A How-To Guide for Whistleblowers, Journalists, And Privacy Advocates
|May 7||Public post|
The Highest Stakes…
This post’s been brewing for a while now. It combines almost every approach I’ve researched in regards to security, privacy, and maintaining anonymity in our world of corporate and government oversight. It dawned on me as I was writing my Firewall series on Medium that the most vulnerable among us needed a simple how-to guide on setting up a safe and secure communication device. This post is the culmination of that idea.
First, it’s worth reminding ourselves why this guide is 100% necessary:
There are those among us whose desire for free and unmonitored communications results in arrest or imprisonment. There are those among us who are imprisoned simply for speaking out against their government. Hundreds of journalists who attempt to share vital information with the public have been imprisoned recently. Or outright murdered. With life and death on the line, the stakes are very, very high.
Preparing for Battle
To begin, we’ll need to understand that a truly secure communication device not only requires specific hardware and software, but it also requires specific guidelines for when how, when, and where users should attempt to use that device. I’ll cover all of that in the next section. Just know: you’ll need to use and treat your secure communication device VERY differently than you would your cellphone.
Next, we’ll want to assume that our adversary has the time, intelligence, and money they need to get what they want from our communication device. Our goal is to make that mission impossible. To do so, we’ll need to understand how our adversary works and then build that into our security approach.
For example, using the application Signal isn’t enough. Yes, Signal uses a very secure technology called “end-to-end-encryption” (or E2EE) to protect all user messages from prying eyes. And yes, E2EE is so secure that even if Signal wanted to spy on users of its own platform, it couldn’t. But your adversary already knows this. Hackers who really want to target you will instead look for methods to circumvent that block. One of the easiest is to try to compromise your entire cellphone or computer, also known as an “endpoint”. Once an adversary has used malware to control or observe your endpoint, then they can see your messages before they are unencrypted.
Therefore, for those in the most dire of circumstances who are looking to have the most secure possible communications, I’d advise the following ground rules to best prepare for doing battle against any unseen and dangerous foe.
The Ground Rules
Purchase a second smartphone as your secure communication device. If you’re on a budget, buy an older, used model from a reputable source. Apple sells refurbished iPhones. So does Gazelle. Use your main smartphone for all of life’s normal, unsecured stuff like social media, email, online shopping, and casual text messages; ONLY use your second smartphone for secure communication — nothing else.
Ensure your second device an iOS device. While some of you will balk at this, Apple’s iOS is — by far — safer than either Microsoft’s Windows or Google’s Android. These results have been confirmed by others. Repeatedly. And then again. And then again.
Only install the base OS and secure messaging apps on your “secure iPhone”. Fully erase any new or used iPhone you purchase before installing iOS—only iOS 9 and later—and your security apps. Never install any email, social media, transportation apps, online shopping or banking apps or establish any connections to iCloud: INSTALL NOTHING BUT IOS AND SECURITY APPS. Sorry for shouting, but that last point is super important.
Set a long, complex password on your secure iPhone. If you don’t know how to enable a longer password, here’s a simple how-to-guide.
Disable TouchID and FaceID. Never, never, never, NEVER allow your biometrics to unlock a device: that’s a gift to your enemies. Yes, that’s an inconvenience for you, but so is being jailed or killed.
Disable your secure iPhone from collecting your geolocations. Turn off the “Significant Locations” setting on your iPhone. To find this rather buried preference, Open the “Settings” app and tap through to Privacy -> Location Services -> System Services -> Significant Locations. Shut it off.
Purchase and use a security screen for your secure iPhone. This will reduce the ability of others to see what’s on your screen. Privacy screens exist for iPhone X, iPhone 6/7/8, iPhone 5’s, and earlier.
Ensure that your home network is secure. I can’t guarantee which internet router you keep in your home, but I can guarantee that you should make changes to your router to make it more secure. Most home routers are made by a handful of companies. Find the make and model of your router — usually printed on the side or bottom of the device — and then visit the website that supports the router you purchased from Belkin, Netgear, Cisco, Asus, TP-Link, or Motorola. Those websites provide the documentation to show you how what I’m now asking you to do:
Change the default password on your router to something long, unique, and memorable only to you.
Update your router software, also known as its firmware.
Disable remote access to your router.
For wireless connectivity, only use the option for WPA2 AES encryption. As it becomes available on your router, use WPA3, an even stronger encryption.
Change the name of your wireless network name (also known as an “SSID”) to NOT include your name, address, or other notable information.
Hide your wireless network from being broadcast.
Disable all Wifi Protected Setup (WPS) and Universal Plug and Play (UPNP) features on your router.
Shut off your router when you go to bed or when you leave home. I’m bolding this because it’s super important.
Establish two wireless networks in your home: a main network that only you can access and use and a second network — a guest network — that your visitors can access.
Ensure your home is free from all bugs and snooping devices. First, throw away all Amazon Alexa and Google Home devices. Now: out the door. The Alexa devices can record and send sound files without your permission and the Google devices, well…Google has secretly installed a microphone in a physical device (Nest). Who would believe that they have never turned it on? Or maybe just 'accidentally', like with Streetview cars and wifi interception ... Will anyone investigate?
Frederik Borgesius@fborgesius"Google says the built-in microphone it never told Nest users about was ‘never supposed to be a secret’" https://t.co/6oZW16A414
Next, if you have any reason to believe that you’re being surveilled, monitored or bugged, purchase an affordable bug sweeper. These handheld devices can be used sweep your home, hotel room, car, or any other location for hidden cameras, microphones, or other bugs that operate using radio frequencies.
Only use your secure iPhone at home, if possible. Now that you’ve got a reliable and more secured home and home network, use your secure iPhone there. You have far more control over your home network and your physical home space than you do any other network or space. Use that to your advantage.
If you must use your secure iPhone in public, be smart. When in public, be aware of who might be able to see your screen or hear your voice. Reduce or eliminate exposure by maneuvering smartly: sit where there’s a wall behind you; don’t use Siri; only communicate via text, no voice or video chats; consider checking your messages under the table.
Find and use a reputable and safe VPN. If you live in under an oppressive regime, then you might need a VPN to even download some of the apps I’ll recommend, let alone use them. This is most likely true for citizens of China, Egypt, Cuba, Oman, Qatar, Russia, Iran, and the UAE to name but a few. Read my piece on how to choose a proper VPN and then, please: use it smartly. Also, use it constantly to provide yet another layer of encryption.
For secure messaging, use Signal. Signal is the industry leader in E2EE messaging. Think Signal messages as a kind of super secure text message that only you and your intended recipient can read. Download the iOS app here. It’s free. Then, learn how to use the app safely here. And remember: never use the Signal desktop application on your computer. Never. Your job is to have one device — only one! — from which you send secure communications. That device is now your secure iPhone, not your much-easier-to-hack desktop computer.
For secure emailing, use ProtonMail. ProtonMail is one of the industry leaders in secure emailing. ProtonMail emails sent between two users can only be read by those users. Download the iOS app here. It’s free. Then insist that anyone who wishes to contact you via email ALSO use ProtonMail.
Disable all lock-screen notifications. Yes: all of them. There’s no sense in allowing someone who walks past your phone to casually see notifications popping up on your lock screen from that secret informant you have at The White House or The Washington Post. That defeats the purpose. Here’s a simple guide for iOS devices.
Leave your secure iPhone powered off when not in use. Airplane mode doesn’t count here: the device must be powered down. If this sounds extreme, consider: top hackers can pull information from a device if it’s powered on.
Never leave your secure iPhone unattended. Have to shower? Purchase a waterproof case and bring it in with you. If that sounds absurd, then consider buying a safe and leaving your secure iPhone in there — powered off — when not in use. If an adversary has easy physical access to your device, then all of the safety and security you’ve worked so hard to achieve will be for naught.
Never bring a cellphone to a secure or private meeting. It is now commonly understood — and this EFF document makes it 100% clear — that your cellphone tracks your location. And more. Therefore, if you have an important meeting with a confidential source, don’t bring a cellphone. In fact, don’t bring any electronics. Go old-school: and grab yourself a paper and pencil.
Bonus advice for my advanced readers: setup a firewall device for your home network. A firewall is a kind of software or hardware that sits between the open internet and you and helps to protect you from the most common kinds of online attacks. While software firewalls can be effective, hardware options are considered more powerful and far faster. Some devices also offer features such as the ability to connect back into your home network with a VPN. Models like this Zyxel are considered among the best in class for home networks and run around $400. Models that cost closer to $200 — such as this BitDefender 2 model — are also well-reviewed but have fewer features. Entry-level firewalls like the CUJO2 are very easy to setup but lack some of the more advanced features that some people might prefer. Pro tip: buy a used model to save money.
I’ll caution — as I always do — that all security and privacy is based on best efforts, best research, and best practice. Nothing is 100% safe. That being said, I think this list of recommendations is easy-to-follow and easy-to-implement for most people.
The biggest caveat of all: it takes a financial investment to purchase the gear you’ll need to accomplish the goals I’ve laid out: a new or used iPhone, a bug sweeper, a screen protector, a reputable VPN provider and, perhaps, a firewall. I understand this makes it difficult or even impossible for some people to participate in what I’ve laid out.
I find that to be truly awful: it shouldn’t cost money to be guaranteed free and private communication. The sad truth is that it does. If you have the money, I hope you’ll consider my suggestions and invest wisely. If you don’t, then I hope you’ll save and pool funds with friends. Perhaps, there’s an opportunity to share a device together.
What Did I Miss?
Do you think I’ve missed something in my setup? Let me know! Leave a comment or drop me a secure email via ProtonMail.