The first step toward greater security is ‘easy’. Install Signal on your phone and start using it to talk to your friends. This assumes you have a smartphone, of course, and friends who will give a new app a try. The UI isn’t too bad, though, and there’s a Chrome app for the desktop (but maybe you shouldn’t do that part, it’s less secure).
Now that you’ve taken care of secured communications, go turn on two-factor authentication (2FA) for all your accounts. Yes, even that email you never log into, and your Twitter account, and Facebook, and twenty other things. Decide whether to use SMS or an authenticator app (do you trust those? I have some feelings about Google (but we can talk about that another time)) or a hardware token (I hope you aren’t going to lose your keys!).
Next: let’s set up a VPN. Do you know of a reliable service, or are you going to install the whole thing yourself? How much can you afford to spend?
Oh, and maybe you should get off Android. It has a lot of vulnerabilities and who knows whether your version is fixed.
I’m over-dramatizing a little, but this is how it feels for me when I step back and look at the security advice that’s being offered from most sources. The starting landscape for a person, even one with technical experience, who hopes to increase the security of their private data is complex and bewildering. We have to watch out for commonplace account hacking and financial fraud, the mass tracking of our behaviors when we browse the web, and eavesdropping on communication by carriers and governments that can happen even if we haven’t committed a crime.
This is the second time The Recompiler has covered security, and we’ve barely touched the array of topics we could discuss. Security is so big. It affects every part of our lives and individual users start from a complete disadvantage. Advertising networks track your every movement online, and they can sell any part of that data that isn’t in a fairly narrow category of sensitivity. The US government has built a massive surveillance infrastructure and continually looks for ways to circumvent the protections we use. Even if you’re living and working in a different country, your data and internet connections may end up here. This is a global discussion.
We’re used to thinking about the risks in our lives in terms of whether we choose dangerous actions, and whether we’re the bad actor. This shows up in policy discussions all the time: “only a criminal would need that” or “just don’t do anything wrong”. Many of us expect the laws are on our side, and that we’re safe as long as we’re ‘good’. This belief does not match the facts—especially for people of color—and many of us can become criminalized through bad luck or implied associations. How often do you jaywalk without checking for cops? When it comes to modern security, we start out hanging over the cliff, and we are all presumed to be guilty of something.
While editing this issue, I bumped against questions that didn’t always have good answers: How do we explain an instruction across the varied contexts the user might be working in? Is this step too technical, or not enough? How do we talk reasonably about the chance the reader might be scrutinized by law enforcement, regardless of the intent of their actions?
We can’t help each other if we ignore the costs involved: the monetary aspects of upgrading devices and buying new services, the mental and emotional expense of digging into an intimidating topic, and the different risks we each have in our lives. Some of these questions don’t have one true answer. It may come down to what scares you most, and what you absolutely have to protect.
I know you won’t all start using GPG for your emails, or set up your own XMPP server—but some of you will. I know we all have accounts somewhere with bad passwords and no 2FA, and we hope there wasn’t any important data stored there. I know we might not truly know if we’re at risk until it’s too late. The purpose here isn’t to scare you into inaction. Any step you can take will help increase your own security and that of the people around you. You don’t need a Ph.D. in crypto to do something meaningful. The bigger problem we deal with is the environment, and environmental problems can only be solved by working together. The articles in this issue suggest a number of starting points, from increasing your own awareness to building industry-wide support. Pick one and take your first step this week.
Audrey is the editor and publisher of The Recompiler. She likes cats.