How to avoid the UK’s new online surveillance powers

If the government wants to hack you, it will, but you can stop the police from just scooping up your web history.

The UK is about to pass into law sweeping surveillance legislation that will force ISPs and mobile operators to keep a complete record of every citizen’s browsing history for up to a year. This information will be accessible without a warrant to intelligence services, the police, and a number of other government agencies — including, bizarrely, the likes of the Gambling Commission and the Food Standards Agency.

While much of the legislation is concerned with how the government can track down serious criminals like terrorists and child abusers, it’s the wholesale collection of every citizen’s web activity that has a lot of people worried. After all, there’s very little oversight about how the information is accessed, and because it’s private companies that have to store the data, there is a good chance it will get stolen by hackers at some point. (If this sounds too pessimistic, remember that in the last year alone, there have been two major attacks in the UK stealing customer data from the ISP TalkTalk and the mobile operator Three.)

So, if you’re a UK citizen who doesn’t want their browser history to end up in a government vault, how do you protect yourself?

Use a Virtual Private Network

This is really the simplest advice for anyone looking to use the internet with a little more privacy. A VPN or Virtual Private Network is a service that passes your internet traffic through different servers around the world. Not all VPNs are created equal, though, and companies differ on whether or not they encrypt that traffic, or whether they keep logs of users’ activity. (This doesn’t mean recording browser history, per se, but can include basic information like “computer with IP address X used our VPN network for Y hours on Z day.”)

Ed Johnson-Williams, a member of the UK’s Open Rights Group, and someone who briefs journalists and NGOs on how to avoid surveillance for a living, says that if you want quality, you should expect to pay for your VPN. In the UK this could cost between £25 and £40 a year. “That is an investment that you just have to make if you want to take privacy seriously,” says Johnson-Williams. There are free VPNs available, but he advises against them. “A free VPN company will itself probably be analyzing what sites you’re looking at, or inserting its own advertising into your webpages to make money,” he says.

The website TorrentFreak publishes a yearly survey of VPNs, and asks them questions about what information they store on their customers, where they store it, and how they deal with government requests for data. As the survey shows, most paid-for VPNs don’t keep logs and don’t hand over data, but at the bottom of the page you can find a list of companies you’ll probably want to stay away from. Some popular paid services include NordVPN, AirVPN, and Private Internet Access.

Alternatively, use Tor

If you don’t want to pay for a VPN (and again, if you’re worried about privacy, you should) then one alternative is to use Tor. Like VPNs, Tor bounces your internet traffic through different servers around the world, making it difficult — but not impossible — to track. You can download a browser with Tor pre-installed for different operating systems here, and the whole thing is open source, meaning it’s verifiable by third-party security analysts.

Compared to VPNs, Tor can be pretty slow (you’re not going to be able to stream 4K video on it) but it’s become a lot easier to use in recent years, and is being taken up more widely. “It has in some circles got a bad reputation for being the browser of choice for people who distribute images of child sexual abuse and other online crimes,” says Johnson-Williams. “My view on that is that bank robbers use cars, but that doesn’t mean we ban cars.”

Use an encrypted messaging app

Although the police are not going to be picking up your phone conversations, or the content of your chats in Facebook Messenger or WhatsApp (not without hacking your phone anyway, and they’ll need a warrant for that), you might want to start using a more secure messaging app all the same. Experts agree that the best pick is Signal, which not only offers secure one-to-one conversations, but also group chat, and voice calling.

Services like WhatsApp and iMessage do also encrypt your conversations, but are less secure in other ways. WhatsApp, for example, has the right to keep metadata about your chats (that includes date, time stamp, and phone numbers involved), and it also shares some user data with parent company Facebook. Signal doesn’t store any of this. You can read a more thorough comparison of Signal, WhatsApp, and Google messaging app Allo here.

Think about why you want to stay private

Johnson-Williams says that when advising companies and individuals on security he asks them to think about a threat model for how they use the internet. “It’s kind of like digital risk management,” he says. “It’s important that people think about what data they have, what data they want to protect, how likely it is that that data would get into the wrong hands, and how serious that would be if it happened.”

For a journalist, that might mean protecting their sources; for a business person, their company’s secrets. For everyone else, it might just be information that could embarrass them, reveal something they don’t want to be public knowledge, or that could be used for blackmail.

The advice in this article certainly won’t protect anyone against determined government surveillance. If the security services of the UK — or any other nation for that matter — want to hack your phone or your computer, there’s really very little you can do to stop them. But, if you simply object on principle to the idea of being watched online constantly, you might want to follow some of these steps all the same. It’s up to you.

And while I’ve got you here…

Okay, so this information isn’t necessary to stop government surveillance, and I’m not your parent or anything, but if you are thinking about online security, there’s so much more you can do! You should definitely start by downloading a password manager like LastPass (it’s free!) or 1Password, and then use it to create hard-to-crack passwords for all the sites you use. With a password manager you only need to remember one password, and your accounts will be safer because of it. It’s win-win.

And while we’re at it, please don’t use the same password for different websites. Type your username or email into this site and it will tell you if services you use have ever been compromised. If they have, chances are hackers can find your password pretty easily. And if you use that same password for everything, including your bank account..? Well that is bad news and I feel bad for you.

And, lastly, you should definitely turn on two-factor authentication for any site you can. This means that when you (or a hacker) try to log in to your account on a strange computer, you’ll have to get a code generated by an app on your phone to do so. Two-factor authentication isn’t perfect, but it’s better than not having it. You can find a full list of sites that use two-factor here, but to get you started, here are the links for setting it up for Gmail, Amazon, Facebook, Twitter, and Apple.

Remember: it’s cool to be Safe Online.

Via: The Verge