Can you feel it? Your data...it's being retained right now. Greens Senator Scott Ludlam gave us all some great advice on what is being tracked by the Government's new metadata retention scheme, as well as a few basic ways to get around the legislation. This is the master class in dodging data retention from Pirate Party Australia members. Here's how to get around metadata retention using everything from encrypted calls and messaging services on mobile and desktop platforms to Tor and keeping your email safe.
The new Data Retention regime in Australia puts you and your family's privacy at risk. To assist in preventing your personal information from falling into the wrong hands you should take action to protect yourself now. What follows is a simple guide to some sample technologies that can help protect your privacy.
For more in depth information on protecting your privacy that goes beyond this guide, a good starting point is the EFF's "Surveillance Self Defence" site. In fact, many of the links below in regard to specific items will send you there.
Please note that this guide is intended for average everyday citizens desiring to take some action to protect their metadata from the ubiquitous mass surveillance of the new Australian data retention regime. If you are a journalist, a dissident, a whistleblower or political activist, or have some other higher order threat model, then you should seek further, more specific technical & professional advice than this guide provides.
But for an easily digestible overview of a range of options to minimise your risk from the incoming Australian Data Retention regime, see below.
Whether you are using your desktop computer, or a mobile device, you should protect your actions from indiscriminate surveillance. Despite claims that data retention does not intend to collect and store your browsing history, any interaction online that is not encrypted will leak private data about you, your activities and connections. The below options will go some way to protect your actions from some aspects of casual surveillance if set up correctly.
Important: How careful you are and what tools you choose to use will depend on decisions you make about your "Threat Model".
What is a VPN?
• VPN stands for Virtual Private Network.
• VPNs work by creating an encrypted tunnel between your computer and another server.
• Your ISP cannot read the traffic in this tunnel; they can only see that you are connected to the server and sending/receiving (encrypted) data.
• VPNs are widely used in business: they allow people working from home to connect to their office network securely, which is vital for people working with sensitive information.
• VPNs will also allow you to bypass website blocking from the government's new anti-piracy regime, including any sites that could be accidentally blocked due to collateral damage.
• VPNs can also be used to bypass geo-blocking restrictions. (Have you ever been watching YouTube and seen that "This video is not available in your country" message? That's geo-blocking. If your IP address showed you as coming from a country where that video was allowed to be seen, you could watch that video, but for various licensing reasons you cannot. Aside from privacy benefits, getting around geo-blocking to access services that aren't available in Australia has traditionally been one of the key uses for VPNs!)
• Using a VPN is legal.
Using a VPN
• The easiest way to use a VPN is to purchase a service from a VPN provider.
• The provider will manage the server and will usually provide you with software and simple instructions on configuring your connection.
• Remember that a VPN provider outside of Australia would not be subject to Australian data retention requirements, but may still keep logs of your Internet use.
• While a little dated, this article may also be of help in further securing your VPN connection.
• For discussions on VPNs and some tools to help test and use your VPN you may wish to try looking here.
Choosing a VPN
• Torrentfreak has provided a list of (self-proclaimed) anonymous VPN providers in this article here. Crikey has an Aussie data retention specific guide to choosing a VPN here, and Gizmodo has one too.
• See also the EFF's SSD guide: Choosing the VPN That's Right for You.
• The above /r/vpn subreddit link may also be of use in choosing a VPN provider.
Downsides & caveats to a VPN
• You will need to pay monthly fees (although often not very high).
• It can be slower - your traffic is routed through a server outside of Australia.
• Content unmetered by your ISP will count towards your monthly quota.
• Your traffic is only protected until it reaches the server. Instead of trusting your ISP, you are trusting the VPN provider: a disreputable provider could still log and monitor your traffic.
• It only protects data in transit: if your computer is compromised (e.g. by a virus or snooping software), your data will still be vulnerable.
• Loss of localised experience: some websites such as Google serve up different content based on your location. When your VPN is located outside of Australia, many websites may behave differently. For example, if using a German VPN connection, a website may give you its German language version.
• Note: protecting yourself from the Australian data retention regime is not the same as protecting yourself from NSA programs.
• VPNs, while very useful and possibly one of the best front-line defences against data retention, are not a magic bullet. Note that the legislation requires mobile internet providers to log each connection your phone makes, and the location of your device as it makes that connection. On a modern "smart phone", with a VPN turned on, the phone will still make frequent connections (on the order of every few minutes) to check email, push notifications, updates etc. and your location during each of these connections will be logged - there is nothing a VPN can do to protect you from the location-logging data retention issue.
In addition, please note that this guide is intended for average everyday citizens desiring to take some action to protect their metadata from the ubiquitous mass surveillance of the new Australian data retention regime. If you are a journalist, a dissident, a whistleblower or political activist, or have some other higher order threat model then you should seek further, more specific and more technical & professional advice than this guide.
Creating your own VPN
• Unless you are an expert user and know exactly what you are doing, we would not recommend creating your own VPN.
• Personally created VPNs may very well suit some people's use cases, with these people being happy to make some compromises.
• Keep the server and all its software updated, and if necessary spend time recovering from breakages.
• Generate and keep secure very strong certificates and keys.
• Know that they're easily identifiable, should someone in their host country be listening.
• Be comfortable knowing they aren't able to physically secure the server running their VPN.
• You will however at least know for sure that the VPN company isn't keeping and sharing the logs with the NSA or ASIO, since the 'company' will be you. However this presumes any third party servers you use, or your own systems are secure and not compromised.
• As unlikely as it is, content companies would love the government to ban the use of VPN service providers.
If you insist on trying it, here's a guide. But do so at your own risk, and do your research.
• Tor stands for The Onion Router.
• You can access it here.
• Tor uses a wide network of voluntarily participating nodes to distribute your traffic to a number of anonymised exit nodes (i.e. it tunnels your browsing through several other nodes).
• Makes it harder for someone to monitor your activities.
• Is censorship-resistant due to how the protocol works.
• Here's a Guide for Installation and usage.
What Tor Does Not Do:
• Does not guarantee anonymity.
• Does not protect you from unencrypted communication tampering at exit nodes.
• Does not do operational security for you.
• Tor can be slow. Due to its voluntary nature, whilst it is free and generally reliable it can be slow, frustratingly so, and is not recommended for high volume transmissions like file transfers, peer to peer (torrents) and the like. It is recommended to limit Tor use to web browsing if possible and to stuff you really wish to keep private. Because Tor is relayed through many extra locations and countries to disguise the true source of travel, the distance travelled by the data is greater and goes through more 'hops' to get to you.
• It's not particularly safe to log in to your regular services with Tor, as the "Exit nodes" are impossible to trust with any of your credentials. Tor is for anonymous browsing, not every-day browsing that you want to keep private.
Tor is also available for Android mobile devices:
• It is available for Android tablets and phones ONLY, via the Orbot package available on the Android Market.
• Tor is NOT available for iOS Tablets and Phones, and any app you see on Apple's App Store claiming to be a Tor client at this stage is most likely a dangerous fake.
• Note: please don't use Tor for data intensive activities like torrenting, streaming HD video or large innocuous downloads. Some people rely on Tor for their safety and protection from oppressive regimes and while more Tor users are useful, unnecessary congestion on the network could make things a lot more difficult for people who rely on it.
• Also: Use Tor at your own risk. Using Tor itself is enough reason to flag you for further attention from security agencies and could increase the likelihood they may pay closer attention to your activities by presuming you have 'something to hide'.
Tails
• If you are concerned enough about your privacy to use Tor you may also wish to consider using a specialised privacy protection oriented operating system, for example "Tails". Tails is a security focused Linux distribution which can be run from a DVD or USB drive.
Beyond the basics: More privacy protection tools
If you are worried about Data Retention, then you may also be concerned about other means by which companies, security agencies, governments and so on can track what you do and build a picture via your online activity.
Even if the current definition of what is to be retained under the data retention regime is limited to certain information, there is the likelihood that this definition will expand at a later date. Additionally there is the threat that innocuous activity could inadvertently raise suspicion through false positive identification. This could in turn increase the number of warrants issued on innocent people, warrants which will then cause the retention of extra content in relation to these people. Thus, average users could be more likely to come under the increased scrutiny of a preservation order, so protecting data that is outside the purview of the mandatory data retention regime may be advisable.
Keeping these expanded threats in mind, there are some other general tools and practices that you may also wish to start employing as a result of the new data retention regime and a general increase in surveillance of communication activities.
(Don't forget there are also the wide ranging NSA programs, copyright violation monitoring, censorship efforts, and criminal activities such as identity theft, in addition to our new domestic data retention regime).
This article from the Sydney Morning Herald gives a general overview of why just masking your IP address through a VPN may not be enough to protect you.
General Good Online Practices
• HTTPS Everywhere is a simple browser extension made by the EFF. It will automatically push your browser to the HTTPS URL when a website supports HTTPS.
• This forces an encrypted connection when connecting to a website that supports such encryption. Guide for Installation and usage.
• Mobile support is available for this extension only for the Firefox Browser, and only on Android devices.
Tracker Blocking
Note: tracker blocking plugins often break the functionality of image galleries, video playback, commenting/discussion systems and social media widgets. You may have to whitelist trusted websites.
Ghostery
• An add-on for your browser which detects and blocks tracking which a website may be trying to do.
• Ghostery is proprietary, but cost-free.
• Available for all major browsers.
Privacy Badger
• A browser extension for Firefox and Chrome that will block all non-consensual tracking.
• Privacy Badger is open source, cost-free, a project of eff.org and in Beta.
• As the Tor Browser is based on Firefox, Privacy Badger will also work with that.
Disconnect
• A browser extension which blocks advertising, analytic and social media requests which are without consent.
• Disconnect is open source and cost-free. Disconnect also offer additional non-free services, like limited VPN access.
• Disconnect is available for all major browsers.
The proposed Australian Data Retention regime does not purport to retain the contents of your email communication, whereas the key methods for protecting your email communication will primarily protect the contents.
The proposed Data Retention regime will however potentially store the time you send an email, to whom you send it, what path it travels to get there, from where you sent it and the subject. The means of protecting this information starts to get beyond the scope of this site/guide.
While one could argue it is not 'necessary' to protect the contents of all your email with the below methods, you should always be aware of the potential for harm should the contents of emails become public or fall into the hands of unintended recipients (especially emails that contain sensitive information). Keep in mind that there are also a range of other government programs outside of Australia that may seek to obtain your email contents. However the encryption of all your emails, especially for an average user, could be considered overkill. Your levels of desired protection should reflect your threats and the contents of your emails.
For the various reasons detailed above, we will not go into too much detail on protecting email. But due to common queries about protecting emails, we provide some information and links below.
PGP stands for "Pretty Good Privacy", and its main feature is encrypting messages (although it can do a lot more). Its most common use is to encrypt the content (but not the metadata) of emails. A more detailed explainer on what PGP is and what it can and can't do is available here.
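The split between content and metadata described above, as an added example that is not part of the original guide: a Python sketch that parses a constructed inline-PGP email and lists the fields that stay readable to every server handling it. The addresses, host names, IP addresses and placeholder ciphertext are all made up for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: an inline-PGP email as it travels between mail servers.
# Addresses, hosts, IPs and the ciphertext placeholder are all made up.
RAW = """\
Received: from mail.isp.example.au (mail.isp.example.au [192.0.2.10])
\tby mx.recipient.example (Postfix) with ESMTPS id ABC123
\tfor <bob@recipient.example>; Tue, 13 Oct 2015 09:15:07 +1100
Received: from alice-laptop (cust-42.isp.example.au [198.51.100.42])
\tby mail.isp.example.au (Postfix) with ESMTPSA id DEF456;
\tTue, 13 Oct 2015 09:15:05 +1100
From: Alice <alice@isp.example.au>
To: Bob <bob@recipient.example>
Date: Tue, 13 Oct 2015 09:15:04 +1100
Subject: Documents for Thursday
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""


def _addresses(msg, header):
    """Bare e-mail addresses from one address header (empty list if absent)."""
    return [addr for _, addr in getaddresses(msg.get_all(header, []))]


def visible_metadata(raw):
    """Return the fields that stay in clear text even when the body is PGP-encrypted."""
    msg = message_from_string(raw, policy=policy.default)

    # Each relay prepends a Received header, so reverse them to get travel order.
    path = []
    for received in reversed(msg.get_all("Received", [])):
        hop = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", str(received), re.S)
        ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", str(received))
        if hop:
            path.append({"from": hop.group(1), "by": hop.group(2),
                         "ip": ip.group(1) if ip else None})

    date = msg.get("Date")
    body = msg.get_content()
    return {
        "time": parsedate_to_datetime(str(date)).isoformat() if date else None,
        "sender": _addresses(msg, "From"),
        "recipients": _addresses(msg, "To") + _addresses(msg, "Cc"),
        "subject": str(msg.get("Subject", "")),
        "path": path,
        # PGP only armours the body; everything above is readable in transit.
        "content_readable": "-----BEGIN PGP MESSAGE-----" not in body,
    }


if __name__ == "__main__":
    for field, value in visible_metadata(RAW).items():
        print(f"{field}: {value}")
```

The time, sender, recipient, path, originating IP address and subject all come back in clear text; only the body is hidden.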
Technically if you use an offshore webmail provider such as Gmail, your data will not be included in the data retention regime, whereas if you use your local ISP email services it will be.
Anyone can see the issue with this insofar as any purported effectiveness of the data retention regime. However, don't forget that many services such as Gmail may be accessible to Australian authorities via information sharing agreements with US agencies as part of the five-eyes surveillance programs. Also note that if you use your foreign hosted email to email someone using an Australian hosted service, then that metadata will be available via retention of your recipient's data.
This is an ever changing area as email services come and go, and so we will not provide any specific product or service recommendations here since what is ostensibly safe today, may not be tomorrow. If your personal threat model requires security of your email contents and metadata then we suggest you get further advice beyond this guide.
Encrypted Phone Calls
There are a number of services like Wickr (as used by Malcolm Turnbull recently; he has since moved on to Signal) which provide endpoint to endpoint encryption; or encryption between their servers and all endpoints. These provide an unknowable level of protection and it cannot be guaranteed that there are no backdoor agreements between these services and any governments.
One should be especially careful when using a service that does not run on open source or freely auditable code as you are placing trust entirely within the organisation to deliver what they advertise. There have been examples where companies that claim to protect your security and privacy have been found wanting when exposed to closer scrutiny.
The value of these services is often pinned on your trust of the company in question. The below apps are widely considered the best options at this time (but make your own judgement call).
• Android mobile app that allows for encrypted voice calls.
• Uses Wi-Fi or data connection.
• Allows you to use your mobile phone number.
• Made by Open Whisper Systems.
• Free and open source!
• Uses end-to-end encryption, forward secrecy.
End-to-end encryption (E2EE), which is non-certified or uncertified, is a digital communications paradigm of uninterrupted protection of data traveling between two communicating parties without being intercepted or read by other parties except for the originating party encrypting data to be readable only by the intended recipient, and the receiving party decrypting it, with no involvement in said encryption by third parties. The intention of end-to-end encryption is to prevent intermediaries, such as Internet providers or application service providers, from being able to discover or tamper with the content of communications. End-to-end encryption generally includes protections of both confidentiality and integrity.
In cryptography, forward secrecy (FS; also known as perfect forward secrecy, or PFS and also key erasure) is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future.
• Note: Can only encrypt calls between two RedPhone users (or RedPhone and Signal users).
• Familiar interface, get from the Play Store.
• Guide for Installation and usage
• iOS mobile app that allows for encrypted voice calls and texts.
• Made by the same group as RedPhone (Whisper Systems).
• Free and open source!
• Compatible with RedPhone on Android.
• Uses Wi-Fi or data connection.
• Allows you to use your mobile phone number.
• Get it from the Apple App Store.
• Guide for Installation and usage
Encrypted Text Messaging
• Secure Text Messaging app for Android - use your mobile to send encrypted, secure messages to another TextSecure user.
• Made by the same group as RedPhone and Signal (Whisper Systems).
• Uses end-to-end encryption, forward secrecy. What does this mean?
• Can use it as your default texting app.
• Will store your messages encrypted on your phone.
• Encrypts where possible.
• Get it from the Play Store.
• Guide for Installation and usage.
• Signal 2.0 has recently been released for iOS that now includes TextSecure support.
• Get it from the App Store.
• Note that they are phasing out support for encryption for traditional SMS/MMS, so if you use Signal to send standard SMS text messages they will not be encrypted. But you can get the same functionality by using Signal to send and receive "TextSecure" messages in encrypted formats. Make sure you are aware of which version you are using and what it does and doesn't encrypt.
The Electronic Frontier Foundation have released a Secure Messaging Scorecard for voice and text messaging apps. Telegram rates well on this scorecard, and is open source, cost-free and available for all major mobile and desktop operating systems. There are also proprietary and for-fee services available, like that offered by Silent Circle.
Encrypted Instant Messaging
Pidgin + OTR Plugin
• Open source "universal chat client".
• Can be used with Google Hangouts/XMPP, Yahoo, and apparently Facebook accounts.
• With OTR you get end-to-end encryption and forward secrecy. What does this mean?
• Note that OTR is a separate plugin that you need to obtain separately and add to Pidgin.
• Guide for Installation and usage.
• Note: OTR will not provide secure end-to-end encryption if you're the only one using it. Make sure those you talk to also install the plugin.
Apple OS X
Adium + OTR Plugin
• Adium is a free and open source instant messaging client for OS X.
• It is based on the same core as Pidgin but has a shiny Mac interface.
• OTR is a protocol that will encrypt your conversations.
• With OTR you get end-to-end encryption and forward secrecy. What does this mean?
• OTR comes built into Adium, you do not have to install it as a separate plugin.
• Guide for Installation and usage.
• Note: OTR will not provide secure end-to-end encryption if you're the only one using it. Make sure those you talk to also use OTR.
Chatsecure
• Open source, XMPP client that supports OTR out of the box.
• OTR is a protocol that will encrypt your conversations.
• With OTR you get end-to-end encryption and forward secrecy. What does this mean?
• Get Chatsecure from Play Store or App Store.
• Guide for Installation and usage.