Hacklab

Don't Get Snooped!

The deep dark web and your security in the wake of the Snoopers’ Charter


As the Investigatory Powers Act 2016 comes into force, it’s predicted that there will be a lot of people attempting to lock down their data to avoid the ‘Snoopers’ and the possible risks that come from having everything you do scrutinised on the internet. While the old argument ‘if you’re not doing anything wrong, you have nothing to hide’ is being trotted out on a regular basis, there are those among us who don’t feel it’s ok to have the government monitoring everything we do online on a daily basis, as well as having total access to all of our personal details and information.

The Snoopers’ Charter boils down to this: the UK government now requires internet service providers and phone companies to retain records of their customers’ browsing data for up to one year. Furthermore, these records will be accessible to dozens of public authorities upon the issue of a warrant. It’s kind of like Theresa May giving any government agent the right to read your personal diary upon request. While this may not concern some people (what would the government want with my diary anyway?), there are a large number of information security professionals and industry leaders who are mortally concerned about the implications of this bill, as well as the precedent it sets for privacy laws around the globe. It also raises some interesting questions about privacy in the Information Age: what constitutes a national border or jurisdiction online? Can the government collect data about Chinese citizens who visit UK-hosted websites, or access data held here? What about your love letters, marital conversations and amateur phallic photography...? Is there even a way to distinguish between useful and useless information?

It’s interesting to note at this juncture that Denmark recently repealed their own similar ‘session-logging’ surveillance program, started in 2007... for the second time. They did this stating that the cost was far too great in comparison to the utility of the program, after it was only invoked in a single investigation over the whole time it was in force. Our own ‘Snoopers’ Charter’ is expected to cost somewhere in the vicinity of £1,200,000,000,000 (that’s Billion with a B) to implement, and then there will be the ongoing running costs of the program (around £170-180 million per year).

For one thing, collecting everyone’s personal data in one single repository opens up a whole can of worms about what happens if that data is compromised. Nothing is ‘hack-proof’, and someone who can gain access to that kind of information could wreak all kinds of havoc on the unsuspecting public, as well as make themselves a tidy profit on the black market. We’re seeing more and more instances of far-reaching hacks on state entities, often by other state entities (the recent US election hacks and leaks, for example); what kind of implications might that have for us in the future when a whole country can be doxxed by an unknown malicious entity or a foreign agency with an axe to grind?

For another thing, the Bill also asks device manufacturers to comply with it, or possibly face having their devices made illegal in the UK. There is the famous example of Apple refusing to build a piece of firmware into their devices to allow the FBI to break into anyone’s iPhone. It’s a bit concerning that governments now find it acceptable to ask companies to completely disregard the privacy and security of their users by creating a universal key to unlock our personal devices. What happens when the key falls into the wrong hands, as it inevitably will?

However, in the immortal words of the mad genius Douglas Adams: DON’T PANIC. There are a few ways you can organise yourself to guard against the new Bill, which we will explain here in simple terms. It’s not that complex, despite the amount of jargon being flung around in the media in an attempt to drum up clicks and views. So, in the same spirit we do everything at HackLab, let me ‘break it smooth down’ for you:

  1. Get a VPN (Virtual Private Network):

A Virtual Private Network is something that we’re going to be hearing a lot about in the months and years to come. If you don’t already know, a VPN takes all the internet traffic from your devices, encrypts it and runs it through a proxy server somewhere else in the world. From there, you then access the services and sites you want. Think about it like this: you want to get to your friend’s house across town, but you know you will be followed by the school bully, who will track you to your friend’s place and beat you up. So you instead cross the road to a safe house, then use the back door and jump the fence onto a rear footpath to get where you’re going. The bully knows you entered the house over the road, but after that your pathway is obscured to him. That’s kind of how a VPN works. It means that the snoopers (and your ISP) can see that you connect to the VPN, and not much more; the VPN provider itself, of course, still sees where you go from there.

There are loads of VPN services available, some of which are free; but some free ones require a bit of know-how to set up, and some are notoriously unsafe. (To be honest, paying a little for a lot more security is a sensible option.) I could give you a full breakdown of the best services online at the moment, but since TorrentFreak already did that, I’ll let you have a look at their recommendations. One other issue is that if you love your Netflix account, you may not be able to access it through a VPN, as they have been clamping down on geo-spoofing lately (pretending you are in another country to access more/better content), though some VPN providers are working on compatibility with Netflix to avoid this problem. (Until then you can use Kodi - blog post pending, stay tuned.)

  2. Get Tor Browser:

If you don’t already use it, Tor is the bomb. It used to be primarily used to access the deep or dark web (most notoriously for buying illegal stuff from the Silk Road), but since privacy has become such a huge issue, loads of ordinary users have started converting to The Onion Router browser to protect their online privacy. Tor is free, and it uses a system of routing to provide anonymity online. The Tor Project themselves explain it like this:

“Using Tor protects you against a common form of Internet surveillance known as ‘traffic analysis.’ Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behaviour and interests.”

For those at home, this means that it takes your internet traffic and bounces it around the globe a few times, through a bunch of servers hosted by volunteers, called nodes. This enables you to surf/download/communicate fairly anonymously, but it does slow your roll somewhat. But when you want security and anonymity, speed is a fair trade-off. A Ferrari will go fast, but it won’t provide the protection and cover that an Abrams tank can… choose your weapon.

Tor is also available as a prophylactic for your Android devices in the form of Orbot, an app which runs all your internet traffic through the Tor system. You’ll find that, again, some apps won’t like you using Orbot, but you can quickly and easily switch it off and on at will, through your status bar at the top of your screen.
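To make the difference between the VPN ‘safe house’ and Tor’s ‘bouncing around’ concrete, here is an added toy model of onion routing (written for this post; it is not code from Hacklab, the Tor Project or any VPN provider). Each relay shares one key with the client, the client wraps its message in one encryption layer per relay, and every relay can strip exactly one layer, so it learns only who handed it the cell and who gets it next. With a one-relay circuit the single relay sees both you and your destination, which is exactly the position a VPN provider is in; with three relays no single node sees both ends. The relay names, keys and the HMAC-based keystream cipher are constructed for the example (real Tor uses AES-CTR under keys from a Diffie-Hellman handshake).

```python
import hashlib
import hmac
import json

# Toy keystream cipher (HMAC-SHA256 in counter mode) so the example runs on the
# standard library alone. Illustration only: it is not authenticated and a real
# relay would use AES-CTR with fresh per-circuit keys.
def _keystream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

# Constructed relays: each shares one symmetric key with the client and nobody else.
RELAY_KEYS = {name: hashlib.sha256(f"{name}-circuit-key".encode()).digest()
              for name in ("guard", "middle", "exit")}


def wrap(payload: str, destination: str, circuit: list) -> bytes:
    """Client side: one layer per relay, built inside-out so the exit's layer is innermost."""
    hops = circuit + [destination]
    cell = payload.encode()
    for i in range(len(circuit) - 1, -1, -1):
        # Each layer names only the *next* hop; the body is opaque to this relay.
        layer = json.dumps({"next": hops[i + 1], "body": cell.hex()}).encode()
        cell = _keystream_xor(RELAY_KEYS[circuit[i]], layer)
    return cell


def peel(relay: str, cell: bytes):
    """Relay side: strip exactly one layer and learn the next hop plus an opaque body."""
    layer = json.loads(_keystream_xor(RELAY_KEYS[relay], cell))
    return layer["next"], bytes.fromhex(layer["body"])


def run_circuit(payload: str, destination: str, circuit: list):
    """Forward a cell hop by hop and record what each relay gets to observe."""
    observed = {}  # relay -> (previous hop, next hop): the whole of its view
    cell = wrap(payload, destination, circuit)
    prev, current = "client", circuit[0]
    while current in RELAY_KEYS:
        nxt, cell = peel(current, cell)
        observed[current] = (prev, nxt)
        prev, current = current, nxt
    return observed, cell.decode()  # cell is now the plaintext handed to the destination


if __name__ == "__main__":
    print(run_circuit("hello", "example.org", ["guard"]))  # one hop: the VPN-provider view
    print(run_circuit("hello", "example.org", ["guard", "middle", "exit"]))  # Tor-style view
```

Run it and compare the two `observed` dictionaries: the single relay records `("client", "example.org")`, while in the three-hop circuit the guard knows you but not the site, the exit knows the site but only that a middle relay sent it, and the middle knows neither.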

  3. Get encrypted services like ProtonMail or Signal:

Some services provide further encryption of your data at the point of use. ProtonMail is one excellent FREE example of an online mail service that values your privacy. They take several steps to ensure it, in fact. For a start, all messages are stored on ProtonMail servers in encrypted format. Not only that, but they are also transmitted in encrypted format between ProtonMail’s servers and the end user devices. Because your data remains encrypted at all points along the journey, the risk of message interception is pretty much zero.

Not only that, but ProtonMail have what’s called zero access architecture. That means that even they don’t have access to your encryption key, as it’s encrypted on the client side. They essentially just manage the encrypted data for you without ever decrypting it along the way. In their minds, your encryption is your own business, and they want to help you maintain it at every step of the communication. The one downside to that is that it also relies upon you for your own security to some extent: if you forget your password, all your data is gone.
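The ‘zero access’ idea, and its forgotten-password downside, is easier to see in code. The following is an added example written for this post, not ProtonMail’s code: the user’s device derives the key from the password with a slow, salted PBKDF2, encrypts the mailbox and attaches an integrity tag, and the server only ever stores the resulting blob. Whatever the operator is asked to hand over is that same blob; and because no copy of the key exists anywhere else, a lost password cannot be ‘reset’ into a decrypted mailbox. The `ZeroAccessServer` class, the function names and the HMAC-based keystream cipher are constructed for the example (a real client would use AES-GCM or OpenPGP; the point is where the key lives, not the cipher).

```python
import hashlib
import hmac
import os

# Toy keystream cipher (HMAC-SHA256 in counter mode), standard library only.
# Illustration: a production client would use AES-GCM or OpenPGP instead.
def _keystream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def _derive_keys(password: str, salt: bytes):
    """Slow, salted derivation done on the client; the server never sees the password."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return material[:32], material[32:]  # (encryption key, MAC key)


def client_encrypt(password: str, mailbox: str) -> dict:
    """Runs on the user's device. The returned blob holds no key material and no plaintext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = _keystream_xor(enc_key + nonce, mailbox.encode())  # fresh nonce, fresh keystream
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # detects tampering
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def client_decrypt(password: str, blob: dict):
    """Returns the mailbox, or None if the password is wrong or the blob was altered."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong password: there is no key anywhere for the provider to recover
    return _keystream_xor(enc_key + nonce, ct).decode()


class ZeroAccessServer:
    """The provider's side (constructed): it stores and returns blobs but can never decrypt."""

    def __init__(self):
        self.blobs = {}

    def upload(self, user: str, blob: dict) -> None:
        self.blobs[user] = blob

    def download(self, user: str) -> dict:
        return self.blobs[user]

    def disclose(self, user: str) -> dict:
        # Everything the operator could hand over on request: the same opaque blob.
        return dict(self.blobs[user])


if __name__ == "__main__":
    server = ZeroAccessServer()
    server.upload("alice", client_encrypt("correct horse", "Dear Bob, meet at 9."))
    print(client_decrypt("correct horse", server.download("alice")))  # the mailbox
    print(client_decrypt("guess", server.download("alice")))          # None
    print(sorted(server.disclose("alice")))                             # salt, nonce, ct, tag only
```

Note what `disclose` cannot return: the operator has ciphertext, a salt and a nonce, none of which help without the password, and the same is true of the user once the password is gone.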

When it comes to messaging, Signal is still the most secure option, but your friends probably aren’t on it unless they are hackers, or at least a bit more concerned with their own privacy than the average user. While WhatsApp is also encrypted end-to-end, its metadata is still pretty leaky and can tell curious people about your messaging habits as well as your social network structure, even if they can’t read your actual messages. You can tell this by looking at the way WhatsApp can tell you if someone is typing right now, and when they read your message. (A vital function for millennials who absolutely must know how long someone has sat on the message before replying.) Also, the way that WhatsApp stores the message backups isn’t super secure. They are stored in plaintext to your Google Drive, and this is only protected by the username and password for your Google account; if that ever got breached (which you can check here), your message history is right there for everyone to see.
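To show why ‘leaky metadata’ matters even when every message body is unreadable, here is an added example (written for this post with a constructed receipt log, not WhatsApp data or code). The log holds only sender, recipient, send time and read time, the same kind of information delivery and read receipts carry, yet from it alone one can recover who somebody’s closest contact is, what hour of the day they are usually active, and how long they typically sit on a message before replying. The user names, timestamps and function names are all constructed for the example.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed receipt log: (sender, recipient, sent_at, read_at) and nothing else.
# There are no message bodies; read_at is None when the recipient never opened it.
RECEIPTS = [
    ("alice", "bob",   "2017-01-05T09:02", "2017-01-05T09:03"),
    ("bob",   "alice", "2017-01-05T09:40", "2017-01-05T09:41"),
    ("alice", "carol", "2017-01-05T12:15", "2017-01-05T18:30"),
    ("bob",   "dave",  "2017-01-05T22:10", "2017-01-05T22:12"),
    ("alice", "bob",   "2017-01-06T08:55", "2017-01-06T09:00"),
    ("bob",   "alice", "2017-01-06T09:05", "2017-01-06T09:06"),
    ("carol", "alice", "2017-01-06T12:00", "2017-01-06T12:01"),
    ("bob",   "dave",  "2017-01-06T23:05", None),
]


def _ts(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def contact_graph(receipts):
    """Undirected edge weights: who talks to whom, and how much (the social network structure)."""
    edges = Counter()
    for sender, recipient, _, _ in receipts:
        edges[tuple(sorted((sender, recipient)))] += 1
    return edges


def active_hours(receipts, user):
    """Hour-of-day histogram of when `user` sends: a daily-routine fingerprint."""
    return Counter(_ts(sent).hour for sender, _, sent, _ in receipts if sender == user)


def reply_delays(receipts, user):
    """Minutes between `user` reading a message and sending the next one back to its sender."""
    ordered = sorted(receipts, key=lambda r: r[2])
    delays = []
    for i, (sender, recipient, _, read_at) in enumerate(ordered):
        if recipient != user or read_at is None:
            continue
        for later_sender, later_recipient, later_sent, _ in ordered[i + 1:]:
            if later_sender == user and later_recipient == sender:
                delays.append((_ts(later_sent) - _ts(read_at)).total_seconds() / 60)
                break
    return delays


def profile(receipts, user):
    """Everything here is inferred without reading a single message body."""
    graph = contact_graph(receipts)
    contacts = {other: weight for (a, b), weight in graph.items()
                for other in (a, b) if user in (a, b) and other != user}
    delays = reply_delays(receipts, user)
    return {
        "top_contact": max(contacts, key=contacts.get),
        "contacts": contacts,
        "busiest_hour": active_hours(receipts, user).most_common(1)[0][0],
        "median_reply_minutes": median(delays) if delays else None,
    }


if __name__ == "__main__":
    print(profile(RECEIPTS, "bob"))
```

For the constructed log, `profile(RECEIPTS, "bob")` reports alice as bob’s main contact, 9 a.m. as his busiest sending hour and a median of 21 minutes between reading a message and replying. Signal’s design goal is to minimise exactly this kind of server-side record, which is why the paragraph above rates it higher despite both apps encrypting the message bodies.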

In short, if you want to protect yourself from government snoopers, you can. There are services and methods out there available to you if you want to avail yourself of them, but it seems the majority of the public are still in the ‘I’m not doing anything wrong, why would they snoop on me?’ school of thought. To those people I say: If you think privacy is unimportant for you because you have nothing to hide, you might as well say free speech is unimportant for you because you have nothing useful to say. Think about it.