Robert Molenaar is an IT engineer with RNW, specialising in network security. Watchdogs Under Watch is a series of personal stories from journalists, bloggers, and activists around the world, as they encounter and combat surveillance and cyber security issues. This series and corresponding report, written for the Center for International Media Assistance, is in partnership with Radio Netherlands Worldwide.
Unfortunately, there is no one-size-fits-all answer to the issues involved. But there are many tools that can help you a long way. In the end, there is always one link in the chain which technology cannot influence and that’s you.
Stop, think and act
Many courses or clinics that prepare people for stressful situations (first aid courses, evacuation drills) use the slogan “Stop! Think! Act! ” It’s a highly appropriate slogan for cyber security too.
First of all, it’s important to know the risks you are running and what you are trying to protect or avoid. You yourself may not be a ‘person of interest’ or a potential target, but the people you are communicating with might be.
Carrying out a risk assessment is always worthwhile. Simply write down what or who you want to protect, what the ‘threats’ are, which ‘adversaries’ you may face and what they might be interested in. And, of course, finish your assessment with a safety plan, describing the steps you could take to minimize risks. I know, this doesn’t sound easy and it does sound like work, but once you start writing you’ll soon make progress. And of course, getting the right sources can be a great help.
Basically, I believe everyone is responsible for whatever they do or don’t do on the internet. But once you’re dealing with other people online, you will have to agree on a protocol and make some kind of security arrangements before you go any further. You must be sure that the other people know what they are doing (did they do a risk assessment?).
I believe cyber security is a grey area where you have to ask yourself “How far should I go?” I know people who keep their work and private lives completely separate. They have a separate laptop and phone for instance; one for personal use and one for business use.
An increasing number of people use ‘burner’ phones or laptops when they go and work in certain countries. Burners are basic, ‘clean’ devices which don’t carry any (important) data. They are specially prepared for one particular journey; all data will be completely erased and all software will be re-installed afterwards. Just to make sure that sensitive information doesn’t cross borders. After all, something that is not regarded as controversial or sensitive at home might very well be taboo or even banned in other countries or regions.
Encryption = Anonymity?
Encryption is certainly a good start – and sometimes even a basic requirement to communicate – but remember that all of this communication data can still be (automatically) stored. At present, this stored information may be indecipherable by third parties, but this may not be the case for a new generation of supercomputers in the future. Nobody except you can fully determine the value of the data you’re sending.
There are tools that provide both encryption and anonymity, but most of these tools tend to focus on one or the other. PGP (Pretty Good Privacy) for example, a commonly used method to encrypt text messages in particular, basically doesn’t give you anonymity. When you send a PGP encrypted email, the sender and recipient are (more or less) ‘public’ data. Online eavesdroppers will be able to see that person A has sent an encrypted mail to person B. In some cases, it might even be more interesting for them if person A shares encrypted data with person B.
Anonymity = 100% security?
The use of many anonymity tools (such as Tor) can to be detected on any network. In other words, a network administrator can spot certain traffic occurring on his network. Moreover, anonymous traffic is not always encrypted as a rule.
First things first
It’s obvious but worth repeating that first and foremost, your PC must be protected by the latest antivirus software. Another key measure is to install computer and browser updates on a regular basis. If you don’t have these aspects of your computer in order, your first line of defense will be broken.
And finally, it is important that you want to learn – because I understand that for many people, cyber security is an entirely new playing field. But it’s one everybody has to start dealing with.