Seven Tips for Keeping Your Data Out of President Trump’s Grasp

How to protect yourself from an eavesdropping administration

Donald Trump’s victory this past Tuesday has left many feeling hopeless, helpless, deeply anxious and straight-up scared, but almost as soon as the final results came in, people started coming up with concrete ways to prepare for the country’s radical lurch to the right.

There have been calls to donate to organizations like Planned Parenthood, the Council on American-Islamic Relations, the ACLU and immigrant advocacy groups like the Coalition of Humane Immigrant Rights of Los Angeles. There have been large, loud protests in the streets of New York and L.A., Seattle and D.C. There have been a lot of social media posts about activism, organizing, and not giving up the fight.

And there have been a lot of posts like this:

The idea that Donald Trump, with his low tolerance for dissent and appetite for petty vengeance, will soon be in control of our state surveillance apparatus is understandably scary. Without some kind of encryption, almost every form of communication we have is pretty easy for law enforcement to intercept and track, and everything that gets saved on a server is vulnerable to being either subpoenaed (legally) or hacked (illegally) and then leaked.

But what should we do? Are the tweets going around actually good advice? What’s Tor? What’s Signal? Should we all just burn our phones?

“You can sort of drive yourself crazy trying to protect yourself online,” says Amul Kalia of the Electronic Frontier Foundation, a nonprofit dedicated to protecting civil liberties in the digital world. “So you need to figure out who’s your adversary and what’s your threat model to figure out what kind of precautions and tools you should use in your daily life.”

Every step to make your digital life more secure necessarily involves a little bit of extra work, and an investment of time. You can have a convenient life online, or you can have a totally secure life online, but you definitely can’t have both. So the idea is to find a level of security that meets your needs and that you’re actually willing to commit to. And if you don’t want to deal with any fiddly tech stuff at all, some of the oldest tricks in the book can still be the most effective.

“There’s this fetishization right now, of people saying we’re all gonna turn into hackers and use the newest greatest technology to subvert this government infrastructure,” says Rye Skelton, a programmer and security researcher in Los Angeles. “But there are people all around the world who are avoiding being monitored by these agencies by speaking face to face — just being aware of what you put on your computer or online is already a huge mitigation factor.”

But if you do want to keep communicating online, the EFF has a comprehensive Surveillance Self-Defense Guide on its website that lays out the basics for different situations in customized security “playlists” — including one for activists and protesters and a Starter Pack for total n00bs.

You should read whichever one applies to you in full (there are many, and they are very detailed), but here are a few core takeaways from the basic guides.

Pick good passwords, lock your phone and use two-factor authentication to log in.

All this other stuff just falls apart if someone can guess “1234” and gain access to all of your carefully encrypted messages. So:

Pick good passwords, and use different ones for everything — a password safe like KeePassX can help keep track of them all (but then of course, if someone guesses the password for the password safe, you’re screwed).

Lock your phone using a code, not biometrics — the cops can make you unlock your phone with a fingerprint, but not a numeric code.

Start using two-factor authentication to log in. That way, even if someone has your password, they can’t get in without your phone (which, hopefully, they can’t get into without your code). But beware! Using SMS texts for two-factor authentication is not very secure — use an app like Google Authenticator instead.

If you don’t want anyone reading your texts or listening in on your phone calls (which cops can do in real-time at protests, or whenever they feel like it), stop using iMessage, Telegram, WhatsApp or whatever, and switch to Signal.

Why? It uses end-to-end encryption, meaning the actual contents of your messages just look like a bunch of gibberish to anyone who’s trying to intercept the messages. It’s open-source — which means a lot of people can see how it works, and agree that it’s secure. And even though it does produce some metadata — the type of timestamp, subject line, location, etc. information that the NSA is prolifically tracking and storing — it deletes almost all of it. The FBI demanded that the makers of Signal hand over the metadata of some persons of interest earlier this year, and all they got were the dates and times that the account was created, and the last time the account connected to the servers. Practically zilch. And it’s free! You just have to convince your friends to start using it.

If you don’t want anyone reading your chats, start using Off-the-Record (OTR).

OTR is a chat encryption protocol that works with chat clients like Pidgin (for Windows or Linux), Adium (for OS X), and a handful of others. It takes some time to get going, but once it’s set up, and you convince your friends to start using it, your instant messages will be private.

If you don’t want anyone reading your emails, start using PGP.

It’s a little complicated, but basically you use a password-protected private key to send and receive encrypted emails — no one without the key (which, if your password is good, should be no one but you) can read them. Unfortunately, emails sent this way still spit off metadata, including a subject line, timestamps, and associated IP addresses. So:

If you don’t want anyone figuring out any of the metadata associated with anything you do — like when you sent emails, what IP you sent them from, things like that — start using Tor, and maybe combine it with a VPN.

We are entering the weeds here, folks, but Tor is a free, volunteer-run service that masks who you are by routing all of your internet usage through the Tor network (instead of the normie network that everyone else uses). Most people use the Tor Browser Bundle, which integrates with your normal web browser to reroute you to the Tor network — then you’re just on the internet like normal, except it’s a little slower, and no one can tell that you are you.

A VPN works in a similar way, but instead of logging into the Tor network, you log into the network of a certain VPN provider, and then use the internet as if you were accessing it using their connection. Instead of logging in from Peoria, all of a sudden you’re logging in from London. This is good for some degree of privacy, since the websites you’re using can’t tell that you’re you back in Peoria, but it’s less secure than Tor because the VPN provider itself might not be trustworthy — they still know you’re in Peoria, and they might be compelled to tell someone else, if a government agency (or anyone else) asks. Kalia recommends checking review sites, like That One Privacy Site’s VPN Comparison Chart, to see which VPNs are more trustworthy.

Combining a VPN and Tor is more secure than using either by itself, but at that point your internet starts to get verrryy slooww. And it’s worth noting, if you’re someone who’s already kind of a newbie to this whole thing, that using any service that’s somehow linked to your real name or address or anything while using Tor or a VPN kind of defeats the purpose — if you log into your Gmail using Tor, it’s pretty easy for Google to figure out that you’re still you, just using Tor.

If you don’t want anyone accessing your files, stop saving them in the cloud.

“The cloud” is just a cool term for a bunch of servers in a bunch of buildings somewhere, and every company that runs those servers can be pressured to hand over all the data that you’ve backed up on them. So don’t trust the cloud — back up your own data at home, and encrypt it while you’re at it. OS X automatically encrypts data using FileVault. iOS automatically encrypts the phone as long as you have password protection on. Android has built-in encryption as well, and Windows users can use Microsoft’s BitLocker (it’s a little more complicated, but here’s a link).

Trust no one.

Just kidding! Ha. Good luck out there.