A Right2Know Campaign report titled Big Brother Exposed has detailed how activists and community leaders were “monitored and harassed” by South Africa’s intelligence agencies.
In a series of nine case studies, drawing on interviews with 16 people, Right2Know detailed how activists and civil servants were monitored through physical and digital surveillance.
Right2Know asked how the State Security Agency could view some of the activists as threats to national security, and why it is investigating lawful action.
It added that when the police Crime Intelligence department monitors community activists who engage in protest, it is wasting resources which should be spent on stopping organised crime.
Right2Know also listed possible signs that someone is monitoring you:
- A member of Crime Intelligence phones you before a meeting or protest to get information about your organisation and its activities.
- A member of Crime Intelligence attends any meeting where you are present, especially the “Section 4” consultation between the protest organisers and local police/authorities, before a march or protest.
- A member of SAPS takes photos/videos of your protest, writes down slogans, or interviews the convener of the protest.
- Police or authorities have information about your movements or activities, but you don’t know how.
- A member of your organisation or someone in the community is approached in private to spy on the organisation.
- You are contacted at any point by a member of the State Security Agency (SSA).
Secure your communications
The report warns that you should assume your communications are not private, and recommends several smartphone apps to improve communication security.
“Unfortunately there is still unequal access,” said Right2Know. “More secure facilities are available to smartphone users, while feature phones are less secure.”
For Android users, Right2Know recommended TextSecure for encrypted SMS, and Red Phone for encrypted calls. iPhone users can download the Signal Private Messenger app, which will let them communicate with TextSecure and Red Phone users.
For encrypted instant messaging, it recommended Telegram.
Right2Know said these tools alone do not guarantee your security. Someone who is a target for state surveillance should expect these tools to be cracked.
Not all surveillance is targeted, though, and the vast majority of it is ‘bulk collection’, or mass surveillance, said Right2Know.
“Better security makes this practice more difficult and expensive. If enough people adopt better security, mass surveillance becomes impossible.”
The report failed to mention a number of important considerations when recommending these apps, though.
TextSecure, Red Phone, and Signal were developed by Open Whisper Systems. The apps are open source and the company has a good reputation in the online security community.
However, Open Whisper Systems recently announced it had removed support for encrypted SMS and MMS messaging for a variety of reasons, including that they are a “security disaster”.
Instead, TextSecure and Signal offer secure data-based messaging that could be used in place of services such as WhatsApp and Telegram.
Right2Know’s recommendation to use TextSecure and Signal for encrypted SMS is therefore incorrect.
Similarly, the security of Telegram has repeatedly been questioned by the security community. Although it uses standard cryptographic building blocks, its protocol is custom-built and unverified as its source code isn’t open to public scrutiny.
Telegram has said all its code will be released eventually, but the fact remains that its security can’t be verified independently.
Information security expert and chief technology officer at SensePost Dominic White said if his life depended on the secrecy or confidentiality of his communication, or anonymity, he would avoid Telegram.
White went on to list the features you should be looking for in apps that promise secure communications:
- Peer-reviewed, open-source apps that use known and/or trusted encryption schemes – secret or custom-made cryptography has a higher risk of problems.
- Secrecy/Confidentiality – the ability to only let certain parties see your content, and not others.
- Destructibility – the ability to know that content, even encrypted content, is not stored if you don’t want it to be. Future attacks may be used against these messages years from now.
- Anonymity/Deniability – the ability to deny that communications were sent by you.
- Authentication – the ability to authenticate that you are talking to who you intend to talk to (per chat rather than per login to the app).
- Default-secure – the app should default to secure communications, as complex non-default setups won’t end up being used.
- Un-downgradable – it shouldn’t be possible to use the blocking of secure comms as a way of having the app fall over to insecure comms.
- Easy/anonymous registration – you don’t want to send your whole phone book or give your maiden name.
- Usability – all the usual features of a messaging app: fast, push notifications, group chat.
Better secure app recommendations
Taking the above into account, here is a list of recommendations for secure communications.
|Purpose|Recommendation|
|---|---|
|Encrypted SMS/MMS|None. Avoid.|
|Encrypted text messaging|Android: TextSecure|
|Encrypted phone calls|Android: RedPhone|
More advanced set-ups than the above recommendations are possible using the Tor network and apps such as Orbot, and the more technically inclined are encouraged to investigate such options.