Under President Obama, people became increasingly concerned about government surveillance both at home and abroad. If you thought Obama was bad, though, imagine Donald Trump—known for his vindictiveness and his lack of respect for the Constitution—in charge of the powerful U.S. government surveillance apparatus. While campaigning, Trump called on Apple to break into the phone of one of the San Bernardino shooters and publicly called for a boycott of the company until it did. In the immediate aftermath of Trump’s victory, Twitter was abuzz with online security tips for those concerned with a dystopic surveillance state that could put people—particularly women, minorities, and activists—at risk.
Hey, no joke, and I'm paraphrasing smarter people. If you plan on opposing Trump:
Get a VPN
2FA on your emails.
— John Rogers (@jonrog1) November 9, 2016
“All of this advice is good security advice” in general, says Micah Lee, a security engineer and journalist at the Intercept. “A Trump presidency makes it more pressing because Trump seems to be eager to abuse his power, but everyone has been able to abuse their power and do these sorts of things for a long time.”
The National Security Agency has extraordinary access to data on U.S. citizens, and as John Napier Tye, a former State Department section chief for internet freedom and a whistleblower, wrote in Future Tense last week, the possibility of Trump using it for nefarious purposes—such as collecting and leaking private information on his enemies—doesn’t exactly seem far-fetched. Whether the Obama administration will succeed—or even attempt—to meaningfully rein in NSA powers before Jan. 20 remains to be seen. Government requests to companies make a big difference in whether any steps to limit surveillance are effective, and the Foreign Intelligence Surveillance Court, which approves electronic surveillance in the United States, is already a rubber stamp under Obama.
For now, here is a look at some of the security tips being suggested and what protection they may provide.
Two-factor authentication for email
Two-factor authentication adds an extra layer of security for your email accounts. It works by requiring you to enter a temporary code from a phone app (like Google Authenticator) or a text message in addition to your username and password or by plugging a security key such as YubiKey into your USB port.
But would it protect you if you’re one of Trump’s targets? “I think it depends on how Trump goes about trying to get revenge on his enemies,” says Lee. If you’re an activist under investigation by the Trump Justice Department, two-factor probably won’t help you because the government can just submit a data request to Google to get access to your emails. (It can even send a national security letter accompanied by a gag order.)
But if you’re using a foreign email provider that’s not responsive to U.S. government requests for data, or if the government is trying to hack into emails, then two-factor may help.
“Hypothetically, there is such a thing as parallel construction,” says Harlo Holmes, a digital security trainer at the Freedom of the Press Foundation. (Parallel construction is when law enforcement builds parallel evidence for a criminal investigation to conceal how it began—for instance, by hacking without a necessary warrant or approval.) “It’s conceivable that an account that’s easy to hack could be infiltrated by an agency that would use parallel construction to support what they already learned from the hacking.”
If nothing else, two-factor authentication does offer some protection against run-of-the-mill hackers.
Virtual private networks
A VPN can be used to route traffic through an encrypted connection to the VPN’s server.
It’s not anonymous—the VPN provider knows who you are—but if you’re worried about someone sitting in an unmarked van outside of your house and monitoring your Wi-Fi network (hey, it’s happened before) a VPN could offer some protection. “It has the benefit of giving you a bit of location privacy,” Lee says, because it allows you to log in with the same IP address whether you’re at home, at your office, or at a coffee shop. Otherwise, you may have a different IP address from different locations, which makes it easier to know when you’ve switched locations. (Some workplaces even have their own IP addresses that list the names of the businesses.) Connecting using your carrier’s network may only deliver your general location (usually just the city and state), but authorities could always ask your carrier for specific information. Additionally, commercial outfits such as Skyhook Wireless are capable of providing users of their service with very specific location data based on hotspot IP addresses.
That said, many VPNs have issues of their own. Some log data, which could easily be handed over to the government in response to a data request. And there are many shady VPNs—and no easy way to verify security claims made by VPNs on their sites (or on the many affiliate-based review sites). You also have to pay for a VPN, usually about $4.99-$15 per month.
The Tor browser
Unlike VPNs, the Tor browser (Tor stands for “the onion router”) does offer anonymity by running traffic through multiple relays—and it’s free. Additionally, Tor’s bundled browser has been heavily modified to maximize privacy on the web by disabling Flash and clearing cookies when a window is closed.
Lee emphasizes that since we don’t yet know what Trump would do, it’s too early to say that you should always use Tor exclusively. Tor is slow and actually blocked by many sites (such as Yelp), and it’s not perfect, particularly when it comes to real-time attacks, as opposed to gathering your data after the fact. “If your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same circuit,” Lee says.
But Tor could well prove useful for individuals perusing potentially sensitive sites—like information on converting to Islam or researching online activism. And as Holmes points out, “Tor has a million other uses.” For instance, it can allow you to look up medical symptoms without your searches becoming a part of an advertisement profile.
Signal
Signal is a scrappy, free phone app created by Open Whisper Systems that’s available for both Android and iOS. Open Whisper Systems can see your metadata, but it doesn’t log it, which limits its ability to turn info over to the government.* When the company received a request for data through a grand jury investigation, it was only able to respond with the most recent time and date the user logged into his or her account.
The government could theoretically try to force Open Whisper Systems to modify its service to make it more surveillance-friendly (just as it tried to force Apple to do), but Signal is far more secure for things like activist organizing than, say, Facebook groups.
Passwords and encryption
Lee says that smartphones are a big attack vector right now and that Android users should enable disk encryption on their phones. (It’s on by default on iOS, but of course you’d need a good password as well.) Using a password manager such as KeePass, 1Password, or LastPass and setting strong, unique passwords for each service you use—as well as your phone—could help you if you are in danger of being detained.
An uptick in future street harassment by law enforcement is more than possible, with stop-and-frisk proponent Rudy Giuliani being floated as a possible attorney general pick—which would put him in charge of the Justice Department and give him oversight of the FBI. Using strong, unique passwords and encrypting your phone offers protection against run-of-the-mill hackers as well. This is a better option than TouchID, since some courts have ruled that it’s constitutional to force suspects to unlock their phones with their thumbprints, but so far, it seems that forcing users to input passwords is not.
Some have called for Google, Facebook, and other companies to take greater responsibility for user privacy. For instance, New York Times columnist Zeynep Tufekci tweeted, “tech companies should immediately go to end-to-end encryption and ponder alternative financial models.” Others suggest the companies could give people better tools to scrub their behavioral data. In fact, Google does have some options available for users to prune their account data, which is a good practice, but it’s not clear whether deleting user data is effective against the state—it depends on where Google stores it, for how long, how it’s intercepted, and other factors.
“If you really need to make sure law enforcement or anyone that Trump is controlling doesn’t have access to a lot of your private information, then don’t give it to Facebook and Google,” Lee recommends. Stick to encrypted messaging apps such as Signal, and consider paying to use email or service providers that you trust and that have a policy of fighting unconstitutional government requests for data, such as Electric Embers or Riseup. (That said, there’s a bit of a trade-off as well—smaller providers that are likely to resist government requests for data have fewer security staffers and are not immune to being hacked themselves.)
OK, these tips may sound a bit on the paranoid side. But these tools are versatile and offer some protection not just against mass surveillance, but against run-of-the-mill hackers as well. Fear of how a Trump presidency might tap into NSA surveillance capabilities provides a good opportunity to take better stock of our own security and encourage others to do so as well.
Correction, Nov. 10, 2016: Due to an editing error, this piece originally misstated that Open Whisper Systems can see users’ data (though it doesn’t log it). Open Whisper Systems can see only the metadata, not the contents of the messages.