The Edward Snowden guide to practical privacy

NSA whistleblower talks turkey about personal surveillance

If you want to limit how much governments and companies know about you and your private life, then use Tor, download specific apps and plug-ins, encrypt your hard drive, and use a password manager.

Those are among the tips provided by NSA whistleblower Edward Snowden in an interview with "digital bodyguard" Micah Lee. The interview, published on The Intercept, is interesting in that it provides a practical guide for protecting your privacy from the very mass surveillance that Snowden revealed in his huge leak of US government documents.

The guide covers everyone from the typical concerned citizen to someone who may be handling highly sensitive documents. Here are the highlights:

If you're just an average user concerned about your privacy

  • Use Tor when browsing. You don't have to use Tor all the time (it does slow things down considerably and some sites will also block Tor traffic). But if you are looking at or for something that you feel is sensitive, then either set up your browser to work with Tor or use the Tor browser.
  • Use an ad-blocker. Says Snowden: "As long as service providers are serving ads with active content that require the use of Javascript to display, that have some kind of active content like Flash embedded in it, anything that can be a vector for attack in your web browser – you should be actively trying to block these."
  • Use a password manager. It doesn't matter how many surveys and reports come out that tell people to use different passwords and complex passwords, a huge percentage of us maintain borderline idiotic approaches. The simple answer is: get a password manager. It will protect you.
  • Use two-factor authentication. Many services such as Gmail, Twitter, Dropbox, Hotmail, and Facebook offer this now for no charge. So even if your password does get exposed, you still have a backup such as a text message to your phone to secure your information.
  • Use apps that protect your information. Snowden suggests the smartphone app Signal, which encrypts both your phone calls and texts. It's free and easy to use. Although of course, following a high-profile argument with the FBI, it would appear that Apple's messaging service is also pretty secure (although Snowden would probably have doubts).
  • Use the HTTPS Everywhere browser plug-in. This comes from the Electronic Frontier Foundation (EFF) and will try to force all browser communication to be encrypted.
  • Encrypt your hard drive. This is comparatively easy these days but you have to be careful to do two things: one, have a longish phrase to make it worthwhile; and two, make damn sure you remember that phrase. There will be a slowdown in performance but nothing too bad if you have a modern machine.
  • Be smart with your security questions. Stop using your mother's maiden name for everything. Likewise your first school. The key is to mix things up as much as possible so if someone does get into one of your accounts, they can't use the same information to get in everywhere else.

On this issue – the average Joe – there was a cautionary tale just today on why these things are necessary even if you're not a journalist working on confidential material or a whistleblower or someone protecting valuable secrets.

Business journalist Jeff Bercovici lost nine years of Facebook data when he forgot about an old Hotmail email address, didn't use two-factor authentication, and presumably used a weak password. Someone in Turkey accessed that account and used it to take over his Facebook profile.

By the time Jeff got back, the man had deleted all of his Facebook data. A huge pain and shame, but that information could just as easily have been used to access different accounts and even steal his identity. Jeff tweeted about the experience.

If you are handling confidential information

One of the more interesting takeaways from Snowden's reflections on private security is that you don't need to become a paranoid maniac across your entire life – you just have to learn to segment your activities into levels of risk and not unnecessarily share information that you don't need to.

"You don’t need to hide everything from the adversary," he told Lee. "You don’t need to live a paranoid life, off the grid, in hiding, in the woods in Montana. What we do need to protect are the facts of our activities, our beliefs, and our lives that could be used against us in manners that are contrary to our interests.

"So when we think about this for whistleblowers, for example, if you witnessed some kind of wrongdoing and you need to reveal this information, and you believe there are people that want to interfere with that, you need to think about how to compartmentalize that. Tell no one who doesn't need to know."

If you are sending or receiving highly confidential documents, then what you need to protect is not the fact you went to the supermarket on Tuesday but the connection to the person you are receiving/providing the information to. By concealing that connection then, in Snowden's words, "whoever has been engaging in this wrongdoing cannot distract from the controversy by pointing to your physical identity. Instead they have to deal with the facts of the controversy rather than the actors that are involved in it."

So what tools does he recommend for that kind of interaction?

For providing documents he recommends SecureDrop – which is already used by a range of media organizations – and using it over the Tor network.

He also suggests using a computer that can ideally be thrown away afterwards so no trace is left, and using an operating system that leaves no traces on the machine – he gives the example of Tails.

If you want to pretend to be James Bond

Let's be honest, very, very few of us will ever have material that is so valuable that the security services will pull out all the stops to get at it.

Government representatives typically have their security looked after by others, such as being given clean laptops or phones/tablets when visiting countries like China or Russia. The very few journalists that embark on projects involving state secrets also tend to be brought up to speed by experienced hands.

But if you want to do this yourself – and what self-respecting sysadmin doesn't love mucking about with this sort of stuff? – then there is some advice for hardcore privacy. And a big part of that is not in tools but in mindset.

"It all comes down to personal evaluation of your personal threat model, right? That is the bottom line of what operational security is about," says Snowden. "You have to assess the risk of compromise. On the basis of that, determine how much effort needs to be invested into mitigating that risk."

Never leave your machine unattended. Have a bootloader for your machine on an external device that you keep on your person. Use a virtual machine (Snowden likes Qubes). And think about whether you need your mobile phone on you revealing where you are and where you have been every moment of every day.

All in all, it's a pretty interesting interview capturing years of experience and thought from someone who has spent more time than any of us thinking about such issues. You can catch the full thing here. ®

Sponsored: Virtualization security practical guide