Updated 18 June 2015
These suggestions are primarily aimed at a British audience. However the majority apply to people across the globe that find themselves in need of greater security, privacy and anonymity for their electronic communications. They assume that your computer is running a version of Microsoft Windows, but again the suggestions can apply to other operating systems that have similar software.
There is no such thing as a 100% secure communication over an electronic medium such as the global internet or telephony network. Many of the suggestions here do provide varying levels of security, privacy and anonymity (SPA). When these tools are implemented properly and used in conjunction with each other, you will greatly improve your personal SPA. By covering your tracks, you can reduce your chances of being on the receiving end of any unpleasantness. Needless to say, great care must be taken in your communications. Even with all the security in place, your SPA can still be compromised by the use of weak passphrases, the opening of attachments from unknown senders and careless revelations of identifiable details. The user (i.e. you) is often the weakest link. Do stay safe by practising safe computing.
Before we can consider security on mobile devices it is worth making some changes which can make things easier during subsequent steps. Although this step is optional, it is recommended.
The majority of mobile devices run either the Apple iOS or Google Android operating systems. You need to start by updating your phone contacts. If they are linked / synchronised with an email address (eg. GMail), then it is best to log in to your email account (on a PC) and update your contacts from there. All changes will then propagate to your linked devices.
To update your contacts, ensure that you change all mobile (and landline) numbers to the proper international format. For example, if you take the full British mobile number ‘07123 456789′, then you need to do the following to it:
a) Drop all leading zeroes
b) Prepend the relevant country code
c) Remove all white spaces from the number
So in our example, the British number ‘07123 456789′ will be updated and stored as ‘+447123456789′. This is the preferred format because there is no longer any ambiguity to its origin or destination messages / calls. Even if the handset sends or receives any communication from anywhere in the world, it can still function properly. Update the telephone numbers for as many of your contacts as you can. Get into the habit of storing numbers in this format. This is the only tedious step, it will take some time (depending on the size of your contacts), but well worth it. Also make a note of your own number in this international format, you’ll need it later.
It is highly recommended that you encrypt your mobile device if possible. Again, this may take some time, you may want to ensure your device is charging during this crucial step and it shouldn’t be interrupted.
Ensure all of your apps are up to date and that any software or operating system updates have been applied. These include much needed security fixes.
Use the following apps:-
* SIGNAL – Private Messenger
Created for iOS devices, this is a free, open-source, secure messaging and secure calling app by Open Whisper Systems (whispersystems.org).
* TEXTSECURE Private Messenger
Created for Android devices, this is a free, open-source, secure messaging app by Open Whisper Systems (whispersystems.org).
* REDPHONE :: Private Calls
Created for Android devices, this is a free, open-source, secure calling app by Open Whisper Systems (whispersystems.org).
There are plans to unify TextSecure and RedPhone on Android into a single app, to bring them into line with their iOS counterpart. Note that these apps are meant to replace your existing messaging or calling apps. You would need to go through a simple registration process using your own mobile number (in the international format). Be sure to use the default settings, then you’ll be good to go.
Three further apps to note for your mobile devices are KROWD, ORBOT and PUSHBULLET. The first is a new secure social networking platform (krowdthink.com). The second allows you to route your internet browsing over the TOR network, while the third allows you to send and receive push notifications between your contacts, other mobile devices and your computer’s browsers when this app is installed and linked.
Another useful app is LOOKOUT (https://www.lookout.com) which can help trace your phone, backup its location or remotely wipe it to prevent your information from being disclosed.
DESKTOP / LAPTOP COMPUTERS
If you are truly concerned that your privacy may have been compromised, do not use your own computer. Go to an internet cafe or other public service such as a library and use the computer there if you can. Otherwise you should be reasonably safe by using your own computer with the following suggestions.
Ensure that you are not using a version of MS Windows, this is a relatively unsecure set of Operating Systems. Try to use a secure distribution of Linux such as ‘TAILS’, which can be copied to a USB drive (or optical media such as CD, DVDs, etc) and run on any computer. There are many Linux distributions that allow you to fine tune their security (eg. SELINUX) with many tutorials online. Do take the time to learn about open-source operating systems, they frequently have software that greatly aids your SPA.
Otherwise if you’re running Windows, do ensure that you have encrypted your hard drive (or at the very least the partition / drive that holds your personal files). You can use DISKCRYPTOR (https://diskcryptor.net) or BITLOCKER (http://www.howtogeek.com/192894/how-to-set-up-bitlocker-encryption-on-windows).
If you have access to the router and can update its settings, do log in to it using your computer’s web browser and note the existing DNS IP addresses and write these down in case you need to undo this step. These would be the addresses for your ISPs DNS. Change the existing DNS IP addresses to ones provided by OpenDNS (opendns.com):
Be sure to save the updated router configuration. You may have to restart your router.
If you do not have access to your router or can not update its DNS IP addresses, then you should use DNSCRYPT (dnscrypt.org). Essentially this involves installing and running a background service process on your windows computer that bypasses your ISPs DNS whenever you use your browser. The instructions (http://www.thewindowsbulletin.com/how-to-encrypt-dns-queries-in-windows-226) are straightforward and when the service is set up and running, will not need any further input from you even after the computer is restarted.
A good free firewall such as COMODO FREE FIREWALL (https://personalfirewall.comodo.com) will help keep out any intruders.
If you want to make use of the Cloud to store your personal files, then opt for zero-knowledge services like SPIDEROAK (spideroak.com) or TRESORIT (tresorit.com). Once installed on your computer, you will be allocated some free space to which you can transfer / backup files (etc). They will then be automatically synchronised with your secure, remote storage.
To make use of the various anonymisation networks, you can install either the TOR BROWSER BUNDLE (torproject.org) or make use of I2P (geti2p.net). They may need some configuration but they are recommended if you wish to conduct your online communications anonymously, away from the prying eyes of your ISP or other surveillance efforts. Take great care to configure them as a ‘Relay’, not as an ‘Exit Node’. There is a newer tor client named ASTORIA that is an especially hardened tor client, there is yet an implementation of it, be sure to use ASTORIA as soon as it becomes available. Be mindful that these anonymisation networks are not designed for transferring huge amounts of data, bandwidth is limited.
A very useful application is BATCHPURIFIER (http://www.digitalconfidence.com/BatchPurifier.html). This tool can help remove your hidden information or metadata from multiple files (eg. photos or images). The metadata can be used to trace when, where and how the file was created (among other things). Removing all this information from files before you store or share them will greatly aid your security, privacy and anonymity (SPA).
To hide your messages in other files, you can use free steganography software like OPENSTEGO (openstego.sourceforge.net). You can then share these files by first uploading them to an anonymous service (see below).
Another great application is KEEPASS PASSWORD SAFE (keepass.info). This is a free, open-source password manager that lets you store your many passwords securely. There are app versions for Android and iOS for use on mobile devices.
Email is a very important service for many reasons. Presently there are many email service providers that offer varying levels of security. However, they all suffer from one significant flaw: their metadata is sent with the message in clear text. This does not bode well for your SPA. This is a consequence of the current set of email protocols being many years old with security more of an afterthought. As a result of the recent events surrounding the Snowden revelations, efforts are underway to completely redesign email for the modern era with intrinsic security, the fabled ‘Email 3.0′. The Dark Mail Technical Alliance (darkmail.info) is leading the effort. This is ongoing (as of May 2015), but the protocols have a name: ‘Dark Internet Mail Environment’ (DIME). When email services adopt this secure protocol, it is highly recommended that you sign up.
But what if you can not wait for the new DIME email services? There is a simple trick that you can use to communicate using any email service. Here’s how it works:
a) Person A registers with a new email account and notes the login credentials (ie. username and password).
b) Person A logs in and drafts a message, but does not send it. The message is saved in the drafts folder.
c) Person A logs out.
d) Person A hands over the login credentials to their trusted contact Person B, in person.
e) Person B then logs in to the same email account.
f) Person B can then read the saved message in the drafts folder, then deletes it.
g) Person B replies by creating a new message and saving that into the drafts folder.
h) Person B logs out.
i) Person A can then log back in and reads the saved message before composing a reply to Person B, and so on.
This communication can take place without a single message being emailed across any server or domain, leaving no trace. It just needs the contacts to access the same email account and some degree of coordination between them. If you do sign up to web mail services (eg. GMail) be mindful that there are many plugins that can be installed to improve security:
* GMELIUS FOR GMAIL
Also, remember to change your GMail settings to disallow tracking. There are many helpful tips available online, specifically how to improve your email’s SPA.
Your browsers are important too. The five most common or major browsers are Internet Explorer, Google Chrome, Mozilla Firefox, Opera and Safari. It is recommended that you use either Chrome or Firefox. Be sure to keep them updated and configured properly for security:
* CHROME – chrome://settings/ – Privacy section – Content Settings (set all to the recommended options, except check block third party cookies, do not allow any site to track your physical location, do not allow any site to disable the mouse cursor and do not allow sites to access your camera and microphone) – Clear Browsing Data (obliterate from the beginning of time all options) – Password (do not enable password auto fill) – System (do not continue running background apps when browser is closed).
* FIREFOX – Tools > Options – Privacy (Firefox will never remember history, clear history (everything)) – Security (saved passwords – remove all) – Advanced > Network (clear web content and offline web content).
Also in Firefox, type the following into your browser’s URL: ‘about:config’. Then proceed to search for the following: ‘privacy.trackingprotection.enabled’. Right-click this and click ‘Toggle’ in the small menu. This should change the value to ‘true’. This is a hidden setting that enables true tracking protection in Firefox.
Be sure to set your home pages in all browsers to DUCKDUCKGO (https://duckduckgo.com) and also bookmark the following site:
This site lets you send self-destructing messages and files to your contacts, anonymously. A facility for encrypted chat is also available. This is purely browser-based, no installation of any software is necessary.
In each browser you should search for and install the following extensions / add-ons / plugins:
* GHOSTERY – prevents tracking
* PUSHBULLET – push notifications to any linked device
* ADBLOCK PLUS or ADGUARD ADBLOCKER – blocks annoying ads that track you
* BETTERPRIVACY – blocks uncommon cookies
You should also install free extensions that are anonymous VPNs such as:
This lets you route your browsing activities through remote proxies located in foreign countries. Do not access your email or financial sites through them. Do not use any untrusted proxy with handling your personal business (ie. those that require login credentials). Take great care not to channel any personal information through them. Use for browsing only. Some are more secure than others, but always exercise caution.
Ensure that whichever browser you use, you are familiar with its Incognito Mode and that it is set up to clear its cache automatically when the browser is closed. I would strongly recommend the OTR.TO (https://otr.to) site for secure and anonymous real-time communication with self-destructing messages and file sharing through any browser, bookmark this now.
SKYPE privacy settings (or other voice calling software on your computer), should be updated (Skype > Privacy…) to disallow the saving of cookies, targeted ads and keep no history. Clear the history periodically and take care to accept IMs or calls from trusted contacts only. Limit how much of your personal information is visible online. Ideally this software should not be used. Included here due to its ubiquity. Use JITSI (https://jitsi.org) instead.
There are many tools to improve your SPA. The ones listed here are highly recommended and there are equivalents for other operating systems. On mobile devices, the apps from Open Whisper Systems are critical for your security and privacy. On computers, many tools can be installed but some websites like OTR.TO can be accessed by any browser. Do check your browser’s security settings and clear your cache / history periodically. Ensure you sign up to a DIME-compliant email service when that becomes available. Use of OPENDNS (either on your router or by using DNSCRYPT) and ASTORIA (when available) is highly recommended. Harden your Facebook (social media) privacy settings by placing your friends in distinct groups and setting their permissions accordingly (http://www.techlicious.com/tip/complete-guide-to-facebook-privacy-settings).
After emptying your computer’s ‘Recycle Bin’, you may use some useful windows commands, eg. CIPHER ensures that no deleted file in a directory can be recovered (http://www.howtogeek.com/168896/10-useful-windows-commands-you-should-know). There are many web sites that will guide you to free software and services that aim to protect your SPA (eg. http://www.techsupportalert.com/content/free-windows-desktop-software-security-list-privacy.htm). There are also many portable apps, do search for them and use them as they help you cover your internet tracks.