By Cory Bennett - 11/28/14 02:54 PM EST
The first thing to know about securing your phone is that you can’t secure your phone.
“If [National Security Agency officials want] to get into your phone, they’re going to get into your phone,” said Chris Soghoian, the principal technologist for the American Civil Liberties Union (ACLU).
“Spying on the content of cell phone communications is trivially easy,” added Eva Galperin, global policy analyst with the digital rights advocate Electronic Frontier Foundation (EFF).
That said, the last year has seen a booming desire to make spying more difficult. Since former NSA contractor Edward Snowden revealed the government was collecting data on Americans’ phone records and Internet activity, average people now ask: How can I keep the NSA from snooping on my phone?
The market has responded.
Major tech companies like Apple and Google promoted their new phones by highlighting the encryption methods they claim will lock out the government. A slew of apps to encrypt text messages and voice calls have popped up. Previously obscure Internet encryption methods are being adopted by non-technophiles.
And though hacking teams at the NSA and FBI will almost always win out when sufficiently motivated, the rise of widespread encryption has worried law enforcement officials.
FBI Director James Comey calls it the “going dark problem.”
It’s set up a standoff. Law enforcement on one side, privacy advocates and major tech companies on the other.
If you’re looking to go dark, here are a few easy steps you can take to avoid government snooping.
1. Get an encrypted phone.
In September, Apple and Google claimed their new phones would lock down all pictures, contacts and messages, keeping them off limits to anyone — including government officials with a warrant.
The encryption behind this claim is solid enough that the Justice Department (DOJ) met with Apple. According to The Wall Street Journal, the second-ranking DOJ official even told Apple officials children would die as a result of the police’s inability to search a suspect’s iPhone.
While both Apple and Google have made similar security claims about their devices, Soghoian favors Apple.
“I think Apple is probably doing a better job on the security of their smartphones than any other electronics company,” he said.
However, “security of Apple’s encryption is only as good as the password you use on the device,” he added.
And even well-encrypted phones with strong passwords are made fallible through cloud backups. For many users, Apple phones automatically back up data to the iCloud. Google’s Android phones have similar features.
“Much of the data that law enforcement cannot get from the device, they can still get from the cloud,” Soghoian said.
It’s possible to disable cloud backup, but be warned, Soghoian said. With no backup, a lost phone or forgotten password means the phone “basically self destructs.”
2. Secure your text messages.
WhatsApp, the world’s most popular messaging service with over 600 million users, recently introduced end-to-end encryption, meaning only the sender and receiver can read a message.
The company behind the encryption software, Whisper Systems, called it “the largest deployment of end-to-end encrypted communication in history.”
Whisper Systems has its own secure messaging app, TextSecure. It’s the free app privacy advocates and technologists most often recommend, as does Snowden himself.
Soghoian likes to point out the initial technology underlying TextSecure was subsidized by the U.S. government. As a taxpayer, you might as well get some value for your money, he said.
For now, Android users are better positioned to secure their messages than Apple devotees. WhatsApp doesn’t yet have end-to-end encryption for iPhone users and TextSecure is Android only.
That won’t last long, Soghoian said. “It’s a matter of weeks, not months.”
3. Secure your phone calls.
Both Android and Google boast highly recommended apps to make encrypted phone calls.
Privacy advocate favorite Whisper Systems has RedPhone for Android users and Signal for iPhone users.
Unfortunately the two apps are not yet interoperable — RedPhone users can only call other RedPhone users.
If you’re willing to spring for a paid app, Silent Circle offers encrypted calling plans that will allow you to encrypt your end of a call to anyone around the world, Silent Circle member or not.
For member-to-member calls, the apps from Whisper and Silent Circle all got perfect scores on EFF’s Secure Messaging Scorecard.
4. Secure your Internet browsing.
Public Wi-Fi networks and normal web browsers leave mobile devices vulnerable.
“These are often the kinds of hot spots that are compromised by a potential attacker,” Galperin said.
For roaming Wi-Fi connections, Galperin recommends a virtual private network (VPN), which gives users Internet access while bypassing local Wi-Fi networks.
A VPN “takes all of your communications and basically tunnels it via an encrypted tunnel to wherever the VPN is being run from,” Galperin explained. Any outside eavesdroppers “only see the tunnel and not the contents of your communications.”
Galperin uses Freedom for her VPN, but doesn’t have a preferred smartphone VPN.
However, using a VPN will not erase the link between your Internet browsing record and your phone’s IP address, the number assigned to a device while connected to a computer network.
Tor, online anonymity software, will eliminate that link, Galperin said. Tor’s mobile version Orbot “allows you to browse a website on your phone without giving away your IP address,” she said. “It decouples your identity from your IP address.”
It’s “the best thing we have” to enable anonymous Internet browsing, Soghoian said, but it’s not perfect.
Tor will not give you “magical protection and anonymity on the Internet,” Galperin said.
And Tor works much better through a single Wi-Fi network than it does for mobile users in transit.
Tor functions by routing your Internet traffic through three servers to anonymize online movements, Soghoian explained.
If you’re moving with your phone — walking, driving, riding the train — Tor is constantly having to find three new servers through a different network.
“Every 30 seconds your Internet connection is interrupted,” Soghoian said. “That can make Tor more difficult.”
5. Understand you’ll never go completely dark.
Despite security experts’ best efforts at encryption, the government still has nearly unfettered access to location data and metadata — the “to and from” and timestamp of any communication.
“Your phone is a tracking device,” Galperin said. “There’s actually nothing you can do about that.”
For cell phones to function, they regularly ping cell towers.
“That cell tower has a pretty good idea of where you are,” Soghoian said.
And even the top encryption methods still expose some metadata, especially with voice calls.
“It’s really difficult to hide metadata,” Soghoian said. “The technologies that computer security people know how to build to protect metadata by their very nature add delays that are intolerable in a voice call.”
Combining location and metadata “reveals a huge amount of information about what you’re doing,” he added.
Don’t expect that to change any time soon. It would take a huge jump in technology to create security software that hides metadata and “we don’t know how to build cell phones that don’t reveal location,” Soghoian explained.
“It might never happen.”