Privacy 101.

It's probably no surprise to you by now to know that the U.S. Government is actively collecting your emails, phone calls, text messages... just about everything. If you aren't taking the necessary steps to secure your online communications, you should probably start immediately. 
It doesn't matter if you're just an ordinary citizen like us, or participating in some large-scale whistleblowing activities and are on the FBI's most wanted list (probably us in the future), privacy is important to all of us.

And please, spare us your excuses, i.e., "I have nothing to hide."

 

The Tools

Below are some recommendations to help secure your online information. 
You can probably find tons more, and might even advocate a better option. If so, let us know about it. 

Just a blunt note, it's super difficult to go "dark" (meaning completely anonymous) online.
If 'they' want to track you down, and have the time and resources, they'll find a way.
But these recommendations are certainly helpful either way. No matter who you are, we strongly recommend you begin taking a serious look at your use of security/privacy tools online.
And, don't be a dummy. Use things appropriately. We don't advocate illegal activity.
If you do something stupid, it's your own choice and you get to deal with the consequences. 

 

The Basics

Internet Browsers

Remember to stay away from Google. They track everything you do, read your emails, and are a part of the NSA Team, according to the NSA documents Snowden released. So, we obviously don’t recommend using Google Chrome. We recommend getting the latest version of Firefox, or, latest stable version of Chromium (what Chrome is based on), with no Sync or WebRTC support. Another new option is called Brave that seems pretty good and privacy conscious. There are tons of other options as well, so feel free to do your homework.

 

No matter the browser you choose, install the following browser extensions:

These plugins will help block various methods of tracking and information leaks, which may help identify you.

 

Best of all, use Tor for all your browsing needs. (more information found below on Tor).

The Tor Browser is a Firefox-based browser with the necessary security plugins already installed. There are even browsers that connect through Tor on your mobile device. Keep in mind when using Tor to NOT log in to your normal accounts, i.e., Gmail, Facebook, etc. Tor is tremendously helpful for anonymity, but logging into accounts with your regular credentials makes identifying you that much easier.

iPhone Tor Browser: We suggest OnionBrowser. (Free) There are tons of options though, some free, most not. Do your research and read reviews. Maybe contact the Tor project directly for recommendations if you'd like further assistance. 

Android Tor Browser: Click here.

Get/Use a Password Manager

Weak and reused passwords are usually the number one cause of accounts getting hijacked, and a compromised account on any 3rd party service may assist an adversary in de-anonymizing you. You can’t prevent or foresee security issues which may exist in the service itself, but at least you can do your part by generating strong and unique passwords for all the services you use. There are many password managers out there; LastPass, KeePass and Dashlane are just some of them.

We, personally, use LastPass

 

 

Passphrases

Forget song lyrics or fancy characters. If you must use a manually entered password, we suggest using what is called a Passphrase.

For a wonderful guide on creating Passphrases that are easy to memorize, but even the NSA can't figure out, read here
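Both the password-manager advice above and the passphrase advice here come down to the same thing: draw each character or word independently from a CSPRNG and know how many bits of entropy you end up with. The example below is added here and is not from the original page or the guide it links to; the word list is a constructed 26-word stand-in (a real diceware list such as EFF's has 7776 words), and the lengths are illustrative defaults.

```python
"""Strong passwords and diceware-style passphrases (added example).

Assumptions: SAMPLE_WORDS is a constructed stand-in for a real diceware list;
the 20-character password and 6-word passphrase lengths are illustrative.
"""
import math
import secrets
import string

# Constructed sample word list. Only 26 entries, so passphrases drawn from it
# are weak (about 4.7 bits per word); a real list has 7776 (12.9 bits per word).
SAMPLE_WORDS = [
    "acorn", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pebble", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "xylophone", "yarrow", "zephyr",
]
DICEWARE_LIST_SIZE = 7776  # 6^5: five dice rolls index one word

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy in bits of `picks` independent uniform picks from `choices` options."""
    return picks * math.log2(choices)


def generate_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Random password of the kind a manager stores for you.
    `secrets` reads the OS CSPRNG; never use `random` for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Diceware-style passphrase: every word is an independent uniform pick,
    which is what makes the entropy arithmetic above valid."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words from a list of `list_size` to reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("password  :", generate_password(), f"({entropy_bits(len(PASSWORD_ALPHABET), 20):.1f} bits)")
    print("passphrase:", generate_passphrase(), f"({entropy_bits(len(SAMPLE_WORDS), 6):.1f} bits, toy list)")
    print("6 real diceware words:", f"{entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
    print("words for 80 bits from a real list:", words_needed(80))
```

Running it shows why the word list size matters: six words from the toy list give about 28 bits, six from a real 7776-word list about 77.5 bits, and reaching 80 bits takes seven real words.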

 

Use Two-Factor Authentication with Everything

The value of this is if someone does steal your password, or it’s left or exposed somewhere … [two-factor authentication] allows the provider to send you a secondary means of authentication — a text message or something like that. [If you enable two-factor authentication, an attacker needs both your password as the first factor and a physical device, like your phone, as your second factor, to login to your account. Gmail, Facebook, Twitter, Dropbox, GitHub, Battle.net, and tons of other services all support two-factor authentication.]

 

OPSec (Operational Security)

This is probably the hardest part. It's easy to frak up, and once you do, there is not much you can do to undo the damage. Here are some guidelines; the list is by no means exhaustive and is meant to get you to think about your online activities in a critical way.

  1. Don’t use the same usernames or nicknames as you normally would. If you go by xxSexyBoi69xx, guess what, that stops now, not just because it’s permanently attached to your real identity, but because it's stupid and shame on you. Use a unique username, name, etc. for every service you use. If you’re super unimaginative, there is FakeNameGenerator that will do all the work for you.
  2. Don’t reuse passwords; use a password manager that will generate strong and unique passwords for every service you may want to use.
  3. Never make a direct connection between your alter ego and your real identity. This includes sending emails to and from yourself, mentioning yourself as the alter ego and vice versa, etc. Just pretend that your true identity does not exist.
  4. Never leave your unlocked computer unattended unless you live alone in a locked bunker. Other members of your household, friends, hamsters, are not aware of your split personality aspirations, and it's best for it to remain that way since they may (unknowingly or maliciously) undo all the work you just did.
  5. Use your head. Critically analyze the implications of your actions from the perspective of your imaginary (or not so imaginary) adversary. If you were in their shoes, how would you use JohnDoe125’s Pinterest account that posts geo-tagged photos of a cat that belongs to your girlfriend in order to unmask you?

 

Snowden on OPSec:

It all comes down to personal evaluation of your personal threat model, right? That is the bottom line of what operational security is about. You have to assess the risk of compromise. On the basis of that determine how much effort needs to be invested into mitigating that risk.
Almost every principle of operating security is to think about vulnerability. Think about what the risks of compromise are and how to mitigate them. In every step, in every action, in every point involved, in every point of decision, you have to stop and reflect and think, “What would be the impact if my adversary were aware of my activities?” If that impact is something that’s not survivable, either you have to change or refrain from that activity, you have to mitigate that through some kind of tools or system to protect the information and reduce the risk of compromise, or ultimately, you have to accept the risk of discovery and have a plan to mitigate the response. Because sometimes you can’t always keep something secret, but you can plan your response.

Everybody doesn’t need to know everything about us. Your friend doesn’t need to know what pharmacy you go to. Facebook doesn’t need to know your password security questions. You don’t need to have your mother’s maiden name on your Facebook page, if that’s what you use for recovering your password on Gmail. The idea here is that sharing is OK, but it should always be voluntary. It should be thoughtful, it should be things that are mutually beneficial to people that you’re sharing with, and these aren’t things that are simply taken from you.

If you interact with the internet … the typical methods of communication today betray you silently, quietly, invisibly, at every click. At every page that you land on, information is being stolen. It’s being collected, intercepted, analyzed, and stored by governments, foreign and domestic, and by companies. You can reduce this by taking a few key steps. Basic things. If information is being collected about you, make sure it’s being done in a voluntary way.

For example, if you use browser plugins like HTTPS Everywhere by EFF, you can try to enforce secure encrypted communications so your data is not being passed in transit electronically naked.

[SOURCE]

 

Tor / VPN

An essential part of online privacy is hiding your identity and information. Recently, the U.S. Government voted to allow ISPs to sell your private internet data. Sure, the NSA has been snooping into our goods the entire time - but now, more than ever, it's important you cover yourself, even if you aren't doing anything sketchy or illegal. The use of these tools is not illegal in any way, and is recommended for general internet use.

Tor

https://torproject.org

Tor is free software for enabling anonymous communication. The name is derived from an acronym for the original software project name "The Onion Router". Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than seven thousand relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult for Internet activity to be traced back to the user: this includes "visits to Web sites, online posts, instant messages, and other communication forms". Tor's use is intended to protect the personal privacy of users, as well as their freedom and ability to conduct confidential communication by keeping their Internet activities from being monitored.

Edward Snowden on Tor:

SNOWDEN: I think Tor is the most important privacy-enhancing technology project being used today. I use Tor personally all the time. We know it works from at least one anecdotal case that’s fairly familiar to most people at this point. That’s not to say that Tor is bulletproof. What Tor does is it provides a measure of security and allows you to disassociate your physical location. …
But the basic idea, the concept of Tor that is so valuable, is that it’s run by volunteers. Anyone can create a new node on the network, whether it’s an entry node, a middle router, or an exit point, on the basis of their willingness to accept some risk. The voluntary nature of this network means that it is survivable, it’s resistant, it’s flexible.
If you’re not using Tor you’re doing it wrong.
[Source]

 

VPN

VPN: A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network. VPNs may allow employees to securely access a corporate intranet while located outside the office. They are used to securely connect geographically separated offices of an organization, creating one cohesive network. Individual Internet users may secure their wireless transactions with a VPN, to circumvent geo-restrictions and censorship, or to connect to proxy servers for the purpose of protecting personal identity and location. 

You should invest a few dollars per month into a privacy conscious VPN provider. TorrentFreak keeps an excellent list of these providers, which is updated every year. Things to look out for include lack of logs, built in firewall, acceptance of Bitcoin, mobile options and a proven history of not turning over subscriber data when asked for it. HideMyAss, for example, is a popular provider, however you may want to stay away from it, even if you don’t plan on having your data being subpoenaed by the FBI.

As we use it ourselves, we recommend Windscribe.

Do your own research and get what you feel comfortable with and what you can afford. 

We ABSOLUTELY, 100%, recommend avoiding VPN services that are free-only. If they aren't selling you a product, YOU are the product. Many have been found to be selling customer information or not providing the advertised security. Our recommendation, Windscribe, does offer a free account, but its bandwidth and options are limited. Its main offerings are paid accounts, either monthly or yearly. 

A few bucks a month is definitely worth the price of secure, private, honest VPN service. 

 

 

Communication.

 

Forget Gmail, Skype and Facebook Messenger. These centralized, non-encrypted communication tools owned by the Internet giants are not your friends. They exist for a single reason: to collect as much data on you as possible, which then our government accesses.

Meet your new friends:

Email

  • Tutanota — End-to-End encrypted email provider out of Germany
  • Protonmail — End-to-End encrypted email provider out of Switzerland.  *(this is what we use)
  • Lavabit — Snowden’s infamous email provider, coming back soon!
  • Oneshare - Send Private Info That Self-Destructs after being opened one time. 

Voice + Video Calling

  • TOX — Open source encrypted video, audio, and chat software
  • Jitsi — Open source encrypted video chat

Mobile Messaging and Calling

  • Signal — Encrypted instant messaging and voice calling application
    • Pros: Signal is free, open source, easy to use, and features a desktop app, password protection for Android, secure group messages. It’s also maintained by a politically-conscious nonprofit organization, and offers: original implementation of an encryption protocol used by several other tools, ephemeral (disappearing) messages, control over notification content, sent/read receipts—plus it can encrypt calls and offers a call-and-response two-word authentication phrase so you can verify your call isn’t being tampered with.
      Cons: Signal offers no password protection for iPhone, and being maintained by a small team means fixes are sometimes on a slow timeline. Your Signal user ID is your phone number, you may have to talk your friends into using the app, and it sometimes suffers from spotty message delivery.

    • Keep in mind your Signal “account” is tied to your phone number, and metadata is not encrypted, meaning they can tell who you are, who you're talking to, timing of messages, and maybe location, etc., but not the content of your message. If you wish to remain truly anonymous, this should only be done on a disposable phone.

  • OTR – Off-the-Record Messaging. OTR allows you to have private conversations over instant messaging by providing:
    • Encryption
      • No one else can read your instant messages.
    • Authentication
      • You are assured the correspondent is who you think it is.
    • Deniability
      • The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
    • Perfect forward secrecy
      • If you lose control of your private keys, no previous conversation is compromised.
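Two of the OTR properties listed above, deniability and forward secrecy, are easy to misread, so here is a toy that shows the mechanisms behind them. This is an added example, not OTR's own code: message keys come from a one-way hash ratchet (a later key cannot be run backwards to an earlier one), and authentication is an HMAC under a key both parties share, so either party could have produced any tag and a transcript proves nothing to a third party. The session key is drawn at random as a stand-in for OTR's Diffie-Hellman exchange, and encryption is left out.

```python
"""OTR-style authentication, deniability and forward secrecy in miniature
(added example, not OTR's implementation).

Assumptions: the session key is random rather than DH-derived, the ratchet
label is arbitrary, and encryption is omitted so the MAC behaviour is visible.
"""
import hashlib
import hmac
import secrets
from typing import List, Tuple

Entry = Tuple[bytes, bytes]  # (message, tag)


def new_session_key() -> bytes:
    """Stand-in for the ephemeral shared secret OTR agrees per session."""
    return secrets.token_bytes(32)


def ratchet(key: bytes) -> bytes:
    """Next message key. SHA-256 is one-way: from key[i] you can compute
    key[i+1], key[i+2], ... but never key[i-1]. That is forward secrecy."""
    return hashlib.sha256(b"otr-toy-ratchet|" + key).digest()


def tag(key: bytes, message: bytes) -> bytes:
    """Authentication tag. A MAC, not a signature: anyone holding `key`
    can make one, which is exactly what makes the transcript deniable."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, mac: bytes) -> bool:
    return hmac.compare_digest(tag(key, message), mac)


def run_session(messages: List[bytes], first_key: bytes) -> Tuple[List[Entry], List[bytes]]:
    """Tag each message under a fresh key, ratcheting after every message.
    Returns the transcript and the keys used; a real client erases each key
    right after use and keeps only the current one."""
    transcript, keys, key = [], [], first_key
    for m in messages:
        transcript.append((m, tag(key, m)))
        keys.append(key)
        key = ratchet(key)
    return transcript, keys


def messages_attacker_can_verify(transcript: List[Entry], leaked_key: bytes) -> List[int]:
    """Indices an attacker who obtained `leaked_key` can authenticate by
    ratcheting forward. Earlier messages stay out of reach."""
    derivable, k = [], leaked_key
    for _ in transcript:
        derivable.append(k)
        k = ratchet(k)
    return [i for i, (m, t) in enumerate(transcript)
            if any(verify(d, m, t) for d in derivable)]


def forge_transcript_entry(shared_key: bytes, fake_message: bytes) -> Entry:
    """Either party (or anyone who later learns the key) can produce an entry
    indistinguishable from a genuine one, so a leaked transcript is deniable."""
    return fake_message, tag(shared_key, fake_message)


if __name__ == "__main__":
    transcript, keys = run_session([b"hi", b"meet at 9?", b"ok"], new_session_key())
    print("all genuine tags verify:", all(verify(k, m, t) for k, (m, t) in zip(keys, transcript)))
    print("attacker with key[1] can verify messages:", messages_attacker_can_verify(transcript, keys[1]))
    fake = forge_transcript_entry(keys[2], b"I never wrote this")
    print("forged entry verifies just like a real one:", verify(keys[2], *fake))
```

The two printed facts are the whole point of the OTR list: during the conversation each tag proves authenticity to the peer who holds the key, but afterwards that same key lets the peer fabricate anything, and a key leaked at step i exposes nothing before step i.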

 

Others:

  • Wickr:
    • Pros: Wickr offers free, ephemeral messaging that is password protected. Your user ID is not dependent on your phone number or other personally identifying info. Wickr is mostly reliable and easy to use—it just works.

      Cons: Wickr is not open source, and the company’s profit model (motive) is unclear. There’s also no way to turn off disappearing messages.

  • Threema:
    • Pros: Threema is PIN-protected, offers decent usability, allows file transfers, and your user ID is not tied to your phone number.
      Cons: Threema isn’t free, isn’t open source, doesn’t allow ephemeral messaging, and ONLY allows a 4-digit PIN.

  • WhatsApp:
    • Pros: Everyone uses it, it uses Signal’s encryption protocol, it’s super straightforward to use, it has a desktop app, and it also encrypts calls.
      Cons: Owned by Facebook, WhatsApp is not open source, has no password protection and no ephemeral messaging option, is a bit of a forensic nightmare, and its key change notifications are opt-in rather than default.

  • Facebook Secret Messages:
    • Pros: This app is widely used, relies on Signal’s encryption protocol, offers ephemeral messaging, and is mostly easy to use.
      Cons: You need to have a Facebook account to use it, it has no desktop availability, it’s kind of hard to figure out how to start a conversation, there’s no password protection, and your username is your “Real Name” as defined by Facebook standards. Facebook is part of the NSA team, as shown by the revealed Snowden documents.

    • You should probably stay away from Facebook, entirely

 

There are certainly other tools out there in addition to those discussed above, and use of nearly any encryption is preferable to sending plaintext messages. The most important things you can do are choose a solution (or series of solutions) which works well for you and your contacts, and employ good security practices in addition to using encrypted communications.

There is no one correct way to do security. Even flawed security is better than none at all, so long as you have a working understanding of what those flaws are and how they can hurt you.


 

PGP.

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions, and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.

To date, there is still no publicly known method for breaking PGP encryption itself, by any government or individual. 

 
ProtonMail.com


A wonderful option for secure emails is to use PGP. This lets you encrypt a message to someone's public key so that it can only be decrypted and read with the corresponding private key. There are many ways to use PGP - there's an introductory video (below) created by Snowden when he was initially contacting journalists about releasing the NSA documents. 

Many newer email providers offer PGP encryption that is built into their system. One that we use is ProtonMail, but there are several others. 

How to use PGP for Mac OSX

How to use PGP for Windows

How to use PGP for Linux

 

Snowden Tutorial: PGP For Journalists (2013)

"These are a basic instructions on how to protect Source-Journalist communications from being intercepted and read when they transit the internet using a technique called Public Key Encryption (PKE). By following these instructions, you'll allow any potential source in the world to send you a powerfully encrypted message that ONLY YOU can read even if the two of you have never met or exchanged contact information.
 

Conclusion.

Anonymity is hard.
Even if you follow the steps above there are still ways you can be de-anonymized if someone wants it bad enough, so don’t consider this to be a carte blanche to commit crimes online.

You can even take your precautions further and use burner phones, temporary computers, portable operating systems, and deeper levels of encryption to help you in your pursuit of total anonymity. The recommendations above are things we consider plausible and acceptable for the everyday internet user. 

To be truly anonymous, you have to stop using the Internet entirely, and that’s something very few of us would be willing to do.

 
 

Have a tip or suggestion?

We're not pros. We only know what we read about or have tried ourselves.

If you find something that you would suggest as a better option, or even just an alternative, we'd love to know so we can post it here.