Keep your digital communication private

Updated 31 August 2018


    In order to protect your digital communication, you will need to address a variety of threats. Doing so requires some technical knowledge, like understanding what happens to your messages between your device and that of the recipient, but it also requires good habits like keeping your device secure from malware, using strong passwords, avoiding phishing attempts and maintaining a communication plan that suits your needs.

    What you can learn from this guide

    • What information is vulnerable when communicating digitally
    • Why many webmail and instant messaging services are not secure
    • What steps you can take to protect your digital communication
    • What to look for when choosing tools and services for digital communication
    • What to do if you think someone might be accessing one of your online services, such as your email account

    Introduction to digital communication

    When you hand someone a sensitive note, or chat with them in person, it is relatively easy to imagine who might be able to see or hear the information you exchange. When considering the exposure of your digital communication, you still have to worry about those who might directly observe the messages you send and receive, but you also have to consider things like network infrastructure, provider policies and encryption.

    Whether you are using the Internet, a mobile phone network or some other technology, you probably have a number of different communication methods to choose from. Each of these technologies and methods comes with its own set of advantages and disadvantages in terms of convenience, popularity, cost, performance and security, among other considerations. Examples include:

    • Voice calls on mobile phones and land lines
    • Email
    • SMS text messaging over mobile phone networks
    • Internet-based "messenger" apps, which typically handle text, photos, voice calls, and video calls
    • Online discussion boards and social media platforms

    While some digital security advice is necessarily tailored to a particular tool, networking technology or method of communication, some is more universal. Below are a few general concepts that will help you understand where your digital communication might be exposed and how you can reduce some of those risks.

    Where your messages go

    It is theoretically possible to send digital information in such a way that it passes through devices owned by the sender and the receiver and no one else. You could connect two computers together with a cable, for example, or hand someone a USB memory stick. Such techniques are only practical for certain types of communication, however. It is also quite unusual to communicate through networking equipment that is owned by a single company or organisation. An example might be a phone call or an SMS text message between two people who use the same provider, in a hypothetical country with no government surveillance, assuming the manufacturer of your phone is not harvesting your data or storing your backups for you.

    None of this means that private communication is impossible! But it highlights the fact that privacy often depends more on encryption than it does on control of the infrastructure. These days, encryption is about as close as you will get to a hidden cable between you and those with whom you need to exchange digital information on a regular basis. We will talk more about encryption below.

    Accessing online services

    When you communicate digitally — setting aside, for now, relatively uncommon scenarios like those described above — the information you send and receive passes through many different devices controlled by many different companies, organisations, government agencies and individuals. While it is not possible to predict the exact route that any specific piece of information will take, it may be helpful to consider a specific but common example.

    When you visit a website on your computer, your browser sends a request for that website. This request uses your WiFi connection to reach your home router, which sends it out over the local infrastructure (typically cables of some kind) to your Internet Service Provider (ISP). It then passes through various servers, often crossing over one or more national gateways, before reaching the ISP of the website. From there, it is likely routed through a server farm to the server where the website is actually hosted. After receiving your request, the website's server replies with the information your browser will need to display a copy of the website. That content will follow a path that is similar, but not identical, to the one described above.

    This is a simplified description, of course. It ignores the Domain Name System (DNS), for example, which is how your browser uses a website's address to find it on the Internet. It also ignores elements of the website that are hosted by third parties, including the web trackers that advertising companies use to build a profile of your browsing habits. In reality, your traffic will pass through even more devices.

    Communicating with other people

    Web based communication is not that different. It typically involves two or more people following pretty much the same steps. If they are using the same service, their paths are connected in the middle by the "website" described above. That website could be Gmail, for example. And social networking platforms, messaging apps, discussion forums and other communication services work in more or less the same way.

    If the people involved are using different services, then the picture gets even more complicated. Say you are a Riseup user sending a message to someone on Gmail. In this case, the two service providers exchange information — including the messages you send and receive — through yet another multi-step path.

    Even mobile phone calls and SMS text messages work in a similar way, assuming at least one participant is on a different network, in a different country or subject to surveillance of some kind. Furthermore, much of our mobile communication relies on Internet services. Regardless of whether you are connecting through WiFi or through mobile data, calendars, fitness trackers, news readers, social networking apps and messengers (such as WhatsApp, Signal or iMessage) all send and receive information using the Internet.

    For more about mobile devices, see the Tactics Guide on how to use your smartphone as securely as possible.

    Points where your communication might be at risk

    Your communication could be targeted by criminals, governments, companies, social groups or individuals. They might be seeking valuable information, harassing people who fit a certain profile or trying to prevent you from doing your work, among other possible motives. While traversing the multi-step paths described above, your digital communication could be monitored or intercepted:

    • On your device, if it is infected with malware or if someone observes your communication directly
    • At your WiFi router, if it is infected with malware or controlled by someone with malicious intent
    • By your ISP or mobile provider, either for their own purposes or on behalf of a third party
    • At a national gateway, sometimes even if all participants and services are located in the same country
    • While passing through a physical cable on the Internet backbone, if it is "tapped" (typically by a state actor)
    • By the ISP or website of the service you are using
    • By the ISP or mobile provider of the people with whom you are communicating
    • On any of the servers that store or route your communication
    • At some other participant's WiFi router, if it is infected with malware or if they have malicious intent
    • On some other participant's device, if it is infected with malware or if someone observes their communication directly

    You can help protect yourself from these risks by: paying attention to your surroundings, keeping your devices up-to-date, avoiding malware, watching out for phishing attacks, relying on trustworthy services, creating strong passwords, configuring your accounts to use two factor authentication, using encryption and helping those with whom you communicate do the same.

    If you are particularly concerned about your communications being intercepted or monitored by your ISP, or by whoever controls your WiFi router, you can use a trusted Virtual Private Network (VPN) to further protect your Internet traffic. You can learn more about VPNs in the Tactics Guide on how to remain anonymous and bypass censorship on the Internet.

    Encryption

    Encryption is a way of using mathematics to scramble the content of a digital file or message so that it can only be decrypted and read by someone who has a particular piece of information, such as a password or an encryption key. Encryption is used in many different ways. You can encrypt the files on your computer's hard drive, for example, or on your mobile device. For more on that topic, see the Tactics Guide on how to protect the sensitive files on your device. In this section, we focus primarily on communication encryption.

    Even in the context of secure communication, encryption shows up in various forms and at various stages. Depending on how your WiFi router is set up, your traffic might be encrypted between your device and the WiFi router. Many services encrypt the traffic between your device and their servers, while still allowing themselves to read the content once it gets there (even if "there" is just a stop over on its way to the intended recipient). You can learn more about this sort of encryption in the TLS and HTTPS section below.

    We will talk a lot about end-to-end encryption in this guide. End-to-end encryption is when the content you send and receive is encrypted throughout the entire path from your device to the device of the person or people with whom you are communicating. It protects that content from your service provider, the service provider of the other participant and anybody else along that path. You can learn more about this in the end-to-end encryption section below.

    Metadata

    End-to-end encryption prevents the content of your communication from being exposed, but other types of potentially sensitive data are more difficult to hide. Examples include sender information, recipient information, the dates and times when messages are sent and received, how much information was sent and various data about the devices used. This kind of "information about information" is often called metadata. Metadata might seem relatively insignificant, but it can reveal quite a lot about your social networks and about your personal and work-related communication patterns, especially if someone is able to analyse a large volume of it.

    Encryption alone cannot address this issue for many types of metadata. Suppose, for example, you are using a tool that encrypts the "timestamp" within a message. Observers along its path could simply make note of the time when they see your (illegible) message pass by. And of course, encrypting recipient information makes it rather difficult for a message to arrive at its intended destination.

    Hiding this kind of information from every device along the path over which you are communicating would be extremely difficult, even when using a service that does not store or share metadata. Keeping it hidden over the course of a long-term, back and forth conversation would be even more difficult. Doing so would require, at a minimum:

    • Use of the Tor Browser or Tails (about which you can learn more from the Tactics Guide on how to remain anonymous and bypass censorship on the Internet)
    • The careful creation of one or more separate, disposable accounts
    • Use of secure, trustworthy services and communication tools that support end-to-end encryption
    • A great deal of patience and discipline

    TLS and HTTPS

    When you visit a secure website, the Uniform Resource Locator (URL) in your browser's address bar should begin with HTTPS:// rather than HTTP://.

    If it does, and if your browser does not display any errors, then you should be communicating through an encrypted connection between your browser and the server where the website is hosted. You may also notice a 'lock' symbol near the Web address. These are clues to let you know that it will be much harder for someone to eavesdrop on your communication with that particular website. Some browsers also flag HTTP websites as "not secure."

    HTTPS traffic is encrypted using Transport Layer Security (TLS), which is the successor to the Secure Sockets Layer (SSL). TLS is used to protect other online services, as well, and is the most common way to encrypt data between a device and a server. HTTPS is now quite common, and you will rarely see a major website that does not support it. (If you manage such a website, have a look at the Let's Encrypt project, which can help you encrypt your visitors' traffic.)

    You should avoid typing your password, or any other sensitive information, into a website that does not support HTTPS. In addition to passwords and financial transactions, HTTPS also helps protect your webmail messages, search engine queries and social media communication as they travel between you and your provider. If you are using a service like this, and it does not offer you an HTTPS connection, you should switch providers.

    If you use Firefox or Chrome as your browser, you can also install the HTTPS Everywhere extension ([Windows] [Linux] [Mac]). It will try to ensure that you do not end up using an insecure connection when you visit sites that do support HTTPS. See the Firefox Tool Guide for additional tips:

    Hands-on: Get started with Firefox and security add-ons for safer browsing [Windows] [Mac] [Linux]

    It is important to remember that TLS and HTTPS only encrypt communication between your device and the service you are using. Once it reaches the server, it will be decrypted, stored, scanned and quite possibly sent elsewhere. Furthermore, if what you have sent is a message to someone else, there is no guarantee that it will be encrypted again before it is passed along toward its final destination. An email you send may travel encrypted between your computer and your server, for example, then continue unencrypted from there to the recipient's server. Whether or not the final step is encrypted will depend on the service used by the recipient.

    Some people send and receive email using a mail client rather than a Web browser. If you use a tool like Thunderbird, Apple Mail or Outlook, you will not have an address bar in which to look for that HTTPS://. But you can still use TLS encryption. In fact, most reputable email providers require this. If you want to know how your current provider measures up when communicating with other mail servers, have a look at STARTTLS Everywhere.
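    The hop-by-hop nature of TLS described above can be checked on a message you have received by reading its "Received" headers. The following is an added example, not part of the original guide: it classifies each hop using the transport keywords registered in RFC 3848 (such as ESMTPS) and the TLS comments many mail servers add. The sample message and its hostnames are constructed.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic). Each server prepends its own
# Received header, so the top-most header describes the LAST hop.
SAMPLE_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.7])
\tby store.recipient.example with LMTPS id c3; Tue, 4 Sep 2018 10:00:05 +0000
Received: from out.sender.example (out.sender.example [198.51.100.9])
\tby mx.recipient.example with ESMTP id b2; Tue, 4 Sep 2018 10:00:03 +0000
Received: from laptop.home.example (unknown [192.0.2.44])
\tby out.sender.example with ESMTPSA id a1
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
\tTue, 4 Sep 2018 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed example

body
"""

# "with" keywords from RFC 3848 / RFC 6531: a trailing S (or SA) means STARTTLS was used.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
PLAIN_KEYWORDS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA",
                  "UTF8SMTP", "UTF8SMTPA", "UTF8LMTP", "UTF8LMTPA"}
# Some servers keep a plain keyword but note TLS in a comment, e.g. "(using TLSv1.2 ...)".
TLS_HINT = re.compile(r"\b(?:TLS|SSL)\s*v?\d")


def _split_comments(value):
    """Separate parenthesised comments (which may nest) from the clause text."""
    depth, outside, inside = 0, [], []
    for ch in value:
        if ch == "(":
            depth += 1
            inside.append(" ")
        elif ch == ")" and depth:
            depth -= 1
        else:
            (inside if depth else outside).append(ch)
    return "".join(outside), "".join(inside)


def _clause(keyword, text):
    match = re.search(r"(?:^|\s)%s\s+([A-Za-z0-9.\-_]+)" % keyword, text, re.I)
    return match.group(1) if match else None


def analyse_hops(raw_message):
    """Return one dict per hop, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        clauses, comments = _split_comments(" ".join(value.split()))
        protocol = (_clause("with", clauses) or "").upper()
        if protocol in TLS_KEYWORDS or TLS_HINT.search(comments):
            transport = "tls"
        elif protocol in PLAIN_KEYWORDS:
            transport = "plaintext"
        else:
            transport = "unknown"
        hops.append({"from": _clause("from", clauses), "by": _clause("by", clauses),
                     "protocol": protocol or None, "transport": transport})
    return hops


def unprotected_hops(raw_message):
    """List (from, by) pairs for hops with no evidence of TLS."""
    return [(h["from"], h["by"]) for h in analyse_hops(raw_message)
            if h["transport"] != "tls"]


if __name__ == "__main__":
    for hop in analyse_hops(SAMPLE_MESSAGE):
        print(f'{hop["from"]} -> {hop["by"]}: {hop["protocol"]} ({hop["transport"]})')
```

    Received headers are written by the servers along the path, so they are only as reliable as those servers, and a hop marked as TLS was still readable by the server at each end of it.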

    End-to-end encryption

    As mentioned above, to ensure that only the intended recipient can decrypt the content you send them, you will need to use end-to-end encryption. Different communication platforms rely on different methods to achieve end-to-end encryption. The following section describes email encryption as an example. The subsequent section discusses other tools and additional security features.

    End-to-end email encryption

    One of the most well known forms of end-to-end encryption is called GNU Privacy Guard (GPG), which is an open source implementation of the OpenPGP specification. ("PGP" stands for Pretty Good Privacy, and the terms are often used interchangeably.) GPG is used for a number of different purposes, but one of them is end-to-end email encryption. (S/MIME is an alternative standard for email encryption, one that is sometimes used within large companies. It is more centralised and, in many cases, less secure.)

    GPG relies on two different types of encryption keys: a private key and a public key. It generates the pair of them automatically, after asking you for a password with which to protect the private key. Your private key is used to decrypt content, and must be kept secret. The public key is meant to be shared with others, who can use it to encrypt content to the owner of the corresponding private key.

    So, when you send an encrypted email with GPG, you need the recipient’s public key. And to read what has been sent, the recipient needs their own private key and its password. This ensures that only the recipient can read the messages you send them. GPG will encrypt the content of an email, including the body of the message and any attachments, but not the metadata. Depending on your configuration, the subject line may or may not be encrypted.

    Many people find GPG a little tricky to understand. This animated explanation of The Key Concept might help.

    Some encryption methods can also help you verify that a sender is really who they claim to be. Among other uses, this kind of verification can help you avoid phishing attacks that "spoof" sender metadata so they appear to come from someone you trust. On the other hand, it is important to understand that signing your emails leaves a trail of mathematical evidence that they were sent by you. GPG provides this feature by allowing you to add digital signatures to messages or files. Signing, with GPG, is the reverse of encryption. You will use your private key to sign a message, and others will use your public key to verify your signature.

    Hands-on: Get started with Thunderbird, Enigmail and OpenPGP for end-to-end encrypted email [Windows] [Mac] [Linux]

    Other end-to-end encrypted tools and additional features

    Not all end-to-end encrypted communication tools work in the way described above. Some newer tools, like Signal, provide similar properties using different techniques.

    Hands-on: Get started with Signal for secure messaging [Android]

    Some such tools offer additional security features, as well. It is a good idea to do some research on whatever software you use to communicate digitally. Doing so will help you make appropriate choices based on your needs.

    Disappearing messages: It is sometimes important to keep a copy of a message, attachment or conversation, but most of us do not need to retain all of our digital communication indefinitely. Messaging platforms like Signal and Wire allow you to set a length of time after which messages to and from a particular user will disappear. This is an easy way to limit the information that might be exposed if a device is lost, stolen, confiscated or infected with malware. Keep in mind, however, that features like this will not prevent the sender or the recipient of a message from making a copy of it.

    Forward secrecy: Much of the GPG encrypted email you receive, over the course of several years, is likely to have been encrypted to the same public key, and can therefore be decrypted with the same private key. As a result, someone who obtains a copy of that private key will have access to years' worth of correspondence. Signal and some other messaging platforms use a different key for each message or session. This greatly limits the amount of information that would be compromised by such an attacker.
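    The difference between one long-lived key and a fresh key per message can be shown with a small simulation. This is an added example, not part of the original guide and not the code of GPG or Signal: it assumes a symmetric key as a stand-in for the long-term GPG key, a simplified one-way hash ratchet for the per-message keys, and an illustration-only cipher built from HMAC-SHA256.

```python
import hashlib
import hmac
import secrets


def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks = (_prf(key, b"enc" + nonce + i.to_bytes(4, "big"))
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Illustration-only encrypt-then-MAC. Do not use for real messages."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + body + _prf(key, b"mac" + nonce + body)


def unseal(key, sealed):
    """Return the plaintext, or None when the key does not match."""
    nonce, body, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac" + nonce + body)):
        return None
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class Ratchet:
    """One-way key chain: each step yields a message key and replaces the chain key."""

    def __init__(self, chain_key):
        self.chain_key = chain_key

    def next_message_key(self):
        message_key = _prf(self.chain_key, b"\x01")
        # The old chain key is overwritten; HMAC cannot be run backwards to recover it.
        self.chain_key = _prf(self.chain_key, b"\x02")
        return message_key


def _readable(keys, ciphertexts):
    return sum(1 for c in ciphertexts
               if any(unseal(k, c) is not None for k in keys))


def compare_key_compromise():
    """Count how many messages an attacker reads after copying the key material."""
    past = [b"message 1", b"message 2", b"message 3"]   # sent before the theft
    future = [b"message 4"]                             # sent after the theft

    # Case 1: every message is protected by the same long-term key.
    long_term = secrets.token_bytes(32)
    static_ciphertexts = [seal(long_term, m) for m in past]
    static_readable = _readable([long_term], static_ciphertexts)

    # Case 2: a new key per message; the attacker copies the current chain key.
    sender = Ratchet(secrets.token_bytes(32))
    past_ciphertexts = [seal(sender.next_message_key(), m) for m in past]
    stolen = Ratchet(sender.chain_key)
    future_ciphertexts = [seal(sender.next_message_key(), m) for m in future]
    attacker_keys = [stolen.next_message_key() for _ in range(100)]

    return {
        "long_term_key_past_readable": static_readable,
        "ratchet_past_readable": _readable(attacker_keys, past_ciphertexts),
        "ratchet_future_readable": _readable(attacker_keys, future_ciphertexts),
    }


if __name__ == "__main__":
    print(compare_key_compromise())
```

    In this simplified chain the stolen state still opens messages sent after the theft; protocols such as Signal's also mix in fresh key exchanges to limit that.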

    Creating a safe environment for communication

    Much of the above is focused on how to protect your communication as digital information moves back and forth between participants. But keeping your email secure starts with keeping other people from signing into your email account as if they were you. And the same logic applies to other communication platforms. You can learn more about how to do this from the Tactics Guides on how to create and maintain strong passwords and how to protect your device from malware and phishing attacks.

    Communication tools often store a local copy of the content you send and receive, so it is important that you also learn how to protect the sensitive files on your computer.

    Communication is an inherently social activity, and you are not the only one making choices that will affect the safety of the environment in which it takes place. It is important to help the people with whom you communicate take steps to protect those involved. Technology cannot prevent people from behaving poorly or misusing the information you share. Nor will encryption protect you from those with whom you intend to share such information. Being careful about who has access to what information can help limit some of these risks.

    Even if everyone involved takes all of these precautions seriously, mistakes and accidents happen. When it comes to sensitive communication, your last line of defense consists of the things you say. It is always a good idea to keep in mind what would happen if those things fell into the wrong hands. In some cases, it might make sense to develop a system of pseudonyms and code words for particularly sensitive names, dates, locations and topics.

    Choosing appropriate tools

    There are times when the easiest way to communicate is verbally, either in person or at a distance through a voice or video call. Other times, a short message or a document is a better fit. Images, videos, and sound recordings also have particular advantages and disadvantages. When sending digital files, including images, remember that they often include metadata that might reveal when and where they were created, details about the device they were created on and other potentially sensitive data. Find out whether the platform you are using strips metadata automatically.
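    One way to check whether a JPEG image still carries embedded metadata, and to remove it before sending, is to walk the file's header segments. This is an added example, not part of the original guide: the sample bytes are a constructed structural skeleton rather than a viewable photo, and the parser identifies metadata segments without decoding individual tags.

```python
import struct

SOI = b"\xff\xd8"   # start-of-image marker
SOS = 0xDA          # start-of-scan: compressed image data follows
# Segment types that carry descriptive data rather than picture data.
METADATA_MARKERS = {0xE1: "APP1", 0xED: "APP13 (IPTC/Photoshop)", 0xFE: "COM (comment)"}


def parse_header(data):
    """Return ([(marker, start, end), ...], scan_start) for segments before the scan."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing start-of-image marker")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker == SOS:
            return segments, pos
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length      # the length field counts its own two bytes
        if length < 2 or end > len(data):
            raise ValueError("truncated or corrupt segment")
        segments.append((marker, pos, end))
        pos = end
    raise ValueError("no start-of-scan marker found")


def _label(marker, payload):
    if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
        return "APP1 Exif"
    if marker == 0xE1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
        return "APP1 XMP"
    return METADATA_MARKERS[marker]


def find_metadata(data):
    """Return [(label, size_in_bytes), ...] for each metadata segment found."""
    segments, _ = parse_header(data)
    return [(_label(m, data[s + 4:e]), e - s)
            for m, s, e in segments if m in METADATA_MARKERS]


def strip_metadata(data):
    """Return a copy of the file with metadata segments removed, image data untouched."""
    segments, scan_start = parse_header(data)
    kept = [data[s:e] for m, s, e in segments if m not in METADATA_MARKERS]
    return SOI + b"".join(kept) + data[scan_start:]


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF header, Exif block, comment, quantisation table, scan, end.
SAMPLE_JPEG = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + b"<constructed GPS and camera tags>")
    + _segment(0xFE, b"edited on office-laptop")
    + _segment(0xDB, bytes(65))
    + _segment(0xDA, bytes(10)) + b"\x12\x34" + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", find_metadata(SAMPLE_JPEG))
    print("after: ", find_metadata(strip_metadata(SAMPLE_JPEG)))
```

    Removing the Exif block also removes the orientation tag, so some photos may display rotated afterwards.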

    It is a good idea to look for a set of secure communication tools that includes support for any of these formats that you use regularly. If you cannot find one, make a specific plan to change the way you communicate with relevant contacts. While we recommend Signal, Riseup email and VPN services and GPG, you may need additional options.

    And even if you think you have found the perfect solution, you should still keep an eye out for other options. It is a good idea to have a backup communication plan in case the method you are using stops working, either temporarily or permanently. Otherwise, you may be left unable to communicate securely — or stuck using a tool with which you are unfamiliar — at a critical moment.

    Agreeing on a communication plan

    All methods of communication have trade-offs, and it is helpful to know the limitations of those you rely on most heavily. Propose, discuss and agree upon a specific plan for how you are going to communicate with your contacts, including known risks and steps you will take if something goes wrong. This might involve informal conversations about things like creating backup email addresses, exchanging phone numbers or sharing emergency contacts. It might also involve more formal activities like specifying supported communication methods in an organisational security, data storage or document retention policy.

    Establishing and rehearsing a communication plan can help you take care of yourself and your community in moments of stress or crisis. It is much easier and more effective to make such a plan in advance than to improvise in the middle of an emergency.

    What to do if you think an attacker has access to your account

    While it is rarely possible to know for sure, below are a few clues that an account with a service provider — such as an email, instant messaging or social networking account — might have been compromised:

    • You might notice changes to content, or to your account settings, that you did not make
    • A contact might tell you that they received a message that you did not send (though it is sometimes possible for attackers to "spoof" sender information)
    • You might be unable to log in to your account despite knowing that your password is correct
    • You might regularly fail to receive messages that contacts are certain they sent (and that you confirm were not flagged as "spam")
    • You might come to find out that information exchanged exclusively through this account has ended up in the hands of a third party, even though neither the sender nor the receiver(s) shared it with anyone else
    • Under some circumstances, you might receive notification of a successful password change request that you did not make
    • You might receive notifications of failed password change requests shortly before noticing some of these other indicators
    • You have lost a mobile device, or had one stolen or confiscated, while it was signed into the account
    • If your service provider offers a log of recent account activity, you might notice connections at a time, or from a location, that you could not have made yourself

    If you notice one or more of these indicators — and other explanations seem unlikely — you should consider taking some or all of the following steps:

    Stop using this account to exchange sensitive information, at least until you understand the situation better.

    Change your password immediately if you are able to do so. See the Tactics Guide on how to create and maintain strong passwords.

    Create new, unique passwords for other accounts with similar or identical passwords. Make a list of other services that you have "linked" to this account. (Many third party services allow you to log in with your Facebook, Google or Microsoft passwords, for example.) Try to "unlink" them if you can.

    Consider getting expert help. There may be technologists or security researchers in your community who can provide assistance. (Access Now runs a help line that offers direct, real-time, technical assistance and advice for activists, journalists, human rights defenders and other members of civil society.)

    Log out of all sessions if you are still logged in and if your provider gives you the ability to do so. You will have to log back in on each device from which you want to access the account.

    Enable two factor authentication if you can (and if your provider supports it). This will prevent anyone who may have obtained your password from accessing your account. You can learn more from the Tactics Guide on how to create and maintain strong passwords. Check the Two Factor Auth website to see if your provider offers this feature. Google, Facebook and Twitter all provide helpful guides on how to set up two factor authentication for their respective services.

    If you are not able to log in to your account, you may be able to contact your email provider to reclaim your account. Some email providers have special procedures in place to help users in such situations, but many others do not.

    Do what you can to reduce the impact on yourself and on those with whom you have communicated using this account. (This will be easier if you have already thought about what steps to take while establishing a communication plan.) Warn contacts, as appropriate, and look for ways that the account might be used to compromise others even if you do retain control of it. Examples might include automatic forwarding options that send copies to the attacker; new "friends" on a social networking account; disabled privacy settings or malicious links added to a blog post, email signature or "out-of-office" message.

    Try to determine what might have gone wrong. Could it have been because of a weak password? Does Have I Been Pwned list any accounts with the same password? Are there signs that one of your devices might have been infected with malware? Are other members of your community experiencing similar issues? The more you know about the circumstances leading up to the account compromise, the better your chance of recovering, protecting your contacts and defending yourself from similar attacks in the future.

    Review the security of other devices that have accessed this account or on which you have stored the password to this account. For more information, see the Tactics Guides on how to protect your device from malware and phishing attacks, how to protect your information from physical threats and how to use smartphones as securely as possible. If you find evidence of a malware infection, consider backing up your data and reinstalling the operating system. After making the above improvements to the security of your devices, you might have to change your account passwords again.

    Consider switching to a more secure service or adopting more secure communication methods in the future. Look for a service that supports two factor authentication, that has a good track record of preventing such attacks and that notifies you about unusual connection attempts. Depending on your circumstances, you might consider using a provider based in a different country. If it is an email account, consider adopting end-to-end encryption. You can learn more about this from the Thunderbird, Enigmail and OpenPGP Tool Guide ([Windows] [Linux] [Mac]). You might also consider working with your contacts to move your sensitive communication to a messaging platform that supports disappearing messages, like Signal.

    Remember, communication security is not just about having strong technical defences. It requires paying attention to how you and your contacts communicate with one another and remaining disciplined about your non-technical security habits.

    Further reading

    • The Gmail Privacy Policy, which you must accept when creating a Gmail account, explains that, "We also collect the content you create, upload, or receive from others when using our services. This includes things like email you write and receive." In fact, all email providers scan your messages, to some extent, so that they can offer anti-spam services and other such features.
    • A series of interviews in 2008 addressed the privacy and encryption policies of several major instant messaging services.
    • A website called Secure messaging apps comparison attempts to specify the security properties of various messaging platforms.
    • Access Now operates a help line that offers direct, real-time, technical assistance and advice for activists, journalists, human rights defenders and other members of civil society.
    • A list of other secure messaging tools might include: Wire for messaging and calls; XMPP with OTR, Briar or Ricochet for messaging; Jitsi Meet or a trusted Jitsi Video Bridge host for multi-party voice and video calls (not end-to-end encrypted but useful if you trust the service provider); Tutanota or ProtonMail for email, Crabgrass for social networking; and Matrix for team messaging.