One of the questions we are asked most often at Motherboard is “how can I prevent myself from getting hacked?”
Because
living in modern society necessitates putting an uncomfortably large
amount of trust in third parties, the answer is often “not a whole lot.”
Take, for example, the massive Equifax hack that affected roughly half
of the American population: Few people voluntarily signed up for the
service, and yet their information was stolen anyway.
Hackers steal hundreds of millions of passwords in one swoop and occasionally cause large-scale blackouts. The future is probably not going to get better, with real-life disasters caused by internet-connected knick-knacks, smart home robots that could kill you, flying hacker laptops, and the dangers of hackers getting your genetic data.
Meanwhile, an ever-growing and increasingly passive surveillance
apparatus that has trickled down to state and local police is an
ever-present threat to our digital privacy.
That doesn’t mean
it’s hopeless out there. There are lots of things you can do to make it
much more difficult for hackers or would-be surveillers to access your
devices and accounts, and the aim of this guide is to give you clear,
easy-to-follow steps to improve your digital security. There are,
broadly speaking, two types of hacks: Those that are unpreventable by
users, and those you can generally prevent. We want to help you mitigate
the damage of the first and prevent the second from happening.
You,
as an individual user, can’t do anything to prevent your email
provider, or the company that holds your financial details, from getting
hacked. But you can avoid phishing attacks that will let a hacker get
into your individual email account, and you can also prevent a password
obtained in a larger hack from being reused on another, separate account
you have.
This guide isn’t comprehensive and it’s not
personalized; there is no such thing as “perfect security” and there are
no one-size-fits all solutions. Instead, we hope this will be a
jumping-off point for people looking to batten down the hatches on their
digital lives.
That’s why we’ve tried to keep this guide as accessible as possible,
but if you run into any lingo you don’t know, there’s a glossary at the
end of this guide to help out.
This guide is the work of many
people on Motherboard staff both past and present, and has been vetted
by several of our sources, who we owe a great debt to. Large sections of
it were written by Lorenzo Franceschi-Bicchierai, Joseph Cox, Sarah
Jeong, and Jason Koebler, but the tips within it have grown out of years
of writing and research on digital security by dozens of reporters and
infosec professionals. Consider it a forever-ongoing work-in-progress
that will receive at least one big annual refresh, as well as smaller
updates when major new vulnerabilities are exposed. Special thanks to
Matt Mitchell of Crypto Harlem, and Eva Galperin, of the Electronic
Frontier Foundation for reviewing parts of this guide.
Anyways, enough. This is the Motherboard Guide to Not Getting Hacked.
THREAT MODELING
Everything in this guide starts with “threat
modeling,” which is hacker lingo for assessing how likely it is you are
going to get hacked or surveilled. When thinking about how to protect
your digital communications, it is imperative that you first think about
what you’re protecting and who you’re protecting it from. “Depends on
your threat model” is a thing infosec pros say when asked questions
about whether, say, Signal is the best messaging app or Tor is the most
secure browser. The answer to any question about the “best” security is,
essentially: “it depends.”
No one security plan is identical to any other. What sort of
protections you take all depend on who may try to get into your
accounts, or to read your messages. The bad news is that there are no
silver bullets (sorry!), but the good news is that most people have
threat models in which they probably don’t have to live like a paranoid
recluse to be reasonably safe online.
So before doing anything
else, you should consider your threat model. Basically, what are you
trying to protect, and who are you trying to protect it from?
The Electronic Frontier Foundation recommends asking yourself these five questions when threat modeling:
What do you want to protect?
Who do you want to protect it from?
How likely is it that you will need to protect it?
How bad are the consequences if you fail?
How much trouble are you willing to go through in order to try to prevent those?
Is
your threat an ex who might want to go through your Facebook account?
Then making sure they don't know your password is a good place to start.
(Don't share critical passwords with people, no matter who they are; if
we're talking Netflix, make sure you never reuse that password
elsewhere.) Are you trying to keep opportunistic doxers from pulling
together your personal information—such as your birthday—which in turn
can be used to find other details? Well, keeping an eye on what sort of
stuff you publish on social media would be a good idea. And two-factor
authentication (more on that below) would go a long way to thwarting
more serious criminals. If you are an activist, a journalist, or
otherwise have reason to fear government, state, or law enforcement
actors want to hack or surveil you, the steps you must take to protect
yourself are significantly different than if you’re trying to keep plans
for a surprise party secret from your best friend.
Advertisement
Overestimating
your threat can be a problem too: if you start using obscure custom
operating systems, virtual machines, or anything else technical when
it's really not necessary (or you don't know how to use it), you’re
probably wasting your time and might be putting yourself at risk. At
best, even the most simple tasks might take a while longer; in a
worst-case scenario, you might be lulling yourself into a false sense of
security with services and hardware that you don’t need, while
overlooking what actually matters to you and the actual threats you
might be facing.
In certain places, this guide will offer
specific steps to take if you have a threat model that includes
sophisticated actors. But, in general, it’s designed for people who want
to know the basics of how to strengthen their digital security. If your
threat model includes NSA hackers or other state-sponsored groups like
Fancy Bear, we recommend that you speak to a trained professional about
your specific situation.
KEEP YOUR APPS UP TO DATE
Probably
the most important and basic thing you can do to protect yourself is to
update the software you use to its newest version. That means using an
updated version of whatever operating system you're using, and updating
all your apps and software. It also means updating the firmware on your
router, connected devices, and any other gadgets you use that can
connect to the internet.
Bear in mind that, on your computer, you
don't necessarily have to use the latest iteration of an operating
system. In some cases, even slightly older versions of operating systems
get security updates. (Unfortunately, this is no longer the case with
Windows XP—stop using it!) What's most important is that your OS is still receiving security updates, and that you're applying them.
Advertisement
So if you come away with one lesson from this guide is: update, update, update, or patch, patch, patch.
Many
common cyberattacks take advantage of flaws in outdated software such
as old web browsers, PDF readers, or spreadsheet and word-processing
tools. By keeping everything up to date, you have a way lower chance of
becoming a victim of malware, because responsible manufacturers and
software developers quickly patch their products after new hacks are
seen in the wild.
Hacking is often a path of least resistance:
you go after the easy, soft, targets first. For example, the hackers
behind the destructive ransomware outbreak known as WannaCry hit victims
who had not applied a security update that had been available for
weeks. In other words, they knew they were going to get in because the
victims had not changed the lock to their door even though their keys
had already been made available to everyone.
PASSWORDS
We
all have too many passwords to remember, which is why some people just
reuse the same ones over and over. Reusing passwords is bad because if,
for example, a hacker gets control of your Netflix or Spotify password,
they can then use it to get into your ridesharing or bank account to
drain your credit card. Even though our brains aren't actually that bad at remembering passwords, it's almost impossible to remember dozens of unique, strong passwords.
The
good news is that the solution to these problems is already out there:
password managers. These are apps or browser extensions that keep track
of passwords for you, automatically help you create good passwords, and
simplify your online life. If you use a manger, all you have to remember
is one password, the one that unlocks the vault of your other
passwords.
Advertisement
That
one password better be good though. Forget about capital letters,
symbols, and numbers. The easiest way to make a secure master password
is to make a passphrase: several random but pronounceable—and thus
easier to memorize—words. For example: floodlit siesta kirk barrel
amputee dice (don’t use this one though, we just burned it.)
Once
you have that you can use unique passwords made of a lot of characters
for everything else, as long as you create them with a password manager
and never reuse them. The master password is better as a passphrase
because it's easier to memorize, and the other passwords don't need to
be memorized because the manager will remember them.
Intuitively,
you might think it's unwise to store your passwords on your computer or
with a third party password manager. What if a hacker gets in? Surely
it's better that I'm keeping them all in my head? Well, not really: The
risk of a crook reusing a shared password that has been stolen from
somewhere else is far greater than some sophisticated hacker
independently targeting your database of passwords. For example, if you
used the same password across different websites, and that password was
stolen in the massive Yahoo! hacks (which included 3 billion people), it
could easily be reused on your Gmail, Uber, Facebook, and other
websites. Some password managers store your passwords encrypted in the
cloud, so even if the company gets hacked, your passwords will be safe.
For example, the password manager LastPass has been hacked at least
twice, but no actual passwords were stolen because the company stored
them securely. LastPass remains a recommended password manager despite
those incidents. Again, it's all about understanding your own threat
model.
Advertisement
So, please, use one of the many password managers out there, such as 1Password, LastPass, or KeePass. there's no reason not to do it. It will make you—and the rest of us!—safer, and it'll even make your life easier.
And
if your employer asks you to change passwords periodically in the name
of security, please tell them that's a terrible idea. If you use a
password manager, two-factor authentication (see below), and have unique
strong passwords for every account there's no need to change them all
the time—unless there’s a breach on the backend or your password is
stolen somehow.
TWO-FACTOR AUTHENTICATION
Having
unique, strong passwords is a great first step, but even those can be
stolen. So for your most important accounts (think your email, your
Facebook, Twitter accounts, your banking or financial accounts) you
should add an extra layer of protection known as two-factor (or two-step
or 2FA) authentication. A lot of services these days offer two-factor,
so it doesn’t hurt to turn it on in as many places as you can. See all
the services that offer 2FA at twofactorauth.org.
By
enabling two-factor you'll need something more than just your password
to log into those accounts. Usually, it's a numerical code sent to your
cellphone via text messages, or it can be a code created by a
specialized app (which is great if your cellphone doesn't have coverage
at the time you're logging in), or a small, physical token like a USB
key (sometimes called a U2F security key or YubiKey, named after the
most popular brand).
Advertisement
There's been a lot of discussion in the last year about whether text messages can be considered a safe “second factor.” Activist Deray McKesson's phone number was hijacked,
meaning hackers could then have the extra security codes protecting
accounts sent straight to them. And the National Institute of Standards
and Technology (NIST), a part of the US government that writes
guidelines on rules and measurements, including security, recently discouraged the use of SMS-based 2FA.
The
attack on Deray was made possible by “social engineering.” In this
case, a customer service rep was tricked by a criminal into making Deray
vulnerable. The attack involved getting his phone company to issue a
new SIM card to the attackers, allowing them to take over his phone
number. That means when they used his first factor (the password) to
login to his account, the second factor code was sent directly to them.
This is an increasingly common hack.
It's hard to defend against
an attack like that, and it’s a sad truth that there is no form of
perfect security. But there are steps you can take to make these attacks
harder, and we detail them below, in the mobile security section.
SMS-based
two-factor can be gamed, and it’s also possible to leverage
vulnerabilities in the telecommunications infrastructure that carries
our conversations or to use what’s known as an IMSI-catcher, otherwise
known as a Stingray,
to sweep up your cellphone communications, including your verification
texts. We don’t write this to scare you, it’s just worth noting that
while all forms of two-factor authentication are better than nothing,
you should use an authentication app or better yet a physical key if at
all possible.
Advertisement
You
should, if the website allows it, use another 2FA option that isn't
SMS-based, such as an authentication app on your smartphone (for
example, Google Authenticator, DUO Mobile, or Authy), or a physical token. If that option is available to you, it's great idea to use it.
Don't use Flash:
Flash is historically one of the most insecure pieces of software
that's ever been on your computer. Hackers love Flash because it's had
more holes than Swiss cheese. The good news is that a lot of the web has
moved away from Flash so you don't really need it anymore to still
enjoy a fully-featured and rich browsing experience. So consider purging it from your computer, or at least change the settings on your browser so you have to click to run Flash each time. Do use antivirus: Yes, you've heard this before. But it's still (generally) true. Antiviruses are actually, and ironically, full of security holes,
but if you're not a person who's at risk of getting targeted by
nation-state hackers or pretty advanced criminals, having antivirus is
still a good idea. Still, antivirus software is far from a panacea, and
in 2017 you need more than that to be secure. Also, be aware that
antivirus software, by definition, is incredibly invasive: it needs to
reach deep into your computer to be able to scan and stop malware. This
reach can be abused. For example, the US government accuses Kaspersky Lab,
one of the most well-known antivirus software in the world, of having
passed sensitive documents from one of its customers to the Russian
government.
Advertisement
Do use some simple security plugins:
Sometimes, all a hacker needs to pwn you is to get you to the right
website—one laden with malware. That's why it's worth using some simple,
install-and-forget-about-it plugins such as adblockers, which protect you from malware embedded in advertising
presented by the shadier sites you may wander across on the web, and
sometimes even legitimate sites. (We'd naturally prefer if you
whitelisted Motherboard since web ads help keep our lights on.)
Another useful plugin is HTTPS Everywhere,
which forces your connection to be encrypted (when the site supports
it). This won't save you if the website you're going to has malware on
it, but in some cases, it helps prevent hackers from redirecting you to
fake versions of that site (if there's an encrypted one available), and
will generally protect against attackers trying to tamper with your
connection to the legitimate one. Do use a VPN: Virtual
Private Networks are a secure channel between your computer and the
internet. If you use a VPN, you first connect to the VPN, and then to
the whole internet, adding a layer of security and privacy. If you're
using the internet in a public space, be it a Starbucks, an airport, or
even an Airbnb apartment,
you are sharing it with people you don't know. And if some hacker is on
your same network, they can mess up with your connection and
potentially your computer. It’s worth doing some research on VPNs before
getting one, because some are much better than others (most of the free
ones don’t do a great job of protecting your privacy). We recommend
Freedome, Private Internet Access, or, if you’re a technical user, Algo.
Advertisement
Do disable macros: Hackers can use Microsoft Office macros inside documents to spread malware to your computer. It's an old trick, but it's back in vogue to spread ransomware. Disable them! Do back up files:
We're not breaking any news here, but if you're worried about hackers
destroying or locking your files (such as with ransomware), then you
need to back them up. Ideally, do it while you're disconnected from the
network to an external hard drive so that even if you get ransomware,
the backup won't get infected. Don't overexpose yourself for no reason:
People love to share pretty much everything about their lives on social
media. But please, we beg you, don't tweet a picture of your credit
card or flight’s boarding pass,
for example. More generally, it's a good mindset to realize that a post
on social media is often a post to anyone on the internet who can be
bothered to check your profile, even if it's guessing your home address
through your running routes on a site like Strava, a social network for
runners and cyclists.
Personal information such as your home
address or high school (and the school’s mascot, which is a Google away)
can then be used to find more information via social engineering schemes. The more personal information an attacker has, the more likely they are to gain access to one of your accounts. With that in mind, maybe consider increasing the privacy settings on some of your accounts too.
Advertisement
Don't open attachments without precautions:
For decades, cybercriminals have hidden malware inside attachments such
as Word docs or PDFs. Antiviruses sometimes stop those threats, but
it's better to just use commons sense: don't open attachments (or click
on links) from people you don't know, or that you weren't expecting. And
if you really want to do that, use precautions, like opening the
attachments within Chrome (without downloading the files). Even better,
save the file to Google Drive, and then open it within Drive, which is
even safer because then the file is being opened by Google and not your
computer.
We now live in a world where smartphones have become our primary computing devices. Not only we use cellphones more than desktop computers, but we keep them with us pretty much all the time. It goes without saying then, that hackers are targeting mobile phones more and more every day.
The
good news is there are some basic steps and some precautions you can
take to minimize the risks, and we’re going to tell you what they are.
MOBILE THREAT MODELING
Most
people use passcodes, passwords, or patterns to “lock” their phones. If
you don’t do this, you absolutely should! (Patterns are far easier to
guess or “shoulder surf” than pins or passcodes, however, according to a recent study.)
One
of the biggest mobile threats is someone who has physical access to
your phone and can unlock it. This means your security is only as good
as your passcode: If at all possible, avoid giving out your code or
password, and avoid using easily guessed passcodes such as your birthday
or address. Even simple passcodes and passwords are great to stop
pickpockets or street thieves, but not so great if what you’re worried
about is an abusive partner who knows your PIN, for example.
Advertisement
With that in mind, here's a few basic things you can do to prevent other common threats to your cellphone.
GET AN iPHONE
Pretty much everyone in the world of cybersecurity—except perhaps the engineers working on Android—believes
that iPhones are the most secure cellphone you can get. There are a few
reasons why, but the main ones are that iOS, Apple’s mobile operating
system, is extremely locked down. Apps go through extensive checks
before getting on the App Store, and there are extensive security
measures in place, such as the fact that only code approved and
digitally signed by Apple (a measure known as code-signing) and the fact
that apps are limited from reaching into other apps (sandboxing). These
features make it really hard for hackers to attack the most sensitive
parts of the operating system. Because Apple controls the iOS
infrastructure, iPhones get immediate, regular security updates and
patches from Apple; critical security updates for many Android devices
can take weeks or months to be pushed to users. Even the iPhone 5s,
which was launched in 2013, is still supported.
So if you are
paranoid, the iPhone is the most secure cellphone out of the box. But
unless you have a really good reason for it, do NOT jailbreak it. While the jailbreaking movement and the hackers behind it
have contributed to make the iPhone more secure, jailbreaking an iPhone
at this point doesn’t really provide you any feature that’s worth the
increased risks. In the past, hackers have been able to target at scale only jailbroken iPhones.
Advertisement
Nothing is unhackable though. We know some governments are armed with million-dollar hacking tools
to hack iPhones, and perhaps some sophisticated criminals might have
those too. Still, get an iPhone, install the updates, and don’t
jailbreak it and you’ll probably be fine.
BUT I LOVE ANDROID! FINE...
Android
has become the most popular operating system in the world thanks to its
decentralized, open-source nature and the fact that many handsets are
available at prices much lower than iPhones. In some ways, this
open-sourced nature was Android’s original sin:
Google traded control, and thus security, for market share. This way,
critical security updates depend on carriers and device manufacturers,
who have historically been lackadaisical about pushing them out.
The
good news is that in the last two years this has improved a lot. Google
has been pushing partners to give users monthly updates, and Google’s
own flagship devices have almost the same kind of regular support that
Apple provides to iPhones, as well as some of the same security
features.
So your best bet is to stick to Pixels or Nexus
phones, whose security doesn’t depend on anyone but Google. If you
really don’t want a Google phone, these cellphones have a good track record of pushing security updates, according to Google itself.
Whatever
Android phone you own, be careful what apps you install. Hackers have
traditionally been very successful at sneaking malicious apps on the
Play Store so think twice before installing a little-known app, or
double check that the app you’re installing really is the one you want.
Earlier this fall, a fake version of WhatsApp was installed by more than a million Android users.
Also, stick to the Play Store and avoid downloading and installing apps
from third-party stores, which may very well be malicious. On most
Android phones, installing third-party apps is not enabled by default,
leave it that way.
Advertisement
To
protect the data on your Android phone, make sure full disk encryption
is enabled. Open your Settings app, go to “Security” and click on
“Encrypt Phone” if it’s not enabled already. (If this doesn’t work on
your device, Google for instructions on your specific handset).
Finally, while not mandatory, it might be a good idea to install a mobile antivirus such as Lookout or Zips. While these can be effective against criminal’s malware, they probably won’t stop government hackers.
LOCK-UP THAT SIM CARD
Recently we revealed that hackers had been exploiting a nasty bug on a T-Mobile website to pull the personal data of customers
in an attempt to gather data that they could then use to impersonate
the victims and socially engineer T-Mobile support technicians into
issuing new SIM cards. These kind of attacks, known as “SIM swapping”
or “SIM hijacking,” allow hackers to take over your cellphone number,
and in turn anything that’s connected to it. SIM hijacking is what makes
two-factor authentication via SMS so dangerous.
Your phone number is likely the gateway to multiple other, perhaps more sensitive, parts of your digital life: your email, your bank account, your iCloud backups.
As
a consumer, you can’t control the bugs that your carrier leave open for
hackers. But you can make it a bit harder for hackers to impersonate
you with gullible tech support employees. The solution is easy, although
not that many people know about it: a secondary password or passcode
that you need to provide when you call your cellphone provider. Most US
carriers now offer this option.
Advertisement
Call
your provider and ask them to set this up for you. Motherboard
confirmed that Sprint, T-Mobile, Verizon and U.S. Cellular all give
customers this option. Verizon and U.S. Cellular have made this
mandatory, according to their spokespeople. Of course, make sure you
remember this phone password, or better yet, write it down in your
password manager.
Image: Koji Yamamoto & Seth Laupus
In the wake of September 11th, the United States built out a massive surveillance apparatus, undermined constitutional protections, and limited possible recourse to the legal system.
Given
the extraordinary capabilities of state surveillance in the US—as well
as the capabilities of governments around the world—you might be feeling
a little paranoid! It’s not just the NSA—the FBI and even local cops
have more tools at their disposal to snoop on people than ever before.
And there is a terrifying breadth of passive and unexpected surveillance
to worry about: Your social media accounts can be subpoenaed, your
emails or calls can be scooped up in bulk collection efforts, and your
cell phone metadata can be captured by Stingrays and IMSI catchers meant
to target someone else.
Remember, anti-surveillance is not the
cure, it’s just one thing you can do to protect yourself and others. You
probably aren’t the most at-risk person, but that doesn’t mean you
shouldn’t practice better security. Surveillance is a complicated thing:
You can practice the best security in the world, but if you’re sending
messages to someone who doesn’t, you can still be spied on through their
device or through their communications with other people (if they
discuss the information you told them, for instance).
Advertisement
That’s
why it’s important that we normalize good security practices: If you
don’t have that much to be afraid of, it’s all the more important for
you to pick up some of these tools, because doing that will normalize
the actions of your friends who are, say, undocumented immigrants, or
engaged in activism. Trump’s CIA Director thinks that using encryption “may itself be a red flag.”
If you have “nothing to hide,” your use of encryption can actually help
people at risk by obfuscating that red flag. By following this guide,
you are making someone else safer. Think of it as herd immunity. The
more people practice good security, the safer everyone else is.
The
security tips provided earlier in this guide still apply: If you can
protect yourself from getting hacked, you will have a better shot at
preventing yourself from being surveilled (when it comes to surveilling
iPhones, for instance governments often have few options besides hacking the devices). But tech tools don’t solve all problems. Governments have a weapon in their hands that criminal hackers do not: the power of the law. Many of the tips
in this section of the guide will help you not only against legal
requests and government hacking, but also against anyone else who may be
trying to spy on you. You don’t have to turn yourself into a
security expert. Just start thinking about your risks, and don’t be
intimidated by the technology. Security is an ongoing process of
learning. Both the threats and the tools developed to address them are
constantly changing, which is one of the reasons why privacy and
security advice can often seem fickle and contradictory. But the tips
below are a good starting point.
Advertisement
THREAT MODELING (privacy and surveillance edition)
Keep
in mind that different tools address different problems. Without threat
modelling, it’s easy to feel overwhelmed by how many tools are out
there. Threat modeling for surveillance is similar to threat modelling
for hacking, but there are of course some nuances that vary in every
situation.
It’s easy for some people to say “use Signal, use
Tor,” and be done with it, but that doesn’t work for everyone. For
example, a friend used to message people about her abusive ex-partner
using the built-in Words With Friends messenger, because she knew that he read her text messages and Gchats. Words With Friends
does not have a particularly secure messaging system, but in this case
it was a better option than Signal or Hangouts because he didn’t think
to read her messages on the game.
When it comes to state actors,
it might be helpful to think of surveillance in two different forms:
surveillance of metadata (who you are, who you’re talking to, when
you’re talking) and surveillance of content (what you are saying). As
with all things, when you dig a little deeper, it’s not as simple as
that. But if you’re thinking about this for the first time, it’s a good
start.
Surveillance law is complicated, but long story short,
both the law and current technological infrastructure make it easier to
grab metadata than content. Metadata isn’t necessarily less important or revealing
than content. Say Planned Parenthood called you. Then you call your
partner. Then you call your insurance. Then you call the abortion
clinic. That information is going to be on your phone bill, and your
telephone provider can easily give it up to the government. Your cell
provider might not be recording those calls—the content is still
private. But at that point, the content doesn’t matter—it would be easy
for someone with the metadata alone to have a reasonable idea of what
your calls were about.
Advertisement
Start
thinking about what is open and exposed, and what you can protect.
Sometimes, you have to accept that there’s very little you can do about a
particular channel of communication. If circumstances are dire, you’re
going to just have to work around it.
SIGNAL
Signal is
an encrypted messaging service for smartphones and desktop computers.
It is, for many—but not all—people, a good option for avoiding
surveillance. Because the government has the capability to intercept
electronic messages while they’re being transmitted, you want to use
end-to-end encryption for as many of your communications as possible.
Using
Signal is easy. You can find it and install it from your phone’s app
store. (In the iOS App Store and the Google Play Store, it’s called
“Signal Private Messenger,” and it’s made by Open Whisper Systems.)
If
you have the other person’s phone number in your contacts list, you can
see them in Signal, and message them or call them. As long as the other
person also has Signal, the messages automatically encrypt—all the work
is invisible.
It even has a desktop app, so you can use it the
way that iOS/Mac OS people use iMessage on both their phones and
computers. Go to the Signal.org website and download the app for your
preferred operating system. Just follow the instructions—trust us,
they’re easy.
Signal also lets you set a timer for messages to
automatically expire, thus deleting them from all devices. You can set
the timer for all kinds of lengths, including very short ones. This is a
great feature for journalists who are concerned about protecting their
sources or their conversations with editors.
Advertisement
These
are great features, and they’re part of the reason why we recommend
Signal over many other end-to-end messaging apps. iMessage and WhatsApp
also use end-to-end encryption, but they both have drawbacks.
We do not recommend WhatsApp, because WhatsApp is owned by Facebook, and has been sharing user information with its parent company.
While this is only metadata, it is ultimately a rollback of a privacy
promise made when WhatsApp was acquired by Facebook. We think this says
something negative about the overall trustworthiness of the company in
coming days.
It is a very good thing that Apple encrypts iMessages end-to-end. But iMessage also backs up messages to iCloud
by default, which is why you can message from all your Apple devices.
This is a great and fun feature, but if you’re concerned about
government surveillance, remember that Apple complies with lawful
government demands for data in your iCloud: “iMessage and SMS messages
are backed up on iCloud for your convenience,” Apple’s privacy page
states. You can turn this feature off, but in theory Apple could be
forced to access the iMessages you’ve sent people who still have the
feature enabled.
Signal keeps very little information. We know
this, because Open Whisper Systems was subpoenaed by the government last
year, and was forced to hand over information. But the information it
had—by design—was pretty minimal. Signal retains phone number, account creation date, and the time of the user’s last connection to Signal servers. Yes, that’s still something, but as you can see, it’s not very much.
Advertisement
There are worse products to use than iMessage and WhatsApp. For example, you absolutely should avoid using Telegram
for sensitive communications. And Google can read your GChats unless
you take additional steps to encrypt them end-to-end. There are several
other products on the market that are decent alternatives (for example, Wire),
but like WhatsApp and iMessage, they’re created and maintained by
for-profit companies, and we don’t know how they’re planning to monetize
in the future. Signal is an open source, nonprofit project. That has
its own drawbacks (for example, Signal is not as slick as iMessage, nor
does it have the luxury of having a large security team behind it), so
maybe donate money when you download it?
One
thing that’s worth mentioning about Signal is that it requires you to
associate the device with a phone number. This means that you need to
trust the people you’re messaging to have your phone number (or need to jump through hoops to use Signal with a dummy phone number);
there are many reasons why you might want to message people without
giving them your phone number, which is one of the potential drawbacks
of Signal. If this is a concern for you, consider another option.
Another
thing to remember is that just because a communication is end-to-end
encrypted doesn’t mean it’s invisible to the government. It just means
the contents are encrypted between endpoints. You can see the
message, your recipient can see the message. If it’s intercepted in
transit, it’s completely garbled, and the content of your message is
protected from spying eyes.
Advertisement
But
if an “endpoint” is compromised—in other words, if your own phone is
hacked or physically seized by the government, or your texting partner
is screencapping your conversation—it’s game over.
Encryption
doesn’t make it impossible for the government to snoop, it just makes it
way more challenging. The point is that introducing friction into the
equation does provide privacy.
SOCIAL MEDIA
If you post
publicly on social media, know that local police (and likely federal
agencies as well) keep tabs on activists online. For example, Facebook,
Instagram, and Twitter have all fed data to social media monitoring
products that police departments used to track Black Lives Matter activists.
Even
if you keep your privacy settings on lockdown, social media companies
are subject to subpoenas, court orders, and data requests for your
information. And often times, they’ll fork over the information without
ever notifying the user that it’s happening. For the purposes of social
media, assume that everything you post is public. This doesn’t mean you
should stop using social media, it just means you have to be mindful of
how you use it.
If you’re an activist, consider using a
pseudonym for your activism. If you post online at all, take others’
safety and privacy into consideration as well.
Who are you
tagging into your posts? Are you adding location information? Who are
you taking a picture of, and why? Be particularly careful with photos or
posts about protests, rallies, or meetings. Facial recognition technology
is fairly sophisticated now, so even if you leave people untagged,
theoretically an algorithm could scan for and identify activists in a
photograph of a rally. You can already see this at work in Facebook’s
tag suggestions.
Advertisement
When
you take a picture of someone at a protest, make sure that they
consent, and that they know the implications of having a photo of
themselves out there.
DEVICE CAMERAS AND MICROPHONES
Do
you live around any cameras? If you use internet-connected security
cameras inside your home, or have a webcam running, don’t leave these
things unsecured. Make sure that you’ve changed any passwords from the
default that they shipped with, and cover them when you’re not using
them.
If you have a laptop or a smartphone, use a sticker to
cover the front-facing camera. You don’t have to stop Facetiming and
taking selfies, you just want to cover things up so no one’s looking at
you when you don’t want them to. The Electronic Frontier Foundation
sells removable laptop cover stickers
(five for $5) that won’t leave a residue on your camera, so you can
take it on and off whenever you need it. Consider buying several and
giving them to friends who might be shorter on cash.
Finally,
there is absolutely no way to make sure your microphone is not
recording. If you’re concerned about being wiretapped, consider turning
off your phone and putting it in the microwave ( temporarily, with the microwave off), or leaving your phone in the other room. Turning your phone off alone does not necessarily protect you! And consider leaving all your devices outside of the bedroom when you have sex with your partner.
In 2012, Khadija Ismayilova, an Azeri journalist, was blackmailed with a surreptitiously filmed sex tape.
The blackmailer told Ismayilova to stop publishing articles critical of
the government, or else have her tape released. (Ismayilova went
public, and the tape was posted on the internet.) In 2015, the
Azerbaijan government sentenced her to seven and a half years in prison on tax evasion charges. She is currently out on probation.
Advertisement
Governments at home and abroad have used sex to blackmail dissenters. Be aware of that, and protect your privacy.
LOCK SCREEN
Put
a password/passcode on your phone and your computer. Don’t rely on your
thumbprint alone. The police are more likely to be able to legally
compel you to use your fingerprint to open up your phone. You may have a stronger constitutional right not to speak your password.
USE OTR FOR CHATTING (if you have to)
It’s
best to use Signal for desktop when chatting with people. But here’s
another option that’s particularly useful for journalists.
Close
your Gmail window and use OTR (Off The Record) instead to chat. Keep in
mind that you can only use OTR if the other person is also using OTR.
Mac users can install Adium, PC (and Linux) users will have to install Pidgin and the OTR plugin.
You
can use your Gmail account as your chat ID. So what’s going on is that
you’re engaging in Gchat, but with a layer of encryption on top. Open up
a chat window and click the lock icon to begin encryption. And make
sure you tweak your settings so that you’re not retaining chat logs
during encrypted conversations.
Again, end-to-end only goes so far. If the other person is logging your conversations, it might not matter that you went this far. If you’re concerned, ask your friend to stop logging.
THE TOR BROWSER
Tor—which
takes its name from an acronym for “The Onion Router”—scrambles your
internet traffic by routing it through several layers of computers. This
way, when you access a website, it can’t tell where you’re connecting
from. The easiest way to use Tor is just to install the Tor Browser. It’s just like Firefox or Chrome or Internet Explorer, just a lot slower because of the privacy it provides.
Advertisement
Using
Tor for everything will give you a big privacy boost, but it’s a bit
unwieldy. Don’t, for instance, try to stream Netflix over Tor.
Evaluate
your needs and figure out how much Tor you need in your life. Always
remember that your IP address (which can give away where you are, and
therefore, who you might be) is laid bare if you aren’t using it.
There are four reasons why you might want to use Tor.
You’re trying to keep your identity hidden.
You use a lot of public WiFi.
You’re trying to get around government censorship.
You are protecting the other people who use Tor.
If
you’re an activist who is trying to hide their identity, you need Tor
to mask your IP address. This is a limited use case scenario. For
example, it’s self-defeating for me to open up Tor, log into my public
Twitter account, and tweet, “What up, everyone, I’m tweeting from the
Vice Media offices in New York City.” I am giving away all the
information that Tor is masking for me—because when it comes down to it,
in that use case scenario, I was never planning on keeping it private.
If
you connect to a lot of public Wi-Fi (think Starbucks, a hotel, or the
airport), though, you should use Tor. It provides similar benefits as
VPNs , but without many of the drawbacks of a VPN (see the next section
for a discussion of that).
If the United States begins to censor parts of the web, as many other governments do,
Tor might be able to help you get around that. Tor certainly helps
people connecting to the internet from other countries that practice
internet censorship.
Finally, the thing about Tor is that the
more people use it, the less trackable everyone else is. When a lot of
random, unaffiliated people from all over the world use it, it becomes
stronger and stronger. If you take the time to use Tor every day, you
are helping people who really do need it.
Advertisement
A couple caveats, here: Tor is not bulletproof. The government has been known to hack groups of users on Tor, just like it’s been known to hack VPN users en masse.
Tor, by itself, does not make it more unlikely for you to get hacked.
Tor is for privacy, not security. And Tor is designed to make it hard to log your traffic, not impossible, so there’s always a risk that you aren’t being hidden.
The
computers that make up the Tor network—the ones that your traffic
bounces through—are run by volunteers, institutions, and organizations
all over the world, some of whom face legal risks for doing so.
They are not supposed to log the traffic that goes through them, but
because it’s a volunteer network, some might. The risk is mitigated by
the fact that each node only sees a snapshot of the traffic running
through it, and nobody has access to both the user’s IP and their
unencrypted traffic. A bad actor would have to run a very large number
of Tor nodes to start logging meaningful traffic—which would be
difficult—and the Tor project monitors for behavior that suggests
anybody might be doing that.
Ultimately, for the purposes of state surveillance, Tor is better than a VPN, and a VPN is better than nothing.
It’s
not clear whether Tor will continue to exist into the future. Tor is
run partly through grants from the government. (Like many cutting edge
technologies, Tor was originally developed by the US military.) It’s
possible Tor will lose most of its funding in the very near-term.
Consider donating to the Tor Project.
Advertisement
VIRTUAL PRIVATE NETWORKS
When
it comes to state surveillance, VPNs won’t help much. A VPN will
obscure your IP address, but when it comes to state surveillance, VPNs
can be subpoenaed for user information that may ultimately identify you.
For example, many VPN companies keep logs
on what IP addresses log on when and what sites are accessed—which can
end up pinpointing you, especially if you used your credit card to pay
for a VPN subscription.
Some VPN companies claim not to log user
information. You need to evaluate how much you trust these companies,
and make that decision for yourself. If what you’re concerned about is
government surveillance, our recommendation is that you stick with Tor.
PGP (probably isn’t worth the trouble)
The
only reliable way to encrypt your email is PGP—also known as Pretty
Good Privacy. However, PGP is incredibly obnoxious to use. Even PGP’s creator Phil Zimmermann has stopped using it, since he can’t use it on his phone. The problem isn’t just that you have
to figure out PGP, everyone you talk to also has to figure it out.
Telling someone to download Signal is a lot easier than walking them
through public/private key encryption. This is where your threat model
comes in handy, to help figure out if PGP is actually worth it to you.
If you absolutely must use encrypted email, this guide to PGP might be helpful. It’s tricky, so you might want to go to a crypto party and have an activist or technologist help you set it up.
Advertisement
PRIVATE EMAIL SERVERS (don't do it)
If 2016 did anything, it convinced everyone not to run their own private email server.
It’s
true that Google and other companies have to comply with court orders
for your information, including your emails. But on the other hand,
Google knows how to run email servers way better than you do. Email
servers are hard! Just ask Hillary Clinton.
If you are
encrypting email, Google can only hand over the metadata (who’s sending
to whom and subject headers). Since encrypting email is a huge pain, try
to keep all your sensitive stuff away from email, and in end-to-end
encrypted channels instead. Don’t abandon your third-party email
account, just be aware that the government can get at what’s inside.
ENCRYPT YOUR HARD DRIVE
Good news: this isn’t as hard as it used to be!
Full-disk
encryption means that once your device is locked (when it’s off, or
when it’s on but showing a lock screen), the contents of your hard drive
can’t be accessed without your password/key.
A lot of
smartphones come with full disk encryption built in. If you own an
iPhone with a recently updated operating system (like, in the last three
years, really), just slap a passcode on that sucker and you’re golden.
If
you own an Android phone, it might already be encrypted by default
(Google Pixel is). But chances are, it’s not. There isn’t an up-to-date
guide on turning on encryption on all Android devices, so you’re going
to have to poke around yourself, or ask a friend. And if you own a
Windows phone, god help you, because we can’t.
Advertisement
As
for computers, things are again, much easier than they used to be. Use
your operating system’s full disk encryption option instead. For
MacBooks running Lion or newer, just turn on FileVault.
Windows, on the other hand, is a lot more complicated. First off, some users have encryption by default. Some more users can turn it on, but it’s kind of a pain. And if you’re using Microsoft’s Bitlocker, you’re going to have to fiddle with some additional settings to make it more secure.
Apple doesn’t retain the capability of unlocking your devices.
Famously, if the government goes to Apple, Apple can’t just decrypt your
phone for the feds, not without coming up with a hack that will affect every iPhone in the world.
But Microsoft isn’t doing quite the same thing—in some cases they use
what’s known as “key escrow,” meaning they can decrypt your machine—so
you have to take additional steps (outlined in this article) to get that same level of protection.
You may need to resort to using VeraCrypt.
A lot of older guides will say to use TrueCrypt, regardless of
operating system. This is now outdated advice. VeraCrypt used to be
TrueCrypt, and the story of why it's not any more is a convoluted crypto
soap opera with plot holes the size of Mars, and it is frankly outside
the scope of this guide. Long story short, there’s nothing wrong with
VeraCrypt as far as the experts can tell, but if you have the option,
use the full disk encryption that your operating system already
provided.
Advertisement
If you use Linux, your distro probably supports encryption out of the box. Follow the instructions while installing.
CREDIT CARDS
Know
that credit card companies never stand up to the government. If you pay
for anything using your credit card, know that the government can get
that information pretty easily. And remember that once your identity
touches something, there’s a chain that the government can follow all
the way back.
For example, if you get a prepaid Visa gift card
using your personal credit card, and pay a VPN company with that, the
government can just go backwards through the chain and find your
personal credit card, and then you. If you pay a VPN company with
Bitcoin, but you bought the Bitcoin through a Bitcoin exchange using
your personal credit card, that’s traceable as well.
This applies
to anything else you use money for, like buying domains or cheap,
pay-as-you-go phones, known as burners. Practically speaking, there’s
not a lot you can do about this. It’s one of the reasons why we
recommend Tor instead of a VPN service.
It’s also one of the reasons why it’s so hard to get a burner phone that’s really a
burner. (How are you going to pay for continuing phone service without
linking your name to it?) There is no easy answer here. We’re not going
to pretend to be able to give good advice in this instance. If you find
yourself in a situation where your life depends on staying anonymous,
you’re going to need a lot more help than any internet guide.
Advertisement
One more thing: For now, organizations like the ACLU and NAACP have a constitutional right to resist giving up the names of donors. But your credit card or PayPal might betray you anyways. This doesn’t mean you shouldn’t
donate to organizations that resist oppression and fight for civil
rights and civil liberties. Rather, it makes it all the more important
that you do. The more ordinary people do so, the more that individual
donors are protected from scrutiny and suspicion.
SPECIAL NOTES FOR JOURNALISTS
Want
to protect your sources? Your notes, your Slack chats, your Gchats,
your Google Drive, your Dropbox, your recorded interviews, your
transcripts, and your texts can all end up in court. Depending on what
kind of court case it is, it might not matter that it’s encrypted.
Don’t
wait until a lawsuit is imminent to delete all your stuff. That might
be illegal, and you might be risking going to jail. Every situation is
different: your notes might be necessary to get you out of trouble. So
if you’re the type to hoard notes, know the risk, talk to a lawyer, and
act responsibly.
THE FUTURE (?)
Which brings us to our
next point: we don’t know what the future holds. This guide was written
with the current technical and legal capabilities of the United States
government in mind. But that might all change in the future. Strong
encryption might become illegal. The United States might begin to
practice internet censorship the way that China and other countries do.
The government might institute a National ID policy for getting online,
making it near-impossible to post anonymously.
Advertisement
These things are harder to enforce and implement, so they’re not likely to happen quickly.
It’s
also not infeasible that the government pressures app stores to take
down Signal and other end-to-end encryption applications. This guide
might be only be so good for so long. That’s all the more reason to
become proactive against surveillance now, and to keep adapting to
changing circumstances.
LOG OFF
Many public places have cameras, some spots are wired with microphones.
And there’s always the possibility that you are being individually
targeted for surveillance. But ultimately, it’s a lot harder to surveil
someone in person than to collect the electronic communications of many
people at the same time.
Take a break from the wired world and
meet people in person. If you stay out of earshot, you won’t be
overheard, and your words will melt into the air, unsurveilled and
unrecorded.
And besides, if you’re reading this guide, chances are that you really need a hug right now.
So
meet up with your friends, verify your Signal keys, and give each other
a big hug. Because you’re probably both scared, and you need each other
more than you need any of this technology.
GO OUT THERE AND BE SAFE
That
is all for now. Again, this is just meant to be a basic guide for
average computer users. So if you're a human rights activist working in a
dangerous country or a war zone, or an organization building IT
infrastructure on the fly, this is certainly not enough, and you'll need
more precautions.
Advertisement
But these are common sense essential tips that everyone should know about.
Of
course, some readers will leap at the chance to point out everything
that may have been missing from this guide, and we'd like to hear your
feedback. Security is a constantly changing world, and what's good
advice today might not be good advice tomorrow, so our goal is to keep
this guide updated somewhat regularly, so, please, do reach out if you
think we have something wrong or missing something.
And remember, always be vigilant!
Hoping for answers about blocks on internet calls, NGOs take telecom regulator to court
The temporary outage of internet-based calling services like WhatsApp and Viber caused a social media storm in October 2015, but the episode left more questions than it answered: Are internet-based calling services illegal in Egypt? Was the block imposed by the National Telecom Regulatory Authority (NTRA)? And where do telecom companies and consumer rights fit into the equation?
A lawsuit scheduled to be heard Wednesday in the Administrative Court is hoping to force some answers. The suit, which was already postponed earlier this month, was filed against the NTRA by the NGOs Support Center for Information Technology and the Association for Freedom of Thought and Expression.
The lawsuit aims to force the NTRA to release a list of the services or websites that have been blocked in Egypt in recent month and to divulge the criteria upon which they were blocked, explains Aziza al-Taweel, the Support Center’s lawyer.
So far, Taweel says, the NTRA denies blocking WhatsApp and other voice calling services, but also maintains that such apps provide unlicensed international calls and are therefore illegal. “They are claiming that they need to be licensed first, while denying any blockage at the same time,” Taweel explains.
NTRA spokesperson Karim Soliman confirmed to Mada Masr that the regulatory body considers these services to be illegal, but added no further comments.
Did the NTRA block VoIP?
Questions about the NTRA’s stance on internet calls came to public attention in October 2015, when social media went into a rage after many users reported being unable to use internet calling apps like Viber, Skype, WhatsApp on 3G networks and ADSL. Disgruntled users’ reaction worsened after a few scattered statements by customer service operators of telecom companies on social media confirmed that the services had been blocked.
Shortly after, the services went back to working, with the usual poor quality on 3G networks. Both the telecom companies and the government regulator assured the public there was no blocking whatsoever.
Exactly what happened was, and remains, unclear. After nearly six months, there has been little clarification about the incident, highlighting the lack of transparency among the agencies responsible for enabling and regulating telecommunications in Egypt.
When Mada Masr investigated the issue in November 2015, Egypt’s Ministry of Communications and Information Technology deflected any questions about the government’s plans for internet voice calls. Ministry spokesperson Mariam Fayez said such matters are in the hands of the National Telecom Regulatory Authority. Fayez declined to answer direct questions about whether the government is considering blocking VoIP services. The ministry is only concerned with strategic work, she said.
Meanwhile, the NTRA’s official media office refused repeated requests for information. Ali Anis, the NTRA’s Societal Interaction Director, told Mada Masr the authority has not blocked any services so far, and is not planning to do so.
All three of Egypt’s mobile phone companies — Mobinil, Etisalat and Vodafone — also insisted they took no action to block VoIP applications, apart from Skype, which has been blocked on 3G networks since 2010. Any problems with other applications were due to individual mobile phones or the applications themselves, company representatives said.
Telecom Egypt, the country’s landline monopoly and a major internet service provider, also insisted it is not blocking any applications, but refused to answer any further questions.
One could almost believe reports of service outages were a series of strange coincidences magnified by social media, or perhaps a technical glitch that affected users on different mobile networks, using different applications on different devices. And yet, a few accounts dispute the official narrative.
Before and during the outage in October, customer service representatives on Twitter clearly stated that the NTRA gave orders to block VoIP services.
One NTRA representative also reportedly told a journalist for news site DotMsr.com that the agency had blocked VoIP — reports the NTRA later denied. This call, however, has been used in court by Taweel and the defense team as a proof.
An industry insider, who would only speak on condition of anonymity, also told Mada Masr the telecom companies did indeed block VoIP services, and on direct orders of the government.
Who does the NTRA work for?
Whether or not the NTRA is actually behind the block on VoIP applications, the episode raises questions about whose interests the regulator serves.
By law, the NTRA’s mandate is to protect users and their rights, a responsibility the agency is given in Article 2 of Egypt’s 2003 telecommunication regulation law. However, Article 4 of the telecommunications law requires the NTRA to protect “National Security and the state’s top interests.” Attempts to regulate the use of VoIP apps shows what happens when user rights and national security come into conflict.
“It is arguable that the NTRA is enforcing the ban on unlicensed trafficking of international calls, which is a crime according to Article 72 of the Telecom Act. However, it is also arguable that in enforcing this ban, the NTRA is also preventing users from making VoIP calls to other users in Egypt, even if those calls are routed internationally via the internet,” says independent researcher Amr Gharbeia.
One of the arguments against VoIP services is that, without cooperation from app developers, Egyptian authorities are unable to trace or monitor calls made over apps — unlike international or local phone calls made on landlines and mobile phone networks. This, opponents of the technology say, is a major security issue. “Legally speaking, if a crime occurred and you wanted to check call records of a suspect for example, they won’t agree. A famous examplehappened in Italy, where they tried to get records from the VoIP operators but they refused to even negotiate,” says Khaled Hegazy, external affairs and legal director at Vodafone Egypt.
Amr Gharbeia, an independent researcher, believes the telecom companies’ opposition to VoIP stems more from financial motivations than security concerns. Every free or low-cost call through VoIP apps takes money out of the phone companies’ pockets. This is especially true for lucrative international calls, all of which have to run through Telecom Egypt’s infrastructure, keeping rates high. “The reason for banning VoIP is all economic and is hardly a privacy or security issue. The telecoms want to keep the users paying higher fees for services they can get for much better prices or for free, so they are trying to monopolize the international calls market,” Gharbeia explains.
Vodafone, for example, has clearly expressed its desire to block VoIP, in particular WhatsApp’s voice calling feature. In March 2015, after WhatsApp's voice calling service was launched, Vodafone Egypt sent a letter to NTRA asking about the legality of blocking the service “for the negative impact it has on the telecom sector.” However, according to Hegazy, NTRA never replied.
Hegazy, says that the telecom sector in Egypt, and in particular Telecom Egypt, has been hurt by these applications, although he was not willing to quantify how companies are affected.
“Telecom Egypt is the main international gateway for Egypt, so any international call must go through it. I think they are the most negatively affected in terms of revenues,” he says. “We earn almost the same amount from international calls as we do in local ones, so we are not really affected,” he adds, speaking of his own company.
However, telecom companies’ financial disclosures appear to belie claims that VoIP services are seriously affecting the industry.
Despite a sharp drop in landline subscribers over the last five years, Telecom Egypt, announced a 360 percent increase in Q3 net profits for this year, reaching LE1.2 billion, while Q2 net profits increased by 55 percent. Vodafone Egypt revenues rose from LE6.4 billion in the first six months of 2014 to LE7.01 billion in the first half of 2015.
Even Mobinil, which incurred losses from 2012-2014, appeared to rebound in 2015, reporting a 5.3 percent increase in profits three quarters of the way into 2015. Etisalat Misr’s revenues grew by 2.6 percent by the end of 2014 as well.
Anis of the NTRA also dismisses the idea that VoIP apps are doing serious damage. “The financial impact of these applications in not big to begin with, and it affects the telecom companies, not the sector as a whole,” he says.
Ironically, phone companies don’t seem to have a problem with using VoIP services when it suits them. Expanding Egypt’s call center industry remains a hallmark of the country’s economic development strategy. Among the most prominent call center operators is Vodafone Egypt, which provides call center services for affiliates around the world, from the UK to New Zealand. These businesses would not be sustainable if operators had to pay international calling rates to route calls through the landline network. “Call centers in Egypt do use VoIP services. However, it is not illegal, they have obtained a license since they started operating in the country, because otherwise, no one will come here and firms will open its call centers in other countries like India,” an industry source says.
This presents another bind for the NTRA, and perhaps explains some of their ambiguity about VoIP. Any economic or security interests that would be served by blocking VoIP have to be balanced against the potential fallout of speaking too strongly against the technology.
Digital security researcher Ramy Raouf says officially blocking VoIP would have particularly bad repercussions for the digital economy. “If you block Viber for example, you will also block a number of advertisers alongside it, which will severely affect traffic levels and investment," he says. “In 2011, when the internet was blocked during the revolution, the economy lost a lot of money as a result.”
Uncertainty about the official reaction toward these applications is not reassuring for any investor trying to enter the market, since it gives a bad idea about the Egyptian market as a whole, says Mahmoud al-Banhawy, a digital freedoms officer at the Support for Information Technology Center.
Hegazy disagrees. “Blocking these service in Saudi Arabia and UAE did not scare potential investors, nor will it do so here,” he argues.
With such mixed messaging about VoIP, the role and real intentions of the sector’s regulator remain a mystery. The Communications Ministry deflected questions, as did the NTRA’s media office. Anis, the agency’s social interaction director, simply says the NTRA is currently studying the situation as a whole, in attempt to reach a compromise among competing interests. "We are only trying to set some determinants," he says. Customers, meanwhile, are left wondering where their rights fall into the equation, and waiting to see if VoIP apps are blocked overnight — a situation Wednesday’s lawsuit hopes to change.
