
Snowden on Personal Security and Privacy


Starting with the following tweet, Edward Snowden published a thread of recommendations on device and application choices and on configuration measures for maximizing security and privacy.

In recent interviews, I've gotten questions over if or how I use a smartphone. They're so dangerous for someone like me, so it's quite difficult to give an in-depth answer. But I published a paper with @bunniestudios a few years ago discussing some risks
Tweet by Snowden with link to https://www.tjoe.org/pub/direct-radio-introspection/release/2

This blog entry is an excerpt of that thread of tweets, not least as a reference for myself.

Thread from Twitter

Tweet: In recent interviews, I've gotten questions over if or how I use a smartphone. They're so dangerous for someone like me, so it's quite difficult to give an in-depth answer. But I published a paper with @bunniestudios a few years ago discussing some risks: Against the Law: Countering Lawful Abuses of Digital Surveillance · The Journal of Open Engineering (https://www.tjoe.org/pub/direct-radio-introspection)
Tweet: Phone security has been something I've struggled with for a long time. I once spoke with @VICE's @ShaneSmith30 about how it's possible to physically remove internal microphones and cameras from a phone, but even that only mitigates a portion of the threat.
Tweet: But as long as your phone is turned on, even with "location permissions" disabled, the radios in the phone that connect it to all the nice things you like are screaming into the air, reporting your presence to nearby cell towers, which then create records that are kept forever.
Tweet: Software is equally important. The iOS and Android operating systems that run on nearly every smartphone conceal uncountable numbers of programming flaws, known as security vulnerabilities, that mean common apps like iMessage or web browsers become dangerous: you can be hacked.
Tweet: If I were configuring a smartphone today, I'd use @DanielMicay's @GrapheneOS as the base operating system. I'd desolder the microphones and keep the radios (cellular, wifi, and bluetooth) turned off when I didn't need them. I would route traffic through the @torproject network.
Tweet: I wouldn't use WiFi at home, because global maps of every wireless access point's unique ID—including yours—are free and constantly updated. I would use ethernet; yes, ethernet on a phone. I would deny network permissions to any app that doesn't need it using an app firewall.
Tweet: I would use an ad blocker. I would use a password manager. I would block third-party cookies in the browser. These last three are steps that absolutely everyone should consider, because they're simple, cost little or nothing, and protect you while making your phone faster.
Tweet: I'd disable javascript, tracking, and fingerprinting in the browser, and even then I'd avoid the browser unless I had no choice. Better to browse on a laptop (w/ @QubesOS) which does not have a history of everywhere I've been, since it lacks GPS & Wifi, and has @Whonix built-in.
Tweet: I would not (and do not) use email, except as throwaways for registration. Email is a fundamentally insecure protocol that, in 2019, can and should be abandoned for the purposes of any meaningful communication. Email is unsafe. I'd use @Signalapp or @Wire as a safer alternative.
Tweet: This is only a partial list, but I'll stop here. Even with all of these precautions, I still wouldn't consider a smartphone "safe," merely "safer." The technologies underpinning our most basic systems of communication are insecure, and often insecure by design.
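As an added example, not part of the thread or of this post, here is a small Python audit that reads a Firefox prefs.js/user.js and reports which of the browser steps above (block third-party cookies, block tracking, resist fingerprinting, disable JavaScript) are still unmet; the pref names are Firefox's, and the sample file is constructed.

```python
# Added example (not from the post): audit a Firefox prefs.js/user.js against the
# thread's browser steps. Pref names are Firefox's; the sample file is constructed.
import re
# Pref lines look like: user_pref("name", value);  value is "string", number or true/false
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):  # -> {pref_name: value}, values converted to bool, int or str
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything unexpected as raw text
    return prefs

# cookieBehavior: 0 accept all, 1 block third-party, 2 block all, 5 isolate per site (TCP)
CHECKS = [  # (pref, predicate on its value, the recommendation it implements)
    ("network.cookie.cookieBehavior", lambda v: v in (1, 2, 5), "block third-party cookies"),
    ("privacy.trackingprotection.enabled", lambda v: v is True, "block tracking"),
    ("privacy.resistFingerprinting", lambda v: v is True, "resist fingerprinting"),
    ("javascript.enabled", lambda v: v is False, "disable JavaScript"),
]

def audit(prefs):  # -> [(recommendation, pref, current value)] for every unmet check
    findings = []
    for name, ok, what in CHECKS:
        value = prefs.get(name)  # None: not set, so the browser default applies
        if not ok(value):
            findings.append((what, name, value))
    return findings
# Constructed sample: cookies and tracking handled, fingerprinting off, JS at default.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("network.cookie.cookieBehavior", 5);
user_pref("privacy.trackingprotection.enabled", true);
user_pref("privacy.resistFingerprinting", false);
user_pref("browser.startup.homepage", "about:blank");
"""
for what, name, value in audit(parse_prefs(SAMPLE_PREFS)):
    print(f"unmet: {what} ({name} is {value!r})")
```

A pref that is absent is reported with value None, since the browser default then applies and the recommendation is not enforced by the profile.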

Ending notes from Karl

I've blogged on security, privacy and surveillance in the past. If you want to follow what software choices I made and which ad-blockers I recommend, follow this page. I've been a fan of the Signal app for ages and also wrote about QubesOS. However, Snowden's choices are way more strict than my personal environment. His potential threats might be stronger as well. Find your own level and stay informed to do so in a proper way.
