Click here to see a range of techniques and tools that can help protect you from the dangerous privacy violations of data retention

"There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You had to live-did live, from habit that became instinct-in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized." - George Orwell, 1984

The German data retention regime, while it was implemented, had a negative impact upon people accessing online resources due to privacy concerns. Research institute Forsa found that one in two Germans would refrain from seeking help from professionals such as marriage and drug abuse counsellors and psychotherapists by telephone, mobile phone or email because of privacy concerns. One in thirteen people had already refrained from using telecommunications at least once due to data retention, which put the number at an estimated 6.5 million people 6 . The negative impact on the health and wellbeing of citizens caused by the lack of privacy should be reason alone to reject the data retention proposal.

People under constant surveillance stop behaving like free people; to the detriment of society. Data retention plans similar to the proposed regime in the terms of reference have been enacted in Europe under the Budapest Convention on Cybercrime 4 to widespread opposition, with legislation being rejected by Sweden and overturned in Germany, Romania and the Czech Republic as unconstitutional. In the German case the Judges determined that blanket surveillance could "cause a diffusely threatening feeling of being under observation that can diminish an unprejudiced perception of one's basic rights in many areas," as stated by the President of the Court, Hans-Jürgen Papier. They considered that "such retention represents an especially grave intrusion" into citizens' privacy 5 .

This page contains an overview of what this is and what it means to you (also, there are some handy videos to watch and share as well).

This creates a mass surveillance regime that will target all Australians at a time when other countries have abandoned this approach, more info and Australians will likely pay for this increased surveillance through taxes and additional phone and Internet charges. This is despite overwhelming evidence that mandatory data retention schemes do not work to reduce serious crime and are a substantial assault on privacy.

This data retention scheme takes effect on October 13, 2015. See here: "Data regime will see us funding our own surveillance", Leanne O'Donnell, 08/10/2015 for a good recent overview of the scheme.

The Australian Federal Parliament voted to give law enforcement and intelligence agencies access to an unprecedented amount of information on all Australians . The Coalition Government and Australian Labor Party goose-stepped together to pass legislation requiring telecommunications service providers to store enormous amounts of personal data of every Australian for a minimum of two years under the mandatory data retention scheme.

What You Can Do The new impending Data Retention regime in Australia puts you and your family's privacy at risk. To assist in preventing your personal information from falling into the wrong hands you should take action to protect yourself now. What follow is a simple guide to some sample technologies that can help protect your privacy. For more in depth information on protecting your privacy that goes beyond this guide, a good starting point is the EFF's "Surveillance Self Defence" site. In fact, many of the links below in regard to specific items will send you there. Please note that this guide is intended for average everyday citizens desiring to take some action to protect their metadata from the ubiquitous mass surveillance of the new Australian data retention regime. If you are a journalist, a dissident, a whistleblower or political activist, or have some other higher order threat model, then you should seek further more specific technical & professional advice than this guide. But for an easily digestible overview of a range of options to minimise your risk from the incoming Australian Data Retention regime, see below.

How to protect yourself and your family from Data Retention

Web Browsing/Internet

Whether you are using your desktop computer, or a mobile device, you should protect your actions from indiscriminate surveillance. Despite claims that data retention does not intend to collect and store your browsing history, any interaction online that is not encrypted will leak private data about you, your activities and connections. The below options will go some way to protect your actions from some aspects of casual surveillance if set up correctly. Important: How careful you are and what tools you choose to use will depend on decisions you make about your "Threat Model"

VPNs

What is a VPN? VPN stands for Virtual Private Network. VPNs work by creating an encrypted tunnel between your computer and another server. Your ISP cannot read the traffic in this tunnel; they can only see that you are connected to the server and sending/receiving (encrypted) data. VPNs are widely used in business: they allow people working from home to connect to their office network securely, which is vital for people working with sensitive information. VPNs will also allow you to bypass website blocking from the government's new anti-piracy regime, including any sites that could be accidentally blocked due to collatoral damage. VPNs can also be used to bypass geo-blocking restrictions. What does this mean? Have you ever been watching YouTube and seen that "This video is not available in your country" message? That's geo-blocking. If your IP address showed you as coming from country where that video was allowed to be seen, you could watch that video, but for various licensing reasons you cannot. Aside from privacy benefits, getting around geo-blocking to access services that aren't available in Australia had traditionally been one of the key uses for VPNs! (and doing so is not illegal) More info: https://www.choice.com.au/electronics-and-technology/internet/internet-privacy-and-safety/articles/bypass-geo-blocking http://www.zdnet.com/article/competition-review-supports-tackling-australia-tax/



For a more comprehensive censorship bypassing guide see here: http://en.flossmanuals.net/bypassing-censorship/ Using a VPN is legal.



Using a VPN The easiest way to use a VPN is to purchase a service from a VPN provider. The provider will manage the server and will usually provide you with software and simple instructions on configuring your connection. Remember that a VPN provider outside of Australia would not be subject to Australian data retention requirements, but may still keep logs of your Internet use. While a little dated, this article may also be of help in further securing your VPN connection: http://torrentfreak.com/how-to-make-vpns-even-more-secure-120419/ For discussions on VPNs and some tools to help test and use your VPN you may wish to try looking here: http://www.reddit.com/r/vpn



Choosing a VPN Torrentfreak has provided a list of (self-proclaimed) anonymous VPN providers in this article here. Crikey has a Aussie data retention specific guide to choosing a VPN here: http://www.crikey.com.au/2015/03/24/keen-to-evade-data-retention-heres-how-to-choose-a-vpn/ See also the EFF's SSD guide: Choosing the VPN That's Right for You: https://ssd.eff.org/en/module/choosing-vpn-thats-right-you The above /r/vpn subreddit link may also be of use in choosing a VPN provider.



Downsides & caveats to a VPN You will need to pay monthly fees (although often not very high). It can be slower - your traffic is routed through a server outside of Australia. Content unmetered by your ISP will count towards your monthly quota. Your traffic is only protected until it reaches the server. Instead of trusting your ISP, you are trusting the VPN provider: a disreputable provider could still log and monitor your traffic. It only protects data in transit: if your computer is compromised (e.g. by a virus or snooping software), your data will still be vulnerable. Loss of localised experience: some websites such as Google serve up different content based on your location. When your VPN is located outside of Australia, many websites may behave differently. For example, if using a German VPN connection, a website may give you its German language version. Note: protecting yourself from the Australian data retention regime is not the same as protecting yourself from NSA programs. What does this mean? There are a range of NSA programs such as PRISM which collect data from various social media and internet services. This can mean that once you log into a website like Facebook or Google, you could be traceable back to your point of origin utilizing the NSA's PRISM system and other voluntary agreements with the US and other Governments, due to the secretive nature of the systems and the revelations via whistleblower leaks, it would be prudent to assume this data accessible by Australian Authorities. Your level of caution or paranoia on this issue should relate to your threat model. For an average user, this could be an acceptable risk. For a dissident, activist or whistleblower you may wish to exercise more caution. Such as ensuring you never log into one of these services while using your VPN. (Note: if your actions are high risk enough that your freedom or life depends on your anonymity, then you should be using a more complex guide to your security than those available on this page)



See also Threat Modeling VPNs, while very useful and possibly one of the best front-line defences against data retention are not a magic bullet. For example Note that the legislation requires mobile internet providers to log each connection your phone makes, and the location of your device as it makes that connection. On a modern "smart phone", with a VPN turned on, the phone will still make frequent connections (on the order of every few minutes) to check email, push notifications, updates etc. and your location during each of these connections will be logged - there is nothing a VPN can do to protect you from the location-logging data retention issue. In addition, please note that this guide is intended for average everyday citizens desiring to take some action to protect their metadata from the ubiquitous mass surveillance of the new Australian data retention regime. If you are a journalist, a dissident, a whistleblower or political activist, or have some other higher order threat model then you should seek further, more specific and more technical & professional advice than this guide. VPNs will likely not protect you from a concerted attack or targeted efforts against you specifically.



Creating your own VPN Unless you are an expert user and know exactly what you are doing, we would not recommend creating your own VPN. Personally created VPNs may very well suit some people's use cases, with these people being happy to make some compromises: Keep the server and all its software updated, and if necessary spend time recovering from breakages. Generate and keep secure very strong certificates and keys. Know that they're easily identifiable, should someone in their host country be listening. Be comfortable knowing they aren't able to physically secure the server running their VPN. You will however at least know for sure that the VPN company isn't keeping and sharing the logs with the NSA or ASIO, since the 'company' will be you. However this presumes any third party servers you use, or your own systems are secure and not compromised. As unlikely as it is, content companies would love the government to ban the use of VPN service providers. If you insist on trying it, here's a guide: https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-private-secure-free-vpn-on-the-amazon-aws-cloud-in-10-minutes/ - But do so at your own risk, and do your research.





Tor

Tor stands for The Onion Router.

https://www.torproject.org/

Tor uses a wide network of voluntarily participating nodes to distribute your traffic to a number of anonymized exit nodes.

i.e. it Tunnels your browsing through several other nodes.

Makes it harder for someone to monitor your activities.

Is censorship-resistance due to how the protocol works.

Here's a Guide for Installation and usage : https://ssd.eff.org/en/module/how-use-tor-windows

: https://ssd.eff.org/en/module/how-use-tor-windows Warning! There are some things Tor does not do. It: Does not guarantee anonymity. Does not protect you from unencrypted communication tampering at exit nodes. Does not do operational security for you. Tor can be slow. What does this mean? Due to its voluntary nature, whilst it is free and generally reliable it can be slow, frustratingly so, and is not recommended for high volume transmissions like file transfers, peer to peer (torrents) and the like. It is recommended to limit Tor use to web browsing if possible and to stuff you really wish to keep private. Because Tor is relayed through many extra locations and countries to disguise the true source of travel the distance travelled by the data is greater and goes through more 'hops' to get to you. A more detailed explanation is here:

https://www.torproject.org/docs/faq.html.en#WhySlow It's not particularly safe to log in to your regular services with Tor, as the "Exit nodes" are impossible to trust with any of your credentials. Tor is for anonymous browsing, not every-day browsing that you want to keep private.

There are some things Tor does not do. It: Tor is also available for Android mobile devices: It is available for Android tablets and phones ONLY, via the Orbot package available on the Android Market. https://play.google.com/store/apps/details?id=org.torproject.android Tor is NOT available for iOS Tablets and Phones, and any app you see on Apple's App Store claiming to be a Tor client at this stage is most likely a dangerous fake.

Note: please don't use Tor for data intensive activities like torrenting, streaming HD video or large innocuous downloads. Some people rely on Tor for their safety and protection from oppressive regimes and while more Tor users are useful, unnecessary congestion on the network could make things a lot more difficult for people who rely on it.

please don't use Tor for data intensive activities like torrenting, streaming HD video or large innocuous downloads. Some people rely on Tor for their safety and protection from oppressive regimes and while more Tor users are useful, unnecessary congestion on the network could make things a lot more difficult for people who rely on it. Also: Use Tor at your own risk. Using Tor itself is enough reason to flag you for further attention from security agencies and could increase the likelihood they may pay closer attention to your activities by presuming you have 'something to hide'.





Use Tor at your own risk. Using Tor itself is enough reason to flag you for further attention from security agencies and could increase the likelihood they may pay closer attention to your activities by presuming you have 'something to hide'. If you are concerned enough about your privacy to use Tor you may also wish to consider using a specialised privacy protection oriented operating system, for example "Tails". What is Tails? It is a security focused Linux distribution which can be run from a DVD or USB drive. Wikipedia entry: https://en.wikipedia.org/wiki/Tails_%28operating_system%29 Tails website: https://tails.boum.org/



Tor Animation video from

https://blog.torproject.org/blog/releasing-tor-animation





How Tor works diagram from EFF



Beyond the basics: More privacy protection tools

If you are worried about Data Retention, then you may also be concerned about other means by which companies, security agencies, governments and so on can track what you do and build a picture via your online activity. Even if the current definition of what is to be retained under the data retention regime is limited to certain information, there is the likelihood that this definition will expand at a later date. Additionally there is the threat that innocuous activity could inadvertently raise suspicion through false positive identification. This could in turn increase the amount of warrants issued on innocent people, warrants which will then cause the retention of extra content in relation to these people. Thus, average users could be more likely to come under the increased scrutiny of a preservation order so protecting data that is outside the purview of the mandatory data retention regime may be advisable. Keeping these expanded threats in mind, there are some other general tools and practices that you may also wish to start employing as a result of the new data retention regime and a general increase in surveillance of communication activities. (Don't forget there are also the wide ranging NSA programs, copyright violation monitoring, censorship efforts, and criminal activities such as identity theft, in addition to our new domestic data retention regime). This article from the Sydney Morning Herald gives a general overview of why just masking your IP address through a VPN may not be enough to protect you: Will Australia's metadata retention scheme track your digital browser fingerprints?

General Good Online Practice

HTTPS HTTPS Everywhere. A simple browser extension made by the EFF. Will automatically push your browser to the HTTPS URL when a website supports HTTPS. This forces an encrypted connection when connecting to a website that supports such encryption. Guide for Installation and usage : https://www.eff.org/https-everywhere Mobile support is available for this extension only for the Firefox Browser, and only on Android devices.



Ad-blocking Note. This section is under review. Adblock has been sold and there are questions in regard to how much it should be recommended now due to the "acceptable ads" program and other reasons. In the meantime uBlock Origin has been suggested as an alternative:

https://github.com/gorhill/uBlock Chrome Extention Firefox Add-on Adblock or Adblock plus. These are Browser extensions. Despite name similarity, they are separate competing software products. Blocks popup ads, some ad banners and some tracking. Blocking ads and associated items like tracking cookies etc will cut down on the amount of 'metadata' you generate and assist in protecting your privacy. Adblock: https://getadblock.com/ Adblock plus:https://adblockplus.org/



Tracker Blocking

Note: tracker blocking plugins often break the functionality of image galleries, video playback, commenting/discussion systems and social media widgets. You may have to whitelist trusted websites.

Ghostery An add-on for your browser which detects and blocks tracking which a website may be trying to do. Ghostery is proprietary, but cost-free. Available for all major browsers. Privacy Badger A browser extension for the Firefox and Chrome that will block all non-consensual tracking. Privacy Badger is open source, cost-free, a project of eff.org and in Beta. As the Tor Browser is based on Firefox, Privacy Badger will also work with that. Disconnect A browser extension which blocks advertising, analytic and social media requests which are without consent. Disconnect is open source and cost-free. Disconnect also offer additional non-free services, like limited VPN access. Disconnect is available for all major browsers.

Note: tracker blocking plugins often break the functionality of image galleries, video playback, commenting/discussion systems and social media widgets. You may have to whitelist trusted websites.















Email

Encrypted Phone Calls

There are a number of services like Wickr (as used by Malcolm Turnbull recently, he has since moved on to Signal) which provide endpoint to endpoint encryption; or encryption between their servers and all endpoints. These provide an unknowable level of protection and it cannot be guaranteed that there are no backdoor agreements between these services and any governments. One should be especially careful when using a service that does not run on open source or freely auditable code as you are placing trust entirely within the organisation to deliver what they advertise. There have been examples where a company claims to protect your security and privacy have been found wanting when exposed to closer scrutiny. The value of these services is often pinned on your trust of the company in question. The below apps are widely considered the best options at this time (but make your own judgement call).

for Android

Redphone Android mobile app that allows for encrypted voice calls. Uses wi-fi or data connection. Allows you to use your mobile phone number. Made by Open Whisper Systems. Free and open source! Uses end-to-end encryption, forward secrecy. What does this mean? End-to-end encryption (E2EE), which is non-certified or uncertified, is a digital communications paradigm of uninterrupted protection of data traveling between two communicating parties without being intercepted or read by other parties except for the originating party encrypting data to be readable only by the intended recipient, and the receiving party decrypting it, with no involvement in said encryption by third parties. The intention of end-to-end encryption is to prevent intermediaries, such as Internet providers or application service providers, from being able to discover or tamper with the content of communications. End-to-end encryption generally includes protections of both confidentiality and integrity.

http://en.wikipedia.org/wiki/End-to-end_encryption In cryptography, forward secrecy (FS; also known as perfect forward secrecy, or PFS and also key erasure) is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future.

http://en.wikipedia.org/wiki/Forward_secrecy Note : Can only encrypt calls between two RedPhone users (or RedPhone and Signal users). Familiar interface, get from the Play Store. Guide for Installation and usage:

https://ssd.eff.org/en/module/how-use-redphone-android





for Apple iOS

Signal iOS mobile app that allows for encrypted voice calls and texts. Made by the same group as RedPhone (Whisper Systems ) Free and open source! Compatible with RedPhone on Android. Uses wi-fi or data connection. Allows you to use your mobile phone number. Get it from the Apple App Store. Guide for Installation and usage:

https://ssd.eff.org/en/module/how-use-signal-–-private-messenger





Encrypted Text Messaging

for Android

Text Secure Secure Text Messaging app for Android - use your mobile to send encrypted, secure messages to another TextSecure user. Made by the same group as RedPhone and Signal (Whisper Systems ). Uses end-to-end encryption, forward secrecy What does this mean? Can use it as your default texting app. Will store your messages encrypted on your phone. Encrypts where possible. Get it from the Play Store. Guide for Installation and usage:

https://ssd.eff.org/en/module/how-use-textsecure-android





for Apple iOS

Signal Signal 2.0 has recently been released for iOS that now includes TextSecure support. More information: https://whispersystems.org/blog/the-new-signal/ Get it from the Apple App Store. Note that they are phasing out support for encryption for traditional SMS/MMS, so if you use signal to send standard SMS text messages they will not be encrypted. But you can get the same functionality by using Signal to send and receive "TextSecure" messages in encrypted formats.

More info: https://whispersystems.org/blog/goodbye-encrypted-sms/ So please make sure you are aware of which version you are using and what it does and doesn't encrypt.





Other options

The Electronic Frontier Foundation have released a Secure Messaging Scorecard for voice and text messaging apps.

for voice and text messaging apps. Telegram rates well on this scorecard, and is open source, cost free and available on all for all major mobile and desktop operating systems.

rates well on this scorecard, and is open source, cost free and available on all for all major mobile and desktop operating systems. There are also proprietary and for-fee services available, like that offered by Silent Circle.



Encrypted Instant Messaging

for Windows/Linux

Pidgin + OTR Plugin Open source "universal chat client". Can be used with Google Hangouts/XMPP, Yahoo, and apparently Facebook accounts. With OTR you get end-to-end encryption and forward secrecy. What does this mean? Note that OTR is a separate plugin that you need to obtain separately and add to Pidgin. Guide for Installation and usage:

https://ssd.eff.org/en/module/how-use-otr-windows Note : OTR will not provide secure end-to-end encryption if you're the only one using it. Make sure those you talk to also install the plugin.





for Apple OSX

Adium + OTR Plugin Adium is a free and open source instant messaging client for OSX. It is based on the same core as Pidgin but has a shiny Mac interface. OTR is a protocol that will encrypt your conversations. With OTR you end-to-end encryption, forward secrecy. What does this mean? OTR comes built into Adium, you do not have to install it as a separate plugin. Guide for Installation and usage:

https://ssd.eff.org/en/module/how-use-otr-mac Note : OTR will not provide secure end-to-end encryption if you're the only one using it. Make sure those you talk to also use OTR.





for Mobile (Apple iOS/Android)

Chatsecure Open source, XMPP client that supports OTR out of the box. OTR is a protocol that will encrypt your conversations. With OTR you get end-to-end encryption and forward secrecy. What does this mean? Get Chatsecure from Play Store or App Store. Guide for Installation and usage:

https://ssd.eff.org/en/module/how-install-and-use-chatsecure



