How do you survive in a world where surveillance is too easy, with fully automated zero-click spyware from which there is no protection, and where even accomplished cyber defense analysts say “Primarily I’m here just to keep the death count”? While some have argued for surveillance reform and banning the sale of spyware, which is the legal and norms development approach, it will take a long time to happen, because governments that operate outside any legal framework would fight self-regulation in this arena to the very end, and public opinion is hard to sway in a short time.
What then should judges, politicians, journalists and anyone else who is a potential target do in the interim? Giving up modern communication devices such as smartphones and switching to good old feature phones, as some have suggested, is not an option, because the Central Monitoring System—whose technical architecture is a 'state secret' and hence is freely available on the internet with a deployment guide and user manual—solved the problem of tapping any phone at scale a decade ago.
Everyone Should Start Behaving Like an 'Intelligence Officer'
Going back to an era of pen, paper, chits and dead drops is not an option either, because if anything, a lack of digital trail leads to more suspicion and is followed by even more aggressive physical surveillance, as the long dead Osama Bin Laden would attest to, if resurrected from his sea grave.
This impossible world, in which the convenience of having the world at one’s fingertips (the smartphone) comes with a constant spying device, happened because the phone is a product of the cyber domain, where everything is always and irrevocably dual use. It is both useful and a handicap; it informs but also dis-informs, and so on. Knowing this reality offers a different way out, because there exists one profession that experiences this on a daily basis—the intelligence officer.
While it may be a stretch to imagine journalists, judges and politicians as intelligence officers, the noted security analyst Dan Geer did point out that in a condition where surveillance is ubiquitous, the only operational definition of privacy for any individual who seeks it would not be the legal definitions proclaimed by well-meaning lawyers and government spokespersons, but the “capability to mis-represent themselves”.
Simply put, this means individuals who are always surveilled have no choice but to deploy active deception techniques to have any semblance of privacy.
Why Creating Multiple Identities Has Become Necessary
The first lesson in 'mis-representation' is to not have one identity that can be linked to everything and is dead simple to surveil, but to have multiple identities that are easy to create and even easier to destroy, after a single use or after a time period.
When faced with an opponent like Pegasus, the identity in question is not the human, but the phone number linked with the human.
Creating multiple phone numbers, hence, is the first line of defence, where one has to assume that the primary phone number is already under surveillance either via Pegasus or via the CMS.
A reasonably safe approach is to confine the primary phone number to a single device and use secure messengers on another unconnected device, which has one purpose only—external communication with trusted sources.
To ensure operational security, the communication device can never have anything that connects to any identity (including Apple IDs, Google IDs, Email IDs) or other applications. This has the advantage of reducing the attack surface on the device as it avoids identity convergence.
Online services such as Twilio, Sinch and others allow anyone to rent a VoIP mobile number anywhere in the world for a small fee of USD 1 per month, which is no different in capabilities from a number that comes with a SIM card. Secure messengers (Signal, WhatsApp) do allow using these numbers, as long as the SMS verification code, which both these platforms make available via a dashboard, can be entered during installation and setup.
Bypassing the Use of Phone
While the truly paranoid could abandon the mobile device itself (Pegasus only works on mobile devices as of today), there exist other E2E messengers that do not even need a phone number to work, such as Threema.
For a small one-time fee of $3, it allows anyone to reach anyone else if both parties use it. Threema identities are just random letters (and not phone numbers) and hence can be exchanged even via paper-based solutions.
When both parties use this approach, there is reasonable protection against Pegasus, because they have bypassed a fundamental requirement for Pegasus infection: a known public identifier like a phone number, Apple ID, Google ID et al attached to a device.
Disaggregation of the device, identity singularity, and creating disconnected, disjoint pairs of identity and device coupled with niche messengers that offer E2E, thus, represent the first line of defence against pervasive surveillance that exploits the singularity of identity convergence for the purpose of convenience, at scale.
Cat Pictures Come to the Rescue
Another approach that works well with “active misrepresentation” is the barbell approach, where the surveilled lives an unremarkable life in the full knowledge that they are under surveillance, but creates digital trails that are extremely mundane.
This is the idea behind differential privacy, where junk or trivial or false information is injected into a large dataset to hide in plain sight. For instance, one can just fill their public surveilled device with cat pictures taken at regular intervals, interspersed with other aspects of their life, such as attending parties which are public anyway.
This can be coupled with other deep anonymity strategies for document exchange such as SecureDrop. Originally called “dead drop”, it is a common strategy, where sources drop documents in well placed public locations—think of a postbox or a garbage box—without ever having to talk to the journalist, who can then vet them later.
SecureDrop uses the same construct but in the digital world, and guarantees anonymity because it sits on the Tor network and does not log any information, including IP addresses. It only costs around $2,500 to operate and is even used by the US government for anonymous vulnerability disclosure.
Limiting Damage Once Your Devices are Compromised
While multiple identities, devices, dead drops, and trivia flooding work well, in practice a breach is inevitable because the surveilled are facing nation states, which have infinite resources in comparison. Compartmentation offers some amelioration, by limiting damage on what a compromised identity or device can reveal.
A common mistake—naively committed by many journalists, politicians and others—is to segregate their devices with different identities (e.g. phone numbers obtained in the name of their relatives or house help), but always carry them physically together. Modern mobile devices by their very nature ping the base station every few seconds, which makes it trivial to correlate the devices as belonging to the same person, within minutes (a key feature of CMS).
Another elementary mistake made by journalists is exposing their 'rolodexes' in a single device and sharing them across devices via a central synchronising solution (like Google Contacts, Apple iMessage). While this is convenient, a data hygiene rule of thumb is that among the trio of security, convenience, and freedom, only two can be chosen at any given point in time. Sharing a rolodex across compartments that have differential resilience against spyware will definitely compromise the compartmentation.
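A self-audit for the rolodex mistake described above, as an added example that is not part of the original article: it compares contact exports from each compartment and reports any phone number or e-mail address that appears in more than one. The vCard samples, the function names and the last-10-digits matching rule are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed vCard 3.0 exports, one per compartment (all values are made up).
PRIMARY_VCF = """BEGIN:VCARD
VERSION:3.0
FN:Family Member
TEL;TYPE=CELL:+91 98765 43210
END:VCARD
BEGIN:VCARD
VERSION:3.0
FN:Source A
TEL;TYPE=CELL:09000000001
END:VCARD
"""
SOURCES_VCF = """BEGIN:VCARD
VERSION:3.0
FN:Source A
item1.TEL;TYPE=CELL:+91-90000-00001
END:VCARD
BEGIN:VCARD
VERSION:3.0
FN:Source B
EMAIL:Tip@Example.net
END:VCARD
"""

def identifiers(vcf_text):
    """Return the normalised phone numbers and e-mail addresses in one export."""
    ids = set()
    for line in vcf_text.splitlines():
        head, sep, value = line.partition(":")
        if not sep:
            continue
        # Drop parameters (;TYPE=...) and any group prefix (item1.)
        prop = head.split(";")[0].split(".")[-1].upper()
        if prop == "TEL":
            digits = re.sub(r"\D", "", value)
            if digits:
                # Assumption: compare the last 10 digits so +91 / 0 prefixes match
                ids.add("tel:" + digits[-10:])
        elif prop == "EMAIL":
            ids.add("email:" + value.strip().lower())
    return ids

def shared_identifiers(compartments):
    """Map each identifier found in more than one compartment to those compartments."""
    seen = defaultdict(set)
    for name, vcf in compartments.items():
        for ident in identifiers(vcf):
            seen[ident].add(name)
    return {i: sorted(n) for i, n in seen.items() if len(n) > 1}

if __name__ == "__main__":
    print(shared_identifiers({"primary": PRIMARY_VCF, "sources": SOURCES_VCF}))
```

Any entry in the result is a contact that a compromise of the weaker compartment would also reveal about the stronger one.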
Buck Up For a New Dystopian Future
Speaking truth to power has always been a daring enterprise with its attendant risks and journalists and whistleblowers have generally succeeded in it, with just pen, paper, documents, mobile devices, and raw courage.
However, in an environment where a pandemic rages and predatory spyware abounds, not levelling up on cyber hygiene and relying on old habits would be the equivalent of facing a tank with a pea shooter.
The principles of compartmentation, along with the capacity to misrepresent oneself, improve the odds tremendously while limiting damage. One might even argue that embracing the practice of thinking like an intelligence officer and adopting operational security, until laws and norms around surveillance change, would separate the serious journalists from stenographers and apparatchiks who masquerade today as reporters.
Perhaps in that future, whistleblowers can identify those news rooms which have a better institutional history of clean and safe digital habits and would seek them out, just like how matrimonial advertisements work, for their lives would depend on it.
(Anand Venkatnarayanan is a Privacy and Security researcher and is the Author of: The Art of Conjuring Alternate Realities - How Information warfare shapes your world. This is an opinion piece and the views expressed are the author's own. The Quint neither endorses nor is responsible for them.)