A primer on security, privacy, and anonymity of IT systems

Users of the internet who share information, e.g. by participating in public discussions, may protect their identity or control the audience with whom they share information. One basic reason is that individuals act as members of various social groups (e.g. family, rugby club, church choir, colleagues from oil company,…) who have different values and social norms. Although in theory it may be desirable to always show one’s true identity and honest opinions to everybody, in practice this will cause a lot of problems, social friction, and  – in fact – may endanger social stability and peace in society itself.
For these reasons, environmental activists should be aware of tools to control their presence in the internet and use them appropriately to avoid harm for themselves or others, for which the following aspects are fundamental (in laymen’s terms):

  1. Security:
    1. Problem: Control functionality of the used software and protect it from showing any harmful behaviour, e.g. by executing malicious code
    2. Solution: Apply virtualization of program components, so any malicious component cannot affect other components of the system, which are basically act as separate operating systems
    3. Example: Qubes-OS Linux, TAILS Linux
  2. Privacy
    1. Problem: Control receivers and hide contents, which were transmitted based on a specific technical protocol
    2. Solution:  (multiple factor) authentication of receivers and encryption of the contents. for example using
    3. Example:
      1. Multiple factor authentication: user name & password (factor knowledge), personal mobile phones (factor: possession), and finger print (factor: unique biometric features)
      2. Encryption: End-to-end encryption, e.g. Proton Email (https://protonmail.com), Wire (https://wire.com), CryptPad (https://cryptpad.fr) using secure protocols, e.g. HTTP via TLS (HTTPS), SSH FTP (SFTP), or Secure SHELL (SSH)
  3. Anonymity of user (or content):
    1. Problem: Disassociate the identity (or content) in virtual reality (internet) from the user’s real life identity
    2. Solution: Remove person-related data which can be used as a unique identifier in a population of individuals
    3. Example: The Onion Network (https://www.torproject.org), Pastebin (https://pastebin.com)
  4. Content:
    1. Problem: Processing content which is against the interests of other entities, e.g. individuals, organizations, or governments, which may give these actors motivation to identify the sender, decrypt the content, or corrupt the user’s IT system and harm the user and its associates.
    2. Solution: Share only trivial content (or see points 1-3+4)
    3. Example: Sharing recipes for apple pie vs a plan to destroy the fossil-fuel industry
  5. Intelligence:
    1. Problem: Produced (combined) information by using the internet can describe the user uniquely in a population of individuals, e.g. browser information, screen resolution, individual spelling mistackes (sic!)
    2. Solution: Use only standard settings, follow only standard behavior, provide only trivial information
    3. Example: Use default settings in browser, e.g. do not adjust TOR browser window to full screen resolution of your personal screen

Following these guidelines, the risk of experiencing harmful consequences caused my opposing entities can  be minimized, yet never completely avoided. Depending on the motivation and ressources of the opposing entity, an IT system may be corrupted, authentication corrupted, information decrypted, or users identified, exposing the user to potentially harmful consequences.

A combination of systems which fulfills the requirement of security, privacy, and anonymity to a high degree and, therefore, may  be recommended to interested users is:

  1. Security: TAILS Linux (https://tails.boum.org)
  2. Privacy: HTTPS (https://www.mozilla.org/de/firefox/) , SFTP (https://filezilla-project.org), SSH (https://www.openssh.com/)
  3. Anonymity: TOR (https://www.torproject.org)
  4. Installation on portable medium, eg USB stick (so you can boot your system on various devices without changing the default installation)

The efficacy of this combination has been described multiple times [1] and is emphasized by the fact that each IP address (or associated user) which is using these legal, open source software programs, such as TAILS Linux or TOR, will be automatically added by the program Xkeyscore of the NSA to a database of extremists [2]. (It will be interesting to learn what this means if such a TOR user is entering the USA in terms of interaction with  US border control). However, the good thing is the more people use TAILS Linux or TOR, the less useful the collected information will be for the NSA. Just to clarify, the identity of a single user, while he/she is using TOR, will be still very hard to crack by the NSA by using tedious manual work of human ressurces.

Disclaimer: I provided this information to the best of my knowledge without any warranties whatsoever.

[1] https://en.wikipedia.org/wiki/Tor_(anonymity_network)

[2] https://de.wikipedia.org/wiki/Tor_(Netzwerk)