2

If I know someone is trying to spy on me, and they are tracking me both online and in the physical worls, what steps can I take to neutralize the risk? Keep in mind that I'm a normal person with limited resources.

These steps come to mind:

  1. Set up & use a self-hosted VPN service (to prevent ISP as Man-in-The-Middle and prevent DNS Leaks), on a trusted hosting provider.
  2. Encrypt all my emails with PGP keys, and make sure that the usage of PGP keys is the default.
  3. Secure login to all chat apps, with Password/Fingerprint.
  4. Encrypt the full disk of my computer.

In general, I think of:

  1. Securing the communication on the internet (using VPN, fake identity, PGP Keys..etc).
  2. Securing the data on devices by encryption, and add authentication layers.

Is there something more I miss?

schroeder
  • 125,553
  • 55
  • 289
  • 326
MaskedUser
  • 39
  • 5
  • 6
    Those are all good sensible things to do if nobody is targeting you. Just normal good practice. If the government is spying on you and you are a target of interest, then those steps are not going to help you. So I'm not sure this question will get any useful answers. Sorry. Nation state resources can and will trump anything you can do. We have various posts on this already. I'll try to find a useful duplicate. – Rory Alsop Aug 19 '20 at 07:43
  • What the government can do? I’m thinking about the internet like a mathematical graph, so if I manipulate my connection and make a complex chain for my connection with secured tunneling, it’s almost hard to scope me on the internet. But, the problem comes when I see the physical devices. I don’t know what government agencies can do with them even I encrypt them and make sure that it’s clean, moreover they can use legitimate services to catch me up in reality. Am I right? – MaskedUser Aug 19 '20 at 10:29
  • 3
    The government can simply ask for and get access to all those legitimate, trusted providers you mention. And if that does not get them the info they need, they can simply infect your device remotely and get access to what they want, no matter how much you protect what you send out over the Internet. – schroeder Aug 19 '20 at 10:48
  • Not a duplicate, but the answers here may still be of interest to you: – Conor Mancone Aug 19 '20 at 12:26
  • https://security.stackexchange.com/questions/194353/police-forcing-me-to-install-jingwang-spyware-app-how-to-minimize-impact/194376#194376 – Conor Mancone Aug 19 '20 at 12:26
  • @schroeder how can they infect my device remotely? – MaskedUser Aug 19 '20 at 22:24

2 Answers2

5

How to avoid being spied on? Become someone else.

It always comes down to this solution in the end. The more resourceful and experienced the opponent is, the more you need to put dedication into it. It is easier to do if you are still "flying under the radar" undetected by your opponent.

How to become someone else? That depends who your opponent is. If it's a stalker, you might just need to change social apps accounts (cutting some social links in the process) and move from where you live. If your opponent is a national intelligence agency that is already spying on you... You might have ditch your computers, phone, friends, home, job, etc. and try to live without identification papers (or SSN if you are in the US) and associated services.

If you are tech savy, you can build from scratch one online persona per activity. Each persona should be disconnected from the others. The best is to use one internet connection and computer for each. If that not possible, the next best option is to use a new computer with the Qubes OS distribution (or different Tails configurations), configured with one Tor router per persona. Never set up Tor hidden services, because they are not hidden from intelligence agencies resources. Do not use phones for those personas. Never connect those personas with your physical activities. You would still be spied on personally, but your personas may have a chance to avoid being spied on. However, be warned that Tor is not fully reliable against national intelligence agencies. Be also warned that every connection exiting the Tor network is likely to be heavily spied on by intelligence agencies, so the personas will attract attention on themselves. Distrust VPN services.

If your main identity must be hidden from national intelligence agencies, being tech savvy will not help much. You just have to look at what happened to Snowden or Kim Dotcom, who were tech savvy. The best option is to stay safe, stay legal.

As a side note: Encryption is just a tool. It might prevent intelligence agencies to read the content, depending on how properly it is done, but alone it will not prevent them from knowing who is talking to who, and they might even guess the kind of content of the communications based on the context alone. In your question you focus on protecting your data (stored at home or in transit), but what you really need is to protect your identity ; protecting your data is just one of the steps towards that goal.

A. Hersean
  • 10,173
  • 3
  • 29
  • 42
  • What if I know that they are a high-level government agency, but they are tech-savvy? What steps do you suggest? Is what I listed enough? – MaskedUser Aug 19 '20 at 10:16
  • @MaskedUser I extended my answer to address your comment. What you listed is _far_ from enough, as said Rory Alsop in his comment. – A. Hersean Aug 19 '20 at 12:07
  • @a-hersean Thank you. Your answer is very helpful, but makes me feel that the internet is and will stay insecure. Thank you again. – MaskedUser Aug 19 '20 at 22:22
  • Against organizations with this much resources and legal power, there's only so much you can do. That has nothing to do with internet. For most practical matters however (most people are not targets of intelligence agencies), internet can be rather secure. – A. Hersean Aug 20 '20 at 07:52
3

This is a very broad question and probably impossible to answer. The steps you listed are a good, general approach to staying safe online and in a digital world.

As soon as you have a specific attacker, your defence needs to be specific as well. You need to come up with a threat analsis and develop a security plan. If the attackers are state-sponsored with near unlimited resources, defending yourself will also consume a lot of resources.

A threat can usually be boiled down to its three components: attacker, vulnerability and motivation. You can mitigate the threat by looking at the components, especially vulnerability and motivation: Can you address the vulnerability (unencrypted communication, tracking through a smartphone etc.) or the motivation (why are you a person of interest? What do they want from you?)

The Electronic Frontier Foundation has a Surveillance Self-Defense Portal, which lists current and recommended ways for self-defence.

Start with the Security Plan and develop your own set of defence mechanisms based on that and the provided Guides and Scenarios.

schroeder
  • 125,553
  • 55
  • 289
  • 326
phisch
  • 1,305
  • 10
  • 14