How to reduce government spying on me

2018-12-11 — 2026-03-05

Wherein the citizen’s traffic is obscured by hidden DNS queries, Bluetooth is kept silent, and papers are conveyed by SecureDrop’s onion gate, whilst civic leagues are supported.

computers are awful
computers are awful together
confidentiality
security
wonk
Figure 1

Many people today are living in surveillance states with weak protections for citizens: persecution of citizens who blow the whistle on state wrongdoing, rapid erosion of privacy, criminalization of failing to become a state informer, even of counselling resistance, and attacks on the free press, all without oversight by the public.

That’s Australia. Things seem worse in Yemen, India, China, Russia, Saudi Arabia, etc. I’ll say it: on balance, strong encryption is a good thing for society—one bulwark against surveillance societies—and for the plain safety of business communication. In practice, we all use consumer-grade encryption, even the army. There are some interesting options for solidarity among software designers, as Eleanor Saitta points out, or, if you prefer, design challenges so stringent that our tech sector is unlikely to meet them.

I’m less and less optimistic that unilateral action to avoid state spying works, as the level of ambient recording goes up and the level of legal protection goes down. Still, we can at least increase the cost.

Better yet: change the system. Contribute to our local civil liberties organisation. In Australia that means various entities, for example:

I’m no opsec expert and these are a few things I’ve learned while trying to dispel complacency for some of my less technical friends. If you are doing things that your local government finds threatening, you need better advice than this grab bag, and you need to triage them with a concrete threat model.

1 Firstly, avoid corporate surveillance

Don’t put our information in the hands of corporations that will sell it to the state. See reducing corporate spying.

Patrick Merer, How to use Facebook if you are a repressive regime. We should bear in mind that, even in notionally democratic regimes, Facebook provides your data to the police without warrants.

2 General skills

EFF’s Surveillance Self Defense course is a good starting point.

They talk us through the theory and practice of different types of security, modelling the risks we face and trying to minimize them for different scenarios.

Maciej Cegłowski observes, discussing the related problem of securing political campaigns:

Campaigns have small budgets and operate in an unusually hostile environment. Not only are there people whose job it is to attack campaigns, but those people enjoy their work, get a government pension when they retire, and live happy, fulfilled professional lives.

I presume (hope?) he’s talking about hostile foreign actors, but who knows these days?

Okay, there is a lot to do, but let’s start with the basics. First, minimize our exposure to corporate surveillance.

Next, we probably want to lock down our computer. Maybe lock down our everyday computer a little bit, and also get a second, hard-core locked-down computer for our secret stuff.

3 DNS

Hiding Domain Name System queries makes it harder for us to be profiled based on the sites we visit. See DNS servers.

4 Sharing confidential information anonymously

OK, you are doing something that the Australian state finds threatening, such as exposing possible murder by government employees to public oversight, and for which they will send you to prison for the crime of sharing that information. The state will indeed mobilize the full force of the law to get at you.

Obviously, a journalist reporting these stories needs legal protection for their whistleblowers, but this seems tenuous at best in Australia.

A partial solution to the erosion of press freedom is the ability to transfer documents anonymously.

SecureDrop is one option:

SecureDrop is an open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources. It was originally created by the late Aaron Swartz and is now managed by Freedom of the Press Foundation.

There’s an instance run by DuckDuckGo at dmys7duszeb2salo.onion that we can use to transfer documents.

5 Encryption

5.1 SSH

There’s a lot of fiddling with SSH.

To lock it down, we need to defeat 1024-bit DH keys sigh. The NSA is reading our comms with keys shorter than 2048 bits.

researchers Alex Halderman and Nadia Heninger presented compelling research suggesting that the NSA has developed the capability to decrypt a large number of HTTPS, SSH, and VPN connections using an attack on common implementations of the Diffie-Hellman key exchange algorithm with 1024-bit primes. […] In this post, we present some practical tips to protect yourself from the surveillance machine, whether you’re using a web browser, an SSH client, or VPN software.

There are more steps to secure SSH.

5.2 GPG etc

Tedious

5.3 Secure chat

Worth trying. See secure chat.

6 USB

USB is another security nightmare. See e.g. BadUSB malware: O.M.G cable (explanation for the busy), Poisontap, lanturtle usbarmory… We imagine that if the DIY world can so readily destroy us via USB, then state actors are pretty good at it too. Oh, Thunderbolt is broken too. Essentially, peripherals are a disaster.

Countering such attacks? USB condoms such as USG could probably help if we need to use USB, which we do. That is, if we don’t mind carrying a large, inconvenient device whose job is to reduce the functionality and speed of our peripherals. Few of us feel likely enough to be targeted that this is worth doing, although as the cost of these attacks keeps dropping, that might change.

7 Hardened Desktop OS

See hardened OSes.

8 Hardened smartphones

See hardened smartphones.

9 Dazzle camouflage

The future will ruin fashion! One day vintage will mean something different.

Confuse automated surveillance by being weird. (While at the same time attracting non-automated surveillance.) I have mixed feelings about this. Effective? Practical? I’m not sure. Fun? Probably.

Figure 2: Mac Pierce’s Opt-out cap is presumably how we opt out of future profiling?
Figure 3: Banksy

10 Bluetooth is cursed

Do we really need Bluetooth? It’s probably not secure; turn it off if we don’t.

11 Incoming

How can we keep our data secret if a state actor is compromising the very hardware of the servers that store our information, or if network security in general is a disaster because of terrible, ubiquitous decisions? Note: even if we don’t buy the Bloomberg article, there’s no reason to suppose it won’t eventually be true.

12 References

Jonah Aragon (text), and Firestorm Books (layout). 2025. The Protesters’ Guide To Smartphone Security Zine.