A Cyber Self-Defense Course Against the Police

OpinionsOlivier Sylvestre — Published November 8, 2016

The conference he gave couldn’t have occurred at a better time—in the days prior, it was revealed that the Service de police de la ville de Montréal and the Sûreté du Québec had been spying on journalists.

The revelations of police surveillance on journalists across Quebec are highly disturbing, but not only journalists need privacy. Privacy is necessary for freedom of the press, freedom of thought, and freedom of speech.

Aside from bringing police forces to court and advocating for legislative changes, taking steps to protect your own privacy is your most effective weapon against surveillance. These digital privacy tools are available to everyone. Use them.

Use Signal for calls and text messages

Using Signal, an app available on iPhone and Android, and a Google Chrome extension, is the most straightforward way of circumventing the methods the SPVM and the SQ used to identify the journalists’ sources amongst the police forces.

You may not know that, but every time you make a call or send a regular text message (SMS), your cellular phone provider keeps a record of your metadata: who you called or texted, how long the conversation lasted, and when and where you were at that moment. The police only has to get a warrant for the information and present it to your phone company to obtain those records. This is exactly the kind of surveillance the police used against journalists and their sources.

Signal lets you send text messages and call other people anonymously. Your communications, instead of going through cellular waves where they are logged and can be tapped into, will be transmitted through the internet. The content and metadata of your message will be end-to-end encrypted. That means only you and the person you are communicating with will ever know the content of your conversation and the fact that it happened.

The app is free, easy to install and use, and can even replace the default messaging and calling app on most Android phones. It already supports group conversations and attachments, it is open source, and best of all, it is strongly recommended by Edward Snowden.

Use a strong password

Stop thinking of passwords as ten-letter words you use to unlock all your accounts digital devices. “H3llo!” is not a strong password. For a modern computer, it would be a manner of seconds before it would have guessed such a short password.

You really should use is a longer passphrase, unique to each of your accounts. A strong passphrase needs to be easy to remember for you, so you do not get locked out of your Facebook account, but hard to break.

The simplest solution to that problem is to use a sentence instead of a word as your password. Let’s say that you like horses. You could use the passphrase “IReallyLikeHorses.”

That passphrase has 17 characters, and contains capital and small letters. It’s a great start, but you can do better. Add numbers and special characters in there. For example, “IReallyLikeHorses110%”.

Finally, create a unique passphrase for each of the devices and services that you use: “IReallyLikeHorses110%OnFacebook,” “IReallyLikeHorses110%OnMyMac,” for all your accounts. At 32 and 29 characters respectively, those passwords are tough to crack. Dashlane, a password management software company, estimates that it would take at least four undecillion (that is 10^36) years for a computer to decipher them.

That is what you are aiming for: hard to crack, hard to forget.

Encrypt your storage drives

Encrypting a digital storage drive makes it unreadable unless you have the passphrase that unlocks it. This will prove especially useful if your computer or phone is ever lost, stolen, or seized by police during a protest. Keep in mind, though, that using encryption is only effective when it is paired with a strong passphrase.

Use the Tor browser

When you visit a website, your computer is essentially publicly asking the site to send you its webpage. That conversation between your computer and the website is generally encrypted. However, the fact that that conversation happened is out in the open. A lot can be learned from you just by looking at which websites you access.

This is especially a problem for activists and journalists living under dictatorships, but it can be useful to know how to access websites anonymously even in Canada.

For example, if you are doing a research on terrorist groups and you want to look at them from the inside, you probably do not want the RCMP to know that you are visiting and probably asking questions on a forum populated by people who are deemed enemies of the state by our government.

What the Tor Browser does is bounce your data, that conversation we talked about earlier, around the internet on the Tor Network. As your web traffic will go from one computer to the next, it will gradually become impossible for authorities to link it back to you.

However, it has many limitations and it can bog down your internet connection.

Localization services

Always assume that your smartphone is constantly broadcasting your location, either through the apps you use or through your phone’s automatic connection to various cell towers and wi-fi networks throughout the city. Your phone can be used to locate you even if it is turned off or in airplane mode.

If you are a journalist and you are going to meet a confidential source face-to-face, or if you are that source yourself, leave your phone at home or at work. You could also remove the battery from your smartphone, but that is increasingly impossible based on the design of new phone models.

The SPVM used La Presse journalist Patrick Lagacé’s phone location data in attempts to find his sources among the police.

Encrypt your emails

Email is still, in my opinion, the hardest place to protect your privacy. There is, at the moment, no secure, consumer-friendly, open source, and cross-platform email client on the market.

Encrypting your emails still entails keeping an up-to-date library of certificates called public keys linked to each of your contacts with whom you would want to communicate securely. Those contacts also need to have your public key in order to make sure emails they receive from you really are from you. Oh and also, you should exchange those public keys in person. That is not what I call consumer-friendly.

Keep in mind that you will also need to convince your friends and colleagues to go through the same nerdy hoops and loops in order to use email encryption. You can also set up an email on encrypted services such as riseup.net.

Once you’ve done all these things, then you’re off to a really good start in protecting your privacy online. Until the systems of mass surveillance are dismantled, these are some of the best tricks to keep some semblance of privacy.