Practical tips: Secure communications

Installation by SpY in Madrid, Spain

In the street art and graffiti community, many of us deal with sensitive data every day, but many of us do not protect ourselves from being snooped on. The NSA and GCHQ may have little interest in what you were doing running around with cans of paint last night, but other government agencies might care a great deal, and they also have a surprising level of access to your data and communications if you don’t protect yourself.

I’m not a lawyer or a security expert, and I’m not encouraging anyone to break the law. My tips in this post are not legal advice and they’re far from perfect. I simply want to get a discussion going about security in our community and suggest a few ways that we might begin to protect ourselves and communicate more securely. My suggestions are US-centric, but many of the same tips and concerns should apply no matter what country you’re in. Also, remember that no system is ever completely secure. If you have questions or more tips or you think my tips don’t work the way I say they do, please email me or leave a comment.

Step 1: Use secure passwords

Many of the security measures I’m going to suggest in this post require creating secure passwords. This is my favorite method for creating reasonably secure passwords that are easy for you (but nobody else) to remember. You can also use randomly generated passwords.

If it’s just too much to keep track of different passwords for every different website you sign up for or hard drive you encrypt, try a password manager. KeePass is an open source password manager, which means it’s much less likely that the software has any back doors, and it’s available on many different platforms.

Lifehacker has more on generating and storing passwords.

Step 2: Secure your computer

Last year, Vamp was convicted of writing graffiti partially based on images that were found on his computer. If Vamp felt that he absolutely had to have photographs of graffiti on his computer, he could have taken the step of encrypting his hard drive. That might not have saved Vamp, as in countries such as the UK there are laws requiring suspects to hand over encryption keys under court order, but that isn’t the case in the USA where the latest case law has said that the government cannot compel you to decrypt your data (thank you 5th Amendment).

For PC users, PC World has some great instructions on encrypting just about anything including your hard drive or any external drives that you may have. For Mac users, FileVault 2 is a pretty solid solution. This article explains how to use FileVault 2 as well as encrypted Time Machine backups. For Linux users, or those who just want an alternative file or disk encryption tool not designed by Apple or Microsoft, TrueCrypt may be the solution.

But why encrypt your hard drive if you’ve already password protected it? Password protection really doesn’t help all that much, especially when law enforcement has seized your hard drive as evidence. This metaphor about lock boxes and secret codes may be helpful in explaining the difference between password protection and encryption. And here’s how easy it is for anyone to take your data off of a PC running Windows if the computer is password protected but the data is unencrypted.

Don’t fall for the trap of thinking a password on your computer makes you secure. Encrypt your data.

Randy Sarafan of F.A.T. Lab has a tongue-in-cheek tip if you forget to encrypt your data or you just want an added layer of security when Johnny Law is at your door and you don’t mind losing your data for good. Of course, in that case, you might be accused of destroying evidence, so it’s probably better to just encrypt your hard drive.

Step 3: Secure and anonymize your web browsing

Do you visit websites about graffiti and street art every morning? Okay, it’s not proof that you’re engaging in illegal activities, but it probably doesn’t help matters if you’re already under suspicion. The way most of us browse the web, records of what sites we visit and when we visit them are easily obtainable by the government.

This is an area that frankly I could use some further education on, but I’ll try my best…

If you want to make sure you’ve got a secure connection on as many of the sites you visit as possible, HTTPS Everywhere is a great browser extension, but be sure to read the FAQ to understand how it keeps you secure and how it does not.

You may also want to limit tracking cookies so that third parties aren’t able to gather as much information about you or what websites you visit. For that, there’s Disconnect 2.

Although it’s not perfect, Tor is easy to use and generally considered a good way to surf the web anonymously. Or if you want to be really secure and anonymous, you may want to use a VPN instead.

Step 4: Secure your emails

I sometimes get emails from people who are presumably sending photographs of illegal street art or graffiti that they have just completed, and they often reveal their government names in the process. I love getting those emails, but it’s definitely risky for the people emailing me. It’s not hard to imagine a situation where law enforcement accesses an artist’s email records and uses that to arrest or prosecute them.

Email is a fundamentally insecure mode of communication. That said, a lot of us still use it. It’s somewhat of a necessity for many of us. Still, there are ways to send emails that are more secure than your average email. Even if it’s clear that you and I have been emailing, if we encrypt our emails, it won’t be clear what we were emailing about. The US government does not need a warrant to access our emails or Facebook chat logs, but if our emails are encrypted, the contents of our messages will be beyond gibberish to anyone but us.

Lifehacker has a nice set of instructions on how to encrypt your emails. Despite what people may tell you, it’s actually not all that difficult to set up email encryption. I use Mailvelope, which Lifehacker describes how to set up.

Still, sending and receiving encrypted emails is a bit more complicated than encrypting a hard drive. With a hard drive, you know the encryption key, and that’s good enough, in that you’re the only person who needs to encrypt or decrypt your data.

If I send you an encrypted email, how are you supposed to decrypt it unless I’ve told you the password? The solution is public key encryption. This video does a nice job of explaining how that works. Basically though, one password (called a key, and stored publicly) is used to encrypt data and another password/key (which is kept a secret) is used to decrypt data that has been encrypted by the first password/key. That way, just because you can send me an encrypted email does not mean you can decrypt that same information, and I never have to tell anyone the code that decrypts emails that are sent to me. If you want to send me an encrypted email, you can get my public key here.

The downside to email encryption is that the only people who can receive encrypted emails are people who have created a set of public and private keys. You can’t just send an encrypted email to your mom one day if she hasn’t already generated a public key for you to use. One solution to this problem is critical mass. As people encrypt their emails, one day it may become standard practice. Is that a crazy idea? No more crazy than suggesting that one day everyone will have an email address.

Step 5: Secure your online chats

Instant messaging has many of the same basic flaws as email (messages can be unencrypted, messages can be stored on a third party server, records can be kept of when messages were sent and to whom). I don’t use instant messaging all that much, so I don’t really have an opinion here, but Lifehacker has some suggestions on how to send and receive instant messages more securely.

Step 6: Secure your phone

Phones are dangerous for security on a number of levels. To imagine a worst case scenario: Someone takes your phone out with them while they’re putting up some art without permission, and they take photos while they’re out, leaving those photos on your phone. Suddenly, the police come knocking on your door because they have GPS data, which leads to photographic data, that your phone was at the site of a crime. Of course, in that instance, you’re going to be the suspect, not the friend who borrowed your phone. Better have an alibi. Or just secure your phone.

The best move is probably just to not store sensitive information on your phone. Luckily, as this article notes, that’s increasingly less necessary. Even encrypted smartphones are not entirely safe, as court orders can compel Apple or Google to decrypt phones. Still, it may be better to set up a passcode on your smartphone than not, as that provides at least some security.

Also, according to the ACLU, the government may have access to your phone’s location data and can use that to track you even without a warrant. Don’t carry your phone with you at all times, particularly when you don’t want to be tracked.

Finally, I know it’s almost impossible to avoid these days, but Instagram is not a safe way to post photos. They will reveal your user information to law enforcement.

Step 7: Secure your text messages

As with emails, I’ve often gotten text messages from people where they’re texting things that they perhaps shouldn’t be about activities that the government might argue they should not have done. Like email, text messages can be very incriminating and even the most secure options for sending texts are very traceable.

Standard SMS text messages are absolutely not secure.

The contents (but not the metadata) of iMessages are reasonably secure. That is, of course, unless they’re not.

What about alternatives? WhatsApp is pretty popular and claims to be secure, but the German government isn’t so sure.

For now, our best bet for secure text messaging seems to be Telegram, an app for iPhone and Android. It’s what I’m starting to use (thanks to Hrag for first alerting me about the existence of Telegram). It offers “secret chats” that don’t allow Telegram to read or store your encrypted messages, and the messages can be set to “self-destruct” like a Snapchat photo. One major downside: Your Telegram account is tied to your phone number, so it can’t really be anonymous unless you’ve got a burner smartphone. Also, Telegram’s security has recently been criticized. Hopefully though, Telegram works for now and the idea behind the app leads to future, more secure, developments.

Step 8: Secure your voice calls

If you want to get around wiretaps, government access to your phone metadata or anything else along those lines, Silent Circle seems like the way to go, although I’m not yet a subscriber myself. For $9.95 a month, you get encrypted voice and video calls between other Silent Circle subscribers, and the logs the company keeps are absolutely minimal. They say, “Our goal is to have nothing to turn over or disclose to any third party.” Like email encryption though, Silent Circle really only works if we all use it.

Photo by GoatChild