1
0
mirror of https://github.com/privacyguides/privacyguides.org.git synced 2025-07-24 12:21:09 +00:00

Compare commits

..

1 Commits

Author SHA1 Message Date
Kevin Pham
b5da4264d7 Update publishing.md
Signed-off-by: Kevin Pham <123699355+kpham42@users.noreply.github.com>
2025-05-02 15:43:11 -04:00
2 changed files with 50 additions and 40 deletions

View File

@@ -2,43 +2,3 @@
title: Mass Surveillance Programs
icon: material/bank-outline
---
title: Avoiding Mass Surveillance
icon: material/domain
---
You are not being paranoid if government mass surveillance concerns you.
In 2013, an NSA contactor named Edward Snowden [leaked thousands of classified reports](https://www.pbs.org/wgbh/frontline/article/how-edward-snowden-leaked-thousands-of-nsa-documents/) detailing the bulk data collection practices operated by the United States intelligence community. Among them were two top secret programs operated by the National Security Agency: [PRISM](https://www.theverge.com/2013/7/17/4517480/nsa-spying-prism-surveillance-cheat-sheet) and [XKeyscore](https://arstechnica.com/information-technology/2013/08/building-a-panopticon-the-evolution-of-the-nsas-xkeyscore/). Although both were supposed to [target foreigners](https://www.nbcnews.com/politics/congress/section-702-foreign-intelligence-surveillance-act-congress-what-know-rcna96259), they ended up collecting the personal data of [millions of Americans](https://www.eff.org/pages/Incidental-collection) as well.
PRISM was a classified program that allowed the NSA to collect data directly from the data centers of major [U.S. tech companies](https://money.cnn.com/2013/06/07/technology/security/nsa-data-prism/index.html) like Google, Facebook, Apple, and Microsoft. This included emails, chat messages, video calls, and file transfers. What made PRISM troubling was how quietly and efficiently it worked. Cooperating companies provided direct access, often [without users knowing their data was being provided].
XKeyscore, on the other hand, was a "search engine" used to collect and analyze nearly everything a user does on the internet. It allowed analysts to search through emails, browsing histories, and social media activity in real time. XKeyscore could identify users by their browsing behavior or even [past associated usernames](https://www.lawfaremedia.org/article/nuts-and-bolts-xkeyscore), leading to the widespread use of techniques like [fingerprinting](https://www.techradar.com/features/browser-fingerprinting-explained) to identify and track people across the web.
## How Does Mass Surveillance Work?
Mass surveillance operates on the collection and analysis of vast amounts of data: both the content of communications and the digital trails people leave behind. Even when content is encrypted, surveillance programs can infer much through indirect means, relying heavily on [communications metadata](https://freedom.press/digisec/blog/metadata-102/) and [browser fingerprinting](https://blog.torproject.org/browser-fingerprinting-introduction-and-challenges-ahead/).
To put it shortly, communications metadata refers to information that describes communications between two individuals. Many people mistake end-to-end encryption as foolproof; however, investigators may find the [circumstances](https://abcnews.go.com/blogs/headlines/2014/05/ex-nsa-chief-we-kill-people-based-on-metadata) of a given conservation useful even if they cannot read its content. Examples of this include send time, message size, subject headers, and even the IP addresses associated with a conversation.
Fingerprinting, on the other hand, is used to identify users based on the unique characteristics of their devices and software. Details like screen resolution, time zone, installed fonts, and browser extensions can create a unique profile that allows state actors to track individuals across websites and sessions. XKeyscore and similar tools use these methods to follow users, even if they try to hide behind anonymizing tools.
## Why avoid Mass Surveillance?
Mass surveillance can threaten the safety of journalists, activists, whistleblowers, and anyone with dissenting opinions. By minimizing your digital footprint and understanding how data is collected and shared, you protect your rights and make bulk data collection more expensive and less effective.
It thrives on convenience and passive data collection. Breaking that cycle means making intentional choices on how you browse the internet and communicate with other people.
## Best Practices
### 1. Utilize Anonymizing Software
To reduce your exposure to mass surveillance, adopting [anonymization software](https://www.privacyguides.org/en/advanced/tor-overview/) is one of the first steps. Start by masking your IP address and browsing behavior with tools like [Tor Browser](https://www.privacyguides.org/en/tor), or go even further with [Linux distributions](https://www.privacyguides.org/en/os/linux-overview/) such as [Tails or Whonix](https://www.privacyguides.org/en/desktop/) that route all traffic through Tor. For regular internet browsing, [virtual private network](https://www.privacyguides.org/en/vpn/) providers (VPNs) like Mullvad VPN or Proton VPN can help obscure your IP address from your internet service provider and visited websites; however, it does not enhance your anonymity at all. Your [browser](https://www.privacyguides.org/en/desktop-browsers/) also matters: Mullvad Browser and Brave offer increased protections against fingerprinting. Installing [browser extensions](https://www.privacyguides.org/en/browser-extensions/) like uBlock Origin can also protect you against malicious advertisements and trackers.
### 2. Reduce Communications Metadata
Even when your messages are encrypted, the metadata around your communications can still identify your identity and habits. That is why you should use [end-to-end encrypted messengers](https://www.privacyguides.org/en/real-time-communication/) designed with metadata reduction in mind. Signal, SimpleX, and Briar minimizes the exposure of metadata like who you're talking to and when. You should also consider [removing the metadata](https://www.privacyguides.org/en/data-redaction/) associated with the pictures or files you create before sending it online. When you must use email, [encrypted email providers](https://www.privacyguides.org/en/email/) such as Proton Mail and Tutanota help protect content data, while features like automatic message deletion and disabling read receipts or typing indicators further reduce metadata leakage.
### 3. Consider Jurisdiction
Where your data is stored can be just as important as how its stored. [Jurisdiction](https://www.techradar.com/vpn/why-does-vpn-jurisdiction-matter) affects which laws govern access to your data, so choosing services based in comparably privacy-respecting countries like Switzerland or Iceland can provide stronger protections. Conversely, avoid companies headquartered in surveillance-heavy countries if your threat model includes this factor. If you do not trust cloud-based services, consider [self-hosting](https://www.privacyguides.org/en/file-sharing/#nextcloud-client-server) your services with Nextcloud, which allows you to maintain greater control over your information. However, its end-to-end encryption implementation is [inferior](https://eprint.iacr.org/2024/546.pdf) compared to alternatives like [Proton Drive or Cryptpad](https://www.privacyguides.org/en/cloud/). Regardless, you should always stay informed about domestic and foreign laws that govern data retention and disclosure obligations.

View File

@@ -2,3 +2,53 @@
title: Publishing Information
icon: material/book
---
---
title: Publishing Information
icon: material/book
---
In 2021, a whistleblower named Frances Haugen leaked internal documents from Facebook, revealing how the company knowingly allowed misinformation and assisted in state-sponsored censorship. Known as the [Facebook Files](https://www.wsj.com/articles/the-facebook-files-11631713039), this leak was notable in how successful it was in preventing retaliation before Haugen publicly identified herself. While not confirmed, she most likely shared documents with the Wall Street Journal through [SecureDrop](https://securedrop.org/).
Her case is not unique. Whether you are a whistleblower, an investigative journalist, or an amateur blogger, the ability to publish safely is essential to a transparent society.
## Why Publish Anonymously?
In some countries, simply speaking out can result in criminal charges or loss-of-life. Even in relatively "free" societies, publishing critical information can attract legal threats, online harassment, or unwanted media attention. For example, [this hobbyist security researcher was sued](https://arstechnica.com/security/2024/08/city-of-columbus-sues-man-after-he-discloses-severity-of-ransomware-attack/) for documenting a ransomware attack on his own blog!
Anonymity enables freedom of speech by separating your voice from your identity. It helps protect you from retaliation while keeping the focus on the message.
## Best Practices
### 1. Use a Pseudonym
A pseudonym empowers you to maintain a consistent identity while separating your real-world persona from your published work. Choose a name (or Username) that has not been linked to you and use it exclusively for anonymous publishing.
Register [new accounts](https://www.privacyguides.org/en/basics/account-creation/) and [email](https://www.privacyguides.org/en/email/) addresses from devices and internet connections not associated with your identity. Avoid using the same writing style, login behavior, or online habits that could de-anonymize you. Remember that a pseudonym is only as strong as your ability to keep it separate.
In some cases, like in large newsrooms, you may need a public identity to establish credibility. If that is the case, shift your focus toward secure communication with confidential sources and protecting your operational security. Consider setting up a secure tipline instance for your organization.
### 2. Find a Platform
Where and how you publish matters. Here are a few options:
#### Create your Blog
Depending on your situation, you may be deciding between creating a website or using a third party platform like Substack or Medium. If you go with the former, [Ghost](https://ghost.org/) is an excellent open-source alternative to Substack. You can also create your own website through services like Wix or SquareSpace if your threat model allows it.
You can also consider running a Tor hidden service for an informal blog. This gives you control over hosting and minimizes reliance on third-party platforms. See [self-hosting resources](PLACEHOLDER) for guidance.
#### Use Alternative Social Media
[Social networks](https://www.privacyguides.org/en/social-networks/) can help you connect with a potential audience and gather feedback. Instead of X or Facebook, a decentralized and federated alternative like [Mastodon](https://joinmastodon.org/) can resist censorship from government actors. If you need help creating your first Mastodon account, read this resource here.
### Seek External Publishers
Many media outlets accept tips through a tipline, a system designed to receive anonymous submissions via Tor. This can be safer than publishing independently if you are sharing sensitive documents or exposing wrongdoing.
### 3. Compartmentalization
Compartmentalization involves isolating your publishing work from everything else. Whether youre using a pseudonym or your real name, never mix your activities. Instead of using apersonal laptop, purchase a dedicated laptop for your publishing work. When you decide to publish your final draft or upload your documents, do not log in from home or work networks. Instead, use an anonymous network like [Tor](https://www.privacyguides.org/en/tor/) over public wifi.
Furthermore, you should also install a anonymity or security-focused operatin system. When doing sensitive activities, boot from [Tails OS](https://www.privacyguides.org/en/desktop/#tails), an amnesiac Linux distribution that leaves no trace. For high-security daily usage, [Qubes OS](https://www.privacyguides.org/en/desktop/qubes) lets you compartmentalize your personal and work tasks in isolated virtual machines called qubes. If one of these virtual machines becomes compromised, you can always dispose of them.
Do not reuse passwords, emails, or browsing habits across different identities. Each project or pseudonym should exist in its own bubble. Compartmentalization ensures that you can safely publish your work without endangering your safety.