By Alan Pearce
When the new national security law came into effect, it looked like the people of Hong Kong had lost their privacy overnight. But, while these may be the most stringent laws of their kind on the planet, they need not prove any real barrier to those determined to hold on to their digital freedoms.
It is important to bear in mind that no matter what counter-measures you may take, you will be engaged in a never-ending game of cat and mouse with no guarantee that your activities won’t be uncovered. That said, there is plenty you can do to stay one step ahead.
Amid a wealth of stringent new laws, three immediate hazards stand out. First, you risk having your smartphone taken from you and examined, which means access to all your social media posts, calls, emails and messaging, contacts, photos, web history and whatever else they can find.
Next, your home or office are liable to be searched, either physically or digitally, without the nicety of a warrant, and everything of importance confiscated for forensic examination.
On top of that, there are the stealth threats that can compromise your digital devices, allowing a secret operator to see and hear all you say and do, track your movements, and watch your online activities in real time.
For now, certain fundamental tools have yet to be banned. These include virtual private networks (VPNs), the messaging system Signal, and the Tor browser which opens to the Deep Web with its own wealth of stealth tools.
Just like everyone else, you are being monitored 24/7 by the finest surveillance tool ever devised – your smartphone. You will need to make a few simple adjustments to your device and you need to be aware of the games that cyber spies play. Fortunately, nothing that follows is too technical and much of it is just plain common sense.
Be alert to “social engineering”, the art of playing on peoples’ gullibility or natural desire to please. The bad guys do this by enticing people to open email attachments or follow links to malicious websites where malware will instantly load in much the same way as a conventional cookie.
Other malware comes hidden inside seemingly harmless apps which run in the background and collect data all day long. Intelligence agencies are known to piggy-back off this data and add it to the pool of profiles.
They will track your locations, browsing and downloads, and collaborate with other running apps to build up a detailed profile. Some will intercept incoming calls or activate the microphone. Many apps harvest contacts, while some collect passwords.
Be alert when an app asks permission to use your current location – many don’t bother to ask – and never give out email addresses or any personal details.
Install in all your devices a good anti-spyware program such as Avast. This will generally alert you whenever somebody sends you a malicious email attachment. You can also use the programme to scan suspicious files. Equally, never follow any link that you are unsure of, especially so if the address is a shortened URL. Again, Avast should warn you when you arrive at a suspicious website and prevent unauthorized downloads.
Begin by clearing out from your smartphone and tablet any unwanted or unused programmes, especially the games.
Then install a good anti-spyware program. Also install a VPN which hides your activities from any watchers and is an essential tool when accessing Wi-Fi points. Hotspot Shield is a free alternative.
Install a secure messaging app such as Open Whisper Systems Signal and encourage your friends and contacts to do the same. This will prevent anyone listening in on your calls or reading your messages.
Always cover your webcam – on all of your digital devices. These cameras are never safe and can very easily be tapped into, opening your life to deep scrutiny.
Do not let your mobile devices out of your sight and this includes leaving them unattended anywhere. If, at airports or border crossings etc, the authorities insist on taking your device away, there is the possibility that they may scan the memory or plant malware inside.
Android users can remove the SD card that acts as the phone’s additional memory. Some people keep two cards, one for the everyday sort of things with friends, family and colleagues as contacts. The other card contains the useful programmes that vanish once the card is removed. This is where you should install your VPN and the Signal app, private browser and Tor.
Remove the battery or leave your phone behind when meeting contacts. If meeting in a group, do not all remove the battery at the same time as this appears ultra-suspicious to anyone observing any members of the group.
Most intelligence agencies and law enforcement use military-grade malware which they generally send to people in spoof emails, allowing agents to take control of smartphones and other devices.
To avoid infection via email, disable HTML in your email program via the Settings tab. Look for and untick Display attachments online or tick View message body as…plain text.
Never open attachments or click on links if you are unsure of their origin. If you must open a suspicious attachment, first scan it with your anti-spyware programme. Malware can be hidden inside most digital files. Also install a powerful file shredder.
Be aware of social media posts with enticing links, many of which are often shortened so you don’t know where you are heading. Short URLs can be enlarged with a URL enlarger.
It is vital to tighten security for your home and office wireless networks, the Wi-Fi. The simplest solution is to refer to the router’s handbook online and change the administrator password for the router. Hackers can look up the manufacturer’s default password and easily break in, intercepting all the data you send and receive.
You should also switch off SSID (Service Set Identifier) broadcasting and change the default SSID name to something not easily identifiable. Additionally, always enable encryption in your router connection settings, preferably WPA or else WEP encryption. Ideally, select WPA2 or WPA3 if available on your router.
Important documents and files should not be stored locally if you fear a 4 am knock at the door. Anything seriously important should be stored elsewhere. One option is the easily-accessible Deep Web. Think of it this way, down in this murky world your adversary won’t just be looking for a needle in a haystack. You will be a needle in a universe of haystacks.
Despite the most sophisticated spy technology, in reality they can only find things if they know where to look. Down in the Deep Web, by mixing and matching different technologies, you can stay out of sight and make it seriously difficult for any adversary to locate you.
Within this Deep Web are an unknown number of hidden networks; one of which is Tor, which stands for The Onion Router. Here you will find websites, chat rooms, forums, blogs, file hosts, social networks and other features of the Surface Web.
You can take your smartphone or tablet onto Tor Mobile. This will also allow you to surf the Surface Web anonymously. Additionally, the free Tor/Firefox bundle is available for most operating systems.
In certain situations, Tor-enabled devices can still connect to the mobile versions of regular social networks and websites when they are blocked by the authorities.
Tor works by diverting your traffic through a worldwide volunteer network of servers. This conceals your location and your activities, effectively hiding you among all the other users. Tor works by encrypting and re-encrypting data multiple times as it passes through successive relays. This way the data cannot be unscrambled in transit.
Take these simple steps and you are on your way to operating under the radar. But please bear in mind the importance of not “going dark”. The US successfully tracked down Osama bin Laden partly because he was hiding in the only house in town without an internet connection or mobile phone contract.
Continue using your regular email and messaging systems to keep in touch with friends, family and work colleagues. Post the same nonsense on social media and say nice things in the comments of news sites. Give them something to monitor. And, if you ever feel that you are being monitored, throw them a few curveballs.
When you make your leap into the Deep Web, be sure to activate your VPN first to add an extra layer of security. Then, go to the duckduckgo.com search engine and seek out the “The Hidden Wiki” as your starting point.
From here you will find a wealth of security tools and places to store your data away from prying eyes, as well as many security tutorials.
Alan Pearce is the author of Deep Web Secrecy and Security and Sherlock Holmes Handbook for the Digital Age. Follow him via his website, alanpearce.com.