Planning a trip to Russia? As you’re probably aware, the government in Moscow is doing everything it can to make it easier for law enforcement agencies to read your private messages. At recent protests in the capital, moreover, police have even confiscated demonstrators’ phones and tried to unlock them. Given the present situation in Russia, Meduza recommends a few simple steps to protect yourself against the prying eyes of state officials and ne'er-do-wells. These measures won’t guard you against sophisticated hackers, but follow this advice and you’ll no longer be an easy target.

Always access the Internet through a VPN, whether on your phone or computer

Yes, we’re throwing a highly technical initialism at you, right off the bat, but don’t let “VPN” alarm you. Using virtual private networks is easy as pie: you just download an app, log in, and the rest happens automatically. VPNs create a kind of layer between your device and the Internet, securing the connection by making it almost impossible to intercept your Web traffic.

It’s risky to use free VPN services, however, because these companies might sell your personal data, which is why Meduza recommends buying a subscription. Always choose a service that promises not to share your data, and submits to independent audits. Two services you might consider are ExpressVPN and NordVPN.

Almost every VPN provider uses the OpenVPN protocol in their apps. Roskomnadzor (Russia’s federal censor) recently threatened to take action if the company that developed OpenVPN doesn’t start blocking access to online resources blacklisted in Russia. Officials haven’t clarified if they intend to block all networks using the protocol, or just the company’s subsidiary VPN provider. One alternative to OpenVPN now in development is a new protocol called WireGuard, which could offer faster speeds and better reliability. For now, however, WireGuard comes with some noteworthy drawbacks, including privacy concerns. The VPN “Perfect Piracy” warns that this protocol is currently “not usable without logs,” meaning that it has to register every active device its customers are using and assign static IP addresses on its VPN servers. But some companies are already developing solutions to enhance this new protocol’s privacy.

Bear in mind that your IP address can still “leak,” even with a VPN activated, due to an improperly configured domain name system (DNS) or Web Real-Time Communication (WebRTC) enabled in your Internet browser (which allows audio and video communication to work inside Web pages through peer-to-peer communication). You can usually use your VPN provider’s website to check if you’re “leaking,” or use a free third-party service.

Abandon biometrics all ye who enter here

If you’re using an Android device, disable unlocking by fingerprint, facial recognition, and retinal scan. On iOS, turn off Touch ID and Face ID. If you leave these functions active, and your phone ends up in someone else’s hands, they could unlock it against your will by shoving it in your face or holding it up to your fingertips.

A personal identification number or alphanumeric passcode is safer under these conditions, especially if you set your phone to wipe itself after a certain number of invalid entries. On iOS devices, by default, you cannot repeatedly enter PIN codes for an extended period of time.

Use strong passwords. Use different passwords! And you don’t need to remember them!

Forget your favorite password. You know the one we’re talking about. It’s the same one you’ve got on your computer, your email account, your Facebook account, and everywhere else. You need to get a password manager, for example: 1Password, KeePassXC, or Firefox Lockwise. With these services, you’ll only need to remember one (albeit long) password, and the passwords for all your other accounts will be different. If somebody cracks your Facebook password, for example, they won’t automatically get access to your email.

It’s hard to choose a reliable password that’s based on anything recognizable. Ideally, your password will use both letters and numbers — and better yet a few “special characters,” like commas or different symbols you find on your keyboard, after hitting the Shift Bar.

Enable two-factor authentication wherever possible

This is your second line of defense. Two-factor authentication relies on your password and your device. Even if hackers are able to crack your email password, for example, they won’t be able to open your account without access to your device. This makes hacking enormously more difficult.

The best way to use two-factor authentication is to install a special app on your device that auto-generates one-time, time-based passwords that change twice every minute. Two popular options here are Google Authenticator and 1PassWord.

Authentication apps will usually ask you to photograph a QR-code from your computer screen or manually enter a long sequence of characters. The app saves this code and uses it to auto-generate the changing passcodes.

Do not use text messaging for two-factor authentication

If you’re traveling abroad in Russia, will you will likely need to install a local SIM card (making text messages sent to your usual phone number inaccessible). Intercepting text messages is a well known and popular means of hacking online accounts, and there’s evidence to suggest this tactic was used in May 2016 to break into Russian activists’ Telegram accounts.

Enable two-factor authentication on all the following basic services popular with Russians:

Google

Facebook

VKontakte

Instagram

Telegram

Apple (iCloud)

Twitter

Yandex

Dropbox



Don’t text or make any regular phone calls

That thing in your hand isn’t a telephone: it’s a high-powered Internet-enabled device. Instead of sending your messages and voice over the easily intercepted airwaves, limit all these communications to apps with end-to-end encryption, like Signal, WhatsApp, and . You can use these messengers to make voice calls, as well. If you use services that are not end-to-end encrypted, you're exposing yourself to snooping. Tech companies in Russia are legally required by the government to store recordings of all your correspondence, which is then accessible to law enforcement. Local telecoms will still archive copies of your encrypted communications, but they will be unable to decrypt this data. You should avoid any correspondence over Russian social networks (like VKontakte and Odnoklassniki), because these companies are notorious for sharing people’s private data with the authorities, frequently resulting in police investigations against ordinary Internet users.

Learn how to spot when somebody is eavesdropping on your messages and calls

It’s pretty simple to spot so-called “man-in-the-middle” attacks. To be sure that no third parties are peeping in, you and the person on the other end of a call or message just need to verify the “fingerprint” assigned to your communication thread. In WhatsApp, there is an optional verification process where each chat’s security code is displayed as a QR code or 60-digit number. “These codes are unique to each chat and can be compared between people in each chat to verify that the messages you send to the chat are end-to-end encrypted,” WhatsApp explains. Telegram, for example, also offers numerical codes and “identicons” (visualizations of encryption keys) to verify that secret chats are “200 percent secure.” Telegram calls also display special four-emoji chains on a device’s screen, which you can describe to whomever is calling you, to confirm that no one is eavesdropping.

This is what Telegram’s emoji sequences look like when receiving an audio call. In the calls between these two accounts, the four emojis displayed in the screens’ top right match, meaning that no one is listening in.

Enable file-system encryption

File-system data is usually enabled by default on devices running either iOS or Android, but Android-users should double-check. You can usually find this option in your security settings, listed as “encrypt device” and “encrypt external SD card.” (The encryption process can take an hour or more, and you’ll want a fully powered device, because this is going to drain your battery. When it’s done, the device will reboot and ask for your passcode.)

If you don’t encrypt your device’s file data, even end-to-end encryption won’t protect your communication records, if your hardware falls into the wrong hands.

You can encrypt the files on your computer, too. If you’re running the Professional, Enterprise, or Education editions of Windows 10, you can enable either “Device Encryption” or “Bitlocker” by following these instructions. Windows 10 Home doesn’t support Bitlocker, but “Device Encryption” is available for these users, if their computers meet certain hardware requirements. On Macs, the file-encryption feature is called FileVault, and you can find setup instructions here.

Disable lock-screen message notifications

This safeguards not only your messages’ privacy, but also your bank account’s inviolability. If you’re using text messages for two-factor authentication, for example, extremely sensitive information (like login names and temporary passwords) could be displayed in lock-screen notifications.

For the same reason, it’s important to set a PIN code for your SIM card, otherwise third parties can steal your phone, insert your SIM card into their device, and begin sending and receiving text messages from your phone number.

Also, you’ll want to disable Siri from reading your text messages aloud.

Install every update

As far as habits go, this is a good one. The main reason to update your software is to patch the vulnerabilities that hackers are constantly discovering. As a bonus, you’ll often get new features and improved service. Theoretically, you could be hacked by installing an update, if you unknowingly download malware, but you needn’t lose any sleep over this slim risk.

Learn to spot when your contacts are behaving strangely

Maybe you get a message in the morning from your night-owl friend. Or someone you always communicate with through Facebook is now messaging you on WhatsApp. Perhaps you never discuss business over email with someone, and now they’re suddenly asking you to download and read some document. Behavior like this could indicate that hackers are posing as contacts and trying to gain access to your data.

Teach your contacts everything that you’ve read here

Your messages are only as safe as the weakest device where they’re stored. If you’re talking to somebody in Russia, remember that you’re sending your data to their device, which needs all the same safeguards we’ve described above.

For your basic data security

Disable the ability to unlock your phone by fingerprint (Touch ID) or facial recognition (Face ID)

Get a password manager

Enable two-factor authentication on all basic services

Buy access to a VPN service

Enable file-system encryption

Apple (iCloud)

Disable messages on your lock screen



Text by Denis Dmitriev Translation by Kevin Rothrock