Note: this is part 8 of a series on how to go further by integrating asymmetrical defenses against overeager states.
Here are the 7 articles in the series:
As we saw in the previous article, using end-to-end encryption tools is an excellent asymmetrical defense against overly intrusive governments.
So how do you use end-to-end encryption? Here are the end-to-end encrypted programs I recommend:
Email provider
So forget Gmail, Hotmail, Yahoo and company, which, in addition to not being end-to-end encrypted, scan your e-mails to serve you targeted advertising. Here are the tools you can use instead:
Proton Mail. Based exclusively in Switzerland, and which I use personally.
Tutanota. Only based in Germany.
Calendar
Forget Google Calendar! Instead, use the calendar provided by your chosen end-to-end encrypted email software. I use Proton Calendar.
Files in the cloud
Forget Dropbox, Google Drive, Apple iCloud, Microsoft OneDrive and company. Instead, choose:
Sync.com, based solely in Canada, which I use personally.
Proton Drive, by the same company as Proton Mail (based in Switzerland only), which you can access via the same account.
Tresorit, based in Switzerland, Hungary and Germany.
Note-taking in the cloud
Forget Evernote, Apple Notes [1] or Microsoft OneNote. Instead, use:
Standard Notes, recently acquired by the Proton company. The software I personally use.
Obsidian, often described as a "2nd brain".
Communication Apps
Messages sent by WhatsApp, the most popular messaging service, are indeed end-to-end encrypted, BUT the backup of these messages in the cloud is not: if you back up your WhatsApp messages, or your correspondents do, you're at the mercy of a serious hack of this backup.
You'll never guess how many people were convinced that their WhatsApp messages weren't saved in the cloud, and how many were stunned to discover that this was in fact the case after I insisted they check (it's almost 100%).
Skeptical about this? Be a good skeptic: check now in your iCloud or Google Drive settings on your smartphone :)
Note that *even* if you don't save your WhatsApp messages in the cloud, it's enough for your correspondents to do so for your messages to end up there without end-to-end encryption.
If you're in a WhatsApp group with dozens of people, all it takes is ONE person to have backup enabled for ALL messages in the group to be saved without end-to-end encryption.
Note that WhatsApp officially offers end-to-end encryption for backups [2].
But it's a scam. Why? Because it's not enabled by default.
The result?
Hardly anyone enables it (or even knows about this feature), so all it takes is for your correspondents not to have activated this option, and your messages end up in the cloud without end-to-end encryption.
Instead, use Signal, which is the best app with excellent default security and has all the important features of WhatsApp, plus a few of its own.
And it's impossible to save Signal messages, which is a good thing.
Of course, the major problem with Signal is that fewer people use it than WhatsApp. So what I do is, by default, I suggest that people exchange on Signal, and if they don't know the software, I switch to WhatsApp.
And I try to "welcome" them to Signal as much as possible. For the most part, web entrepreneurs are pretty open about it, because they understand the importance of being smooth squares (even if they haven't usually phrased it that way) and protecting their privacy.
Other important tools
These tools are not end-to-end encrypted, but still provide additional security and privacy.
VPNs
First of all, let's talk about VPNs: as I explained in this series, a VPN is simply a piece of software that creates an encrypted connection between your device and an intermediary server, often located in another country.
They are very useful for 1) securing your connection in public places (cafés, airports, hotels, etc.), 2) enabling you to bypass censorship by the government of the country you're in, and 3) geolocating you in another country if you need to access blocked content.
Note, however, that when you use a VPN, you're transferring the trust you place in your ISP (which can normally see absolutely all the sites you visit) to your VPN provider (which can therefore see all the sites you visit, while your ISP only sees that you're connecting to your VPN's IP address).
To be clear, your ISP, and your VPN provider when you use it, can see all the sites you visit, and the Internet services you use, but, if the connection is encrypted between you and the server (which is true today in over 95% of cases), they can't see the content you consult or send to that site or service.
So, for example, your ISP or VPN can see that you used WhatsApp from such and such a time to such and such a time, and that you sent and received such and such an amount of data, but not exactly what data was exchanged or to whom it was sent.
They can also see, for example, that you visited Wikipedia, or a porn site, or Facebook, or such-and-such a website, from such-and-such a time, with the volume of data exchanged, but not exactly which page(s) you consulted, nor their content.
On the other hand, if you visit an unsecured website, these two providers can see everything. Fortunately, these sites are now so rare as to be a curiosity.
Rather than NordVPN, which you see everywhere, I recommend these VPNs, which have a better reputation for privacy and, crucially, are committed to keeping no trace of your browsing. This is important, because otherwise your VPN would have a complete history of the sites you visit while connected to it. This is the "no log" policy.
For this to happen, the company responsible for the VPN must be located in a country that authorizes it not to keep a history of its users.
Ideally, the company should also accept payments in cash and/or crypto, to add a layer of protection by ensuring that even the company doesn't know who you are, if you wish.
Important: note that, unless you're using a cryptocurrency that includes mechanisms designed to protect your privacy by default (such as Monero [3]), paying in Bitcoin, Ethereum or other "classic" cryptos doesn't give you much extra anonymity if you're using cryptos you've bought on a marketplace that follows KYC/AML standards, and has therefore asked you for identification documents.
The only advantage in this case is that the company offering the VPN will not know your identity directly.
I therefore recommend:
Proton VPN
Which I personally use.
It accepts payments in cash, as well as Bitcoin, but the latter only for account renewal, and not for the purchase of a first one, which renders null and void any anonymity that buying with this crypto might confer, unless you created your account by paying cash.
IVPN
Based solely in Gibraltar, this VPN lets you pay in cash, Bitcoin and... Monero, which is, at the time of writing, the most private and untraceable cryptocurrency possible.
What's more, you don't need an email address to create an account, so you don't have to set up a special address for this purpose, or inadvertently use your personal email when you want to remain anonymous!
Mullvad
A VPN based solely in Sweden, which also requires no email address, and accepts payment by cash, Bitcoin and Monero.
Tor
You've probably heard of it, since it's such a famous piece of software, most likely in an article exploring the nether reaches of the Internet known as the dark web, or about the arrest of a criminal despite their use of this software.
But what is Tor, basically?
It's "just" a modified version of Firefox for connecting to the web in a particular way, designed to prevent adversaries, including the state, from being able to identify the sites you visit, and from being able to block certain sites.
It works by connecting to a network of servers managed by volunteers scattered around the world.
When you want to access a website or online service, your request doesn't go directly to that site. Instead, it's encrypted and routed through several of these servers (called "nodes") in the Tor network.
Each node only knows where the information it receives comes from and where it must send it next, but not the entire route. In particular, unlike the TCP/IP protocol (the basis of all Internet communication), the source IP address (which identifies you) is known only to the first relay, and not to the others.
This means that no individual node can see the entire path of your request.
To understand this, imagine you're passing a message via a chain of people, in which each person knows only who has passed the message on to them and to whom they must pass it on next.
Finally, the request reaches the website or online service you wanted to reach. This is done by a special exit node, which decrypts the final request and forwards it to its destination.
The website or online service responds to the request, and this response is sent back through the Tor network following a different path, making the process even more difficult to trace.
For the user, this process considerably enhances anonymity, data confidentiality and the ability to bypass Internet censorship.
U.S. Naval Research Laboratory vs the CIA
Tor was originally developed with the support of the U.S. Naval Research Laboratory to help secure the communications of the U.S. government, particularly its intelligence officers stationed abroad.
To significantly increase the number of users, and thus enable American agents to blend in, the technology was made public and open source, allowing any developer to contribute.
Tor soon provided political dissidents and journalists in dictatorships with a tool for secure communication, earning it the support of government agencies such as the U.S. State Department... whose donation in 2012 accounted for 80% of its budget [4]. By 2020, this proportion had fallen to 38%, for a total annual budget of $7.4 million [5].
This tool fulfills its original purpose, but as I pointed out in “The Good News about the Snowden Revelations”, it has also become a thorn in the side of the CIA, NSA and other intelligence agencies [6], revealing a major contradiction from which states suffer: governments would ideally like to be able to break encryption whenever they want, while having protocols that are unbreakable by adversaries the rest of the time.
This is obviously impossible, and leads to contradictory actions, as here: a program built with the support of one branch of government, which becomes a problem for another branch of government.
And of course, Tor also helps criminals. It's always the same story: you can't offer a tool that helps dissidents and journalists without also helping criminals. A tool is a tool, and a hammer can become a deadly weapon if someone decides to use it that way.
The two main ways to use Tor
Many users are unaware that there are two main ways of using Tor, both with different levels of security.
1st way: "Normal" Internet surfing
You use Tor like a normal browser, connecting to "classic" Internet sites and services.
Your connection diagram is roughly as follows:
Your computer or smartphone -> entry node or "gatekeeper" -> the Tor internal network (one or more relays) -> exit the internal network via the "exit node" to the "normal" web -> classic website/service
In this case, the website/service you're accessing will just see the IP address of the exit node, but not the IP address of your Internet connection.
But you have to be smart: if you're using Google via Tor, Google won't know it's you who's using it... unless you log in to your Google account, of course.
The same applies to all sites to which you log in with an account that identifies you. What's more, these sites will know that you're using Tor.
And understand that the entry node can see:
Your IP address
Your data volume (but not the sites you visit)
And of course the fact that you use Tor
However, some countries prohibit the use of Tor: if you're in one of these countries, connecting to an entry node 1) located in that country and 2) monitored by an agency in that country can reveal that you're using Tor, if you're connected from an IP address that's linked to your identity (your home connection, for example).
To avoid this risk, connect from a non-identifiable IP, such as that of a café or restaurant, or use a no-log VPN (more on this later).
Also, understand that the exit node can see:
Which site you connect to, but without knowing who this "you" is, or your original IP address
As well as the other sites you visit from the same "circuit" (Tor connection path), which changes every 10 minutes or so.
If the connection to the end site is not encrypted (i.e., if the site is http and NOT https) then the exit node will be able to see everything:
Exactly which pages you visit
The contents
Any information you send
This means that if you send identifying information via an unsecured site, the exit node will be able to identify you.
However, as I mentioned in “The Good News about the Snowden Revelations”, 95% of the world's websites were encrypted in 2022, and this figure is rising steadily: so make sure you don't connect to the minority of unencrypted sites (Tor warns you when this is the case).
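Added example (not part of the original article): a toy Python model of the circuit described above, showing what the entry, middle and exit relays each learn, and why the exit relay can read the request only when the site is plain http. The relay names, keys, IP address and the SHA-256 keystream cipher are constructed stand-ins; real Tor negotiates a separate key with each relay and uses fixed-size cells.

```python
import hashlib, json, os

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher (SHA-256 keystream) standing in for real encryption; not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, plain: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + xor_stream(key, nonce, plain)

def unseal(key: bytes, blob: bytes) -> bytes:
    return xor_stream(key, blob[:16], blob[16:])

def build_onion(route, keys, destination, payload: bytes) -> bytes:
    """Client side: wrap the payload once per relay, innermost layer for the exit."""
    cell = payload
    for relay, nxt in reversed(list(zip(route, route[1:] + [destination]))):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = seal(keys[relay], layer)
    return cell

def relay_view(client_ip, route, keys, destination, payload: bytes) -> dict:
    """Pass the onion along the route and record what each relay learns."""
    cell, prev, seen = build_onion(route, keys, destination, payload), client_ip, {}
    for relay in route:
        layer = json.loads(unseal(keys[relay], cell))  # peel exactly one layer
        cell = bytes.fromhex(layer["data"])
        seen[relay] = {"from": prev, "to": layer["next"], "data": cell}
        prev = relay
    return seen

# Constructed sample values: documentation IP range, made-up relay names and keys.
ROUTE = ["entry", "middle", "exit"]
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in ROUTE}
CLIENT_IP, SITE = "203.0.113.7", "example.org"
REQUEST = b"GET /private-page HTTP/1.1\r\nHost: example.org\r\n\r\n"
SITE_KEY = hashlib.sha256(b"stand-in for the TLS session key").digest()

def demo():
    """Same request sent once in the clear (http) and once encrypted to the site (https)."""
    http = relay_view(CLIENT_IP, ROUTE, KEYS, SITE, REQUEST)
    https = relay_view(CLIENT_IP, ROUTE, KEYS, SITE, seal(SITE_KEY, REQUEST))
    return http, https

if __name__ == "__main__":
    for label, view in zip(("http", "https"), demo()):
        for relay, info in view.items():
            print(f"{label:5} {relay:6} from={info['from']:12} to={info['to']:12} "
                  f"reads request: {b'/private-page' in info['data']}")
```

Only the entry relay ever sees the client IP, and only the exit relay sees the destination; in the https run the exit relay still learns the destination but holds only ciphertext.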
2nd way: Staying in the Tor network
You're connecting to sites designed to be accessible only via the Tor network, so-called "onion sites": they use domain names ending in .onion, rather than .com for example.
When you connect to an onion site, you stay inside the Tor network: there's no exit node, so it can't observe your activity.
Beyond onion sites, which exist only in this form, several popular sites offer onion versions, often to enable activists, dissidents and journalists from censored countries to use their services, such as Facebook, Proton Mail, the DuckDuckGo search engine, or the New York Times.
To find these onion sites, simply type "onion site name or service" into a search engine.
Advanced use: VPN + Tor
Can I use a VPN AND Tor at the same time?
Absolutely. The recommended "way" is to connect to the VPN, then launch Tor. This way, the entry node will see the IP address of your VPN, but not the IP address of your Internet connection, which can enhance your browsing privacy.
This configuration also prevents your ISP from detecting that you're using Tor: it will "just" see that you're using a VPN. However, your VPN will see that you're using Tor: again, using a VPN means transferring trust from your ISP to your VPN provider.
In the end
Tor is unlikely to be useful in the vast majority of cases. What's more, the way it works makes it slower to use than a VPN.
But it can help you out from time to time, especially for accessing censored sites, if your VPN is blocked: so I recommend you have it on your computer and smartphone, just in case.
Note that at the time of writing, there is no official Tor browser for iOS, but the Foundation recommends the Onion Browser.
Onion Browser warns, however, that "iOS has full control over some network traffic", which "may result in this traffic (including audio or video) being routed via your normal connection and not via Tor".
How to use Tor and VPNs in countries that censor them?
If you've ever been to a country that censors these tools and tried to download them, you'll have realized that it's often impossible to do so.
Why? Because these countries are trying to prevent you from accessing these tools.
In general, it's best to arrive in these countries with these tools already installed on your computer and smartphone.
But if you find yourself in a situation where you're blocked, here's what to do: most of these countries simply block any domain that contains "VPN" or "Tor" in its name.
To get around this limit, simply download your VPN or Tor from a site that does not contain these words in its domain name:
You can visit a reputable software download site, such as Cnet Download.
From there, you can easily download Tor, which will allow you to access your VPN software.
Or download many VPNs directly.
You can use a "standard" browser that integrates Tor, such as Brave.
Or a browser that integrates a VPN, like Brave and Opera.
You can install an extension to your current browser that allows you to connect to Tor or a VPN.
For example, Proton VPN offers an extension for Chrome (and therefore Brave, Edge and Opera) and Firefox, to connect to it directly from the browser.
Your smartphone's app store is only censored if you're using one from a country that has asked Google or Apple to remove all VPNs: if you're using an account from another country, VPNs should be available for download on your smartphone without any problem.
What's more, on Android, you can use an alternative store like F-Droid, which is not censorable.
You can ask a friend in another country to download the software for you, and put it in a Dropbox (or even better, a Sync.com or a Tresorit), or send it via WeTransfer.
Etc. etc.
The possibilities are endless, and you'll see that with a little perseverance, it's usually very easy to get around these censors, allowing you to see first-hand just how difficult it is for nation-states to control the Internet.
Graphene OS
If you're looking for a smartphone operating system that maximizes your privacy and security, I recommend Graphene OS, a modified version of Android that works with all modern Google Pixels, and lets you install all Android-compatible apps.
And it's free.
Coming soon
In the next article, we'll look at how to properly use cryptocurrencies to maximize your privacy and security.
Stay tuned! In the meantime, feel free to follow Disruptive Horizons on X/Twitter & LinkedIn, and join the tribe of Intelligent Rebels by subscribing to the newsletter.
Which is not end-to-end encrypted by default, unless you activate the "Advanced Data Protection" option in your iCloud account.
"Launch of end-to-end encrypted backups on WhatsApp", WhatsApp blog.
Not all exchanges offer Monero: to see which ones do, go to the "Get Monero" site www.getmonero.org. You can also exchange bitcoins for moneros with the Cake Wallet application.
"US government increases funding for Tor, giving $1.8m in 2013", Alex Hern, The Guardian, 2014.
"The NSA is trying to crack Tor. The State Department is helping pay for it.", Andrea Peterson, The Washington Post, 2013.
I wonder how Substack's cybersecurity compares to other Social Media Apps?
Very interesting, thanks!
Curious to know, how do you handle document creation?
(i.e. how do you substitute MS Office apps or Google Workspace)
Thanks!