In many countries around the world, both ostensibly democratic and not, providers of communications services are often coerced to support the views of the incumbent political entities and to suppress opposing views. This suppression not only involves the censorship of communication but can also extend to the identification and tracking of individuals to facilitate legal action or worse.
Thailand is no different. As the government comes under more pressure from pro-democracy protests, the administration has already banned opposing media. It will not be long before internet dissidents are targeted.
So how can individuals continue to use the Internet as it was intended, as an open and universal communications system, without being tracked, analyzed, lied to, and threatened? It is possible but it is not as easy as it used to be. It is actually quite difficult and even requires some behavioral changes. But first, it is important to explain why.
The enormous complexity of digital privacy can be broken down into a few simpler questions for the matter at hand:
- Who controls the infrastructure being used?
- What are the technical vulnerabilities?
- What information does each entity have about you?
- Who are you trying to hide your data from?
In cellular networks, the phone company’s control theoretically ends with the SIM card, though it partly extends into the baseband processor, which handles cellular communication. The phone company has full control over the quality of encryption used in the cellular signal, and over whether or not they log any traffic which goes through their network.
With fixed broadband, depending on the type, the ISP’s control ends at the nearest piece of equipment that themselves installed. For fiber and cable internet, this usually includes the GPON or DOCSIS router. It is possible that the device manufacturer also has some diagnostic access to the device. If the router was not purchased clean and configured from scratch by you, it is not under your control. This is also true of mobile phones which bundle 3rd party apps, such as how many Samsung phones include Facebook preinstalled.
With WiFi networks, it is usually easy for a user to see the type of encryption used and to avoid using insecure networks. If a WiFi network is ‘open’ and does not have a password, then it does not provide any encryption to its users. A WiFi network with a 10-character password most likely uses WEP, which is as good as nothing.
- If there is no encryption, anyone can see the traffic.
- If there is WEP encryption, anyone can see the traffic.
- If it’s your network, your neighbors probably can’t see your traffic.
- If it’s in a coffee shop, the staff probably have access.
A common workaround to the public WiFi problem is to use a VPN. A VPN encrypts your traffic between the endpoint (usually your device) and the VPN provider’s server. The web site or service you are connecting to will think you are at the location of the VPN server. That is all a VPN does.
But who controls the VPN?
Every service costs money to run. While there are many people who write good software and share it freely, running a service commercially for thousands of users is expensive. If that service is offered for free, ask yourself how that service can afford to stay running. If the company doesn’t have any other obvious revenue, maybe they are making money by analyzing their user’s traffic.
A well-known alternative to a VPN is sometimes called a darknet. The most common example is Tor. Other examples include i2p and Freenet. Tor is by far the most popular, and can be much safer than a VPN, if it is used correctly.
When used as an alternative to a VPN, it is best to use the Tor Browser, and to use it only for activity that you want to keep private. Tor Browser should not be treated as a normal web browser. Keep in mind that just like a VPN, Tor Browser will only obscure your traffic between your device and the exit node. From the exit node to the destination, there is no additional protection.
Depending on the device used and what you are trying to do, simply installing Tor Browser and running it is probably not enough because it only protects activity within the bundled browser. For a PC (Windows, Mac, Linux, etc) it is possible to configure many apps to use Tor as a local proxy. For recent Android-based mobile devices, Tor can be activated in VPN mode, which tells Android to put all traffic through Tor. This means that the Tor exit node will potentially be able to identify you based on traffic from Android itself or other logged-in apps. While it is possible to use Tor on an iPhone, it is not as straightforward as with Android.
What if you’re arrested
Because of how people interact with their mobile devices, they contain a lot of personal information that cannot be easily removed. Therefore, when going into any situation where you may lose control of your device by force (arrests, confiscation):
- Ideally, do not bring your main device at all.
- The device you bring should contain only what is needed.
- There should be no unnecessary, snitchy apps.
- Delete Facebook, Weibo, Line, etc.
- Log out of all Google services.
- If you know how, re-flash with gapps-free Android.
- Ideally, it should be disposable if necessary.
- It should not be tied to your real identity in any way.
- The device should have a strong password without biometrics.
- Any USB backup/sync functionality should be disabled.
- The device should be encrypted anyway if it contains any data.
- Photos and video should upload in real-time if possible.
- Upload to a new/clean Dropbox/Box/Mega account, not directly to a social account.
- Maybe let someone else post them.
- Avoid cellular networks if possible.
- Disable connecting to open/municipal WiFi.
Apps and Services
It is important to avoid apps and services which do not give you complete and transparent control over what happens to your data. Even during daily life, during ‘normal times’, it is good to avoid using any online service which has had any significant privacy scandal or which is reliably believed to provide personally-identifying information to governments. This includes Facebook, Line, and all China- Russia- and India- based online services.
Whenever you set up an online account, even if it is for temporary use, you should consider it as being yours for life. If you create a social media account for temporary political use, and then request that the service delete the account, it is possible that someone else could register the same account name and rebuild your profile page in order to post incriminating content.
Before deleting any social media account, get confirmation from the service that the account name will either be removed from availability permanently or reserved exclusively for re-use by your e-mail address. Otherwise, keep control over the account for as long as possible, even if you never post anything.