Several RISE members have voiced concerns about security. It's a big topic, and I'm not going to try to take on all of it in one post, but I wanted to give you an overview of how we're thinking about it and things you can do personally to maximize your own security (both as part of RISE and just as a regular person). As an organization, our goal is to balance our need to be flexible and grow quickly with the need to ensure that our basic communications and infrastructure are being appropriately managed. This first post will focus on IT security. (I learned some of these lessons from a Syrian refugee who told me what he had been taught to do to avoid surveillance from that government. It's so sad to be discussing the same things here.)
In the Trump era, people are increasingly concerned about abuses of the government surveillance infrastructure. Equally, it's become apparent that the big tech companies (Google, Facebook, Apple, etc.) are collecting massive amounts of personal information and that the theft and exploitation of personal data is increasingly common. With this in mind, there are some common-sense things you can do to enhance your own cyber-security. It's the same stuff we do at RISE HQ. These are ordered roughly from simplest and most important to most extreme. Pick what's right for you.
- Use two-factor auth for your key accounts. Any password is guessable by someone who tries long and hard enough. And if you use the same password for multiple services (let's face it, we all do), someone who breaks into one provider might be able to steal your password and use it elsewhere. To get around this, tech companies have implemented two-factor authentication (sometimes abbreviated TFA) to help keep your account safe. The way it works is that when you try to access your account from a new device, the service sends you a text message with an additional code you need to enter. That means that in order to break into your account, an attacker needs both your password and your cell phone. THIS IS THE SINGLE MOST IMPORTANT THING YOU CAN DO. Instructions are here for Google/Gmail, Facebook, Twitter, and Apple.
- Use secure messaging. Your personal texts, messages, and social media posts do not necessarily disappear. Tech companies like to store all data forever. And they can also be hacked. One easy option is to use a secure messaging app. It used to be WhatsApp, but since Facebook acquired them and started admitting they are also analyzing those supposedly secure messages, WhatsApp may not be a good option. A good alternative is Signal. It's simple to set up and you just need phone numbers to communicate with people like you would in any other texting app. It also supports group messaging.
- Use a VPN when you are on public wifi. A lot of public wifi networks are unencrypted and a lot of apps are lazy about encryption. To be safer, you can use a virtual private network client like BetterNet.
- Disable auto-joining wifi networks. Out of the box, your phone automatically connects to wifi networks based purely on their names (e.g. attwifi). Of course, that makes it really easy for someone to set up a fake network with that name and monitor your traffic.
- Browse privately. Even if they can't read the data, people listening in on wifi can still see what sites you are accessing unless you use a secure browser like those that implement Tor. You can find these apps by searching for Tor in the Apple app store and Google Play store.
- Consider where you host your email. If you are using Gmail, Facebook Messenger, etc., be aware that these companies can (and do) routinely scan your messages. It's primarily for ad targeting, but the capability could be used in other ways. If you are concerned about this, you might consider a secure email provider that does not profit based on your data. My personal favorite is Protonmail.com. (Big tech has a mixed record about sharing user data with government. They've done a lot of it in China, so it's quite possible it could happen here too.)