Secure Messenger Scorecard (May 2017)

This is a draft.

I’m starting my own Secure Messenger Scorecard based on the prior work of the Electronic Frontier Foundation.

I’ve created an editable Google Doc for further input and development.

Please scrutinize and contribute by Signaling me, emailing me or tweeting at me.

version one

version two

version three

Custom stamp for my Signal fingerprint

I ordered a self-inking, custom, wood “1.25 x 2 Rubber Stamp” from rubberstamps.net. I ordered it on a Monday and got it the following Thursday.

Text Line 1: +1.XXX.XXX.XXXX
Text Line 2: 05 b8 6d 44 95 5c 5b 6b f5
Text Line 3: 61 09 22 33 05 b2 c4 c5 db
Text Line 4: f3 85 4a 4b a1 e8 aa 12 36
Text Line 5: 70 20 19 00 0e 4c .. .. ..

Font: Courier New (for all lines)
Justification: L (for all lines)
Style: Bold (for the first line only)

Ink: (added separately) Versafine, crimson red

I added the “.. .. ..” at the end because the preview seemed like it was going to auto adjust toward the center a little bit. I did this to be safe, but it might not be needed.
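As an added example (not code from the original post), the following Python lays out a fingerprint into the same five-line stamp format used above, 9 byte pairs per line with “..” padding on the last line, and compares a fingerprint read back from a stamped card against the one shown on a device. It assumes the fingerprint is the 33-byte hex form shown above (a leading 0x05 key-type byte followed by a 32-byte key); the sample fingerprint is constructed, not anyone’s real key.

```python
"""Lay out a Signal identity fingerprint for a rubber stamp and check a stamped copy
against the fingerprint shown on the device."""
import hmac
import re

KEY_TYPE_DJB = 0x05      # assumption: leading type byte of a serialized Curve25519 key
FINGERPRINT_BYTES = 33   # assumption: 1 type byte + 32 key bytes, as the 4-line layout implies
BYTES_PER_LINE = 9       # 9 byte pairs per stamp line, as in the order above

# Constructed sample fingerprint, not a real identity key.
SAMPLE_FINGERPRINT = (
    "05 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 12 "
    "34 56 78 9a bc de f0 0f 1e 2d 3c 4b 5a 69 78"
)


def normalize(text):
    """Reduce a human-entered fingerprint (spaces, colons, newlines, '..' padding,
    mixed case) to a lowercase hex string, and validate its shape."""
    hexdigits = re.sub(r"[\s:.]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]*", hexdigits):
        raise ValueError("fingerprint contains non-hex characters")
    if len(hexdigits) != FINGERPRINT_BYTES * 2:
        raise ValueError(f"expected {FINGERPRINT_BYTES} bytes, got {len(hexdigits) // 2}")
    if int(hexdigits[:2], 16) != KEY_TYPE_DJB:
        raise ValueError("unexpected key type byte")
    return hexdigits


def stamp_lines(text, phone="+1.XXX.XXX.XXXX"):
    """Return the stamp's text lines: phone number, then 9 byte pairs per line,
    with the last line padded to 9 groups using '..' so the layout stays left-justified."""
    hexdigits = normalize(text)
    pairs = [hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2)]
    lines = [phone]
    for start in range(0, len(pairs), BYTES_PER_LINE):
        chunk = pairs[start:start + BYTES_PER_LINE]
        chunk += [".."] * (BYTES_PER_LINE - len(chunk))
        lines.append(" ".join(chunk))
    return lines


def fingerprints_match(stamped, shown):
    """Compare a fingerprint read from a stamped card against the one the device shows.
    Malformed input counts as a mismatch rather than raising."""
    try:
        a, b = normalize(stamped), normalize(shown)
    except ValueError:
        return False
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    for line in stamp_lines(SAMPLE_FINGERPRINT):
        print(line)
    print("match:", fingerprints_match("\n".join(stamp_lines(SAMPLE_FINGERPRINT)[1:]),
                                       SAMPLE_FINGERPRINT))
```

The comparison strips the “..” padding before checking, so a card made from this layout can be held up against the device’s fingerprint screen and checked byte for byte; any single changed byte is reported as a mismatch.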

With 3-5 business days shipping, the total was $29.12.

Photo: Top

Photo: Bottom

Photo: Card (before)

Photo: Card (after)

Highly recommended!

End-to-end encryption for organizing groups

This post has more questions than answers.

At TA3M Seattle and Seattle Privacy Coalition I’ve been pushing for the use of a better communications platform. Email is not a sound decision anymore. PGP is too high an expectation, even for privacy advocates because too many things can go wrong and it doesn’t scale when communicating with stakeholders (people without PGP). I’m trying to find a better way.

What doesn’t work

E2EE (end-to-end encryption) is a requirement for better communication, including metadata. PGP doesn’t protect metadata. StartTLS helps protect some metadata, but when 5 or 10 (or more) people are emailing each other, not even privacy advocates are going to check the StartTLS status of each recipient.

OTR (off the record) encrypted messaging, typically used with Jabber/XMPP, is not a solution either. Like IRC, people are not going to stay logged in to a service, so not all messages are going to be delivered to all stakeholders.

What might work

I’ve been focusing on using TextSecure/Signal. It’s not perfect either. It has modern E2EE, most importantly for group messaging. It’s open source and the mobile apps are free to download.

TextSecure/Signal have downsides, but I don’t think they’re disconcerting for the groups I’m involved with. Each participant has to share their TextSecure/Signal number with everyone else, and for most people this means sharing their real cell number. Members can be easily added to a group conversation, and any group participant can add anyone else, but this is also a benefit. More importantly, group participants cannot be removed; they have to voluntarily leave. Another thing to keep in mind, which I discovered by accident, is that creating a group on your TextSecure/Signal device, even if you don’t send any messages, automatically creates that group “discussion” on each participant’s device. Be warned!

Another TextSecure/Signal drawback is that it is for short-form text communications. Email can’t be completely abandoned since long-form writing is often necessary.

Importantly, TextSecure/Signal messages, even if just for communicating project statuses or meeting details, will reach each group member, and they don’t have to reply or acknowledge the information. It will be on their device for when they need it.

Please email or tweet at me your suggestions or concerns!

How to use an iPod Touch as a secure calling and messaging device

Published: 2015-Sep-12
Updated: 2015-Oct-10, revision 64


Modern communication technologies are abundant, but legacy phone calling and texting (SMS, MMS) are inherently insecure. Communications content, in addition to metadata, is collected and stored by various organizations and for many years. People have a responsibility to safeguard their personal communications with strong encryption technologies, because only then will your friends and family be able to help collectively defend your rights. In professions where privacy is expected between you and clients (law, journalism, etc.), policy should dictate to either communicate securely or not at all.

Encryption technology is not new but default strong encryption in mass-market devices is. We’re slowly evolving. The political cost of default security is at an all-time low while the social expectations of strong encryption are at an all-time high. Modern telecommunications largely depend on legacy communications infrastructure which is unfortunate:

  • All cell phones transmit insecure content and metadata because cell networks were designed for surveillance.
  • All cell phones not broken, off, or in airplane mode can be easily tracked.
  • All cell phones contain baseband processors with system wide access that can be remotely controlled.
  • The majority of SIM cards require registration using government-issued ID.
  • Android’s default is unencrypted storage.
  • Androids get slowly patched, if at all.
  • Carrier modified versions of Android are poorly developed.
  • Until the next version of Android, apps have near limitless access to other local data.
  • Microsoft’s and Amazon’s phones are a joke in terms of capability and security.

“Nobody is listening to your telephone calls” –President Obama

President Obama is technically correct. It is not possible for US government employees to listen to every phone call. Storing recorded phone calls is feasible, but what is cheaper and more effective is to transcribe voice data to text. The solution is easy: don’t give it to them.

What is bad for the FBI is also bad for all other malicious actors. It is up to us to cause the social change that in turn lowers the financial liability and cost of default security.

The financial cost of surveillance equipment is also at an all-time low. Mobile IMSI catchers can be built and deployed by anyone technically savvy enough to learn how to build one, and law enforcement has large budgets for more feature rich devices. The most effective way to assure that you are not a victim of cell tracking or attack is to not use those systems.

The Apple iPod Touch


The modern iPod fills a much-needed niche: it is WiFi only. Generations 5 and 6 support iOS 8, which is the minimum requirement for Open Whisper Systems’ free and open source Signal application.

Note: WiFi only iPads could also be used and may be a better solution for people with poor eye sight.

Please review my post Signal, TextSecure, and RedPhone ecosystem notes if you would like to learn more about Signal’s capabilities and limitations. Also review my post TextSecure, RedPhone, and Signal threat modeling if you would like to learn more about Signal’s threats and adversaries in comparison to legacy cellular telephony.

Advantages

  • Network: the iPod does not have inherent baseband insecurities or SIM card insecurities.
  • Network: you can control which WiFi networks to expose your device to.
  • Data at rest: The iPod employs default device encryption.
  • Data at rest: Signal employs default message database encryption and isolation.
  • Data in motion: Signal only uses modern protocols and state-of-the-art encryption.
  • OS security: Apple pushes security patches relatively quickly and the iPod is a more challenging device to infect with malware when used correctly.
  • Verifiability: Signal allows users to compare and verify encryption key fingerprints.
  • Verifiability: Signal is a free and open source software project that is publicly audited.
  • Scalability: other people with an iPod, iPhone or Android can freely install and use Signal.
  • Liability: when employed in a work place with supportive policy, work-oriented communications are compartmentalized from personal devices.

Disadvantages

  • Configuration: using Signal on an iPod requires additional steps to get set up.
  • Network: WiFi access is not as abundant as cellular data.
  • Privacy: iOS requires an Apple ID account to download apps — alternative information can be given if Apple is an adversary in your threat model.

Cost

If you use your iPod minimally to maintain good system health, there is no reason to get anything above 16GB. That is enough free space to upgrade to iOS 9. A new 16GB iPod has 11.7GB usable. A USB wall charger is not included when buying a new iPod, you must buy one or use an existing one (don’t plug it into any computer). If you will be making voice calls with Signal, a required additional purchase is any manner of corded headset.

Apple’s prices:

  • 16GB – $199
  • 32GB – $249
  • 64GB – $299
  • 128GB – $399
  • 16GB – 229€
  • 32GB – 279€
  • 64GB – 339€
  • 128GB – 449€

U.S. Costco prices, only available with membership:

  • 16GB – $189 in store
  • 32GB – $229 in store
  • 64GB – $289 online

Phone number

Signal, for the foreseeable future, requires a phone number for registration. Since an iPod does not have a SIM card or any other phone service, we have to use a phone number that you have SMS or voice access to. It is possible to use any manner of burner phone number, but this guide will not instruct how to do that, since there are inherent risks in using a number you don’t have long-term control of. If someone who gains SMS or voice control of a phone number you use with Signal registers that number with their own Signal device, you would no longer be able to communicate with that number, and that person could impersonate you if your contacts blindly trust a new key fingerprint.
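The impersonation risk described above is exactly why a key change on a known number must be surfaced rather than silently accepted. As an added example (not Signal’s own code, and an assumed design rather than a description of how the app stores keys), the following Python models a trust-on-first-use identity store: the first fingerprint seen for a number is pinned, out-of-band verification (for example against a stamped card) marks it trusted, and a later different fingerprint for the same number is reported as changed and drops the number back to unverified until it is checked again. Phone numbers and fingerprints in the usage are constructed sample values.

```python
"""Trust-on-first-use identity pinning with key-change detection (assumed design)."""
import hmac
from dataclasses import dataclass, field


@dataclass
class PinnedIdentity:
    fingerprint: str                 # lowercase hex, as last seen for this number
    verified: bool = False           # True once compared out-of-band (in person, stamped card, ...)
    history: list = field(default_factory=list)   # fingerprints this number used before


class IdentityStore:
    """Pins the first identity fingerprint seen for each phone number and flags changes."""

    def __init__(self):
        self._pins = {}

    @staticmethod
    def _norm(fingerprint):
        return fingerprint.replace(" ", "").replace(":", "").lower()

    def observe(self, number, fingerprint):
        """Record the fingerprint presented by `number`. Returns 'new', 'unchanged' or 'changed'."""
        fp = self._norm(fingerprint)
        pin = self._pins.get(number)
        if pin is None:
            self._pins[number] = PinnedIdentity(fp)
            return "new"
        if hmac.compare_digest(pin.fingerprint, fp):
            return "unchanged"
        # A different key for the same number: either a legitimate reinstall, or someone who
        # took over the number and re-registered it. Either way, earlier out-of-band
        # verification no longer applies, so the contact drops back to unverified.
        pin.history.append(pin.fingerprint)
        pin.fingerprint = fp
        pin.verified = False
        return "changed"

    def mark_verified(self, number, fingerprint_from_card):
        """Mark `number` verified only if the out-of-band fingerprint matches the pinned one."""
        pin = self._pins.get(number)
        if pin is None:
            return False
        if hmac.compare_digest(pin.fingerprint, self._norm(fingerprint_from_card)):
            pin.verified = True
        return pin.verified

    def is_trusted(self, number):
        pin = self._pins.get(number)
        return bool(pin and pin.verified)

    def previous_fingerprints(self, number):
        pin = self._pins.get(number)
        return list(pin.history) if pin else []


if __name__ == "__main__":
    store = IdentityStore()
    alice = "+1.555.000.0001"                      # constructed sample number
    print(store.observe(alice, "05 aa bb cc"))     # new: pinned on first use
    print(store.mark_verified(alice, "05AABBCC"))  # True: card matches the pinned key
    print(store.observe(alice, "05 aa bb cc"))     # unchanged
    print(store.observe(alice, "05 dd ee ff"))     # changed: stop and re-verify
    print(store.is_trusted(alice))                 # False until verified again
```

In practice the “changed” result is the moment to stop and confirm the new fingerprint over a second channel; the old stamped card will no longer match, which is the intended outcome.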

PC Magazine has a decent article covering VoIP options.

Below are some example procedures when using the following services, or modify them to fit your needs:

Landline

If your home or work has a landline phone number that can be called directly–no extensions to jump through–then you can register that number with Signal. This is ideal for journalists or lawyers who already have landline numbers that people already have in their phone books.

  1. Enter your landline phone number into Signal for registration.
  2. Click verify this device.
  3. Click call me instead.
  4. Open Whisper Systems will call your landline number and provide you an auditory verification code. Enter that code into Signal to verify.

Skype

Skype allows anyone to buy a phone number for $18 every 3 months or $60 every 12 months. Skype can’t receive SMS so you will need to install the desktop client onto your computer and be able to receive a Skype call.

  1. Enter your Skype phone number into Signal for registration.
  2. Click verify this device.
  3. Click call me instead.
  4. Open Whisper Systems will call your Skype number and provide you an auditory verification code. Enter that code into Signal to verify.

Google Voice

Google Voice is a great option for most people in the United States as long as you have a number you can forward calls to. Google will provide any US Gmail account a free, long term phone number. Voice has the added benefit of setting up voicemail which could be useful in case legacy phone calls attempt to call — you can let them know in voicemail to call back with Signal or RedPhone.

  1. Enter your Google Voice phone number into Signal for registration.
  2. Click verify this device.
  3. Open Whisper Systems will send a verification code to your Google Voice account via SMS. Enter that code into Signal to verify.

Twilio

Twilio allows anyone to register a voice and SMS number for $1 a month.

  1. Enter your Twilio phone number into Signal for registration.
  2. Click verify this device.
  3. Open Whisper Systems will send a verification code to your Twilio account via SMS. Enter that code into Signal to verify.

Operational security practices

Define a strict use case for your iPod for when certain groups of people ask. If you routinely travel, possibly through airport or border security, you don’t want to raise suspicion of your device. It is an iPod after all, people will have expectations that it is for listening to music. You may be coerced to provide access to the device to prove its legitimacy. Plan ahead.

  • If your iPod is for professional services (like law, journalism, etc) only certain groups of people, maybe clients, should be aware of your communications practices. Your organization may even make certain policy decisions like making it public information that you can be reached via Signal for secure communications.
  • If your iPod is for personal use, since you can’t risk connecting the iPod to computer systems to sync files, perhaps use it for photography and picture viewing.

Also:

  • Buy your iPod Touch in cash or at least in person.
  • Don’t risk infection or leave behind security certificates: do not connect your iPod into any computer system or automobile.
  • Only charge the iPod via wall charger or firewalled USB charger.
  • Don’t use any third-party apps that aren’t Signal. No Web browsing, social media, or email.
  • Keep the iPod physically safe — maybe even keep it in an actual safe when not in use.

Firewalled charging options:

Directions

Be aware that several privacy settings must be reconfigured once you upgrade to iOS 9. Review these settings once you update.

Set up your iPod:

  1. Connect to WiFi
  2. Disable location services
  3. Set Up as New iPod Touch
  4. Sign in, or Create an Apple ID
  5. Don’t use iCloud
  6. Don’t use Siri
  7. Don’t send Diagnostics

Configure your iPod:

  1. Settings > Bluetooth > Off
  2. Settings > Passcode Lock > Simple Passcode (Off – set an alpha-numeric passphrase)
  3. Settings > Passcode Lock > Erase Data (On)
  4. Settings > Privacy > Advertising > Limit Ad Tracking (On)
  5. Settings > Software Update > Download and Install

Set up Signal:

  1. Open the App Store
  2. Don’t install any new apps other than Signal.
  3. Search for and install “Signal – Private Messenger” by Open Whisper Systems
  4. Open Signal
  5. Enter the phone number that you’ve chosen to use (VoIP, landline, etc)
  6. Depending on how you need to verify Signal (SMS or call), perform that action (see examples above)
  7. If and when it asks, allow Signal to send notifications

Once Signal is installed:

  1. Settings > Notifications > Signal > Show on Lock Screen (Off)
  2. Signal > Settings > Privacy > Fingerprint (Tap to copy)

ACLU-WA encryption evangelism internship proposal

Goal

Further the use of FOSS encryption technologies within Washington legal and journalism circles.

Tor

Tor relay and Tor exit relay adoption should be pursued with organizations, because they have the resources and stability. The EFF “Tor Challenge” is unsuccessful at gaining long-term relays because it is focused on individuals, who are largely not focused or lack stable resources. ACLU-WA support could happen in three ways: write to local organizations who are likely to deploy a Tor relay, provide written education or in-person training, and create public reports on successes and failures. Supporting Tor supports human rights work 24/7/365, globally.

HTTPS and StartTLS

Many organizations who require privacy lack website/service transport security. Focusing on specific types of organizations, such as law firms and news agencies, would benefit the public and overall Internet health. HTTPS is critical for keeping private which specific pages and forms were visited, in addition to any transmitted information. StartTLS is critical for keeping entire emails confidential. In light of recent developments in Texas [1], it would be timely to push Washington state legal policy organizations to adopt similar rules. The “Let’s Encrypt” project launch has been pushed out to November 16th, 2015 [2] — it would be great to have 2 months to start an ACLU-WA parallel initiative (focused on law firms and news agencies, for example) when it launches, in order to benefit from and enhance the initial press.

TextSecure, RedPhone, & Signal

While HTTPS and StartTLS are important for public and private communication, mobile apps can greatly strengthen inter-org privacy. Classic telephony and SMS communications are insecure. The Open Whisper Systems ecosystem uses state of the art encryption, is scalable, and is free and open source software. Purchasing 5th gen iPod Touch devices is a small cost for law firms and allows lawyers to register their work phone number with Signal. Doing so would let anyone who has their regular work phone number leverage end-to-end encryption instead. No wiretaps, no SS7 tracking, no IMSI catcher tracking, and no baseband or SIM card vulnerabilities that are inherent with any cellular device.

SecureDrop

Whistleblowing is a critical part of a democracy, keeping the public informed and organizations accountable. SecureDrop, by Freedom of the Press Foundation, is a powerful tool that allows anyone to leak information to targeted organizations. SecureDrop has been around for 2 years and is largely used by news agencies. That being said, a very small fraction of news agencies support SecureDrop, which creates two problems: overall diversity and market diversity. Overall, there are too few options in terms of trusted organizations for whistleblowers to choose from. If a specific person who has access to specific information is only comfortable providing information to a specific organization or person, but a secure whistleblowing platform does not exist there, nothing will get leaked. Similarly, if only news agencies support secure whistleblowing platforms, other NGOs who might be better equipped to handle response will not get leaks. ACLU-WA could work with Freedom of the Press Foundation to focus on evangelizing SecureDrop to NGOs.

Conclusion

It is ethics and education apathy that is preventing people from adopting FOSS security systems that provide privacy. It is one thing to be apathetic in our personal lives, but it is not acceptable in professions that demand privacy in order to keep people safe.

[1] http://ridethelightning.senseient.com/2015/07/when-must-lawyers-ethically-encrypt-data-texas-answers.html

[2] https://letsencrypt.org/2015/08/07/updated-lets-encrypt-launch-schedule.html

Using Google Fi for a relatively private phone service

Created 2015-Aug-24
Updated 2016-Apr-19

In this post I’ll discuss ways to leverage the new Google Fi service in ways that are possibly more secure or more private when juxtaposed to regular AT&T, Verizon, Sprint, or T-Mobile phone service. Good planning and good practices can help people who are sensitive to physical location data sharing avert certain kinds of passive surveillance and in turn may prevent future active surveillance. While this information may be useful, it is not intended to solve your specific needs. You are ultimately responsible for understanding why you are performing these actions and non-actions.

Regarding SS7 attacks, the common way for such attacks to work requires that an attacker know your real cell phone number. Google Voice numbers are not vulnerable to these attacks. The same could be said for a landline phone number or any VoIP number like Skype.

Regular, long-term cell service wrongs:

  1. Requires government issued ID, which basically means connecting your government issued identity to a SIM card and other hardware identifiers.
  2. Requests (and at times requires) a Social Security Number, which also, basically, means connecting your government ID to hardware IDs.
  3. Requests the availability of voicemail, a service that is remotely accessible and is unlockable by a simple 4-digit pin code.
  4. Does not support two-factor authentication for access to sensitive account information.
  • Google Fi does not ask for identification, period. It is also possible to use prepaid credit/debit cards. As of April 2016, the Google/LG Nexus 5X is the cheapest phone, and you can buy it online or from a local retailer. Related notes: AT&T locks the SIM, so you can’t use an AT&T Google Nexus until AT&T (or a third party service) gives you a SIM unlock code. T-Mobile does not lock the SIM.
  • Voicemail is also an option with Fi. Fi support has stated that “Once you have set up your voicemail with Project Fi, it is impossible to turn off your voicemail,” and, “It will not be turned on until you activate it.” However, I presume that once Fi voicemail is activated, it is remotely accessible like regular voicemail service. If you perform the below steps, you will have no use for Fi Network voicemail, so don’t activate it.

Steps

The following configuration utilizes Google’s Hangouts Dialer app, which you will install and leverage on your Google Fi Nexus. The Hangouts Dialer will be able to make and receive all calls and texts using a Google Voice phone number. Two Google accounts are needed.

If your personal Google account presently has Google Voice, you will be forced to either give up that number or make it your Google Fi phone number. Either way, you will lose Google Voice functionality completely, which is why a second Google account is needed.

  1. Register for Google Fi service using Google account #1 including ordering a new Nexus 6, 5X, or 6P.
  2. Do not share your Fi Network phone number. With anyone. Not your friends, family, or any services. Period.
  3. With Google account #2, register a Google Voice phone number.
  4. Download Google’s Hangouts Dialer. Google account #1 will automatically log in. Log in with Google account #2 (the Google Voice account). Then sign out from Google account #1 — only sign out in the Hangouts Dialer app, not from the Nexus completely.
  5. Configure Hangouts Dialer as follows: Settings > Enable merged conversations (yes), > account2@gmail.com > Incoming phone calls (yes), Messages (yes), > Customize invites > People who have your phone number (can contact you directly).
  6. Give out your Google Voice number to friends, family, and services. Calls and plain SMS will come through in the Hangouts Dialer app.
  7. Always make calls with the Hangouts Dialer app so the receiver’s caller ID shows your Google Voice number. It is best to remove the regular phone dialer app from the Android system tray and replace it with Hangouts Dialer.
  8. Added security

    1. Employ Google Authenticator two-factor authentication (2FA) for both accounts as soon as possible for better security. Avoid SMS 2FA because of the inherent vulnerabilities.
    2. Download Signal onto the Nexus and register your Google Voice phone number in Signal. While Signal will open up showing the real Google Fi phone number, delete it and enter the Google Voice number. The SMS verification will fail, so wait for the 2 minute countdown to expire then click “call me” for automated voice verification.
    3. Through the Google Voice web interface, optionally create a voicemail greeting that requests people to install and call back with Signal. Enabling “do not disturb” will enhance this goal because then nobody can call you and can only leave voicemails.
    4. If you haven’t already, talk to your friends and family about our need for privacy and security and inform them about Signal.

Added anonymity

The following are added steps in case you also wish to have probable anonymity from the service providers, in this case Google, Sprint, and T-Mobile:

  1. If anonymity from the cellular provider is your goal, buy a Nexus 6, 5X, or 6P with cash from a local retail location and pay for monthly service with a prepaid debit card. If you go this route, you will still need to order a Fi SIM Kit from Google with Google account #1 and have it shipped to you. If anonymity is your goal, consider renting an AirBnB or a hotel room using a prepaid debit card and an alias during the delivery window.
  2. During registration for Google Fi service, account registration will require a “service address”. Use the above-mentioned AirBnB address or be creative. You can always change the service address at a later date. All billing is electronic.
  3. You can consider not using your Nexus phone at any anchor points, including home or work. To do this, you would need to keep the device turned off at all times except when out and about. This makes it harder for service providers to identify you, but keep in mind that Google, Sprint, and T-Mobile can see network metadata and they can always record your voice when not using Signal. It’s still a tracking device with a microphone and camera!
  4. Consider removing the microphone and camera.

Creating Google accounts

Use an Android to create one or more Google accounts (Settings > Accounts > Add account > Google). Creating new Google accounts this way does not require the creator to enter an existing email or phone number. Creating new Google accounts while using Tor will result in an account auto-lock. However, once an account is set up with two-factor authentication, you can log in via Tor Browser or Tails elsewhere. If you are trying to stay anonymous to Google, you’ll have to use a new Android (device IDs never before used by your real identity) and turn it on at a location far from any of your anchor points. Keep in mind that Google will know where your Fi device is when using the Fi network, but depending on your preparation/operational security, will not know the identity of the user.

In retrospect

Google, in addition to sporadic use of Sprint and T-Mobile network infrastructure, will be the only ones who know the identity (phone number and hardware IDs) of the subscriber. But you have much better control over defining the data and information that is linkable to this service.

  1. Adversaries can’t “ping” your cell phone if they can’t determine what your phone number is. However, if they run around your house with an IMSI catcher, it will not be hard for them to determine what number you’re using for service. It’s good practice to activate airplane mode when you enter your home neighborhood, especially if your friends and family predominantly use Open Whisper Systems apps (Signal).
  2. Remote adversaries can’t track your physical location via possible SS7 vulnerabilities if they don’t know your real phone number.
  3. Network adversaries (telecommunication corporations or federal/local governments) can still inject or monitor your activity to “better service you” (sell your data to advertising networks), but unless they can connect that activity to a known identifier, you personally aren’t vulnerable to said forms of surveillance.
  4. Network adversaries may employ voice recording and recognition technologies. The employment of said technology will only increase, since a voice print is a biomarker that financial institutions have started using for account verification purposes. If network adversaries are using this technology, there is no way to hide a real phone number or hardware device IDs from them unless you step up your paranoia and use a voice changer. Using Signal (end-to-end encryption) will mitigate only the voice print vulnerability. You will always divulge your hardware device IDs to a cellular network when using cell service.
  5. Endpoint adversaries (medical offices, food services, financial services, friends with or without Signal, etc.) may also employ voice recording and recognition technologies. If you make calls to endpoint services using your Voice number (caller ID), doing so will make it hard or impossible for a third party to link your personal ID to a hardware ID.

Another attempt to get someone to use good encryption

I have something that I want to talk with you about over a trustworthy medium or in person. I presume you’re using an iPhone these days, which is cool. Signal is the iOS app that uses the Axolotl encryption protocol and is compatible with my Android (TextSecure). It’s a platform that I know you’d appreciate if you learned about it. Moxie Marlinspike (a pseudonym) is the hacker/activist behind Open Whisper Systems. That’s the not-for-profit org behind the crypto and app development. It really is state of the art encryption: you don’t have to trust any middle-people because the protocol is end-to-end.

Anyway, I’d really appreciate it if you could install it and send me a text. It’s not about “nothing to hide”, it’s about creating safe, trustworthy spaces for people to be themselves, independent of people mining everything you say and storing it or sharing it. It’s an unobtrusive app made to be straightforward and easy to use. I’d also love to get coffee or lunch sometime. I presume you’re in the area but I don’t know.

I hope you’re well!

Apps disabled on stock Motorola Moto E (2nd gen)

The following apps and/or services were ones I disabled. Some of them are Motorola services, some are Google apps, and some of them are apps that don’t provide any identifier at all yet have access to my phone. Before giving a new phone any network access (no cell network, no Wi-Fi), I disable these services.

This time around (I’ve tried many different mobile device configurations for security), this device is kept locked (not rooted) and lightly used (in this case TextSecure, RedPhone, and Flock are my only apps). I don’t have a browser like Chrome or Firefox because the web isn’t safe. I don’t use any social media apps because they suck up the contact list. The only software that I choose to run on this device (I have others) is from Open Whisper Systems.

Apps/services disabled:

Android Work Assistant
Basic Daydreams
Camera (replaced with “Open Camera”)
Chrome
Cloud Print
ConfigUpdater
CQATest
Device Management
Docs
Drive
Email
Exchange Services
Gallery (replaced with “Gallery ICS”)
Gmail
Google Backup Transport
Google Contact Sync (replaced with “Flock”)
Google Hindi Input
Google Korean Input
Google Launcher Config
Google One Time Init
Google Partner Setup
Google Pinyin Input
Google Play Books
Google Play Games
Google Play Movies & TV
Google Play Music
Google Play Newsstand
Google Text-to-speech Engine
Google+
Hangouts
Help
HP Print Service Plugin
iWnn IME
Maps
Market Feedback Agent
Moto
Moto Actions
Moto Display
Motorola Alert
Motorola Boot Services
Motorola Checkin
Motorola Migrate
Motorola Notification
Motorola One Time Init
Motorola Sensor Services
Motorola Services
Motorola System Service
OMA Client Provisioning
Photos
Preset
Print Spooler
Setup
Setup Wizard
Sound Recorder
Storage Optimizer
Street View
TalkBack
Trusted Face
YouTube

Securing voice communication for lawyers, clients, journalists, and sources

Introduction

Lawyers need to talk to their clients securely. Journalists need to talk to their sources securely. It is through good security tools and good security practices that privacy can be achieved. Securing the conversation (content) is important. Revelations made possible by Edward Snowden show the dangers of unsecured content and metadata. This guide does not aim to create an anonymous communication device by way of anonymizing either content or metadata, only securing the content by way of employing Open Whisper Systems Signal (iOS or Android).

In February 2014, documents publicized by James Risen and Laura Poitras revealed proof of the United States’ explicit and illegal spying on lawyers. The National Security Agency’s technological capabilities, also being made public, provide facts that the public needs in order to understand the complex threats that alone chill freedom of association. Even though you might not be a law firm “representing a foreign government in trade disputes with the United States,” the threat and probability of occurrence are clear. Your voice communication can be passively swept up into a global surveillance dragnet.

This guide’s target audience is people needing to protect their day-to-day phone calls and thus the privacy of the people involved. If you want to be successful at using technology to perform your work, you need to be open to learning some technical information and theory. Without sacrificing too many comforts when it comes to communicating via phones, this guide aims to bridge the gap between easy-to-use, state-of-the-art encryption and tools that are readily available.

Prior but related guides

Notes for Signal

Signal threat modeling

Create an anonymous Signal phone number w/ Android

Goals

Provide a public or private phone number that:

1. Uses an iOS or Android device with Signal to securely communicate with your clients or sources. “Security” is gained by having an independent device that is only used for encrypted communication. Calls will be end-to-end encrypted for protecting the content of your conversations.

2. Falls back on a voicemail recording so normal (unencrypted) telephone callers hear an automated message to install Signal and to remake the call after getting it installed.

Additionally this guide will discuss basic operational security to protect the physical device and thus its contents.

Signal simply needs a telephone number to get set up. You do not need a cell phone with active cell service. When done correctly, regular phone callers will reach your voicemail, while Signal calls will be routed to your Signal device.

Your options:

– A new or used iPod Touch (5th generation with iOS 8), a new or used iPhone 5, 5S, or 6 (iOS 8), or an Android device (OS version 5, or “L”, is ideal). The Motorola “Moto E” is inexpensive, and the Google Nexus line runs “pure” Android and gets updates the quickest. Operating the phone in airplane mode with Wi-Fi enabled creates a device similar to the iPod Touch in terms of which communication networks it uses.

– Any voice-over-internet-protocol (VoIP) service that gives you a long-term phone number. I also suggest a service that provides voicemail in order to warn normal callers to call again with Signal.

Register a land line, cell phone, or VoIP number?

Installing Signal onto your iOS or Android device simply requires a phone number that can receive either a text message confirmation code or an automated telephone/audio confirmation code. Open Whisper Systems' software does not care what type of phone number it is; it just needs to be able to reach that number for setup confirmation. It is possible for you to do any of the following:

1. Register a land-line phone number with Signal. Doing so will automatically route Signal callers to your Signal device. Regular, unencrypted callers will still reach your land-line phone.

2. Register a cell phone number on the same device as the SIM-registered number. This is what most people do when they install and use Signal, and it is the common scenario that your callers will implement.

3. Register a cell phone number on a different device from the SIM-registered one. The original, SIM-registered cell phone will continue to receive normal, unencrypted phone calls, but Signal calls will get automatically routed to the secondary device. Doing this compartmentalizes the communications metadata and the device exploitation risk.

4. Register a VoIP phone number on a new iOS or Android device. This guide focuses on this scenario to benefit from voicemail options to alert normal, unencrypted callers to install Signal and call again.

Instead of a VoIP service, you could, in fact, use your work land-line phone number to register Signal. I advise against that based merely on the fact that using the same number may confuse your clients/sources about what is and is not a secured line. Giving them a separate Signal phone number creates a clear mental distinction. However, maybe your target audience is aware of the differences between unsecured and secured (Signal) calls. You must assess the risks involved.

Clients/sources will undoubtedly save your Signal number into their phones. This name-number association will end up on the servers of Google, Apple, Facebook, Twitter (they harvest contact databases from phones), etc., so keeping the number private is unlikely. What you have to focus on is making it easiest for your clients/sources to contact you securely, with them knowing that the content of the call is private. Maybe you have a combination of 1+4 or 2+4, where 4 in either scenario is a private, non-publicized Signal number. Maybe you give out business cards with this number with explicit directions not to save it into the client's/source's phone book. Keeping a number completely private can be difficult.

Requirements

– At least one lock-and-key safe, ideally a fireproof/waterproof safe with alphanumeric keypad entry.

Unavoidable information and metadata leakage

As stated above, without explicit direction, your clients/sources will likely store your contact number digitally. This digital database, on their iOS or Android smartphone, is continuously copied by other applications that people use, either out of convenience (to back up contact lists) or because of capitalism (direct marketing, relationship linking). Either way, state actors make it a point to obtain these databases so that they can know who communicates with whom. If you are a lawyer or journalist, the likelihood that a state actor wants to know whom you work with is much higher than for most people.

Apple (or Google if you use an Android) will have a name-to-device mapping. This means that US surveillance agencies will probably have the same information. This guide does not attempt to create an anonymous phone number (where the device is not linked to you or your company's identity).

Even though this guide is written to use an iPod Touch which requires the use of a wireless access point and thus at least one internet service provider, and even though Signal network traffic is end-to-end encrypted, encrypted network traffic creates metadata that indicates:

A) you’re using the Internet at all, and
B) that you’re generating encrypted network traffic.

It is possible, with deep packet inspection, that your adversary will be able to identify what kind of encrypted traffic it is, maybe even as specifically as the application being used. So, in theory, you will certainly create metadata, recorded by the internet service provider, showing that you (or your company) are making Signal calls, when, and for how long. A state actor such as the NSA, with global dragnet surveillance capabilities, may even be able to associate that traffic with its destination. These are critical issues if your threat is a well-funded surveillance agency with legal/political/global reach. A simple minimization procedure, to reduce network metadata leakage, would be to only use Wi-Fi at public locations such as coffee shops or libraries. But doing so is not a silver bullet.
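To make the metadata point concrete, here is an added example (not from the original post) that runs a simple traffic-analysis heuristic over constructed flow records of the kind a Wi-Fi operator or ISP keeps, recovering call start times and durations from nothing but timestamps, peers and byte counts. The addresses, timestamps, and thresholds are assumptions; they are not Signal's real infrastructure or its actual traffic profile.

```python
from datetime import datetime, timedelta


def t(clock):
    """Helper: build a timestamp on one constructed day (hypothetical)."""
    return datetime.fromisoformat("2017-05-01T" + clock)


# Constructed sample of per-flow records as a network operator might keep
# them: (start, end, remote address, protocol, bytes). The addresses are
# RFC 5737 documentation placeholders, not real Signal servers.
FLOWS = [
    (t("09:00:01"), t("09:00:03"), "203.0.113.10", "tcp", 48_000),   # web page
    (t("09:02:00"), t("09:03:00"), "198.51.100.7", "udp", 420_000),  # voice call,
    (t("09:03:00"), t("09:04:00"), "198.51.100.7", "udp", 430_000),  # logged as
    (t("09:04:00"), t("09:04:35"), "198.51.100.7", "udp", 250_000),  # 60 s chunks
    (t("09:10:00"), t("09:10:00"), "203.0.113.53", "udp", 120),      # a DNS query
    (t("13:30:00"), t("13:31:00"), "198.51.100.7", "udp", 410_000),  # second call
    (t("13:31:00"), t("13:31:20"), "198.51.100.7", "udp", 140_000),
]


def infer_calls(flows, max_gap=timedelta(seconds=5),
                min_duration=timedelta(seconds=15), min_rate=1_000):
    """Merge back-to-back UDP flows to one peer into sessions and report the
    sessions whose length and steady byte rate look like a real-time voice
    call. Returns (peer, start, duration_seconds) per inferred call, derived
    without seeing a single byte of plaintext."""
    sessions = []
    for start, end, peer, proto, nbytes in sorted(flows):
        if proto != "udp":
            continue
        last = sessions[-1] if sessions else None
        if last and last["peer"] == peer and start - last["end"] <= max_gap:
            last["end"] = end
            last["bytes"] += nbytes
        else:
            sessions.append({"peer": peer, "start": start, "end": end,
                             "bytes": nbytes})
    calls = []
    for s in sessions:
        duration = s["end"] - s["start"]
        if duration < min_duration:
            continue  # too short to be a conversation (e.g. the DNS query)
        if s["bytes"] / duration.total_seconds() >= min_rate:
            calls.append((s["peer"], s["start"], int(duration.total_seconds())))
    return calls


if __name__ == "__main__":
    for peer, start, seconds in infer_calls(FLOWS):
        print(f"{start:%H:%M:%S} call-like session to {peer}, {seconds} s")
```

The heuristic is deliberately crude; the point is that call timing and duration survive end-to-end encryption, which is why the guide treats where you connect from as part of the threat model.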

A supplementary read: Cell Phone Opsec

If you choose to purchase a registered cell phone instead, which may be required for your work/reach-ability, you must be aware that state actors can track the physical locations of said device whenever the device is on. Movements and non-movements are very informative to adversaries. Cell phone tracking is made painless with IMSI-catchers when governments and companies can afford it.

Guide

1. Purchase and set up your device. Download and install Signal by Open Whisper Systems.

2. Choose a VoIP service.

To test Signal calling from an iPod Touch, I bought a Microsoft Skype phone number that is registered to my long-time Skype account. Skype is convenient because you simply purchase a Skype phone number with a debit/credit card, install Skype, install Signal, and use Skype to receive the confirmation code. Yes, Skype is a PRISM participant, and records (of you purchasing a Skype number and receiving a confirmation call from Open Whisper Systems) are guaranteed to end up in the hands of any government agency. Yes, Skype is backdoored by design. But registering a Skype number with Signal means the routing of Signal calls is managed by completely different infrastructure. Skype calls are not end-to-end encrypted. Signal calls are.

An alternative to Microsoft Skype is Google Voice. Google Voice, by way of a Gmail address, has the added benefit of 2-factor authentication (2FA). Skype does not offer 2FA, so your account is remotely accessible if your password is stolen. Google Voice gives you a perpetual phone number that is tied to your Gmail address. Yes, Google is a PRISM participant, too. As with Skype, calls made by Signal using a Google Voice phone number will not use Google infrastructure.

3. Set up voicemail

The value of using a dedicated, VoIP-based phone number is the ability to set up voicemail. This way, when people call from a normal, unencrypted phone number, they get the automated message to call back after they have installed Signal.

Signal does not have voicemail. If someone calls you via Signal and you do not answer, it will only ring; there is no option to leave a message.

4. Physically secure your device.

Make sure that your iPod password is secure. Use a strong passphrase and not a simple, 4-digit “Simple Passcode”.

It is critical that you habitually store your device(s) in the safe any time they are not in use. If your work requires that you be available 24/7, you may need to purchase a second, isolated safe for home use for when you bathe/sleep/etc. Never leave your device unattended or in the possession of someone you do not trust.

5. Share your contact number.

Depending on the nature of your work, you should decide how you want to share your number. If you're a lawyer, you would want to share your public phone number on your website. In this case it is prudent to ensure your website is serving content via HTTPS (data in motion) so that an adversary cannot inject a bad number and disinform your clients/sources. Similarly, keeping the website itself secure (data at rest) is equally important so that the integrity of the published number is preserved.

It is also prudent to include minimal directions on installing and using Signal. Guiding them to EFF's Surveillance Self-Defense guide is a good option.