mirror of
https://github.com/privacyguides/privacyguides.org.git
synced 2025-07-23 11:51:16 +00:00
Compare commits
1 Commits
kpham42-ge
...
kpham42-ge
SHA1 |
---|
11ebcfd7fe |
@@ -2,3 +2,43 @@
|
||||
title: Mass Surveillance Programs
|
||||
icon: material/bank-outline
|
||||
---
|
||||
|
||||
title: Avoiding Mass Surveillance
|
||||
icon: material/domain
|
||||
---
|
||||
|
||||
You are not being paranoid if government mass surveillance concerns you.
|
||||
|
||||
In 2013, an NSA contactor named Edward Snowden [leaked thousands of classified reports](https://www.pbs.org/wgbh/frontline/article/how-edward-snowden-leaked-thousands-of-nsa-documents/) detailing the bulk data collection practices operated by the United States intelligence community. Among them were two top secret programs operated by the National Security Agency: [PRISM](https://www.theverge.com/2013/7/17/4517480/nsa-spying-prism-surveillance-cheat-sheet) and [XKeyscore](https://arstechnica.com/information-technology/2013/08/building-a-panopticon-the-evolution-of-the-nsas-xkeyscore/). Although both were supposed to [target foreigners](https://www.nbcnews.com/politics/congress/section-702-foreign-intelligence-surveillance-act-congress-what-know-rcna96259), they ended up collecting the personal data of [millions of Americans](https://www.eff.org/pages/Incidental-collection) as well.
|
||||
|
||||
PRISM was a classified program that allowed the NSA to collect data directly from the data centers of major [U.S. tech companies](https://money.cnn.com/2013/06/07/technology/security/nsa-data-prism/index.html) like Google, Facebook, Apple, and Microsoft. This included emails, chat messages, video calls, and file transfers. What made PRISM troubling was how quietly and efficiently it worked. Cooperating companies provided direct access, often [without users knowing their data was being provided].
|
||||
|
||||
XKeyscore, on the other hand, was a "search engine" used to collect and analyze nearly everything a user does on the internet. It allowed analysts to search through emails, browsing histories, and social media activity in real time. XKeyscore could identify users by their browsing behavior or even [past associated usernames](https://www.lawfaremedia.org/article/nuts-and-bolts-xkeyscore), leading to the widespread use of techniques like [fingerprinting](https://www.techradar.com/features/browser-fingerprinting-explained) to identify and track people across the web.
|
||||
|
||||
## How Does Mass Surveillance Work?
|
||||
|
||||
Mass surveillance operates on the collection and analysis of vast amounts of data: both the content of communications and the digital trails people leave behind. Even when content is encrypted, surveillance programs can infer much through indirect means, relying heavily on [communications metadata](https://freedom.press/digisec/blog/metadata-102/) and [browser fingerprinting](https://blog.torproject.org/browser-fingerprinting-introduction-and-challenges-ahead/).
|
||||
|
||||
To put it shortly, communications metadata refers to information that describes communications between two individuals. Many people mistake end-to-end encryption as foolproof; however, investigators may find the [circumstances](https://abcnews.go.com/blogs/headlines/2014/05/ex-nsa-chief-we-kill-people-based-on-metadata) of a given conservation useful even if they cannot read its content. Examples of this include send time, message size, subject headers, and even the IP addresses associated with a conversation.
|
||||
|
||||
Fingerprinting, on the other hand, is used to identify users based on the unique characteristics of their devices and software. Details like screen resolution, time zone, installed fonts, and browser extensions can create a unique profile that allows state actors to track individuals across websites and sessions. XKeyscore and similar tools use these methods to follow users, even if they try to hide behind anonymizing tools.
|
||||
|
||||
## Why avoid Mass Surveillance?
|
||||
|
||||
Mass surveillance can threaten the safety of journalists, activists, whistleblowers, and anyone with dissenting opinions. By minimizing your digital footprint and understanding how data is collected and shared, you protect your rights and make bulk data collection more expensive and less effective.
|
||||
|
||||
It thrives on convenience and passive data collection. Breaking that cycle means making intentional choices on how you browse the internet and communicate with other people.
|
||||
|
||||
## Best Practices
|
||||
|
||||
### 1. Utilize Anonymizing Software
|
||||
|
||||
To reduce your exposure to mass surveillance, adopting [anonymization software](https://www.privacyguides.org/en/advanced/tor-overview/) is one of the first steps. Start by masking your IP address and browsing behavior with tools like [Tor Browser](https://www.privacyguides.org/en/tor), or go even further with [Linux distributions](https://www.privacyguides.org/en/os/linux-overview/) such as [Tails or Whonix](https://www.privacyguides.org/en/desktop/) that route all traffic through Tor. For regular internet browsing, [virtual private network](https://www.privacyguides.org/en/vpn/) providers (VPNs) like Mullvad VPN or Proton VPN can help obscure your IP address from your internet service provider and visited websites; however, it does not enhance your anonymity at all. Your [browser](https://www.privacyguides.org/en/desktop-browsers/) also matters: Mullvad Browser and Brave offer increased protections against fingerprinting. Installing [browser extensions](https://www.privacyguides.org/en/browser-extensions/) like uBlock Origin can also protect you against malicious advertisements and trackers.
|
||||
|
||||
### 2. Reduce Communications Metadata
|
||||
|
||||
Even when your messages are encrypted, the metadata around your communications can still identify your identity and habits. That is why you should use [end-to-end encrypted messengers](https://www.privacyguides.org/en/real-time-communication/) designed with metadata reduction in mind. Signal, SimpleX, and Briar minimizes the exposure of metadata like who you're talking to and when. You should also consider [removing the metadata](https://www.privacyguides.org/en/data-redaction/) associated with the pictures or files you create before sending it online. When you must use email, [encrypted email providers](https://www.privacyguides.org/en/email/) such as Proton Mail and Tutanota help protect content data, while features like automatic message deletion and disabling read receipts or typing indicators further reduce metadata leakage.
|
||||
|
||||
### 3. Consider Jurisdiction
|
||||
|
||||
Where your data is stored can be just as important as how it’s stored. [Jurisdiction](https://www.techradar.com/vpn/why-does-vpn-jurisdiction-matter) affects which laws govern access to your data, so choosing services based in comparably privacy-respecting countries like Switzerland or Iceland can provide stronger protections. Conversely, avoid companies headquartered in surveillance-heavy countries if your threat model includes this factor. If you do not trust cloud-based services, consider [self-hosting](https://www.privacyguides.org/en/file-sharing/#nextcloud-client-server) your services with Nextcloud, which allows you to maintain greater control over your information. However, its end-to-end encryption implementation is [inferior](https://eprint.iacr.org/2024/546.pdf) compared to alternatives like [Proton Drive or Cryptpad](https://www.privacyguides.org/en/cloud/). Regardless, you should always stay informed about domestic and foreign laws that govern data retention and disclosure obligations.
|
||||
|
@@ -2,42 +2,3 @@
|
||||
title: Targeted Attacks
|
||||
icon: material/target-account
|
||||
---
|
||||
title: Avoiding Targeted Surveillance
|
||||
icon: material/domain
|
||||
---
|
||||
|
||||
While mass surveillance collects vast amounts of data from the general population, [targeted attacks](https://www.amnesty.org/en/latest/campaigns/2020/10/stopspying/) are different. it focuses specifically on individuals or groups deemed "persons of interest" by governments, corporations, or malicious actors. This kind of surveillance can be far more invasive and precise; however, it is also less likely to occur for most people.
|
||||
|
||||
# How Do Targeted Attacks Work?
|
||||
|
||||
Targeted attacks uses several techniques to infiltrate a person's digital and physical life. It often involves direct attacks on devices, network interception, and even human intelligence.
|
||||
|
||||
[Device Exploitation](https://www.kaspersky.com/resource-center/definitions/what-is-zero-click-malware) is one of the most common methods. Attackers might use malware, spyware, or vulnerabilities in your phone, computer, or IoT devices to gain persistent access. Tools like [Pegasus](https://www.theverge.com/2021/7/18/22582532/pegasus-nso-spyware-target-phones-journalists-activists-investigation) have shown how even encrypted apps can be compromised once the device itself is under control.
|
||||
|
||||
[Network surveillance](https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/) targets the transmission of your data. By attacking the infrastructure between you and your services, adversaries can conduct man-in-the-middle attacks, monitor unencrypted traffic, or inject malicious payloads.
|
||||
|
||||
[Social engineering](https://www.crowdstrike.com/en-us/cybersecurity-101/social-engineering/) remains one of the most effective ways to target a device. Phishing emails, malicious attachments, impersonation, and psychological manipulation are used to trick targets into handing over sensitive information or installing malware themselves.
|
||||
|
||||
# Who Is At Risk?
|
||||
|
||||
Targeted attacks can be devastating. It can expose sensitive conversations, reveal confidential information, endanger lives, and destroy trust. Whether you are a journalist communicating with sources, a whistleblower exposing corruption, or simply someone advocating for civil rights, protecting yourself against targeted attacks is essential to maintaining your freedom and safety.
|
||||
|
||||
Victims often suffer from feelings of helplessness and anxiety. Recognizing your risk before a targeted attack and preparing accordingly is crucial for this threat model.
|
||||
|
||||
# Best Practices
|
||||
|
||||
## 1. Harden Your Devices
|
||||
|
||||
Ensure that your devices are secure: Keep your operating systems and apps up to date with the latest security patches. Ideally, you should purchase the latest [mobile devices](https://www.privacyguides.org/en/mobile-phones/) that are known for security, such as Pixel phones with GrapheneOS or iPhones with lockdown mode enabled. Install only trusted apps and limit permissions as much as possible.
|
||||
|
||||
As for your desktop and laptop computers, full-disk encryption should be enabled everywhere. For sensitive tasks, you should consider installing [Linux](https://www.privacyguides.org/en/desktop/). An amnesiac distribution like [Tails OS](https://www.privacyguides.org/en/desktop/#tails), or a security-focused distribution like [Qubes OS](https://www.privacyguides.org/en/desktop/#qubes-os) works well in this threat model. This step reduces the severity of a potential malware infection.
|
||||
|
||||
## 2. Encrypt Everything
|
||||
|
||||
Communicate using [end-to-end encrypted services](https://www.privacyguides.org/en/real-time-communication/) whenever possible. For messaging, rely on tools like [Signal](https://www.privacyguides.org/en/real-time-communication/#signal) or [SimpleX Chat](https://www.privacyguides.org/en/real-time-communication/#simplex-chat). For [emails](https://www.privacyguides.org/en/email/), prefer PGP-encrypted communications or use privacy-focused providers like [Proton Mail](https://www.privacyguides.org/en/email/#proton-mail) and [Tuta](https://www.privacyguides.org/en/email/#tuta). Use encrypted software such as [Cryptomator](https://www.privacyguides.org/en/encryption/#cryptomator-cloud) or [VeraCrypt](https://www.privacyguides.org/en/encryption/#veracrypt-disk) for sensitive files, and always [verify the identities](https://www.privacyguides.org/articles/2022/07/07/signal-configuration-and-hardening/?h=contact#signal-pin) of your contacts before sending anything.
|
||||
|
||||
## 3. Be Skeptical and Vigilant
|
||||
|
||||
Be suspicious of unexpected messages, links, and attachments that can be used to deploy zero-click attacks. Use [multi-factor authentication](https://www.privacyguides.org/en/multi-factor-authentication/) (preferably hardware tokens like [YubiKey](https://www.privacyguides.org/en/security-keys/)) to secure accounts. Regularly audit your [digital footprint](https://www.privacyguides.org/en/basics/account-deletion/): check what information about you is public, remove unnecessary exposure, and practice good operational security (OpSec) principles like minimizing what you share online.
|
||||
|
||||
This approach also applies to your family members and colleagues. Often, a threat actor will also target the [associates of their victims](https://www.pbs.org/wgbh/frontline/article/pegasus-spyware-jamal-khashoggi-wife-phone-washington-post/) even if the intended target practices good OpSec. If you believe that this could happen to you, communicate this possibility to potential victims and [educate them](https://www.privacyguides.org/en/basics/why-privacy-matters/) on mitigation steps.
|
||||
|
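Review bot: The header `-2,42 +2,3` leaves only three lines on the new side of this file, so the body shown here (How Do Targeted Attacks Work?, Who Is At Risk?, Best Practices) does not survive there; confirm that is intended, since the page would then be front matter only. If the text is kept or moved elsewhere, a few points apply. In "3. Be Skeptical and Vigilant", suspicion of "unexpected messages, links, and attachments" is tied to zero-click attacks, but zero-click attacks need no user interaction, so that advice addresses phishing and the zero-click case needs its own mitigation (the patching and lockdown mode advice in "1. Harden Your Devices"). In "2. Encrypt Everything", the "verify the identities" link points at an anchor ending in `#signal-pin`, which does not match the link text. Headings here use `#` and `##`, while the mass surveillance file in this diff uses `##` and `###`. Grammar: "are different. it focuses" and "Targeted attacks uses".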