Friday, August 27, 2021

Communications security when everyone is listening

 

I've had a number of questions from readers about a seeming contradiction in some of the advice I've given about personal security and preparations in our current environment.  They point out that it's almost impossible to stop outside forces or agencies "snooping" on our communications with each other - so how is it feasible to plan ahead for contingencies when our plans can't be kept to ourselves?  The sort of scenarios that have been mentioned include (but are not limited to):

  • Like-minded people getting together to plan local security for a region that might be plagued by extremists trying to intimidate residents;
  • People working together to coordinate emergency preparations (reserves of food, water filtration, "bug-out" plans, etc.);
  • Training sessions, where people will get together at a given location to practice weaponcraft, learn new skills from each other (e.g. food canning, gardening, makeshift repairs, etc.) and so on;
  • Storing equipment and supplies against future need, and to avoid potential losses due to various causes.

There's quite a lot that can be done to preserve confidentiality in planning and communications.  However, it all requires forethought, hard work, and consistency.  Any failure at any point in the chain may expose one's plans to others.  Therefore, those involved in the process have to be trustworthy, and monitor each other rigorously, and hold each other accountable for keeping things under wraps.

The first thing to remember is that any and every electronic communication (cellphone conversations, text messages, e-mails, Internet chat rooms, whatever) is by definition insecure.  The NSA routinely intercepts every telephone call, and monitors the entire Internet.  Google and other companies scan every e-mail you send, ostensibly to target advertisements to you, but also, I'm sure, to keep an eye over who's saying and/or doing what, and whether this might be of interest to the authorities.  Your Internet service provider logs every Web site you visit.  If you visit certain sites regularly, you might be flagged as an extremist, or classified as a member of "a group of interest".

One can do a certain amount to preserve privacy, such as using a VPN or anonymized browsing (e.g. the TOR network), but that can only go so far.  Today's communication analysis tools are so far-reaching and so capable that one simply can't assume that we have any online privacy left at all.  (For example, the FBI cracked TOR years ago.)  One certainly can't trust "free" or "open-source" encryption hardware and software.  Most of it has been compromised, some before it even hits the market through prior arrangement between the authorities and its originators by incorporating "backdoor" access.  Also, hackers have found ways to penetrate most such offerings.  (Remember, too, that merely using such services may make one a person of interest to the authorities.  "If you have nothing to hide, what are you trying to hide, and why?"  They certainly won't accept any arguments about your privacy, because in their world view, nobody should have any privacy.  Sound familiar?)

Electronic communications have been insecure for quite a long time, actually.  Back in World War II the German armed forces had a saying:  Alle funkverkehr ist Landesverrat - "all radio traffic is treason".  That's because, even if an enemy couldn't decipher or decrypt the message, he could learn a lot by traffic analysis, evaluation of the individual Morse code technique of individual operators (thus enabling a listener to track those individuals as they moved between units and postings), code names (and changes in them), and so on.  Every transmission would reveal something, whether the sender liked it or not.

That means, if we want to use electronic communication in any form, we have to use code words or phrases to describe what we're talking about, and change them frequently.  We must expect and assume that someone, somewhere, is listening.  That may well mean that for important subjects, they're not discussed online at all.  It's that simple.  We can also use alternative methods of electronic communication, less likely to be intercepted (but still vulnerable to some extent, so caution is still necessary).  Walkie-talkie-type radios, CB radio, ham radio, etc. can all be useful tools.

For anything really important, the only foolproof protection against electronic eavesdropping is not to use electronics.  Older methods of communication will come into play.  The mail and/or commercial courier services are only partly secure.  Remember, the US Postal Service photographs the addresses on every single item sent through its network, and courier services record the same information electronically.  Patterns of communication (traffic analysis) can thus be established relatively easily, making it simple to target certain correspondence for further investigation.  (Incarcerated prisoners try to get around this by using false "from" and "to" addresses, having made arrangements for the mail to be hand-delivered to the right person upon arrival.  It requires constant vigilance from corrections officers.)

For highly sensitive arrangements, some people use codes and ciphers.  I think this is overblown;  there are very few legal things so sensitive as to require this.  Nevertheless, book ciphers and other simple techniques have been used in that way for decades, if not centuries.  If properly used, with appropriate security precautions, they're very hard to crack.  For those who've had cryptography training in the military, there are other options;  and commercial code programs and hardware are freely available, if you have the money to buy them.

I know of several groups who are heavily into preparing for hard times, working together to ensure mutual security, etc.  They take security very seriously, because they don't want to be described as a "militia group" (which they're not, but journalists will sensationalize anything), or singled out for confiscation of their reserves in hard times (when authorities are likely to accuse every "prepper" of "hoarding", in an attempt to curry favor with an angry populace).  They generally don't talk about their programs at all over electronic media.  It's all face-to-face, word-of-mouth communication, plus some innocuous-seeming notices in public media and places where everyone else can read them without signing in or otherwise identifying themselves as being interested.  Some of those groups have been operating that way for years.  (The "Moscow Rules" are widely known, and can be useful on occasion.)

So, if you're worried about security, there are options available.  However, I caution that if the authorities get seriously interested in you, or in anyone holding certain opinions, the odds of keeping your activities secret are very poor indeed.  That's just the way it is in our surveillance society.  (Besides, there are plenty of neighborhood busybodies who'll be delighted to inform on you if that's the way to get benefits for themselves.)

I'm sure I'm on several lists, thanks to the opinions I've expressed on this blog and elsewhere.  I simply shrug and carry on regardless.  If things go to hell in a handbasket, I'll just have to stand (or fall) on what I believe in - as will we all.

Peter


9 comments:

heresolong said...

Shrug, carry on, stand or fall as the case may be. Good advice. We all die sometime and luck may have as much to do with it as anything else.

“I wish it need not have happened in my time," said Frodo.
"So do I," said Gandalf, "and so do all who live to see such times. But that is not for them to decide. All we have to decide is what to do with the time that is given us.”

Jonathan H said...

Don't go completely offline either; that can get noticed and in some cases trigger investigation also...

WL Emery said...

Communications have always been a good deal less than confidential. Every whispered conversation is likely to have an eavesdropper who read lips.

I never cease to be surprised by the number of people who believe that email is confidential, and are outraged and horrified when they find out it isn't. The very first rule of email privacy is, "Don't send anything in email that you aren't prepared to shout in a crowded room."

All that being the case, Pretty Good Privacy (PGP) should fulfill anyone's needs. If you suspect a back door to PGP, get the source code and read it, then compile it with your own C compiler. Encrypt your messages, attach them to an email, and have fun.

Be aware, however, that the entire alphabet soup of government security agencies will start tracking you. Also, PGP can be broken. It takes exclusive use of a super-computer and a long time, but it is possible. That's one super-computer working on one message.

For my part, I've always planned to shelter in place. Should my place fail, I have a few alternatives.

Francis Turner said...

BTW if you plan to meet someone confidentially LEAVE YOUR SMARTPHONE BEHIND

Even if it doesn't listen to the conversation, it is trackable and (see the recent Catholic priests & Grindr) possible to de-anonymize "anonymous" metadata so any number of apps that you have running on your phone are busily telling everyone where you are (presuming of course that the government doesn't just send a subpeona to your carrier anyway)

Likewise new electric cars tend to be trackable because they call home with telemtry so don't drive one.

And (of course) don't pay for things with a card.

Francis Turner said...

@WL Emery
I never cease to be surprised by the number of people who believe that email is confidential, and are outraged and horrified when they find out it isn't. The very first rule of email privacy is, "Don't send anything in email that you aren't prepared to shout in a crowded room."

All that being the case, Pretty Good Privacy (PGP) should fulfill anyone's needs. If you suspect a back door to PGP, get the source code and read it, then compile it with your own C compiler. Encrypt your messages, attach them to an email, and have fun.


I'm fairly sure that a protonmail email to another protonmail email user is encrypted in ways that the NSA will find very hard to decrypt. Protonmail is hosted in Switzerland which is good WRT not responding to subpoenas but bad because you have to connect to Switzerland to send/read mail. That means the NSA definitely gets to see the metadata telling the world that you have a protonmail account

Unknown said...

OpenSource software doesn't guarantee that there are no bugs or backdoors, but it does mean that people can look for them and fix what they find.

closed source security code has no such guarantee, and it's much easier for the powers that be to lean on one company to do something in secret (or even break into their systems and modify the source, expecting that it won't be found) than it is to convince all the different contributers (across multiple countries) to include a backdoor.

David Lang

Chip Anderson said...

First rule of computer security, don't use a computer. If you have to use a computer, don't turn it on. Used to do tempest attacks, in the '80s.

Jimmy said...

All,
Quantum computers have started crunching bits now. So PKI-based encryption (which is pretty much all email encryptions, including proton, pgp,et al, and Cryptocurrencies) will expire very, very soon. And private key encryption is only good for one time.

And all agencies are waiting for a good enough quantum computer to start crunching their archives.

Tschifty Mccoy said...

I have heard that a semi secure comm system is to create a draft email but never send it. In other words, create an innocuous email acct, share password only by word of mouth only change often as possible, and communicate by reading and revising the drafts then delete when done, moving to new accounts after a few uses. I'm sure all those drafts could and would be looked at if the snoops had you as a high priority to get access through the mail provider but at least it's better than sending through the NSA monitoring system, right?