This section will provide you with guidance on ways to establish secure communication when reaching out for help when confronted with a potential digital attack. As a general rule, it is important to understand that most 'normal' communications tools are not very secure against eavesdropping. Mobile and landline phone communication is not encrypted and can be listened to by governments, law enforcement agencies, or other parties with the necessary technical equipment. Sending unencrypted communication is like sending a postcard, anyone who has access to the postcard can read the message. Sending encrypted communication is like placing the postcard inside a safe and then sending the safe, which only you and those you trust know the combination to and are able to open and read the message.
Secure communication is always a trade-off between security and convenience. Choosing the most appropriate form of secure communication will depend on your unique situation, your threat model and the activities in which you are involved. The Digital First Aid Kit is specifically meant for those who are under digital attack; therefore, this section on secure communication assumes you are at high risk.
Finally, when communicating there are different levels of security. How and what kind of encryption a tool makes use of will increase or decrease your communication security. A communication tool that provides end-to-end encryption (such a PGP-encrypted email, or chat with OTR or Textsecure on your phone) is better than using a tool with transport-layer encryption (such as Gmail, Facebook, or Twitter). This, in turn, is better than using unencrypted communications (such as a postcard, your phone or text messages). Do the best that you can with the resources and skills available. Start with the most secure form of communication you can manage and the person you reach out to may be able to help you establish a line of communications that is more secure, if necessary. In many cases, it is better to reach out for help insecurely than not to reach out for help at all.
Where to start? If you believe that your computer has been compromised by malware and the device you are using cannot be trusted, please go directly to the Safer Computing section below. If you think that your communication might be targeted and/or you have just changed to a safer computer, the Safer Communication section and Safer Communication on a smartphone section below provides steps to establish secure communications.
When you are seeking remote help from a third party please keep the following in mind:
If you think there is something wrong with one of your devices or accounts and you are uncomfortable or unsure about what to do next, ask for help from a trained technical professional or (inter)national organizations (some listed below) whom you feel you can trust. Also remember that the device you are using might be the subject of the attack. In order to establish a secure line of communication with a person who can help you, it may be necessary to contact them from an alternate, trustworthy device. The guides referenced below in "Helpful Resources" and in the Resources section can also help. If possible, do not rely on unknown people you find online.
Among the organizations you may reach out to include:
- EFF
- URL: https://www.eff.org/
- email: info@eff.org
- Front Line Defenders
- URL: http://www.frontlinedefenders.org/
- email: info@frontlinedefenders.org
- CPJ
- URL: https://www.cpj.org/
- email: info@cpj.org
- RSF
- URL: http://en.rsf.org/
- email: internet@rsf.org
- Access
- URL: https://www.accessnow.org/
- email: help@accessnow.org
- PGP key fingerprint: 6CE6 221C 98EC F399 A04C 41B8 C46B ED33 32E8 A2BC
- Digital Defenders Partnership
- URL: http://digitaldefenders.org/
- email: ddp@hivos.org
- Freedom House
- URL: http://freedomhouse.org/
- Internews
- URL: https://www.internews.org/
- IWPR
- URL: https://www.cyber-arabs.com/
- Open Technology Fund
- URL: https://www.opentechfund.org
- email: info@opentechfund.org
- PGP key fingerprint: 67AC DDCF B909 4685 36DD BC03 F766 3861 965A 90D2
If at all possible, you should switch to a completely separate device; one that you have no reason to suspect is compromised. Think of a device owned by a friend or family member. Cybercafes may be an option, but in many countries cybercafes are under heavy surveillance by local governments and law enforcement.
If you don't have access to a secure device, you may be able to download and install TAILS. TAILS is a 'live CD' (or USB) that runs a custom operating system that is built to be highly secure, but does not alter the computer you run it on. It has many features to help protect you from a compromised computer and to help you protect your communications.
Download, verify, and install TAILS carefully, following the instructions provided on the site. You will need a blank DVD, or a USB or SD card that is 2 gigabytes or larger. Some of the steps, particularly verifying the download, can be cumbersome, but they are crucial in assuring that the download you have received is the one you intended. You want to be sure that you are moving to a more secure setup as opposed to a less secure one.
If you believe your communications are being targeted, you must stop using the communications services/accounts that you believe are compromised immediately. Create a new account and remember not to re-use your existing usernames, passwords or email accounts as you seek help.
Note: If you are unable to set up PGP email with Thunderbird or OTR with Pidgin or Adium, Mailvelope for email is fast and simple ways to set up more secure communications in an emergency.
The following important recommendations can help you to set up new channels of secure communication:
- After you've moved to a new device, create a new account using a new, secure password. Under no circumstances should you re-use an account or a password you have previously used. Find tips on creating a strong password here.
- Unless your threat model includes surveillance by very well resourced governments such as the USA, the UK, China or many governments listed in Google's transparency report, using Google products may afford you a degree of protection. Google tools (especially using Google tools on Chrome) can significantly increase security in these situations, and gives you access to more secure email, chat and voice/video conferencing. This security only helps 'inside' Google, i.e. Gmail to Gmail or Gchat to Gchat. It offers less protection if anyone forwards this information outside of Google, or a different email address then Gmail is added to a Gchat discussion.
- An alternative to Google is Riseup, a volunteer group working to create democratic alternatives and practice self-determination by controlling our own secure means of communications. They offer services such as Gmal and Gchat. It is important to note that Riseup does not have the resources of Google. That said, depending on your situation, Riseup may be more appropriate.
- For end-to-end security, there are many tools with strong encryption you can use. Here are a few recommendations:
- Pidgin (PC) and Adium (Mac) allow you to chat securely, with end-to-end encryption using OTR. Here is a guide to installing Pidgin with OTR.
- Jitsi can be used both for text chat as well as encrypted voice and video. Use this guide to set it up. You can create an account for a secure voice/video call for free.
- PGP (PC and Mac) allows you to set up end-to-end encryption for your email. Here is a guide for using PGP with Thunderbird on your computer.
- Tor Browser Bundle can be used to increase your security and privacy while visiting websites by bouncing your communications around a distributed network of relays run by volunteers all around the world.
- A number of secure tools come pre-installed in TAILS.
If you only have a smartphone, the following tools can protect your communication. Be aware that your phone is generally tied to your identity (through billing, account services or SIM card registration) and can reveal your location. These tools do not protect against this, they only encrypt the content of your communication.
- ChatSecure by The Guardian Project integrates with desktop chat Clients like Jitsi and Pidgin (using Gchat or Jabber/XMPP) and adds end-to-end encryption and the ability to send encrypted files, photos and audio.
- With csipsimple you can also make secure calls (such as from Ostel).
- RedPhone (for voice) and TextSecure (for SMS) by WhisperSystems are good, but both parties must be on Android (with these tools installed) in order for these tools to work.
- These apps are in the Google Play store, the F-Droid repository and available directly from the links above.
- Orbot by The Guardian Project and the Tor Project is an application that allows mobile phone users to access the web, instant messaging and email without being monitored or blocked by their mobile internet service provider. Orbot brings the features and functionality of Tor to the Android mobile operating system.
Your iOS options are more limited, but the ChatSecure app on the iPhone is created in cooperation with the Android ChatSecure app and has similar features. Onion Browser offers similar features to Tor and Orbot for iOS.
Whether you are helping someone remotely or seeking help from a third party, establishing trust is both very important and extremely complicated. You should presume an adversary may have access to all your account details as well as your original communications when seeking help. This adversary has an obvious interest in intercepting your secure communications channel and providing specific, bad advice. Security tools have built-in ways to verify if the person you are talking to is actually the person you think you are talking to. When getting advice, compare it to concepts discussed on well-respected guides such as Security in a Box, resources at EFF and Press Freedom Foundation.
More information on the various technical aspects of trust can be found in the Establishing Trust section.
- Security in a Box; selecting and maintaining secure passwords https://securityinabox.org/en/chapter_3_1
- EFF's guidelines on how to create a password [forthcoming]