What is threat modeling and where do I start? Anchor link

Threat modeling helps you identify threats to the things you value and determine from whom you need to protect them. When building a threat model, answer these five questions:

1. What do I want to protect?
2. Who do I want to protect it from?
3. How bad are the consequences if I fail?
4. How likely is it that I will need to protect it?
5. How much trouble am I willing to go through to try to prevent potential consequences?

Let’s take a closer look at each of these questions.

What do I want to protect?

An “asset” is something you value and want to protect. In the context of digital security, an asset is usually some kind of information. For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices may also be assets.

Make a list of your assets: data that you keep, where it’s kept, who has access to it, and what stops others from accessing it.

Who do I want to protect it from?

To answer this question, it’s important to identify who might want to target you or your information. A person or entity that poses a threat to your assets is an “adversary.” Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.

Make a list of your adversaries, or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.

Depending on who your adversaries are, under some circumstances this list might be something you want to destroy after you’re done threat modeling.

How bad are the consequences if I fail?

There are many ways that an adversary can threaten your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.

The motives of adversaries differ widely, as do their attacks. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.

Threat modeling involves understanding how bad the consequences could be if an adversary successfully attacks one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all your phone records and thus has the capability to use that data against you. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

Write down what your adversary might want to do with your private data.

How likely is it that I will need to protect it?

Risk is the likelihood that a particular threat against a particular asset will actually occur. It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.

It is important to distinguish between threats and risks. While a threat is a bad thing that can happen, risk is the likelihood that the threat will occur. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).

Conducting a risk analysis is both a personal and a subjective process; not everyone has the same priorities or views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.

Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.

How much trouble am I willing to go through to try to prevent potential consequences?

Answering this question requires conducting the risk analysis. Not everyone has the same priorities or views threats in the same way.

For example, an attorney representing a client in a national security case would probably be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.

Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.

How Does End-to-End Encryption Work? Anchor link

When two people want to communicate securely (for example, Akiko and Boris) they must each generate crypto keys. Before Akiko sends a message to Boris she encrypts it to Boris's key so that only Boris can decrypt it. Then she sends the already-encrypted message across the Internet. If anyone is eavesdropping on Akiko and Boris—even if they have access to the service that Akiko is using to send this message (such as her email account)—they will only see the encrypted data and will be unable read the message. When Boris receives it, he must use his key to decrypt it into a readable message.

End-to-end encryption involves some effort, but it's the only way that users can verify the security of their communications without having to trust the platform that they're both using. Some services, such as Skype, have claimed to offer end-to-end encryption when it appears that they actually don't. For end-to-end encryption to be secure, users must be able to verify that the crypto key they're encrypting messages to belongs to the people they believe they do. If communications software doesn't have this ability built-in, then any encryption that it might be using can be intercepted by the service provider itself, for instance if a government compels it to.

You can read Freedom of the Press Foundation's whitepaper, Encryption Works for detailed instructions on using end-to-end encryption to protect instant messages and email. Be sure to check out the following SSD modules as well:

• An Introduction to Public Key Cryptography and PGP
• How to: Use OTR for Windows
• How to: Use OTR for Mac

Text Messages Anchor link

Standard text (SMS) messages do not offer end-to-end encryption. If you want to send encrypted messages on your phone, consider using encrypted instant messaging software instead of text messages.

Some end-to-end encrypted instant messaging services use their own protocol. So, for instance, users of Signal on Android and iOS can chat securely with others who use those programs. ChatSecure is a mobile app that encrypts conversations with OTR on any network that uses XMPP, which means you can choose from a range of independent instant messaging services.

Email Anchor link

Most email providers give you a way of accessing your email using a web browser, such as Firefox or Chrome. Of these providers, most of them provide support for HTTPS, or transport-layer encryption. You can tell that your email provider supports HTTPS if you log in to your webmail and the URL at the top of your browser begins with the letters HTTPS instead of HTTP (for example: https://mail.google.com).

If your email provider supports HTTPS, but does not do so by default, try replacing HTTP with HTTPS in the URL and refresh the page. If you’d like to make sure that you are always using HTTPS on sites where it is available, download the HTTPS Everywhere browser add-on for Firefox or Chrome.

Some webmail providers that use HTTPS by default include:

• Gmail
• Riseup
• Yahoo

Some webmail providers that give you the option of choosing to use HTTPS by default by selecting it in your settings. The most popular service that still does this is Hotmail.

What does transport-layer encryption do and why might you need it? HTTPS, also referred to as SSL or TLS, encrypts your communications so that it cannot be read by other people on your network. This can include the other people using the same Wi-Fi in an airport or at a café, the other people at your office or school, the administrators at your ISP, malicious hackers, governments, or law enforcement officials. Communications sent over your web browser, including the web pages that you visit and the content of your emails, blog posts, and messages, using HTTP rather than HTTPS are trivial for an attacker to intercept and read.

HTTPS is the most basic level of encryption for your web browsing that we recommend for everybody. It is as basic as putting on your seat belt when you drive.

But there are some things that HTTPS does not do. When you send email using HTTPS, your email provider still gets an unencrypted copy of your communication. Governments and law enforcement may be able to access this data with a warrant. In the United States, most email providers have a policy that says they will tell you when you have received a government request for your user data as long as they are legally allowed to do so, but these policies are strictly voluntary, and in many cases providers are legally prevented from informing their users of requests for data. Some email providers, such as Google, Yahoo, and Microsoft, publish transparency reports, detailing the number of government requests for user data they receive, which countries make the requests, and how often the company has complied by turning over data.

If your threat model includes a government or law enforcement, or you have some other reason for wanting to make sure that your email provider is not able to turn over the contents of your email communications to a third party, you may want to consider using end-to-end encryption for your email communications.

PGP (or Pretty Good Privacy) is the standard for end-to-end encryption of your email. Used correctly, it offers very strong protections for your communications. For detailed instructions on how to install and use PGP encryption for your email, see:

• How to: Use PGP for Mac OS X
• How to: Use PGP for Windows
• How to: Use PGP for Linux

Create a Secure Machine Anchor link

Maintaining a secure environment can be hard work. At best, you have to change passwords, habits, and perhaps the software you use on your main computer or device. At worst, you have to constantly think about whether you're leaking confidential information or using unsafe practices. Even when you know the problems, some solutions may be out of your hands. Other people might require you to continue unsafe digital security practices even after you have explained the dangers. For instance, work colleagues might want you to continue to open email attachments from them, even though you know your attackers could impersonate them and send you malware. Or you may be concerned that your main computer has already been compromised.

One strategy to consider is cordoning off valuable data and communications onto a more secure computer. Use that machine only occasionally, and when you do, consciously take much more care over your actions. If you need to open attachments, or use insecure software, do it on another machine.

If you're setting up a secure machine, what extra steps can you take to make it secure?

You can almost certainly keep the device in a more physically safe place: somewhere where you are able to tell if it has been tampered with, such as a locked cabinet.

You can install a privacy- and security-focused operating system like Tails. You might not be able (or want) to use an open source operating system in your everyday work, but if you just need to store, edit and write confidential emails or instant messages from this secure device, Tails will work well, and defaults to high security settings.

An extra, secure computer may not be as expensive an option as you think. A computer that is seldom used, and only runs a few programs, does not need to be particularly fast or new. You can buy an older netbook for a fraction of the price of a modern laptop or phone. Older machines also have the advantage that secure software like Tails may be more likely to work with them than newer models.

You can use the secure machine to keep the primary copy of confidential data. A secure machine can be valuable in cordoning off private data in this way, but you should also consider a couple of extra risks it might create. If you concentrate your most treasured information onto this one computer, it may make it more of an obvious target. Keep it well hidden, don't discuss its location, and don't neglect to encrypt the computer's drive with a strong password, so that if it is stolen, the data will remain unreadable without the password safe.

Another risk is the danger that destroying this one machine will destroy your only copy of the data.

If your adversary would benefit from you losing all your data, don't keep it in just one place, no matter how secure. Encrypt a copy and keep it somewhere else.

The highest level of protection from Internet attacks or online surveillance is, not surprisingly, not connecting to the Internet at all. You could make sure your secure computer never connects to a local network or Wifi, and only copy files onto the machine using physical media, like DVDs or USB drives. In network security, this is known as having an "air gap" between the computer and the rest of the world. Not many people go this far, but it can be an option if you want to keep data that is rarely accessed but you never want to lose. Examples might be an encryption key you only use for important messages (like "My other encryption keys are now insecure"), a list of passwords or instructions for other people to find if you are unavailable, or a backup copy of someone else's private data that has been entrusted to you. In most of these cases, you might want to consider just having a hidden storage device, rather than a full computer. An encrypted USB key kept safely hidden is probably as useful (or as useless) as a complete computer unplugged from the Internet.

If you do use the secure device to connect to the Internet, you might choose not to log in or use your usual accounts. Create separate web or email accounts that you use for communications from this device, and use Tor to keep your IP address hidden from those services. If someone is choosing to specifically target your identity with malware, or is only intercepting your communications, separate accounts and Tor can help break the link between your identity, and this particular machine.

A variation on the idea of a secure machine is to have an insecure machine: a device that you only use when you are going into dangerous places or need to try a risky operation. Many journalists and activists, for instance, take a minimal netbook with them when they travel. This computer does not have any of their documents, usual contact or email information on it, and so is less of a loss if it is confiscated or scanned. You can apply the same strategy to mobile phones. If you usually use a smartphone, consider buying a cheap throwaway or burner phone when travelling or for specific communications.

In the Meantime, Here are Some Things to Keep in Mind When Crossing the US Border: Anchor link

• Have you backed up your devices? This may help in case one or more of your devices is seized. You can use an online backup service or an external hard drive, though we don't recommend carrying both your laptop and your backup hard drive at the same time.

• Do you need to be carrying so much data? We suggest minimizing the amount of data you are carrying over the border. Consider traveling with a "clean" laptop, and note that simply dragging files to your trash doesn't delete them completely. Make sure you securely delete your files.

• Are your devices encrypted? We recommend full-disk encryption on your devices (laptops, mobile phones, etc.) and choosing secure passphrases. If a border agent asks for your passphrase, you do not have to comply. Only a judge can force you to reveal such information. However, refusal to comply could bear consequences: for noncitizens, you may be refused entry into the country; for citizens, you may be detained until the border patrol decides what to do, which may include seizing your computer, phone, camera, USB sticks, etc.

• When you enter a new country, consider purchasing a temporary phone and transferring your SIM card over or getting a new number. This phone will carry far less data than your normal phone.

• When dealing with border guards, remember these three things: Be courteous, do not lie, and do not physically interfere with the agent’s search.

What is a VPN Good For? Anchor link

You can use a VPN to connect to the corporate intranet at your office while you’re traveling abroad, while you are at home, or any other time you are out of the office.

You can also use a commercial VPN to encrypt your data as it travels over a public network, such as the Wi-Fi in an Internet café or a hotel.

You can use a commercial VPN to circumvent Internet censorship on a network that blocks certain sites or services. For example, some Chinese users use commercial VPNs to access websites blocked by the Great Firewall.

You can also connect to your home network by running your own VPN service, using open-source software such as OpenVPN.