How to protect yourself (and your phone) from surveillance

I understand what the person interviewed for this article is suggesting: smartphones are incredibly good at conducting surveillance of where a person is, whom they speak with, etc. But proposing that people do the following (in order) can be problematic:

  1. Leave their phones at home when meeting certain people (such as when journalists are going somewhere to speak with sensitive sources);
  2. Turn off geolocation, Bluetooth, and Wi-Fi;
  3. Disable the ability to receive phone calls by setting the phone to Airplane mode;
  4. Use strong and unique passwords;
  5. And carefully evaluate whether or not to use fingerprint unlocks.

Number 1 is something that investigative journalists already do today when they believe that a high level of source confidentiality is required. I know this from working with, and speaking to, journalists over the past many years. The problem is when those journalists are doing ‘routine’ things that they do not regard as particularly sensitive: how, exactly, is a journalist (or any other member of society) to know what a government agency has come to regard as sensitive or suspicious? And how can a reporter – who is often running several stories simultaneously, and perhaps needs to be near their phone for other kinds of stories they’re working on – just choose to abandon their phone elsewhere on a regular basis?

Number 2 makes some sense, especially if you: a) aren’t going to be using any services (e.g. maps to get to where you’re going); b) don’t have attached devices (e.g. Bluetooth headphones, fitness trackers); c) don’t need quick geolocation services. But a lot of the population does need those different kinds of services, and thus leaving those connectivity modes ‘on’ makes a lot of sense.

Number 3 makes sense as long as you don’t want to receive any phone calls. So, if you’re a journalist, that’s great so long as you never, ever, expect someone to just contact you with a tip (or you’re comfortable with that tip going to another journalist if your phone isn’t available). While a lot of calls are scheduled calls, that certainly isn’t always the case.

Number 4 is a generally good idea. I can’t think of any issues with it, though I think that a password manager is a great idea if you’re going to have a lot of strong and unique passwords. And preferably a manager that isn’t tied to any particular operating system so you can move between different phone and computer manufacturers.

Number 5 is…complicated. Fingerprint readers facilitate the use of strong passwords but can also be used to unlock a device if your finger is pressed to it. And if you add multiple people to the phone’s list of who can decrypt the device, then you’re dealing with additional (in)security vectors. But for most people the concern is that their phone is stolen, or accessed by someone with physical access to the device. And against those threat models a fingerprint reader with a longer password is a good idea.