richard Nixon, after secretly bombing Cambodia (which brought the genocidal Khmer Rouge to power), persisted in lying to the public about it. As he told his aides, “Publicly, we say one thing. Actually, we do another.” True to form, shortly after Snowden came forward Obama was in full-on denial mode. The lie below was from his appearance on The Tonight Show with Jay Leno.
Literally nothing the government says about mass surveillance is credible. Every public relations gambit to make it look like “something is being done” is aimed at deterring us from taking responsibility and acting for ourselves. Don’t be fooled by political theater. It is nothing but two-faced gamesmanship.
Mass surveillance programs are built in secret and they operate in secret. Remember that what little we know is due to an act of treason (as defined by the government of course). And it’s only the NSA we know something about since that’s what Snowden had access to. The CIA, FBI, DEA, DHS, INR, DIA, NGA, NRO and other agencies have their own surveillance programs. Even the IRS has joined the spy brigade.
Any NSA policy change will be publicly heralded by politicians as a great victory while other programs silently spring up or continue operating under different code names or different agencies. As with mass surveillance obliterating the 4th Amendment, all Constitutional violations are not only predictable, they’re inevitable. Trusting the government is like trusting pit bulls to guard a pile of pork chops.
Thankfully Edward Snowden gave us the guidance we need.
Snowden’s most important insight is not that we’re being recorded in a Collect-It-All panopticon. It’s that we – as individuals – have the power to free ourselves from the surveillance noose: “We have the means and we have the technology to end mass surveillance without any legislative action at all, without any policy changes.”
We have the power, but only if we exercise it. What does that amount to in practical terms? Being willing to use some free software. After a couple hours you’ll have taken action that can literally save you from the worst kind of trouble, including criminal prosecution, blackmail, and kidnapping. You may even save your life. Same goes for any friend or family member you can persuade to take action. And you’ll sleep better knowing you’re no longer enabling mass surveillance.
Some might object and say that taking defensive action is an unnecessary act of paranoia or ‘Murica hating. Those people may just be doing their job. Others may be fact-resistant humans. Fear of real risks is not paranoia. It’s motivation. Only the most fact-resistant among us would deny that there are individuals and extraordinarily powerful institutions who are actually out to get you one way or another.
Most people prefer to feel rather than think. I know I’d feel much better pretending all this is much ado about nothing. Even if you’re not the fact-resistant type, the temptation to abdicate responsibility and hope politicians will “fix the system” is as tempting as it is delusional. The system we live under was built by people who want it to work this way. To those in control, it’s not broken. It may not work for you, but it works for them. And you work for them. The only hope we have for change is to do it ourselves.
The U.S. regime is the alpha dog of mass surveillance, mass incarceration, and mass media propaganda. But all governments aspire toward ever greater control over their populations. China, Russia, England, all of them. The bigger the government, the more they squeeze. It’s just a matter of money, manpower, time, and technology. Smaller countries are often laughably ham-fisted in their approach, like making it a crime to insult politicians.
Perfect security does not exist in digital or physical life. A house has a continuum of steps you can take to secure it, but it will never be secure from a determined adversary. A lock on your door is better than nothing, but most locks can be defeated in seconds by people who are trained. Even if you have great locks, what about the door itself? Can it be kicked in? What about your windows? Anybody can break a window. Alarms are useful, but they have several vulnerabilities. Plus they don’t actually keep people out of your home. (By the way, your home is now see-through to the government thanks to radiation blasts from mobile X-ray vans.)
Just as perfect home security is impossible, there’s no such thing as perfect digital security. No matter how many precautions you take, there are too many “known unknowns” you can’t protect against. Software like your operating system, drivers, and web browser has faults which get exploited. Some of those faults are honest human error, and some are purposely engineered to weaken your security. Those who pretend to protect you are leading the charge to purposely undermine the security of products we rely on in order to track everything we do online.
Now that the Internet is regulated – meaning, controlled – by the government like a utility, things will only get worse.
The very hardware you use – computer chips, routers, hard drives – also has exploits which you can do nothing about. The CEO of Intel refused to answer, with good reason, a question about whether Intel places “backdoors” in its chips. The biggest tech companies in the world are American, and they must comply with orders in the name of national security while being gagged from disclosing said orders.
Bottom line: America’s tech giants are surveillance proxies for the government. The government is also typically their biggest customer. This is the essence of the military-industrial complex.
We almost never hear about it because to say something is a death wish, but corporations also employ NOCs (non-official covers) who carry out government directives.
Modern computers have become so complex it’s practically impossible to know everything that’s happening “under the hood.” Even TVs can record you, translate your speech to text, and beam it to third parties. Computer chips the size of a dime and cheaper than a Big Mac can do all that and more. Really just about any electronics device in range of a wifi signal can be reconfigured into a surveillance device. That includes seemingly innocuous things, like a keyboard or USB thumb drive.
I’m not trying to dishearten you. It’s better to see things as they really are than to be ignorant of real risks. The truth is we’re being attacked from all sides.
The only shining light in all this is the free and open source software (FOSS) movement. Open source means publishing a program’s source code online so that anybody can inspect it, audit it, compile it, and test it. The complete transparency of FOSS stands as our best safeguard against purposeful sabotage of our security.
The way most people use computers and smart phones is equivalent to leaving your doors and windows wide open with a neon COME ON IN! sign blinking in the front yard. We’re going to close the doors and windows, install curtains and quality locks, and toss the sign in the dumpster.
But know that if you’re ever individually targeted by the government as a person of interest (for example a journalist or whistleblower), pretty much everything you do on a computer or phone likely will be in the regime’s hands unless you have extremely specialized skills like Ed Snowden. As he said, “If there is a warrant against you, if the NSA is after you, they are still going to get you.” If you think you may have been individually targeted, run Detekt as a first step to check for malicious software commonly used against journalists and activists.
The goal of this guide is not anonymity. Anonymity is not possible because it requires control of many factors that are simply beyond our control. Our goal – Snowden’s plea to us all – is to stop the dragnet collect-it-all recording of our lives. As peaceful outlaws living in a mass surveillance world, the most effective act of self-preservation we can take is to render the greatest weapon of oppression inoperable.
If you don’t act, there will have been no real point in reading this. You’ll probably sleep less soundly, and mass surveillance will continue metastasizing. The reality is that to not take action is to enable mass surveillance. And remain highly vulnerable to hackers, stalkers, and fraudsters – threats which seem hypothetical until you get humiliated, blackmailed, stalked, or ruined.
The following guide is 10 basic steps which involve using free software. It’s followed by a list of essential security practices. The guide is intended to be a “minimum effective dose” of security against hackers, fraudsters and mass surveillance. It may seem like a lot, but if anything I went light because I don’t want people to get overwhelmed and do nothing. This is an incremental process. If one of these steps is too difficult or intimidating, don’t bail on everything else. Every step substantially decreases your risk exposure, so don’t feel as though you need to treat the following guide as all-or-nothing.
Good security is a habit more than anything. What may initially seem like an inconvenience will eventually not even be noticed, just like locking the door to your home. Suggestions for improvements and updates are welcome and appreciated.
STEP 1 – CLEAN AND PREP
Why: There’s a good chance your computer is already infected with malicious software (malware). Unfortunately malware attacks are a never-ending plague. You can’t spend time online and not be at risk of infection. This includes viruses, keyloggers (which secretly record everything you type, like GROK or Magic Lantern) and various other programs that track you and send your private information to bad guys.
There are thousands and thousands of malware programs out there with new ones being launched daily. It’s not just hackers, fraudsters, or governments who create and spread malware. Huge companies that you’d think would be fiercely protective of their reputation, like Sony, will infect you. Lenovo, the world’s largest personal computer vendor, is under fire for selling 43 models with pre-installed malware which dramatically undermines your computer’s security. This site shows if you’re infected. If you are, here’s how to fix it.
***For Apple desktops and laptops only***
Install and run the following programs:
CCleaner – Download the free version. After you’ve run a scan and fixed any problems it finds, close it and then move on to the next program. I suggest running CCleaner once per month.
***For Windows PCs and laptops only***
First, let’s make sure your copy of Windows is up to date. Microsoft is constantly releasing security patches to fix security vulnerabilities, and your computer should be set to automatically install important updates. If you don’t know how to check if important updates have been installed, see this if you’re running Windows 7 and this if you’re running Windows 8. Windows 10 installs updates automatically.
But Windows 10 users, BEWARE! Windows 10 is a surveillance nightmare by default. It tracks just about everything you do. To quote their end-user license agreement: “We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary.” Good faith? Microsoft is an NSA contractor, and its biggest customer is the U.S. government.
Be sure to change these Windows 10 settings to reduce Microsoft’s surveillance and the amount of personal data sent to them. A way to do it quickly is to use one of several free privacy apps designed for this purpose, such as O&O ShutUp10. Let it create a Restore Point when it asks you, and then under the Actions menu, select “All recommended and limited recommended settings.” The whole process takes less than a minute.
Second, see if your anti-virus scanner is up to date and then run a scan. Windows 7, Windows 8, and Windows 10 come with free anti-virus software. If you already run a third party anti-virus program, update and run that instead. If you haven’t installed any third party anti-virus software, on Windows 7 load Microsoft Security Essentials and do a scan. If you don’t have it, install it free here (ignore this if you run Windows 8). For Windows 8, run a scan with Windows Defender (see here if you need help). Windows 10 also uses Bit Defender, and these are the steps to run a manual scan. Don’t continue until the scan is finished. Virus scans can take a while (10-20 minutes), so it’s a good time to grab a drink or a snack. If you find any infections, quarantine or delete them.
Third, we’re going to install and run four free programs that protect against malware. They all work a bit differently and catch different infections. If you already have other anti-malware programs you use, you can decide whether to delete them and go with this suite or stick with what you have.
Reboot your machine if it’s been on a long time. (A fresh restart is generally a good idea when installing a bunch of new software.) Then install and run the following:
CCleaner – Get the free version. Make a backup of your registry when it asks. After you’ve run a scan and fixed any problems it finds, close it and then move to the next program.
Malwarebytes Anti-Malware – Get the free version. Check for updates before running the scan. Fix any problems it finds and continue to the next program.
Spybot Search & Destroy – Get the free version. Check for Updates and run a scan. After it’s done and you fix any problems, Immunize your system. Immunization blocks your computer from communicating with a long list of known malicious sites.
Malwarebytes Anti-Exploit – Get the free version. This program shields your browser from sudden attacks that malware companies don’t yet know about called zero-day exploits. You don’t need to do anything. Just install and it will work in the background.
I suggest running CCleaner, Malwarebytes, and Spybot scans once a month. You should also do it immediately if you suspect that you’ve made a mistake like following a link to a shady-looking site you didn’t mean to visit or opening a suspect file.
STEP 2 – REPLACE YOUR BROWSER WITH FIREFOX
Why: (If you already use Firefox, skip to the add-on section.) People get attached to web browsers, so please consider my reasoning if you recoiled in horror at this suggestion. Google’s Chrome is the most popular web browser in the world. That image of Google’s boss and Obama gives an indication of how closely tied Google is to the government. Google is not only one of the government’s key business “partners.” It’s the juiciest target for the government to infiltrate. Snowden showed us that it has. You can virtually guarantee that NOCs work at Google.
Google’s business is literally mass surveillance. It collects more data about more people than any other company in the world. The business model is simple. Google tracks and records you and then turns you into a profile that it sells to advertisers. As Eric Schmidt said, “We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.”
The reason Google’s services are free is because you’re not the customer. You are the product. As Google itself says, “Our customers are over one million advertisers, from small businesses targeting local customers to many of the world’s largest global enterprises…” Its biggest customer is of course the U.S. government (federal and state).
In contrast, Firefox doesn’t track you and sell you as a product. The developers of Firefox are highly vocal about being anti-surveillance. Firefox is open source, meaning any programmer can audit the code to see what it’s doing. And Firefox has add-ons that are necessary to thwart tracking and surveillance. (Chrome has add-ons too, though many of them contain malicious code.) Bottom line is the Firefox people aren’t in the surveillance business.
If you’ve been using Internet Explorer, know that it’s being phased out by Microsoft and has been plagued with security flaws. And it doesn’t support important add-ons needed to protect you.
If you’re on Mac, I recommend Firefox over Apple’s Safari browser as a matter of diversifying trust. At the end of the day we’re trusting all software we use not to exploit us. But Firefox doesn’t have the financial incentive like Apple does to track you. And while Firefox is open source, Safari is not. Also Firefox has a more robust collection of add-ons.
What to do: Install Firefox and set it as your default web browser. After you have Firefox running, click the Options button (the gear icon), click the Update tab, and select “automatically install updates.” Then install these security add-ons. (Each add-on puts an icon in the Firefox toolbar for quick access to its settings.)
HTTPS Everywhere – (click “Install in Firefox”). This increases the difficulty of bad guys intercepting what you see in your browser and makes it harder for them to set traps that can give them access to your computer.
uBlock Origin – uBlock not only blocks ads and prevents companies like Google and Facebook from tracking you even when you’re not on their sites. It also protects you from thousands of sites that can inject malicious software on your computer. The more popular ad blocker, AdBlock Pro, was removed from this guide because it is not open source like uBlock Origin, and because companies can buy their way past AdBlock.
Privacy Badger – (click the ‘download for Firefox’ link). This add-on pays attention to when you’re being tracked by a browser cookie and then deletes it. There is some overlap with AdBlock Plus, but Privacy Badger fills in some gaps because it doesn’t rely on block lists.
Disable WebRTC – This add-on prevents your IP address (a number which personally identifies your computer) from being revealed when using a VPN. (A VPN masks your IP address as explained later in this guide.)
Random Agent Spoofer – When you visit web sites your browser sends information about its configuration that leaves a unique digital fingerprint. This fingerprint identifies you. If you’re curious you can see the print it leaves here. Install Random Agent Spoofer so you don’t leave prints wherever you go. (Note that Random Agent Spoofer can make some sites behave strangely, and if that happens, you can temporarily disable the add-on.)
Ghostery (optional) – If for some reason you try AdBlock Plus and don’t like it, Ghostery is a solid alternative to try. I suggest using one or the other. If you use it I don’t recommend enabling GhostRank. (The program will ask when you install it, saying that its data collection is anonymized). Anonymized data collection isn’t necessarily anonymous.
NoScript (optional) – NoScript is optional because there’s a substantial learning curve. NoScript makes web browsing more secure, but the price is that many sites won’t display properly until you tell NoScript which parts of the site to allow. Once you set the permissions for a site, NoScript will remember them. But there’s that initial few seconds at a new site where you may need to allow the core parts of the site for it to display correctly. It took me a couple days to get used to it, but this article gives good guidance if you need help. If it’s not too intimidating, give it a try. You can always remove any Firefox add-on if you don’t like it.
Important note: I recommend using Firefox as the browser for your Android and iOS devices as well, but note that not all of these security enhancing add-ons are available for the mobile versions of Firefox. The availability status is changing, so I recommend stepping through the list on your mobile device to see what’s available.
STEP 3 – USE A SURVEILLANCE-FREE SEARCH ENGINE
Why: Google tracks and records your search terms along with when you entered them as part of its profiling analysis. Yahoo and Bing do the same thing. By analyzing every search you make, a shocking amount can be learned about you and your behavior. That’s why Google’s Chairman said, “We can know more or less what you’re thinking about.”
What to do: Fortunately, you can get Google’s search results without being tracked and recorded. StartPage is an anonymized version of Google, meaning it asks for search results on your behalf so that Google doesn’t know who is doing the asking. Go to StartPage and click “Add to my browser” and make it your default search engine. If you want non-Google search results, use Ixquick for a composite of several other search engine results. Both are excellent. Just make sure you set one of them as your default search engine. One other option is DuckDuckGo, which also doesn’t surveil you, though I prefer the search results of the other two.
Now that you’ve switched to surveillance-free search, if you were using Google before, take a minute to delete your search history.
STEP 4 – END THE PASSWORD NIGHTMARE
Why: Passwords are our bread and butter security measure. We use them every day to guard our accounts, assets, and personal information. The nightmare is that passwords as a security measure totally suck. The majority of passwords are so weak that they’re hacked within seconds. The security industry desperately needs to innovate beyond passwords, but we’re stuck with them for now.
The reason passwords suck is it’s really hard to remember a strong password, much less a strong password for every account you have. So people end up using weak passwords, and they use the same one or two passwords everywhere. This is a security disaster.
Massive advances in computing power and password cracking software have made once-strong passwords a joke. Ed Snowden put it simply. The government can make 1 trillion password guesses per second. Free agent bad guys can make trillions of guesses too; it just takes them a bit longer. And the guesses are educated, not random, starting with databases of millions of real passwords which have already been hacked.
The disturbing truth is that 99% of the passwords people use are easy to crack for a reason. The same strategies we use to make passwords memorable are the very same strategies hackers exploit to crack them.
Hackers study how we come up with passwords – the most common words, the way we combine them, and the modifications we make. Then they write software that tests variations of those strategies using alternate spellings (like “l34rn” instead of “learn”), famous dates, names, movies, sports teams, addresses, combinations of your personal and family info, phrase and quote dictionaries, song lyrics, et cetera.
Even when we think we’re being really clever, we’re not. One site recommended taking an easy-to-remember password and then shifting your hands over a key to the right to type it. So Happydays would become Js[[ufsud. Seems like a great idea since the password now looks totally random. Except it’s not random at all. Hackers know this strategy too and can easily write software to apply the key shift strategy against all the other educated guesses they’re making.
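The strategies described above can be turned into a check you run on your own password. This is an added example, not part of the original article: it reverses the key-shift, alternate-spelling, and appended-character tricks and looks the result up in a word list. The US QWERTY layout, the five-word list, and the 10-million-word figure are constructed assumptions.

```python
import string

# US QWERTY rows, unshifted then shifted (assumption: the layout the tip has in mind).
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./",
        "~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# Common "alternate spelling" swaps such as l34rn -> learn. One letter per
# symbol keeps the example short; real checkers try several (1 -> l or i).
LEET = str.maketrans("013457@$", "oleastas")

# Constructed sample list. A real check loads a breached-password corpus.
COMMON_WORDS = {"happydays", "learn", "password", "letmein", "dragon"}

GUESSES_PER_SECOND = 1e12  # the rate the article quotes
TRAILING = string.digits + string.punctuation


def _undo_shift(text, hand_offset):
    """Recover what was meant when every key was hit `hand_offset` keys over."""
    out = []
    for ch in text:
        for row in ROWS:
            i = row.find(ch)
            if i != -1 and 0 <= i - hand_offset < len(row):
                ch = row[i - hand_offset]
                break
        out.append(ch)
    return "".join(out)


def variants(password):
    """Yield (trick, candidate) pairs: the password with each trick reversed."""
    layouts = [("typed normally", password),
               ("hands shifted one key right", _undo_shift(password, 1)),
               ("hands shifted one key left", _undo_shift(password, -1))]
    for trick, text in layouts:
        text = text.lower()
        core = text.rstrip(TRAILING)  # drop appended digits/symbols ("Password1!")
        yield trick, text
        yield trick + " + appended digits/symbols", core
        yield trick + " + leet", text.translate(LEET)
        yield trick + " + leet + appended digits/symbols", core.translate(LEET)


def audit(password, wordlist=COMMON_WORDS):
    """Return [(trick, word)] for every listed word the password reduces to."""
    hits, seen = [], set()
    for trick, candidate in variants(password):
        if candidate in wordlist and candidate not in seen:
            seen.add(candidate)
            hits.append((trick, candidate))
    return hits


def brute_force_seconds(length, alphabet=94):
    """Time to try every string of `length` printable ASCII characters."""
    return alphabet ** length / GUESSES_PER_SECOND


def dictionary_seconds(wordlist_size, tricks=12):
    """Time to try every listed word under each of the 12 variants above."""
    return wordlist_size * tricks / GUESSES_PER_SECOND


if __name__ == "__main__":
    for pw in ["Js[[ufsud", "l34rn", "Password1!", "vK7#qLw2mZ"]:
        print(f"{pw!r}: {audit(pw) or 'no match'}")
    print(f"9 random characters: {brute_force_seconds(9) / 86400:.1f} days")
    print(f"10 million words x 12 tricks: {dictionary_seconds(10_000_000):.6f} s")
```

A password that looks like nine random characters costs days to brute-force at the quoted rate, but if it reduces to a listed word it falls in the dictionary pass, which finishes in a fraction of a millisecond.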
Even if you do have a strong password, if you’re using it (or a slight variation of it) multiple places, you’re opening yourself up to full-blown attack. Using the same password over and over creates what engineers call a single point of failure. Even if the password is rock solid, the web sites we entrust our passwords to get compromised. This gives the attacker instant access to wherever else you use that password. Here’s an example of a web hosting service being hacked, exposing 13 million passwords. That pales compared to the one billion Yahoo accounts which were hacked. Google, AT&T, Apple, Home Depot, Ebay, Target…all have been hacked at various times. Bottom line: don’t reuse passwords.
Given the disastrous state of passwords, we have to know how to make strong, unique passwords which can withstand sustained automated attacks. But what if you have 20, 30, or even 100 web site accounts? Fortunately the market has provided us with password management software that can generate and remember strong passwords with minimal effort. But the master password to access the manager needs to come from you and obviously be very strong. Same thing with the password to access your computer and phone.
What to do: Before we get to the password manager, it’s imperative that you know how to create strong, memorable passwords. I’ve researched a bunch of approaches and incorporated them into a basic methodology.
I can’t get overly specific about how to use the method because a specific strategy that’s public is easy to reverse engineer and crack. For example, people think the strategy of taking a famous phrase like “to be or not to be” and using the first letter of each word – tbontb – is a good password strategy because it looks so random. It’s actually a lousy password because it’s too short and that first-letter strategy is well known. Any good password cracker will run that strategy against databases of famous phrases, quotes, lyrics, poems, et cetera. So I’m going to show you how to make your own strategy using a modified passphrase.
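To see why these tricks add so little, here is a password-policy check that undoes each one before comparing against a phrase list. It is an added example, not part of the original article: the phrase list is a tiny constructed sample, and the function names are made up for illustration.

```python
"""Reject a password that is a well-known transformation of a known phrase."""

# Constructed sample. A real check would load a large list of breached
# passwords, quotes and lyrics instead of these four entries.
KNOWN_PHRASES = ["to be or not to be", "happy days", "learn", "new england patriots"]

# Leetspeak substitutions named in the article (3, 4, 0) plus two other common ones.
LEET = str.maketrans({"3": "e", "4": "a", "0": "o", "@": "a", "$": "s"})

# US QWERTY rows, unshifted and shifted, for undoing the "move your hands
# one key to the right" trick.
KEY_ROWS = [
    "`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./",
    "~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?",
]


def undo_right_shift(text):
    """Map every character to the key on its left; None if that is impossible."""
    out = []
    for ch in text:
        for row in KEY_ROWS:
            idx = row.find(ch)
            if idx >= 0:
                break
        else:
            return None          # character is not on the key map (e.g. a space)
        if idx == 0:
            return None          # leftmost key: cannot be the result of a right shift
        out.append(row[idx - 1])
    return "".join(out)


def squash(text):
    """Lower-case and drop spaces and punctuation, so 'ToBeOrNotToBe!' == 'tobeornottobe'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def find_weakness(password):
    """Return a description of the first known trick that explains the password, else None."""
    variants = [("", password)]
    unshifted = undo_right_shift(password)
    if unshifted is not None:
        variants.append(("key-shifted ", unshifted))

    for shift_label, variant in variants:
        for leet_label, text in (("", variant), ("leetspeak ", variant.translate(LEET))):
            squashed = squash(text)
            for phrase in KNOWN_PHRASES:
                words = phrase.split()
                if squashed == "".join(words):
                    return f"{shift_label}{leet_label}spelling of '{phrase}'"
                if len(words) > 1 and squashed == "".join(w[0] for w in words):
                    return f"{shift_label}{leet_label}first letters of '{phrase}'"
    return None


if __name__ == "__main__":
    for candidate in ["tbontb", "t0b30rn0tt0b3", "ToBeOrNotToBe!", "Js[[ufsud",
                      "l34rn", "blue ants freak my bed out"]:
        print(f"{candidate!r:32} -> {find_weakness(candidate) or 'no known trick matched'}")
```

A result of None only means none of these particular tricks matched the sample list. It does not mean the password is strong.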
Unlike a password, a passphrase is several words. Every passphrase you make should be at least six words long. Here’s the catch. The words can’t be something you’d find in a database, like tobeornottobe, or variations of it like t0b30rn0tt0b3 or ToBeOrNotToBe! These are all readily cracked.
You need six words that mean something to you personally, but not to a bunch of other people. That’s the key. When people hear they should use a passphrase, they often pick something others would too, like newenglandpatriots or dancetillyoudrop. Not strong. It’s got to be 1) personal to you and 2) quirky. For example, mysizzlingloveaffairwithbacon is good because it’s pleasant to type, easy to remember, and the wording is quirky, not just a simple statement like ieatbaconeveryday. Even if you knew me and my affinity for bacon, mysizzlingloveaffairwithbacon would still be extremely difficult to crack. (Don’t use this passphrase even if you share my love of bacon.)
So to review, we want personal and quirky – not literal information, like iwenttowaldonhighschool or ihavetwoyoungersisters or mymomisnamedsallysmith.
By the way, some people use totally random words like cowhandlestringredplentywindow, but I find that much harder to remember. It’s very secure though because it guarantees the user won’t pick an obvious or famous phrase. But a quirky, personal passphrase will not only be easier to remember, it won’t be annoying to type.
Make sure you use 6+ words. Also know that you can include spaces in your passphrases (blue ants freak my bed out). I left them out of my examples only to make them easier to distinguish from the text.
The difference in typing time between six or seven words versus two or three is only a couple seconds, but the difference in password security is gargantuan. The word count is much more important than the word length. blueantsfreakmybedout is strong even though it’s made of short words. Don’t skimp on word count. (Note for Android users: Some Android devices impose a 16 character passphrase limit, making 6 words difficult. Do the best you can, and here’s a list of 2 and 3 letter words to help. A 5 word passphrase is still very robust, especially if it’s modified as described next.)
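The effect of word count can be put into numbers at the one-trillion-guesses-per-second rate quoted earlier. The following is an added example, not part of the original article. It assumes the words are picked at random from a list, and the 7,776-word list size (the size of the Diceware list) and the 16-word sample are assumptions. A phrase you invent yourself cannot be measured this way.

```python
import math
import secrets

GUESSES_PER_SECOND = 1e12          # the one-trillion-per-second figure quoted in the text
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed 16-word sample so the block runs offline. It is far too small
# for real use: load a list of several thousand words instead.
SAMPLE_WORDS = ["cow", "handle", "string", "red", "plenty", "window", "blue", "ants",
                "freak", "bed", "out", "bacon", "sizzling", "happy", "days", "learn"]


def entropy_bits(choices, picks):
    """Bits of entropy when `picks` items are each drawn uniformly from `choices` options.

    Word length never appears here: only the list size and the word count matter.
    """
    return picks * math.log2(choices)


def average_crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Expected time to guess the secret: on average half the space is searched."""
    return 2 ** (bits - 1) / rate


def generate_passphrase(wordlist, num_words=6, separator=" "):
    """Pick words with the OS random source; return the phrase and its entropy in bits."""
    unique = sorted(set(wordlist))
    if len(unique) < 2:
        raise ValueError("word list needs at least two distinct words")
    words = [secrets.choice(unique) for _ in range(num_words)]
    return separator.join(words), entropy_bits(len(unique), num_words)


def strength_table(list_size=7776):
    """Compare a random 8-character password with random passphrases of 3 to 7 words."""
    cases = [("8 random printable characters", 94, 8)]
    cases += [(f"{n} random words", list_size, n) for n in (3, 4, 5, 6, 7)]
    rows = []
    for label, choices, picks in cases:
        bits = entropy_bits(choices, picks)
        rows.append((label, round(bits, 1), average_crack_seconds(bits)))
    return rows


def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    if seconds < 60:
        return f"{seconds:.2f} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    for label, bits, seconds in strength_table():
        print(f"{label:32} {bits:6.1f} bits   {humanize(seconds)}")
    phrase, bits = generate_passphrase(SAMPLE_WORDS)
    print(f"\nsample: {phrase!r} ({bits:.0f} bits, because the sample list is tiny)")
```

With a 7,776-word list, three random words fall in under a second at that rate, while six take thousands of years on average.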
Now that you know how to make a quirky personal passphrase, we’re going to add one more layer of security. We’re going to apply a modification to the passphrase. Why? Because if an adversary figures out you’re using a passphrase, lower-case English words with no modification will be the first line of attack. The relentlessly increasing speed of computers means you might be vulnerable even if you use six words. Also if you unknowingly pick a common phrase like a famous quote or line from a song, the modification can save you from being cracked.
One example of a modification is to capitalize the first word of the passphrase – Mysizzlingloveaffairwithbacon. This modification is the most obvious one though, and bad guys know that, so pick something else. Pick anything that does something with capitals, punctuation, numbers, or any combination of those. Do your own thing, even if it’s simple. That’s better than a common modification like using leetspeak (e.g. substituting 3 for “e,” 4 for “a,” and 0 for “o”). Hackers have common modifications like this nailed.
It doesn’t need to be finger-twisting to type. You could even integrate the modification into the context of the passphrase itself, like eat8baconstripsEverymorningyay! That’s a deliciously strong password that you shouldn’t use.
An extremely powerful modification technique you should consider is swapping one or more of your passphrase words with a foreign language equivalent. Don’t bother with foreign words that are so popular that they’re used in English too, like nada or mucho. It doesn’t matter what language you pick, even Pig Latin, as long as you can remember the word. mysizzlingloveaffairwithaconbay turns “bacon” into Pig Latin, pun intended.
You’ll only need to invent and remember a passphrase to unlock your password manager and to log into your (soon to be encrypted) devices. The rest will be handled by your password manager.
If you’re nervous about forgetting a new strong password, you can write it down until it’s grooved. Some security people will tell you to never write down a password, but writing down a strong one is far better than having a weak password. Just don’t put the password someplace obvious, like next to your computer. The odds of somebody breaking your weak passwords online are exponentially higher than the odds of somebody breaking into your home and finding your passwords.
If you write down a password, here’s a technique in case someone finds the paper and tries to use it. Insert some dummy characters into the password that you’ll recognize as not being legit but which will fool others. You could add something, like your year of birth, as a decoy. So it would be, for example, mysizzling1980loveaffairwithbacon. If somebody finds and uses it, when it fails they’ll think you’ve changed your password.
Picking a Password Manager
A password manager does two critical things. First, it remembers all your passwords in an encrypted vault (except of course the password to access the vault). And second, it can replace your crappy passwords with automatically generated very strong passwords.
After you’ve chosen a manager, you’ll want to make sure that you’ve told Firefox not to remember your passwords. Go to Options → Security and uncheck “Remember passwords for sites.”
There are several password managers to choose from. They all have pluses and minuses. Here are a few I think are worth your consideration. Using any of them will massively improve your security, so go with whatever seems to suit you best. They are all free to try.
KeePass has been around a long time. It’s open source, free, and everything is stored on your machine. None of your passwords are uploaded to the cloud (a third party’s servers), so you don’t have to trust strangers to keep your passwords safe. But KeePass has a clunky interface that takes some getting used to. It’s also less convenient for the same reason that it’s more secure: Having your passwords in the cloud means you don’t have to worry about backing up the password vault or syncing your vault with other devices. With KeePass you have to back up your vault because if your computer dies or is stolen, you’ll lose all your passwords. And if you change a password, you need to manually sync the vault with any other computer or mobile device you use. KeePass was originally written for Windows, but because it’s open source there are multiple versions for all platforms to choose from.
Next we move to cloud-based managers. Dashlane has an elegant interface and is feature rich. Lastpass is the most popular manager and is also feature rich. They have a lot going for them, but both companies are based in the U.S. and subject to strong-arming. They promise that they store your passwords in an encrypted form that they can’t access, but there’s no way to know for certain because it’s not open source software.
If either company gets a government demand to divulge customer data or compromise their software with a backdoor, they will be legally gagged from telling people about it. I’m not making a value judgment against the companies – they seem very sincere and well-intentioned. But let’s not fool ourselves. Nobody at these companies is going to go to prison protecting your or my security. That said, Dashlane gives you the choice of storing your password vault locally (no copy in the cloud). If you’re willing to handle backing the vault up, that provides a substantial measure of assurance.
Another good choice for a cloud-based closed source manager is 1Password. One benefit it has over Dashlane and Lastpass is that it’s not in the U.S. The company is Canadian, and they point out that they have key people based in four different countries. If a demand was issued with a gag order, the principals in the other three jurisdictions could alert customers that their security was compromised without being tossed in prison.
Last but not least, my favorite choice is Encryptr, a free and open source cloud-based manager and e-wallet. Encryptr is zero-knowledge, meaning you don’t have to trust a third party to keep your passwords safe. You get the benefit of cloud storage without the risk of trusting closed source software. It’s not nearly as feature rich as 1Password, Dashlane, or Lastpass, but I personally like simplicity. And when it comes to all your passwords, open source transparency and zero-knowledge are arguably an overriding consideration.
I encourage you to try two or three out and see what feels right to you. Don’t stress about your choice. Whatever you pick, you’ll be massively more secure.
The final step with any password manager is to visit every site you have an account with and replace the old password with a newly generated strong password. Yes it’s an annoyance, but you only need to do it once. The payoff in security is enormous. (And don’t forget to turn off Firefox’s password storage: Options → Security → uncheck “Remember passwords for sites.”)
STEP 5 – ENCRYPT YOUR COMPUTER
This means your computer’s hard drive(s) and any external hard drives.
Why: If you currently use a password to log onto your computer, that does not protect the information on your computer. The log-in can be circumvented with little effort by anybody with modest skills. Your drive needs to be encrypted, or your data is exposed to anybody with access to your computer.
If your computer is ever stolen, you’ll be out a computer but encryption means you won’t have to worry about being blackmailed, defrauded, stalked, or having your life otherwise hacked to bits.
If your internal or external hard drive dies and you chuck it or take it to get repaired, a stranger won’t be able to take it and recover all your data on it. They will only find an encrypted volume.
***For Apple desktops and laptops only***
Apple ships its desktop and laptop computers with built-in encryption called FileVault. Follow these directions and turn it on. Don’t store your security key with Apple, and don’t store it on iCloud where Apple can be forced to disclose it or expose it in a security breach. Use the third recovery option: a strong passphrase. If you’re nervous you’ll forget it, print it out and store it someplace safe (not with the computer). And if you print it, use the tip about printed passwords: Insert some dummy characters into the password that you’ll recognize as not being legit in case somebody finds it.
If you have external hard drives, you should encrypt those with FileVault too. Here’s how.
If you don’t want to trust Apple with your encryption (e.g. the possibility of a government back door), there is a free and open source solution: VeraCrypt. It’s the successor to a highly respected encryption program called TrueCrypt. Unfortunately using VeraCrypt is more complicated than FileVault, so expect about 30 minutes of learning curve. You can use VeraCrypt to encrypt your main computer drive and any external drives.
VeraCrypt also can create an encrypted “file container,” which is like having a virtual hard drive of any size you choose where anything you put in it gets encrypted. For example you could make a 1 gigabyte file container, put all your most important documents in it, and then put that file container anywhere – USB drives, the cloud, wherever – and your data is secure even if someone gets their hands on the container. (You can use VeraCrypt to make file containers even if you use FileVault to encrypt your drive.)
Here’s the VeraCrypt documentation, most of which you don’t need to read to benefit from the core functionality of the program. (The default options are fine to use unless you need advanced features.) You can also search YouTube for several VeraCrypt tutorials. The Beginner’s Tutorial is a good place to start. It will show how to make a file container. Once you feel comfortable making a file container (make and delete a couple just to get the hang of it), then try encrypting an external volume, like an external hard drive. The final step is to encrypt your main drive.
***For Windows PCs and laptops only***
Just to reiterate, having a Windows password will deter a nosey passer-by from going through your computer, but it does not provide meaningful security.
You have a few decent options. The first is to use Microsoft’s disk encryption, which is called BitLocker. It’s free if you already are running Windows Vista Ultimate or Enterprise, Windows 7 Ultimate or Enterprise edition, or Windows 8 or 8.1 Pro or Enterprise edition. If you’re not, you’ll need to upgrade to use BitLocker. Here’s a guide to get started if you want to go this route.
BitLocker is way better than nothing, but the problem with BitLocker is it’s closed source, so nobody can tell if it has government backdoors. Plus BitLocker has been hacked before, reinforcing Microsoft’s long history of producing insecure software. (Also new Windows 8.1 PCs ship with “Pervasive Device Encryption,” but Microsoft forces everyone to upload the encryption key to Microsoft, so it’s not truly secure.)
The other (and I believe better) option is to use the free and open source VeraCrypt. It’s the successor to a highly respected encryption program called TrueCrypt. Unfortunately using VeraCrypt is a bit more complicated than BitLocker, so expect 20-30 minutes of ramp up. You can use VeraCrypt to encrypt your main computer drive (the one with your operating system on it), as well as any external drives.
VeraCrypt also can create encrypted “file containers,” which is like having an encrypted virtual hard drive of any size you choose. Anything you put in a file container gets encrypted. For example you could make a 1 gigabyte file container, put all your most important documents in it, and then put that file container anywhere – USB thumb drive, cloud storage, wherever – and your data is secure even if someone gets their hands on the container file (assuming you used a strong passphrase).
Here’s the VeraCrypt documentation, most of which you don’t need to read to benefit from the core functionality of the program. (The default options are fine to use unless you need advanced features.) You can also search YouTube for several VeraCrypt tutorials. The Beginner’s Tutorial is a good place to start. It will show how to make a file container. Once you feel comfortable making a file container (make and delete a couple just to get the hang of it), then try encrypting an external volume, like an external hard drive.
The last step is encrypting your system disk (your main drive, typically the C: drive). To do that you need a CD burner and a blank disk to make a Rescue Disk in case there’s a problem. If you’re not technical it’s a bit scary, and I appreciate how much it sucks to feel technically intimidated. So if you get freaked out, either use BitLocker if you have it, or make a big VeraCrypt container (they can be whatever size you want) and keep all your private data in there. A VeraCrypt container is pretty quick and easy to make, and you can copy it anywhere just like a regular file.
If you do encrypt your system drive, I recommend backing up your personal data (documents, photos, music, etc.) to an external drive first. That way if something goes wrong, you’ll still have your files.
STEP 6 – SECURE YOUR MOBILE DEVICES
Why: If your phone or tablet is ever stolen, the last thing you want to worry about is having all your contacts, email, photos and other personal info in the hands of bad guys.
I know people who have had phones taken into back rooms during random airport security questioning. You really want your data encrypted with a strong password in a situation like that because all of your phone’s data can be cloned very quickly.
Because you can be arrested for trivial infractions such as driving without a seatbelt or having unpaid parking tickets, even the smallest crimes can be combined with narratives cops are trained to concoct about reasonable suspicion to pry open the door for a full-blown search of your digital life using sophisticated analytical tools. The only protection you have – and it’s great protection, thankfully – is to encrypt and password protect your mobile devices.
Needless to say, if a police officer or other government agent tells you to unlock your phone, politely refuse. If you comply, anything they find can be used against you. And it doesn’t matter whether you’ve been Mirandized or not. No matter how certain you are that you haven’t committed a crime (re-read the Into the Abyss section again if you think you’re innocent), there are officers who will plant evidence and fabricate testimony, so don’t give them rope to hang you. This guide provides essential guidance on how to interact with police.
***for iPhone and iPad users only***
Passcode – Many people don’t even put a passcode on their iOS device. Hopefully it’s clear by now that doing that is pretty much like begging for misery.
If you don’t have a passcode, from the home menu tap the gray settings icon. Then tap the “General” settings button and choose “Passcode Lock.” Tap the “Turn Passcode On” option at the top of the menu. Turn “Simple Passcode” OFF and choose a real passcode – at least 10 characters. Will it be annoying at first to spend an extra 2-3 seconds unlocking your phone? Yes, but you’ll get used to it.
People who use the “simple passcode” option might as well not have a passcode. Anybody who is determined can guess a 4 digit password within a couple hours, often within minutes since people pick obvious ones like 1111, 1234, 4321, 4444, 1357, 3579, et cetera.
If the extra 2 or 3 seconds to enter a real passcode is unpalatable, at the very least turn the “Erase Data” option to ON in the Passcode Lock settings page – and don’t use an obvious 4 digit code.
Don’t Trust – Apple’s attempts to make things automatic can lead to critical security breaches. Here’s one many iPhone users don’t know about. Say a coworker is going to put a file on your iPhone, like a sales video you both made together. You plug your iPhone into his Mac. Up pops a question asking if you “Trust” his computer. If you say ‘yes’ and you have your iTunes set to backup iPhone data automatically, ALL your iPhone data will be copied to your coworker’s computer – contacts, messages, email, photos, everything. So don’t “Trust,” or make sure you have automatic backup turned OFF.
***for Android users only***
Encrypt your device – While iPhones are encrypted by default, Android devices generally are not. (Some newer Android models like the Nexus 9 are shipped with encryption on by default, and fortunately most other new Android devices will follow suit shortly.)
Be aware that if your Android device is more than a couple years old, encrypting it will make it perform more slowly. I think it’s worth it, but it bears mentioning since this is the case for older models. You can try it, and if it’s not workable for you, you can unencrypt the phone, but know that unencrypting it will factory reset it. Newer Android devices don’t suffer any noticeable performance hit.
When you enable encryption, you’ll need your phone to be mostly charged as well as plugged in. It takes about 30-60 minutes. Go to Settings → More → Security → Encrypt device. Here you’ll of course want to pick a strong passphrase that’s ideally easy to type. Remember without a decent passphrase there’s not much point to the encryption. Will it be annoying initially to spend an extra 2-3 seconds unlocking your phone? Yes, but you’ll get used to it. It’s worth it.
Be sensible – I agree with this article’s advice that you generally don’t need anti-virus software for Android devices if you’re sensible about sticking to legit-looking apps from the Google Store or other trusted sources that seem legit. Also avoid apps that demand unreasonable permissions to access your phone. If you’re downloading a game and it wants permission to access all your contacts or dial phone numbers, for example, I’d skip it. The free DCentral1 app lets you monitor what permissions your apps have.
STEP 7 – USE SECURE CLOUD STORAGE
Why: If you’re going to upload files to cloud storage like Dropbox, Google Drive, iCloud, or OneDrive, use a service that encrypts your files before they are uploaded. No matter what Dropbox claims about security (and they’ve been caught contradicting themselves), you don’t want to trust any company with your personal files. The Dropbox site says, “Dropbox employees are prohibited from viewing the content of files you store.” Saying people are not allowed to look at your files is not security you can count on, nor is it protection from the government surveilling your Dropbox.
What to do: To quote Snowden, “Get rid of Dropbox.” Snowden’s suggestion is to use SpiderOak because it’s zero-knowledge, meaning they encrypt your files before they’re uploaded, making it impossible for the company to see the contents of what you store on their servers. The first 2GB on SpiderOak are free. (Use the desktop app rather than the web interface or mobile app to upload your data since the latter two don’t encrypt your data locally.) An alternative to SpiderOak that takes a similar approach is Wuala, which gives the first 5GB free. Also worth considering is open source encrypted cloud storage such as Seafile (1GB free) or the mostly open source Cyphertite (8GB free).
STEP 8 – SHUN SURVEILLANCE-BASED SOCIAL MEDIA
Why: Many people in this world are lonely. “Free” social networks like Facebook are designed to capitalize on this. In return for helping you feel connected to others, they study you like a lab rat and turn you into a product. I’m not exaggerating. As the founder of Facebook Mark Zuckerberg said, “They ‘trust me’ – dumb fucks.” I wonder if he was thinking that when Facebook publicly opposed the awful CISA warrantless surveillance legislation while secretly lobbying for its passage. (Update: Facebook got its way, and CISA is now law.)
Meanwhile Zuckerberg surrounds his home with empty lots and hundreds of acres of undeveloped land.
Facebook’s “like” system is designed to reinforce whatever your existing beliefs are. Facebook is engineered to be a giant echo chamber which figures out what you like to hear so it can feed it to you. That’s how it hooks people.
It’s also the ultimate propaganda system. Recall Facebook’s notorious social engineering experiment which proved it could manipulate the mood of over half a million people by altering their feeds. The experiment received funding from the US Army Research office. The military funds research on the mass manipulation of a population’s mood? You don’t say.
As with Google, Facebook’s core business is mass surveillance. You’re the product, not the customer. Facebook collects and stores an insane amount of intel about every facet of your life. It not only tracks everywhere you go, it lets others track you too.
Facebook has developed software as accurate as the human brain to reveal your identity in any photo you or someone else uploads. And yes, even 4 years ago Facebook was tracking you and assembling hundreds of pages of intel on you even when you weren’t logged in. Now it’s thousands of pages, and the surveillance and analysis are much more sophisticated.
Every time people post photos of themselves and others to Facebook, Instagram (owned by Facebook), Twitter, Google, or other surveillance-based services, they are unwittingly building mass surveillance databases containing the details of people’s appearances, who they associate with, what they do, and when and where they’ve been.
A single innocuous photo can reveal a lot of information. Trillions of photos is a frightfully vast surveillance database to be exploited by regimes, corporations, and free agent bad guys. Mass surveillance depends on social media as a primary data source.
Every American technology mega-corp has backdoors. Snowden made it clear: Tech giants are surveillance proxies for the government. The government’s own top secret slide is worth repeating here as it just says it all.
To put it plainly, Facebook and other “free” social media services are mass surveillance roach motels. Free is the bait to get you in the door, and surveillance intel is used to hook you on the service so you can become a forever profitable product. Yes they are slickly marketed, convenient, and ultra-popular. They are also a trap and indispensable to the mass surveillance scaffolding. Check out of the roach motel.
What to do: It’s easy to share photos with friends and family without undermining our security by using encrypted cloud storage (step 7) or encrypted messaging and email (coming up). But to some the prospect of opting out of Facebook or other social networks is unthinkable. But is Facebook actually improving the quality of your life? Are you now happy and fulfilled because of Facebook? If you’re willing to try, here are some suggestions for breaking the addiction.
If you’re unwilling to reject surveillance-based social media, at the very least adjust the “privacy” settings as tight as you can so that your life isn’t an open book to free agent bad guys. Facebook and Twitter are primary research tools for hackers and stalkers, and of course police and surveillance agencies. They use fake profiles to friend you and gather intelligence. Or impersonate you and use you as an unwitting honeypot. The NSA even impersonates Facebook.
You can replace surveillance-based social networks with non-surveillance alternatives. I’m a member of Liberty.me, a member-funded social and publishing network. Because its members are its customers, Liberty.me eschews a surveillance-based business model. Members can sign up with fiat money or bitcoin. Unlike Facebook which demands people use their real names, you can choose any name you’d like and reveal your identity only to those you personally trust.
STEP 9 – ENCRYPT YOUR EMAIL, CHAT, AND TEXTS
Why: Your email, chat, and texts desperately need to be secure. They are a jackpot of personal information about your life that can be used to harm you in any number of ways. It doesn’t matter if you think your life is not particularly exciting. People who stalk, extort, kidnap, and blackmail don’t limit their targets to hard-partying celebrities. Your email gives a treasure trove of leads to bad guys about how and where else they can invade your life. Surveillance-based email options like Gmail are not encrypted, and your email is automatically scanned and analyzed for packaging you to advertisers.
Companies that offer closed source software which claim to use robust end-to-end encryption are not worth considering unless there are no other options (and fortunately there are). A perfect example is WhatsApp, owned by Facebook. The company says it uses and likes open source, and yet WhatsApp’s code is not open source. Being closed source, people have no way to verify the quality of the encryption, whether there are bugs in the implementation, whether there are backdoors, and what is happening to your data behind the scenes. There have been several security breaches, but as with all closed source software, we don’t know how many security flaws are being quietly exploited right now.
The same issues make Skype untrustworthy despite its claims of secure encryption. Microsoft scans your Skype messages, and there have been backdoors in Skype and other Microsoft products for years.
The bottom line is no matter how exciting and promising the security claims, any closed source software, especially if offered by a U.S. based company with U.S. backers who fund military contractors, is fundamentally unable to provide reliable security assurances.
What to do: Replace your communications software with encrypted alternatives. Email, chat, texts, and phone calls. (Yes, even SIM card manufacturers have been hacked.)
Telegram – iOS, Android, Mac, Windows, Linux
Chatlink – no logins, no cookies, no plugins, open source – just pull it up in your browser and go
If you like the convenience of using a webmail account, choose a provider who uses built-in encryption. I like Tutanota, Protonmail, Neomailbox, and Countermail. (I’d recommend Startmail too if they accepted bitcoin.) They all use an open source, gold standard encryption called PGP. Tutanota deserves particular recognition because it’s entirely open source. Some of them are subscription based, and some operate on donations. Unlike Gmail and its ilk, these all have robust privacy policies, are hosted outside the U.S. (making them harder to strong-arm), and make the encryption process seamless.
By contrast, if you want to use a local email client like Thunderbird, the only way to do so securely is to configure and use PGP yourself. Doing that on Windows and on Mac is frankly a huge pain in the rear for non-technical people. Even Glenn Greenwald, the reporter who broke the Snowden story, couldn’t follow the tutorial Snowden made for him. Upstart Whiteout looks like it’s trying to make the process far easier.
If you’re dead set on using an insecure mail provider like Gmail, Yahoomail, or Outlook, your best bet is to use Mailvelope to incorporate PGP encryption. It’s still a hassle to use, though, compared to Tutanota and the others who do the encryption for you automatically.
I realize that switching email providers is a big deal (as far as these things go). But notifying people that you’re switching to an encrypted email provider sends a message people desperately need to hear. Overcoming mass surveillance is more of a motivational challenge than anything else. Mass surveillance is packaged as just another news item to shake your head over. But personal action is the only thing that will inspire others to take it seriously. Mass surveillance is not a news item. It’s a silent war being waged against us.
When you choose an email address, consider not basing it on your name. There are constant security breaches at companies resulting in email addresses getting lifted along with other potentially embarrassing info. If your email address also reveals your name, it gives bad guys another piece of data to work with in taking you apart.
STEP 10 — USE A QUALITY OFFSHORE VPN
Why: You have an ISP who provides you with internet access. The problem is that ISPs monitor and record your activity online. Net neutrality will only intensify the monitoring as ISPs are turned into government regulated utilities.
The same monitoring happens when you’re at a coffee shop, airport, hotel, or other public wifi. But at those places it’s even worse because anyone with technical skill can monitor what you’re doing in addition to the ISP.
That’s where a VPN comes in. It stands for Virtual Private Network. The main benefit it offers is to encrypt your Internet traffic. Neither your ISP nor the creepy guy at Starbucks will be able to track what you do online.
What to do: Choosing a good VPN is key. This is the one step in this guide where I urge people to avoid the free route. There are free VPNs, but they are slower and typically have lousy privacy policies because they target you with ads to compensate for the VPN being free. VPN services require substantial capital investment, so you really want to be a customer rather than the product for advertisers. It’ll cost around 15-20 cents per day. Hugely worth it for the security benefit.
What you want is a reputable VPN that uses strong encryption and a “no log” policy. You also want the VPN to be based outside the U.S. Otherwise the company can be legally gagged and crushed like Lavabit. I suggest choosing one of the VPNs from the list provided here.
ESSENTIAL SECURITY PRACTICES
Congratulations on taking action! The process of hardening your security gives great perspective on just how insecure our digital lives are. No wonder we’re constantly hearing about security disasters.
The following practices are for the most part quick and simple to adopt. They can save you untold grief.
Prevent social engineering attacks. “Social engineering” is when a bad guy calls an account or customer support rep (typically) and convinces the rep that the impostor is you, thereby getting access to your account. This happens all the time. (Skillful bad guys do their homework on their targets and call with your address, phone, social security number, etc. in hand. They are highly convincing.) Prevent this type of security breach by calling your cell phone, cable, and Internet providers and telling them you want to secure your account with a 4-digit code or a password.
By the way, if you’re tired of paying for Microsoft Office, switch to the free and open source LibreOffice. It reads and writes Microsoft Word, Excel, and PowerPoint files.
Recognize when “free” is a trap. Bad guys know that free things are enticing. There’s a lot of wonderful free and open source software (FOSS). But there’s even more free software out there that despite promising great benefits is malicious. Exercise caution and do some web searching first to see if a program is malware before you try it out. A little due diligence can quickly confirm what’s legit.
The same warning applies to free reports or books sent as pdf files or Word docs. Typically they promise to deliver health, sex, or money-making secrets. Documents can have malware embedded in them, as can the sites that promise to give you access to them.
Uninstall Adobe Flash. I suggest uninstalling Flash and seeing if you even notice it’s gone (Windows uninstall, Mac uninstall). Why? Because it’s constantly revealed to have “critical vulnerabilities” as Adobe puts it. If you decide to use Flash, make sure you keep it up to date because it’s been constantly plagued with security flaws and secret exploits.
If you’re determined to use Flash, the installer will try to slip in McAfee Security Scan during the installation. The installer annoyingly opts you in by default because Adobe gets an affiliate kickback. I suggest not allowing McAfee to be installed (uncheck the box). It’s a crippled version of McAfee’s paid product that will say your computer is at risk until you purchase it, and it’s a pain to uninstall. If it slipped by you already and you want to uninstall it, here’s how.
Cover your webcam when you’re not using it. Even five years ago public school employees were remotely turning on web cams and secretly recording students at home. Plenty of malware and commercial stalkerware out there does the same thing. Most desktop computers don’t have a camera or microphone, so you can disable them both just by unplugging your webcam when you’re not using it. And that little dot above your laptop screen where the camera lens is? Cover it up with a bit of post-it note or black electrical tape. It takes 3 seconds to cover and uncover the lens, so just groove the habit. Unfortunately there’s no easy fix I know of to physically enable and disable your laptop’s mic.
If you have an Android device, here’s an inexpensive app that can disable your camera and microphone, which can be remotely activated and used as a surveillance device.
Use two-factor authentication (2FA). 2FA uses two security tests to permit access to information or physical resources. One example is an ATM card and a PIN code. Another is a password and a fingerprint. The more factors you add, the harder it is for bad guys to crack. Just going from one to two factors provides a huge increase in security. Many mobile devices can take advantage of 2FA. The downside is it’s usually more inconvenient to use. Bad guys are counting on you to be dissuaded by that, so use 2FA whenever you can. Here’s a directory of sites that support 2FA.
Have kids? Parental controls. Kids are a security nightmare. Gold stars to you if you teach them how to behave intelligently online. Just recognize that it’s highly unlikely they will always follow your instruction. Kids are particularly resourceful about things that are forbidden. If they ask you to buy a movie or video game for them and you say no – if they ask at all – they may decide to find it online. Whether or not you approve of that, “free” software is a honeypot for malware.
Bad guys are smart. They’ll offer a “cracked” copy of a video game, for example, but the act of installing it will also surreptitiously install malicious software that can do anything from stalking you to recording everything you type (including passwords) to sending files from your hard drive to bad guys. A lot of malware also turns your computer into a zombie that infects other computers on the web. If you care about not harming others online, use measures to avoid becoming a tool for bad guys to go after others.
Both Microsoft and Apple provide parental control settings for choosing what can be downloaded and visited on the web. There is also free third party software that gives you more options, as well as parental control apps for mobile devices. Consider these options carefully unless you have full confidence in your kids and their friends.
Encrypt individual files and folders. There are lots of reasons for encrypting individual files or folders. Maybe you need to email files to people who use insecure (unencrypted) email like Gmail or a corporate email address. Maybe you want to put files on a USB stick and take them someplace. Maybe you need to upload files to somebody’s Dropbox or Google Drive account who is unwilling to switch to SpiderOak. Maybe you want a person or organization to have files in their possession but not be able to access them until a certain event happens like an accident. Maybe you want to back up a big directory full of files and keep it at a location that’s handy but not secure like the desk of an apartment filled with roommates. Or maybe you just want an extra layer of protection for very important files in case somebody accesses your computer when you’re logged in and your hard drive is decrypted.
Whatever the reason may be, there are several free programs for encrypting individual files or folders. To encrypt a file or folder full of files, I suggest the free and open source 7-zip on Windows or Keka on Mac. Both programs compress your files but also give you the option of encrypting them. There are different compression formats those programs can use like 7-zip, zip, and rar. I suggest using 7-zip format because it’s Mac and Windows compatible and the compression is good. Here’s a quick how-to for both programs. Just remember compressing files won’t encrypt them by default; you also need to enter a (strong) passphrase. After you encrypt it the name of the file like “MyAccounts.7z” or “SurpriseVacation.7z” will still be visible.
Deleted files aren’t deleted until you shred them. Any file you delete isn’t actually deleted when you trash it. All trashing it means is that you’ve given permission for the file to be overwritten. To make sure that the empty space on any storage device is actually empty rather than filled with your deleted files, you need to use a program that writes dummy data over your real data a few times. A program we’ve already used, CCleaner, does this (use at least 3 overwrites). On Windows another option is Eraser, which is open source. An even more comprehensive one is BleachBit. Mac users can shred deleted files by selecting Secure Empty Trash. More details on Mac file shredding here.
Securely deleting files on SSDs (used in mobile devices, lots of laptops, USB thumb drives, and many desktop computers) is a no-go for technical reasons. That’s why it’s all the more important to make sure the drives are encrypted. If you ever want to sell or give away your Android or iOS device, do a factory reset. The encrypted data will still be there but the encryption key will be erased, making the data unrecoverable.
Privatize your purchases. Your credit card transactions are recorded and distributed to multiple government agencies. As with tech companies, the government is a direct customer of the credit agencies who give them your financial information. Like surveillance-based social media, you are the product, not the customer.
A running record of every transaction you make along with when and where you make it is a mass surveillance wet dream. Like uploading your photos to Facebook, every credit card transaction helps weave the mass surveillance net. I don’t deny the convenience of credit cards or the benefit of “points.” But as with social media, the price is hidden but high.
Use cash when you can. It’s still relatively private, which is why the government hates it. But know that having a few thousand dollars in your possession makes you a criminal suspect. If found, your cash will likely be confiscated. Its use is gradually being outlawed and several countries are rapidly going cashless.
Also know that if you try to withdraw a few thousand dollars out of your bank account you will likely be questioned and have a Suspicious Activity Report filed with the government. The same thing goes if you try to deposit a sizable amount in your account.
Precious metals are also difficult for the government to track. While they can be a great way to hold onto your savings in a zero-interest QE-driven world, the problem is it’s difficult to purchase things without resorting to barter.
So how to deal with the fact that withdrawing or holding cash in meaningful amounts has become a serious liability? More people every day are turning to non-government digital currencies. These non-government currencies are called cryptocurrencies because they are secured against counterfeiting through their use of cryptography. The most popular cryptocurrency is bitcoin.
There are many good reasons to use cryptocurrencies. The first is that you have monetary independence and privacy. You don’t have to fill out bank forms or get permission to access your money. You can send money anywhere in the world instantly without forms or questioning, and it costs only a few cents in fees. People who work abroad and send money home typically pay 10% in remittance fees. The compound savings by not getting clipped 10% every time is huge.
Hundreds of thousands of items can be purchased with bitcoin, including the recommended VPNs in Step 10.
The second is security. Accounts can be locked down and siphoned for bail-ins. Cash can be lost, stolen, and seized. You cannot walk around with a substantial amount of cash without making yourself a target. That is doubly true if you travel, where carrying $10,000 on a plane effectively makes you a criminal suspect.
You can carry any amount of cryptocurrency in a secure “wallet” on your phone, computer, USB thumbdrive, or even your camera’s flash card without anybody seeing what you have. Your wallet can be backed up the same way you would back up any computer file. If your phone or computer gets stolen, the money can’t be spent without the key to your wallet. You can copy your wallet to as many places as you want and even print it out as a paper wallet. You also can split your money into as many wallets as you want and store them in different places if desired.
For the ultimate in portability and security, you can use a brain wallet. A brain wallet means that access to your money is literally only in your brain via your passphrase. There is no other way to access your wallet (so don’t forget the passphrase!) You can cross any border with just the clothes on your back while “carrying” any amount of money with you.
While bitcoin transactions are not systematically identity tracked and reported to corporations and government agencies, bitcoin purchases are not truly anonymous. While your name isn’t attached to purchases, the purchases themselves can be traced. There are techniques for anonymizing bitcoin, such as mixing. Another option if you want to make anonymous purchases is the DASH cryptocurrency, which is specifically designed for anonymity.
The third reason is cryptocurrencies allow you to hold your savings in a currency that is not being systematically counterfeited (the government term is inflated). Cryptocurrencies are new, so the primary risk in using them is volatility. Volatility can work for or against you. People love upside volatility; downside volatility is what makes people nervous.
The way to deal with volatility if it worries you is to dollar cost average (DCA) your cryptocurrency purchases. If you wanted to own, say, $5,000 worth of a cryptocurrency like bitcoin, you could DCA the purchases by buying $1000 in bitcoin per week for 5 weeks, for example. Or $500 per day for 10 days. The more you spread it out, the more volatility is reduced.
Lastly, use bitcoin out of principle. The government derives its power to do all the objectionable things it does from the monetary system. Fiat currency can be created in any quantity by the government at any time and at zero cost.
Given the government’s ability to create money instantly at zero cost, tax collection today is mostly about social engineering. Paying taxes maintains the illusion that fiat money is scarce and therefore valuable. Yet with every additional trillion dollars that it snaps into existence, the government enriches itself while eroding the purchasing power of savers who treat the dollar as an article of faith. The fiat story never has a happy ending. Nobody is going to end (or audit) the Fed, but cryptocurrencies enable us to largely ignore it. That is truly liberating.
Torrent carefully. If you’ve never used Bittorrent, you’re missing out on a ton of quality content that is absolutely free. Bittorrent is a way for people to efficiently share files of their choosing with anyone else in the world. Many people think bittorrent is only for downloading copyrighted material like movies, TV shows, and music, but there is plenty of copyright-free content on bittorrent.
Whatever you download, be careful. It’s easy to download files that have been shared with the purpose of injecting your system with malware. If you’re going to use bittorrent, here are a few suggestions:
Use qBittorrent for your client. It’s open source, unlike the popular but closed source utorrent. For increased security use IP filtering and anonymous mode. For even more security use it with a VPN service that permits bittorrent use. (All the VPNs recommended in step 10 allow bittorrent use.) Using qBittorrent with a VPN will prevent your ISP from monitoring your qBittorrent usage.
Media files like mp3, mp4, avi, mov, and flac are safe to download. They don’t carry malware infections. I recommend playing media with VLC Player. It’s fast, free, open source and doesn’t spy on you.
Don’t download any software from bittorrent unless you trust the source or really know what you’re doing. Anything that requires installation (like an .exe file) is a big security risk. If you have kids, they may (will) download games from bittorrent which are likely malware carriers. (Just because a game runs properly doesn’t mean your computer hasn’t been loaded with malware.) To make matters worse, the directions for much of the software you see on bittorrent sites tell you to disable your anti-virus during installation. It’s true that anti-virus software can impede installation of some software, but disabling it for an untrusted source is a great way to get slammed with malware.
Grow your knowledge – Once you feel comfortable using the security measures in this guide, I encourage you to investigate other ways to increase your protection. Liberty.me’s free privacy guide has some good advice that goes beyond online protection of your identity.
For more online security measures, this guide is a solid next step. Note that it’s still a beginner’s guide, which gives you an idea of how much can be done. It’s wise to remind ourselves as security beginners that we’ve only taken basic steps. This guide also offers some more in-depth advice when you’re ready. Both cover using your VPN in combination with TOR. There is a performance hit to your browsing speed, but you get substantially more privacy. Just don’t take the anonymity claim on the TOR web site as literal. There’s no such thing as bulletproof anonymity online, though when you use TOR properly, you can achieve an extremely high level of security that requires very sophisticated adversaries to defeat.
Donate – Many extraordinarily talented, principled, generous people who understand the horrific implications of mass surveillance work ceaselessly to provide free, open source solutions to protect us. I encourage you to send a market signal that their heroic work is sincerely in demand and appreciated. In other words, please donate here or to whatever open source projects you use. Also consider supporting critical resources that journalists, activists and whistleblowers depend on like SecureDrop, TOR, and Tails. They require continual development to keep pace with mass surveillance expansion. Without these resources we’d be in the dark about what’s being done to us.
Snowden is one of many who have risked their lives to expose mass surveillance and the other awful things regimes do in secret. As mass surveillance technology advances, if the tools to fight it don’t advance then resistance will become impossible. We depend on the ongoing diligence of skilled coders in a very real and urgent way.
Ok, I gotta ask. Did you skip some steps because you made a value judgment about your life? Maybe you decided to stick with Dropbox since you only put family reunion photos or cooking recipes there? Perhaps you didn’t switch to encrypted calls and texts since you think whatever you have to say will be met with indifference by those who record you.
Every bad guy and every regime banks on you thinking this way so that you don’t take action. Mass surveillance depends on mass indifference. It’s not about whether files are sensitive or whether you’d share them with someone who politely asked to see them. It’s about your power to give permission. It’s about control. Universal control. Snowden wasn’t mincing words when he risked his life to expose the greatest weapon of oppression in the history of man.
When it comes to mass surveillance, principle is inseparable from risk. If you choose not to act, everything can and will be taken without permission. Whenever down the line you decide things have gotten insufferably out of control, it will be too late to do anything. Ignoring ugly truths is how we end up looking back and wondering how things got so bad. Don’t fall for it. If you haven’t already, please act now.
Gratitude for Alan Turing
Encryption is what empowers us, the governed, the peaceful outlaws. Without it we would have no shelter from the shadow of criminality politicians have cast over us.
What breathtaking irony that the means to protect ourselves is owed to a heroic criminal named Alan Turing. The father of computer science and mastermind of cryptography, Turing broke the Nazi regime’s “unbreakable” encryption code, Enigma.
After providing the British government with its single most powerful weapon – the means to know everything the Nazis were going to do in advance – Turing was prosecuted by the regime in 1952 for being homosexual. The man who saved millions of lives by shortening war – that greatest of government abominations – was a criminal.
Turing pled guilty to the crime. As punishment the government ordered him to be chemically castrated in a series of brutal medical treatments which led to his suicide two years later.
This man was a liberating force for humanity. We owe him our deepest gratitude.
Parting Thank You
The Internet is the most powerful tool we have to inform, protect, and help ourselves and others. By taking action, you are materially advancing the cause of human liberty. Our own psychology is the biggest risk in determining our fate. Will we succumb to learned helplessness? Or will we quietly and with determination cut the noose from our necks?
Together we can thwart those who seek to dominate and control. Let’s take care of ourselves, help others wherever we can, and turn away from fear, the eternal enemy of freedom.
I plan to keep this guide updated with improvements and suggestions. I can be reached at bananas (at) tutanota.com. Check out my new book on living a free life. Thank you for reading and good luck.
All text herein is free to use and published under the CC0 public domain license. All other images are displayed under the Fair Use terms of non-commercial use for commentary, criticism, and education. My other writing is here.