title: ‘Secure Your Communications’ slug: secure_your_communications
Digital communications is the backbone for all of our organizing work. Whether it’s phone, text, whatsapp or Facebook messenger we are constantly in communication with each other, our families, and our movements.
The problem is that almost all of these forms of communications are easily surveilled. We must maintain habits that safeguard the data shared when collaborating or working with other communities, activists, and each other. Encrypted communication protects our right to privacy when the laws and corporate platforms do not.
That is where End-to-End Encryption Messaging (E2EE) comes in! E2EE is designed to keep eavesdroppers out of the conversation. Think of it as putting a seal on the users’ messages, especially as they travel across the social web, and only the sender and recipient have the tool to break open this seal. Even companies that own the messaging platform would not have the means to decrypt the files.
While many apps say they offer E2EE, we give Signal our highest recommendation because they store the least amount of data and was developed by progressive developers to explicitly protect the right to privacy.
WhatsApp, Facebook, and Apple Imessage all offer some form of E2EE but these corporations still monitor and share the content of your data while not being transparent about what
they would share with a government agency if you are targeted.
Sometimes these platforms may be the only way to reach people. Implement Signal where possible but if you must use these other tools only do so when necessary. We highly recommend you practice risk reduction by enabling encryption and verifying contacts.
Finally, we want to emphasize that digital communications still comes second to face to face meetings. However, we do realize this may not be possible for many collaborations. So, ultimately, we emphasize that the best security is discretion. If you have things you want confidential then do not say them on communication platforms. Say only what you feel comfortable having a government official knowing because you do not know when your communications might be compromised.
SO PLEASE BE SAFE AND BE STRATEGIC IN WHAT YOU SAY, WHOM YOU SAY IT TO AND WHEN.
Now let’s explore then how to send End-to-End Encryption Messages on each of these platforms.
Signal1 is a free and open source communication app for Android and iOS that employs end-to-end encryption, allowing users to have encrypted conversations with other Signal users and send end-to-end encrypted texts, group texts, photos, and video messages. Signal uses your data connection, so all parties in a Signal communication must have Internet access on their mobile devices. Signal users don’t incur SMS and MMS fees.
You can download Signal as an app on your phone or use it as a browser extension on your computer.
When you search for the app on your mobile device, make sure to select the version developed by Open Whisper Systems. Download the app, then click Install. You’ll see a list of functions, such as TK, that Signal needs to access in order to work properly.
Signal’s Google Chrome extension allows you to seamlessly continue text conversations on both your mobile device and computer. All your communications will remain encrypted throughout the process. Signal Private Messenger is a Chrome app that links to your phone, so all incoming and outgoing messages are displayed consistently on all your devices. You can comfortably chat using your full desktop or laptop keyboard.
Signal automatically syncs your contacts and messages, so you are good to go.
Safety numbers allow Signal users to verify the privacy of their communication with a contact, either by comparing a number or by scanning a single QR code.
DISAPPEARING MESSAGES ON—
Signal has a feature called “disappearing messages” that automatically removes messages from you and your contact’s devices after a chosen period of time after they’ve been seen. To enable disappearing messages for a conversation, open the screen where you message your contact. From here, tap the name of the contact at the top of the screen, then tap the slider next to Disappearing Messages.
SpiderOak has been a trusted company in the backup space for almost a decade, known for their Zero Knowledge privacy practices. They have been endorsed by Edward Snowden in general and specifically as an alternative to Dropbox in October of 2014.
Semaphor2 is a real-time team collaboration application created by SpiderOak intended to provide an experience comparable to products like HipChat, Slack, or IRC. Because they are Zero Knowledge, it means that they know nothing about the encrypted data you store on their servers. Their unique design means nothing leaves your computer until after it is encrypted and is never decrypted until it is unlocked with your password on your computer.
Each conversation is cryptographically compartmentalized meaning only the participants in any given conversation have access to that data or the encryption keys; however members who join the conversation later can see content created before their entry into the conversation.
Here is how Semaphor lines up with other similar services in terms of security provisions.
Semaphor is user-friendly and easy to navigate. You can get it both on your phone and your computer. Overall, it gives you the ability to communicate safely and robustly with your colleagues and co-organizers. The downside is that it is a paid service but we do recommend the investment.
WhatsApp messenger (now a subsidiary of Facebook) is used all around the world, it was one of the first corporate messaging apps to provide end-to-end encryption by default for all users.
This makes WhatsApp far safer than other platforms. But keep in mind WhatsApp still retains the metadata of your chat logs, which reveal who you were talking with and when. Additionally, content in WhatsApp helps to inform your Facebook algorithm and contributes to your Facebook profile.
So use WhatsApp carefully. First and foremost, make sure all of your contacts are using the most recent version of WhatsApp, to make sure encryption is enabled.
Then, it is good practice to authenticate the person you’re talking to in order to make sure it’s really them. Each of your chats has its own security code used to verify that your calls and messages are end-to-end encrypted.
This code can be found in the contact info screen, both as a QR code and a 60-digit number. These codes are unique to each chat and can be compared between chat participants to verify that the messages you send are end-to-end encrypted. Security codes are visible versions of the special key shared between you. Don’t worry, the codes don’t represent the actual key itself; the key is always kept secret.
To verify that a chat is end-to-end encrypted
If you and your contact are physically next to each other, one of you can scan the other’s QR code or visually compare the 60-digit number. If you scan the QR code and it is indeed the same, a green checkmark will appear. Since they match, you can be sure no one is intercepting your messages or calls.
Facebook Messenger has recently introduced the option to send encrypted private messages. Since many of us use Messenger to organize protests and meetings, it is important that we know how to securely use this line of communication.
<div class="well none" style="border-radius:0">
<span class="warn-icon"><i class="fa fa-exclamation-triangle" ></i></span> <span class="warn-highlight">WARNING: </span><span class="warn-text" markdown="1">Again, please keep in mind that by turning on Facebook's encrypted messaging you are practicing harm reduction—not guaranteeing your complete privacy. Facebook’s privacy policies leaves much to be desired by activists since they are willing to hand over personal information to authorities. Be safe and practice risk assessment to gauge your level of safety on this platform.</span>
</div>
</div>
To start a new encrypted conversation:
Tap the new conversation icon at the top right, then tap Secret in the top-right corner.
Choose your recipient and begin messaging.
Tap Secret Conversation to switch it over.
WHAT IS ENCRYPTION?
Encryption3 as we’ve explained, is when data is scrambled in such a way that only someone with the secret password or key can read it. The scrambling relies on mathematical techniques. These techniques are powerful enough that even major governments cannot unscramble the data you choose to encrypt.
ENCRYPTION FOR PERSONAL USE
When you encrypt data on your computer, it will require a password—also known as a private key—that only you know. This process is called private key encryption, and it’s good for protecting your data on physical objects that you carry with you such as a USB drive, phone, or laptop hard drive.
ENCRYPTION TO COMMUNICATE BETWEEN PEOPLE
There is a dilemma if you want to have secure and private email or communication between you and your collaborators, and you’re the only one using private key encryption. You can encrypt your data and send it to your friend, but then you’d need to tell your friend the password so they can unscramble it. This can be a problem if the government, an ISP, or a hacker has access to your communications and can overhear or capture this password/private key.
Sender
Recipient
Recipient’s
public key
Recipient’s
private key
Hello
the result of
your exam…
Hello,
the result of
your exam…
Different keys are used to encrypt and decrypt messages.
Plaintext
Plaintext
Encrypt
Decrypt
UV[RI=..’V
RZR[‘…T…T
.cBT.cB..U.B
Cyphertext
To address this problem, we use public key encryption. To understand how this process works, consider the following example:
- You want to communicate securely to your friend. Instead of sending them a private key, you ask your friend to send you a lock that only they have the key to. The lock your friend sends is called a public key.
- You receive your friend’s lock, then put your message in a box and lock it with that lock.
- You send the locked box to your friend.
- Your friend uses their private (secret) key, is paired to the lock to unlock it and securely read the message.4
You may be thinking, “What if a government or hacker hires a locksmith to pick the lock?” In this scenario, a weak encryption technique (low-bit encryption algorithm) would represent an easy-
to-pick lock that would only take a few minutes to break. A strong encryption algorithm (known as an RSA, which is used in the GPG software package you’ll read about on the next page), would take a locksmith hundreds of years to pick.
Using a technique like this, you can communicate over an insecure network and still have security. The set of mathematical techniques that allow this to happen electronically is called public key encryption. This encryption techniques is the basis for all secure communication on the Internet, whether it’s HTTPS, GPG, Signal, Tor, or VPNs.5
USING GPGTOOLS FOR MAC
GPGTools is a free open-source software package that allows you to use public key encryption in your communications, primarily over email. You and your collaborator will both need to have a copy of GPG installed on your device.
How to send encrypted email
PASSPHRASE RULES
Make sure your passphrase is one you haven’t used elsewhere, contains at least one capital letter, one number, and one special character. MOST IMPORTANTLY: MAKE SURE YOU REMEMBER THE PASSPHRASE.
<div class="well none" style="border-radius:0">
<span class="warn-icon"><i class="fa fa-exclamation-triangle" ></i></span> <span class="warn-highlight">WARNING: </span><span class="warn-text" markdown="1">For initial convenience, jot down your passphrase on a piece of paper. We strongly recommend that you memorize your passphrase, then destroy the paper.</span>
</div>
</div>
Next, if you are frequently communicating with new contacts add your key to the MIT PGP Public Key Server. This is like making sure you’re listed in the yellow pages of the PGP community. Depending on the extent to which this key is tied to your personal identity, you may instead choose to share it directly with people you wish to correspond with, as opposed to sharing it publicly.
SENDING AN ENCRYPTED EMAIL
First, find your recipient’s key on the PGP key server.
Once you have their key, you are ready to send an encrypted message.
GNU Privacy Assistant is a useful application that’s comes bundled with Gpg4win. You can download Gpg4win at https://www.gpg4win.org/download.html
ENCRYPT A MESSAGE
DECRYPT A MESSAGE
BACKING UP YOUR KEY
You may want to store a copy of your encryption key on a USB stick for carrying around. Or, you can back up your private key by going to Keys → Backup. Your key will be saved to the appropriate location.
USING GPG IN YOUR BROWSER
With some caveats based on browser security, there are plugins for Chrome and Firefox to enable OpenPGP encryption for webmail. Mailvelope (https://www.mailvelope.com/)) provides a relatively simple option for users who are new to encryption and unable to easily switch to a different desktop email application. Mailvelope is open source, audited in 2014, and compatible with most webmail providers, such as TK or TK. Mailvelope works by adding a button in the “compose” window to open a pop-up window in which you can write an email. You can then encrypt the message and send only the encrypted text to the webmail system you primarily use.
Online activism can leave you vulnerable to trolls and other more malicious actors who can threaten your online and physical safety because they disagree with your politics or activism. In the past year, many activists have shut down online. This means that, sometimes, you have to position yourself as an anonymous entity in order to TK.
This section will cover how to make accounts that can easily be traced back to your physical self. In order to create anonymous social media accounts, you will need services that can generate temporary and anonymous email addresses, or temporary phone numbers and a secure VPN network.
First, sign out of all your accounts, close your browser, and restart your computer. Make sure you are logged in to Tor and/or a secure VPN network and are using private browsing.
You can then use the following services to generate temporary emails
- Riseup: https://user.riseup.net/forms/new_user/first
- Slippery: https://slippery.email
- Guerrilla Mail: https://www.guerrillamail.com
These emails self-destruct within a period of days or weeks, which reduces the chance that accounts created with these emails can be traced back to you.
Using your new temporary email address, register your anonymous social media account.