Cyber

survival
kit
 citizens
under
surveillance
In July 2018, FIDH, together with Cairo Institute (CIHRS),
the Human Rights League (LDH) and the Arms Transfers
Observatory (OBSARM), published an explosive report
on the sale of weapons and surveillance technologies by
France to Egypt. 

In all likelihood, this equipment was used by Egyptian

President Abdel Fattah al-Sisi’s regime to arrest, prosecute,
and repress political opponents, human rights defenders,
journalists, and writers.

Somewhat earlier, in January 2018, FIDH published another

report, through the Observatory for the Protection of Human
Rights Defenders, on the dire situation of women defenders in
Saudi Arabia. The report focused on the systematic tracking
by Saudi authorities of the positions taken by these brave
women on social networks.

It has become clear that digital activity exposes the defenders

in our Federation—as it exposes everyone throughout the
world—to real dangers and violations of their rights. While
awareness of this fact is now widespread, one question
remains unanswered: How do you protect yourself from such
insidious, yet discreet, intrusions? The purpose of this guide is
to provide information that can help answer this question.

The first step is to understand the dangers. However, this

guide goes further and also offers specific tools to protect
oneself online.  

There is no infallible and ultimate solution to shield our private

lives from invasion in cyberspace or to counter globalised
sales of our personal data. Nevertheless, we can collectively
heighten our level of vigilance. The target audience for this
guide is human rights defenders, but all citizens can also
benefit from the information provided. We all have a role in
ensuring our own digital security: Watch Out!

Here you will find links to all ressources mentioned in this

guide: bit.ly/cyber-survival-kit
1
Protecting
one’s
privacy

We are all affected!
Mohamed Ramadan is an Egyptian lawyer, specializing in
the protection of human rights.  you share them by publishing content
On 10 December 2018, as he was stepping off a bus and
returning home, he was arrested by three plainclothes of-
ficers from Egypt’s national security agency.  The reason
for his arrest? Mohamed had shared a photo of himself on
Facebook sporting a yellow vest and explained how to ob-
tain one. He now stands accused of having «joined a ter-
rorist group and promoting its ideas.» Indeed, the sale of
yellow vests, the symbol of a wave of protests in France,
has been prohibited in Egypt.  from its intended use. Because
His family and his lawyers did not learn his whereabouts
until his first hearing the following day on charges inclu-
ding “belonging to a banned group”, "spreading false in-
formation through social networks”, and ”inciting social
unrest”.
What does
that mean?
Protecting one’s privacy means
becoming aware that all your digital
actions leave a trace that can be
retrieved by others. There is no need
to hack your computer to access vast
amounts of information related to
your private life. Most personal data
are made public by users themselves:
on social networks or you offer
them free of charge by accepting
the General Conditions of Use of a
service or application. Collecting
personal data is such a common
practice that it has given rise to an
industry. Such data collection can
become very intrusive and be diverted
people share photos, Facebook, for
example, holds the largest database
of faces in the world and has
developed the most sophisticated
facial recognition software.
It must also be borne in mind that
information, once shared on the
Internet, is very difficult to erase. Once
you have posted a photo or document
on social networks, for instance, you
can no longer control who copies or
publishes it elsewhere; the information
is henceforth out of your control.
Before sharing information on the
Internet, even when you believe you
are sharing it privately, it is wise to
consider the damage that it could
cause. There have been countless
cases of people being fired for
posting photos on Facebook or of
arbitrary arrests linked to publications
condemned by an authoritarian regime.
What are data and who
has access to them?
Definitions vary from one country
to another, but personal data are
considered to be any information
relating to a physical person who has
been or can be identified, directly
or indirectly, by reference to an
identification number or one or several
elements specific to that person.
More generally, data are anything that
contains a piece of information. That
can be something very concrete: your
name, your address, a photo of you
on vacation, an appointment on your
calendar, people whom you follow on
Instagram, etc. It can also be more
abstract: a Google search, a site that
you have consulted several times, the
device you are using, the Wi-Fi network
through which you are connected, your
geolocation, the different accounts
(identifiers and passwords) memorised
in your browser, etc. All these elements
provide information on you: they
are your personal data, they refer to
you, and you cannot control them.
Without realising it, you are
disseminating that information
at every stage of your digital life,
and different actors retrieve it.
— On your Web browser: It records
your browsing history, the cookies
from sites visited, your downloads,
your searches from the address
bar, and even your location.
— On the sites that you visit: Whether
it be a social network, media site,
or online boutique, the websites
that you have consulted record
your clickstream, the pages viewed,
the number of visits, time spent on
a given page, etc. They also have
access to data in any cookies that
they have put on your computer.
— On your search engine: It records
the search history, but also how
many times and when searches
were conducted, as well as the
results on which you clicked.
— On storage sites and cloud
services: Your information stored in
the cloud is not protected, and the
site or service can keep track of the
people with whom you have shared
content and when you shared it.
— On social networks: They record all
information that you publish, but also
your behavioural data: what content
you like, who your friends are, the
people with whom you interact most
often, what content they like, etc.
— On mobile applications:
By validating the GCU, you agree to
share certain data: location, telephone
identifier, and the account data
(without this always being justified by
the intended use of the application).
Lastly, everything that you
willingly publish online and that
is even remotely linked to your
identity may be viewed by others
without your knowledge.
What are the
risks for your
personal life?
Taken individually, your data do
not necessarily provide a lot of
information about you. Yet when the
different data are collated, others
can deduce many things about you.
One example: For the past month,
your telephone has located you every
Wednesday evening at café A.
You have also made several searches
on political history; you have become
friends on a social network with three
people who have indicated that they
like a given political party.
These same people go to café A at
the same time as you. By compiling
these data, a system can automatically
classify you as a political activist
and anticipate the date of your next
meeting, without requiring any human
action because an algorithm will
have done this cross-referencing.
How to protect
yourself
Your digital survival starts with
awareness of the information that you
are sharing, voluntarily or involuntarily,
through all of your actions on the
Web. Generally speaking, if you do not
use services entailing cryptographic
techniques, such as those that
will be suggested in the following
chapters, you should consider that
any information exchanged on the
Internet could potentially be accessible
by others, including in the private
context of a messaging service.
Nonetheless, you can limit access
to this information and minimise
your traces by taking a certain
number of precautions.
Systematically adjust
your privacy settings
Privacy settings determine the
quantity of information that you make
public (that is, accessible by anyone)
when you use a given service. These
settings vary depending on the social
network or service, and are often
set by default when you register
on a site or application. You must
therefore change them yourself: in
most cases, you can choose to limit
both visibility of your information and
its transmission to others. That will
not prevent the service or the social
network from keeping and using
your personal data itself, but it will
make it possible to limit the degree
to which they are disseminated.
Vary your identifiers,
pseudonyms and passwords
Use of a pseudonym makes you
neither anonymous nor protected. It
can even be dangerous if it is always
the same one, as it becomes possible
to retrace your presence on all the
sites or the services that you use with
this identifier. It is recommended that
you use a different pseudonym, email
address, and password (which can
also be used to track an individual)
on every site where you share
personal or sensitive information.
Monitor and moderate the personal
information published about you
Using tools such as Google Alert that
provide notification when specified
content is published on the Web,
you can track information published
by others about you. If another
person publishes information that
you would like kept private, it is
sometimes possible to contact the
publication and request its deletion
directly on the site. Otherwise,
you can email or send a letter to
the relevant service (in the site’s
“Privacy Policy” or “Legal Notices»
sections). You can also request that
search engines remove a site from
their index, so that it no longer
appears in the results of a search.
Avoid storing your data in the cloud
Avoid storing your personal files in
an online service, especially delete
automatically, as offered by many
services. For instance, when you
save data from your smartphone in
the cloud (with a service like Google
Photos or iCloud), all the data are
transmitted and kept in servers
that you do not control. Even if
these data are not public, they can
be used, analysed (for example,
using facial recognition), or even
hacked by ill-intentioned persons.
Carefully choose the services
and the software that you use
Opt for a search engine that pledges
not to store your data. For example, the
French search engine Qwant does not
save any cookies or information on its
users. DuckDuckGo is a search engine
that does not use any user data and
offers results based on reference sites
such as Wikipedia, Bing, and Yahoo.
Open-source software is software
whose source code is public, which
gives greater assurance that it will not
secretly transmit your data to others.
Regularly erase traces
of your browsing

It is important to empty the cache

of your browser (browsing data kept
on your computer) and cookies
regularly. It is also recommended that
you use a browser respectful of your
data (Brave, Waterfox, Firefox, or Tor
Browser) and avoid the most widely
used browsers such as Google Chrome
and Safari, which keep personal data.
You can also use extensions that
help protect your privacy: on Firefox,
there is uBlock Origin (ad blocker);
Privacy Badger (which identifies
trackers); HTTPS Everywhere (which
guarantees that the sites visited use
the HTTPS protocol, ensuring a secure
connection); NoScript (which blocks
the Java and Flash scripts used by
hackers); Disconnect (which shows and
deletes traces left by browsing), etc.

There are several online resources to help you learn more about managing
the use of your data.

privacy.net/analyzer:
enables you to see all that a Website knows about you

webkay.robinlinus.com :
what your Web browser says about you

adssettings.google.com/authenticated :
what Google knows about your interests

google.com/maps/timeline :
all the locations that Google knows you have visited
2
Browsing
anony-
mously on
the Web

We are all affected!
In August 2016, the Egyptian Internet was disturbed by a
series of anomalies, indicating that the security services
were targeting the network’s infrastructure in order, ac-
cording to technical experts, to install a system capable of
massively intercepting online communication.  compromise all your efforts to remain
Many opposition activists, writers, and LGBTI persons
are under surveillance and constantly being intimidated.
According to the Egyptian Initiative for Personal Rights
(EIPR), the Ministry of the Interior uses a snowball method
to find targets by creating a database with the names and
the identity card numbers of people who contact or visit
individuals previously arrested for “debauchery.”
There is mass surveillance of people’s online activity,
which is immediately linked to their identity, making it
possible to target and categorise them according to their
searches, habits and social relations.
What does
that mean?
It is essential to protect your personal
data on the Internet. However,
occasionally taking precautions to
erase one’s traces on one’s computer
is not enough. Browsing anonymously
means ensuring that you do not leave
any traces while browsing or thereafter.
Browsing anonymously means
ensuring that no outside person can
link your online activity to your identity.
It is an additional means of protecting
your privacy and your freedom.
What are
the risks
of browsing
on the Web?
You must first understand how the Web
works in order to know what you are
protecting yourself from.
When you access a website, your
query passes through different devices
(such as servers) before returning to
your computer with the information
requested. Every time your query
passes through a device, it leaves
pieces of information behind. These
are vulnerabilities that external actors
(hackers, states, etc.) can exploit. The
most common risk is that information
left behind will be used for advertising
purposes, but it may also be
intercepted by a third party and used
for malicious purposes.
By browsing anonymously on the
Internet, you prevent such actors
from linking these data to your
computer and thus to your identity.
Browsing anonymously also enables
you to hide your location and,
therefore, circumvents certain types
of censorship (many states demand
that access providers block certain
sites in their country; for example,
YouTube and Netflix are inaccessible
from China). Browsing anonymously
consists of hiding your data and
making it undecryptable at each stage
in the browsing process. Indeed, a
single breach in the chain suffices to
discreet.
How to browse
anonymously
While there is no perfect solution, here
are the most highly recommended
ones:
Use a VPN
A Virtual Private Network is an
intermediary that enables you
to anonymise and encrypt your
communication. It acts like a private
tunnel, which encrypts your data,
thereby directing your Internet traffic
to transit through a tunnel.
When you make a query from your
browser, all the data are encrypted and compromised or under surveillance, it
sent to a VPN server. The VPN server is possible to intercept data and trace
decrypts these data, makes the query it back to the Web user (for instance,
for you from the website, and then for a government agency).
sends you the data encrypted. That
way, if your data are intercepted, they The Tor Browser is available on the USB
are impossible to read. key provided with this kit or can be
downloaded at the following address:
This solution does have its limits: https://www.torproject.org/download/
VPNs are private services. While your
data are inaccessible to third parties,
they are accessible to the company
providing the VPN. So, you have to
know whom you can trust.

Use Tor

Tor (an acronym for “The Onion

Router”) is a global network of routers.
A user’s connection is relayed through
a worldwide network of thousands
of computers called relay nodes.
Connections between these relays are
encrypted and thus it becomes very
difficult to identify the Web user who
launched the initial query.

The Tor network is thus a way of

making you anonymous by “losing”
those attempting to track you. There
are several ways of connecting to it,
but they are not always user-friendly
for neophytes. The simplest is the To go even further:
Tor Browser. It is a browser, like
the one that you use to surf online Tails is an operating system that enables you to use your computer (such as
(Safari, Internet Explorer, Firefox, Windows, Mac OS or Linux). What sets Tails’ software apart is that it can be
Brave, Waterfox, etc.), except that launched on your computer from a USB key. Once started up, it is as though you
it automatically goes through the were using a machine inside your machine. Tails is a secure operating system
secured Tor network. because it does not leave any trace on your computer. Once you turn it off,
everything that has happened in your computer disappears. What’s more, all
Nonetheless, Tor also has its limits. First Internet connections automatically go through the Tor network.
of all, queries pass through a multitude
of relays and your connection may
become very slow, thus limiting
capacity with respect to watching Beware: In some countries, simply owning these tools or software may be
videos and downloading heavy files. grounds for arrest. Look into the security context in your country or in countries
Moreover, if one or several relays are where you travel before installing and using them.
3 
Creating
and
managing
secured
passwords

What does
that mean?
Today, passwords are needed to
access most online services used on
a daily basis. It is thus essential to
use strong passwords and manage
them carefully to protect your data
and your communication. There are
many hacking methods, more or
less sophisticated, that identify your
password and access services you use,
as well as your personal information.
We are all affected!
In recent years, many prominent activists in Egypt have
been targets of phishing attacks seeking to access their
email messages and remotely control their computers
by retrieving their passwords through malicious links
What are
and then intercepting codes sent by SMS to their mobile
phones. In March-April 2016, this hacking strategy was
the risks to
used to target well-known journalist and blogger Wael Ab-
my passwords?
bas, graphic artist and activist Mohamed Gaber, as well as
lawyer and journalist Nora Younis.
To be able to protect yourself, you must
be aware of the risks and the different
techniques that make it possible to
retrieve a password.
Brute force attack  real address of the sender in order to
A brute force attack is a widespread
method that consists of trying all
possible combinations of characters
until the right password is found.
Such attacks are carried out by
computers with the capacity to test
from a few thousand to several million
combinations per second.
Phishing
Phishing is a fraudulent practice meant
to lure Web users into communicating
their personal or professional data
(account information, password, etc)
by pretending to be a trusted third
party. It could be a fake message,
email address, SMS or telephone call
claiming to be from a bank, social
network, telephone operator, energy
provider, e-commerce site, public
service, etc.
— How does it work?
In your inbox, you receive an email
from a sender, who is pretending to
be a trusted entity, urging you to read
a message by clicking on a link. This
link leads you to a site that imitates the
official site of that entity. This phishing
site asks you to enter your user name
and password on a login page, which
resembles the login page of the official
site. 
— How to avoid phishing traps? 
1 • Never communicate sensitive
information through instant messaging
or telephone.
2 • Before clicking on a dubious link,
position the cursor of your mouse on
the link (without clicking) to show the
check its credibility.
3 • Check the address of the site that
appears in your browser. If it does not
match perfectly the site concerned,
then it is most definitely a fake site.
At times, only one character in the
site’s address has been altered to
more easily fool the victim. Check
also that the site’s address begins not
with “http”, but with “https”, which
is a secured protocol that offers
a certain level of protection from
hacking. If you have the slightest
doubt, do not provide any information
and immediately close the page in
question.
4 • Opt for your usual method of
accessing the site (through your
favourites, a search engine, or by
typing the address of the site directly
into your browser) rather than clicking
on the link received by email.
Installing a keylogger
The keylogger method consists of
installing spyware on your computer
unbeknownst to you. It records
your keystrokes and sends them to
a malicious third party. This type of
programme can make it possible
to steal your identifier and your
password. Installing appropriate anti-
virus software may sometimes enable
you to detect this type of malware
and block it when the software
includes a firewall. An alternative
method consists of manually
monitoring the activity of the network
using software such as GlassWire on
Windows or Little Snitch on Mac that
makes it possible to identify spyware
when it sends data.
How to protect
your passwords
To prevent this type of attack
and protect your information and
communication, it is essential to create
robust and safe passwords, that is,
ones that are difficult to unpuzzle with
the help of automated tools and to
guess by a third party.
The best practices to adopt when
creating and managing your
passwords:  you have to do is remember a combination of a symbol and a
1 • Use a unique password for every
service. That way, if one of your
passwords is stolen, only that service
will be vulnerable.
2 • The most important password is
the one for your email. Indeed, it often
enables you to reset the password of
the different services that you use.
3 • Create complex passwords.
It is advisable to create a password
containing at least 12 characters,
mixing uppercase and lowercase
letters, numbers, and special
characters. Avoid creating passwords
that use personal information,
which is easy to find, such as your
children’s names or birth dates. Also
avoid simple logical sequences like
1234567, azerty and abcdef that are
among the most common and the first
combinations tried in the case of brute
force attacks.  personal messaging: if it is hacked, all
4 • Never give your passwords to other
people. A password must remain
secret.  A manager will enable you to centralise
3 methods to help you
— The first letter method
Example: Save money for traveling with my parents to
Germany: SM4twmp2G
— A password card
This type of card (randomly generated on passwordcard.org)
has a unique grid of random letters and digits on it. The rows
have different colors, and the columns different symbols. All
color, and then read the letters and digits from there.
— A password manager
A software that generate complex, unguessable passwords
for your accounts, storing them all in an encrypted vault, and
filling out login forms for you automatically. All you need to
remember one secure master password (best is to make it a
passphrase) to unlock all your services.
5 • Do not store passwords in a file on a accessible by using a single master
single computer or on a piece of paper password. This solution thus allows
that is easily accessible; you to opt for the longest and most
complex passwords for all of your
6 • Never send your own passwords by online services and applications,
without having to remember them
your passwords will be compromised. individually. You will enhance security
of each of your accounts. That
7 • Use a password manager. nevertheless means entrusting all of
your passwords to another person in
all your codes in one database whom you have the utmost confidence.
Which password
manager should
you choose? 
Keepass is the open source password
management software of reference.
This software is free and enables you to
store passwords safely. You can keep
this tool on your desktop or integrate
it into your Web browser. This software
also provides a feature that generates
complex and random passwords. 
It is available on the USB key in this kit
or can be downloaded at the following
address: https://keepass.info/

For more information:

Install Keepass step by step: securityinabox.org/fr/guide/keepass

Factsheet on passwords at les-infostrateges.com

Do you really know how to recognise phishing?

Do the online test: phishingquiz.withgoogle.com

Has your information been compromised by a public breach?

Do the test with your email address at haveibeenpwned.com
4 
Protecting
your files
on your
computer

What does
that mean?
It is essential to secure your online
data. Yet, even if you keep all your
important files on your computer, there
is no 100% guarantee that you are safe
because it is connected to the Internet
and therefore vulnerable.
What are
the risks?
There are many types of attacks
that retrieve data from computers.
The most common attacks involve
malware whose purpose consists of
accessing devices (computers, tablets,
smartphones, or connected objects)
and altering or retrieving files and
personal data found on the devices.
There are many types of programmes
that can access your device and its
contents:
1 • Viruses: A computer virus
reproduces from one file to the next on
one computer. That is the oldest and
most widespread type of malware.
2 • Worms: A computer worm does
not reproduce from one file to the next
but from one computer to another via a
local network or Internet network.
3 • Spyware: Spyware is installed
on a computer or mobile device in
order to collect and transfer personal
information, unbeknownst to the user.
4 • Trojan horses: A Trojan Horse,
or trojan, is an invisible programme
hidden within an application that
appears legitimate. The programme
contained therein (or automatically
downloaded subsequently) can include
any type of parasite: virus, keylogger,
spyware...
5 • Keyloggers: Already mentioned in
the previous chapter, a keylogger is a
programme that records all keystrokes
on the infected computer and sends
them to a hacker. Often, its goal is to
intercept identifiers and passwords.
How to protect
your files
The only effective way to provide
digital protection for your data is to
encrypt them. 
Encrypting data means depositing
them into a locked and secured safe.
Only those who have the combination
(an encrypting key or a passphrase)
can access the content. Encryption
consists of transforming data that
can be read by anyone (called “clear”)
into data that can only be read by
its creator and its addressee (called
“encrypted” or a cryptogram).
It is advisable to encrypt all your data
rather than just a few folders. If you
have some particularly confidential
files, it is also recommended that you
put them into a separate encrypted file.
Some history...
Encryption dates back to the Babylonian civilisation
approximately 300 years before the Common Era. Several
encryption methods have existed [Atbash used by Hebrew
people (-500), the scytale in Sparta (-400), the Polybius square
(-125)], and the most famous in history is the Caesar Cipher.
Caesar did not trust his messengers when he had to send
messages to his generals. He therefore decided to replace
the letter A in his messages with the letter D, and B with E, and
so on and so forth. That method is referred to as the «simple
substitution cipher.» 
Example :
Clear alphabet:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Scrambled alphabet:
DEFGHIJKLMNOPQRSTUVWXYZABC
Cleartext: Errare humanum est, perseverare diabolicum
Encrypted text: Huuduh kxpdqxp hvw, shuvhyhuduh
glderolfxp
NB: this primitive method of encryption is obsolete and no
longer allows us to secure data communication.
Most smartphones or recent and activate it when you define a code.
computers now offer encryption of the
entire disk as an option: For computers:
— Android offers encryption of — Apple proposes a built-in disk
the entire hard drive during initial encryption feature for the entire hard
configuration of your telephone drive on Mac OS called FileVault in
for recent devices, or at any time “System preferences.”
subsequently in settings for “Security”
of all devices. — The Linux versions usually offer
encryption of the entire hard drive
— Apple devices such as the iPhone or during initial configuration of your
the iPad speak of “protection of data” system.
— Windows Vista and later versions
offer an encryption feature for the
entire hard drive called BitLocker.

There also exist specialised software

tools to encrypt your data.

VeraCrypt

VeraCrypt is a multiplatform freeware

(Windows, Mac, and Linux) that allows
you to encrypt your data, and those
of your hard drives or USB keys. It is
an enhanced version of the project
TrueCrypt. It is a tool that functions like
an electronic safe, in which you can
keep your files secure.

Veracrypt protects your files by

encoding them with the help of a
passphrase. It creates a secure space
on your computer or your external
storage device. However, if you forget
your secret passphrase, you lose
access to your data. There is no way
to recover a lost passphrase. Also bear
in mind that the use of encryption is
illegal in certain jurisdictions.

It is also recommended that you

regularly update software that is on
your computer, tablet, or smartphone,
because updates include security
patches. Updating software is crucial
if you want to protect your data from
attacks. 
5 
Securing
your emails

We are all affected!
Antonio Capalandanda is a human rights defender and
journalist on the website Voz da América (Voice of Ameri-
ca) in Angola. He regularly investigates political violence,
human rights violations, and corruption.  that your email is like a postcard sent
In early January 2013, António Capalandanda was fol-
lowed several times by unidentified men in a vehicle who
parked near his residence and followed him as soon as he
would leave home to go to work. During the same period
his electronic mail was hacked and consulted by unknown
persons, according to his email service provider. All the
personal information contained in his email was com-
promised. He and his family were harassed and received
death threats.
What are
the risks linked
to email?
Email has become the means of
communicating and sending files
that is used by most companies
and individuals. Moreover, email
addresses are used as the identifier
for the creation of many accounts
(social networks, online services, bank
accounts) and are often the target of
attacks. What you must know is that
your emails are by default written in
cleartext, i.e. unencrypted. That means
by regular mail: if someone intercepts
it, that person will be able to read
the text that you have written. That
makes surveillance very easy. You
do not have to be directly targeted;
if your interlocutor is targeted, your
information is also compromised.
The primary cause of email account
hacking is human error. More often
than not, you yourself give access to
your email account by revealing your
password to a hacker pretending to be
a trusted interlocutor (this is phishing,
as explained in Chapter 3). Be sure to
use a protected password and to avoid
phishing traps by checking the identity
of the sender.
Similarly, an attack may consist of
fooling you as to the identity of your
real interlocutor. An ill-intentioned
person can easily change the display
of their name as sender or create
an address that closely resembles
the regular email address of your
interlocutor. In case of doubt, click on
the sender’s name and check that the
email address that appears matches
the address with which you are
familiar. Before sending any sensitive
information, verify by other means
of communication (for example, the
telephone or another messaging tool)
that you are exchanging with the right
interlocutor.
Lastly, in the case of espionage or
cyber surveillance by a state, your
emails can be intercepted at all
stages in the chain of transmission:
between your email service and the
server, on the server itself, between
servers, and between the server and
the email service of your addressee.
It then becomes difficult to secure
your emails, and impossible to know
whether others can read them.
How can
you protect
yourself?
With so many vulnerable spots,
it is almost impossible to prevent
interception of your emails: you
can secure the connection between
your machine and the email server,
but if your interlocutor has not done
likewise, your communication can be
intercepted and read.
While it is virtually impossible to
prevent interception of messages,
one solution is to prevent them from
being read by encrypting your email
messages. Just as for encryption
of a file, it’s a matter of making the
text completely illegible by all other
persons except those with the requisite
key to decrypt them. However, if one
of the interlocutors does not use a
solution for email encryption, either
the email message will be illegible
(because it will have been encrypted
without the interlocutor being able
to decrypt it), or it will be sent as
cleartext (unencrypted). You can take
all precautions possible on your side,
but if your interlocutor does not do
the same, your communication is
vulnerable. Protecting your emails
requires perfect security at all stages
of transmission, by all interlocutors.
Thus, if securing an email sent to one
person is complex, securing email
sent to 20 people is nearly impossible.
That is why we do not recommend
communication by email, despite its
popularity. As much as possible, opt for
secured instant messaging tools whose
communication is encrypted by default
for all users.
Nonetheless, there are several
software programmes that enable
you to encrypt your emails. The best
known among them is GPG, an open-
source software programme based
on OpenPGP, one of the most widely
used encryption methods. However,
this solutions requires technical
knowledge and thus is not easily
accessible for untrained users.
For neophytes, there are email
services with built-in encryption:
if your interlocutor uses the same
service, the email content will be
encrypted and thus illegible to others,
without you having to do anything.
Among existing solutions are two
open-source services provided on
the USB key in this kit: 
— Protonmail
Directly accessible from a browser
(secure if possible), Protonmail allows
you to send encrypted emails to other
users of Protonmail or users of similar
services, as long as you import their
encryption, PGP or symmetrical key
(in this case, it requires a specific
configuration).
— Tutanota
Also accessible from a browser,
this software enables you to send
encrypted emails to other users. You
can also send messages encrypted
end-to-end to users of other electronic
messaging services with symmetrical
encryption as long as you share the
key by other means.
Tutanota does not have the OpenPGP
standard built in, but has the advantage
of also being available on mobile
devices with an iOS or Android
application.
6 
Protect
your instant
conversa-
tions on
mobile
devices

We are all affected!
The human rights NGO Amnesty International reported
that one of its employees, while working on Saudi Arabia,
was targeted by the software Pegasus of the Israeli group
NSO when he was setting up a campaign for the release
of women human rights defenders unfairly imprisoned in
that country. In early June 2018, an Amnesty International
staff member received a suspicious WhatsApp message
written in Arabic. The text contained detailed information
about a supposed demonstration in front of the embassy
of Saudi Arabia in Washington and a link to a Website. The
investigations conducted by Amnesty International com-
puter engineers showed that clicking on this link would
have, as far as they knew, installed a «Pegasus,» which
would have infected the user’s smartphone, monitored his
keystrokes, taken over control of the camera and micro-
phone, and consulted the list of contacts.
A Saudi human rights defender based in London, Yahya
Assiri, director of the NGO ALQST, also received the
same message. He had often been in contact with Jamal
Khashoggi, the Saudi journalist from the Washington Post
who was killed inside the embassy of Saudi Arabia in Istan-
bul in October 2018.
What does
that mean?
Mobile telephones are an integral part
of our daily conversations: calls, SMS/
MMS, and instant messaging. In recent
years, there has been a net increase
in the number of features included in
mobile phones. “Smartphones” have
become portable mini-computers
that are constantly connected to
the Internet and equipped with
sophisticated locating features. Once
your telephone is connected to the
Internet, everything that you do on
it is as vulnerable as it would be on a
computer.
What are
the risks?
Your communication, whether vocal
or written, is almost never secure by
default, and can therefore be easily
intercepted, read, recorded, and
modified. Information that passes
through your instant messaging
applications may compromise not
only your security but also that of the
people listed in your address book or in
different messaging applications that
you use, as well as in files exchanged.
Among the different messaging
applications that exist, WhatsApp is
the number 1 worldwide, boasting
1.5 billion users. In May 2019, a
security breach was detected on
the application. Unbeknownst to the
user, it allowed the installation of
spyware on their telephone, even if
the user did not answer the “infected”
call. According to the Financial Times,
this flaw was exploited to install
Pegasus spyware from the Israeli
company NSO Group, which supplies
software to the security forces of many
countries, regardless of whether they
have democratic regimes or not. This
programme makes it possible to collect
the geolocation of its target, read its
messages and emails, and trigger the
microphone and the video camera
unbeknownst to the user.
WhatsApp, like all applications,
is therefore not infallible, and its
popularity has made it a target
for hackers. There are, however,
specialized applications that can
secure your conversations by using
end-to-end encryption.
How to protect
your instant
conversations
Use Signal to encrypt your calls
and text messages
Signal is a free open-source application
that enables you to encrypt, by default,
communication that passes through
it, including both written and vocal
communication. The service, which is
commercial-free, also offers a self-
destruction mode for messages, in
other words, the possibility of making
your written conversations ephemeral
(by erasing the data after a certain
period of time).
End-to-end encryption is the way
to make a message secret. No one
other than the two correspondents
can decrypt the conversation, not
even the provider of mobile access
or a “spy”. Signal’s only weakness is
that, by default, it relies on a “user
directory”, distributing user A’s public
key to user B. The directory is operated
by a software developer, and it serves
as a trusted third party between users,
thereby allowing the server — or a
third party who would take control
of it — to decrypt communication
between A and B. In order to protect
their correspondence completely, both
users can exchange an encryption
key directly. This chain of characters
(or safety numbers, to use Signal’s
terminology) must be exchanged
secretly through another means of
communication. Though the procedure
is optional, it is highly recommended
for all Signal users who share sensitive
information.
The Electronic Frontier Foundation,
an American NGO specialising in the
protection of freedom of expression
on the Internet, gives Signal the best
possible rating in terms of security,
and Edward Snowden, the American
whistleblower and former CIA and NSA
employee, uses it on a daily basis.
Use Olvid, an application that
protects your data
This new French instant messaging
service attacks the root of the problem:
to protect your data, Olvid encrypts
them entirely (metadata included),
even on its own servers. This means
that all information stored by the
messaging service is encrypted, and
that not even the service can access
it. In the case of an attack on or
breach of their servers, the data and
the conversations are impossible to
read. Olvid is thus the only messaging
service that guarantees complete
security of user data. All other
messaging services, Signal included,
rely on their structurally vulnerable
servers (centralised directories)for
security. Olvid has overcome that
security risk. Olvid is mostly dedicated
to companies and operates on a
fee-based model in order not to be
dependent on any external entity.
This model of security, which for
the time being has no known flaws,
undoubtedly represents the future in
secure communication.
7 
Protecting
yourself
from
espionage
via your
mobile
devices

We are all affected!
In 2019, journalists brought to light the fact that Chinese
customs officers on the border between Kyrgyzstan and
the Xinjiang Region install spyware on Android smart-
phones of tourists who are entering China. The verifica-
tion procedure of terminals is different for an Android
mobile than for an iPhone. In the case of an Android ope-
rating system, a spyware-type application is installed. For
iPhones, the smartphone is simply connected to a scanner.
The application used to scan the telephone is, in theory,
uninstalled, but it appears that the customs officers some-
times forget the last procedure. The fact that the appli-
cation would be withdrawn after the procedure suggests
that its purpose is not to track each individual by GPS —
even if some technical information about the mobile (MAC
address, N° IMEI, telephone number, etc.) is collected in
passing. According to the investigation, the application
is mainly supposed to search for content with terrorist
propaganda, but also passages of the Quran, documents
relating to the Dalai Lama, and even a Japanese heavy me-
tal band called Unholy Grave (due to a song called Taiwan:
Another China), or anything that could compromise the
authority of the national government.
What does
that mean?
Our mobile devices contain data
about everything in our lives and daily
activities. Many accounts are linked
to applications on our telephone:
Gmail, Amazon, Paypal or AirBnb.
Furthermore, all smartphones, tablets,
and laptops are equipped with video
cameras and microphones that can be
easily transformed into surveillance
tools. No, you’re not dreaming:
advertising agencies already use
mobile microphones to offer targeted
advertising. As mobile usage develops,
an increasing number of attacks
involve mobile devices. The most
common type of attack, addressed in
previous chapters, is phishing. Use of
a mobile device requires ramping up
vigilance and keeping in mind that it
remains a potential surveillance tool,
and that no truly reliable method exists
to protect your device from hacking.
What are
the risks?
Monitoring of data collected
by operators
Governmental intelligence agencies
have long been able to access data
collected by telephone operators
depending on legal rules that vary
from one country to another. A police
service or intelligence agency can
make an official request to an operator
to recover data, or it can resort to
backdoor access installed on servers.
Among these data is geolocation:
when a mobile device is connected
to the network, it is automatically
located by relay antennae that are able
to triangulate the origin of the signal,
even if the “geolocation” option is
deactivated in the devices settings.
The data exchanged with operator’s
servers, such as location, SMS, and
data, are all potentially accessible to
third parties via the operator’s servers.
Using the applications mentioned
in the previous chapters, you can
exchange messages securely by
ensuring that the operator can only
access encrypted data, but that does
not protect you from the device itself
being hacked.
Hacking your mobile device
with spyware
Mobile devices, just like any computer,
function by means of an operating
system that can be infected by
malware, which may be used to
steal data contained in your device.
Spyware is a specific type of malware
designed to spy on your activities.
These applications can be found on the
Internet and do not require specialised
technical knowledge: once spyware
is installed, data are sent to a Web
platform, to which the spy can connect
anonymously.
Spyware potentially gives access
to all data contained on the device
and can even go so far as to develop
sophisticated monitoring features:
listening to and recording telephone
conversations, real-time retrieval of
photos taken with the camera, and
accessing messages, irrespective of
the application being used. It can also
secretly activate the microphone and
the video camera, limit incoming calls
from predefined telephone numbers, or
take a screenshot and record the words
typed on the keyboard, rendering even
the secured applications ineffective to
protect your data.
Using an IMSI-catcher to hack into
your mobile device  that identifies the SIM card used and
It is also possible to locate a mobile
device and access its data directly
from the place where it is located using
an IMSI-catcher, a monitoring device
used to locally intercept traffic of
mobile communication by simulating
a fake relay antenna and inserting
itself between the operator’s network
and the targeted device. The acronym
“IMSI” refers to the International Mobile
Subscriber Identity, a unique number
its owner, and makes it possible to
connect to the mobile device. The
IMSI-catcher must be placed close to
the target to function and can be used
to monitor all data, install spyware, and
even simulate the origin of messages
or calls, giving your telephone the
impression that the number calling you
or the message that you are receiving
is from someone whom you know
whereas in fact it is coming from a
computer nearby.
How should
you protect
yourself?
— Never leave your devices
unattended: while there are many
ways to hack remotely, it takes just
a few seconds of your device being
connected to infect it with malware.
— Update the operating system
on your devices and your different
applications. As many hackers
capitalise on the vulnerabilities of older
versions, updates enable you to reduce
the number of security breaches.
— Do not synchronise your mobile
devices with unknown or unprotected
computers.
— Only install known and “validated“
applications from official stores
(Google Play Store, Apple Store, etc.).
 
— Avoid, as much as possible, public
and unsecured Wi-Fi networks that
can allow your data to be intercepted
and even malware to be installed.
If you must connect to a public Wi-Fi
network, use a VPN and do not send
any confidential information. 
— Only activate your Bluetooth
when you are using it; it provides an
unsecured entry point on your device.
— Do not leave your applications and
Web services that you use on your
mobile device in auto-login mode (the
mode that remembers your password
and connects automatically; often
there is a tick box). Once your device is
hacked, none of your accounts will be
secure any longer.
— If you should have to entrust your
telephone to a third party (authorities,
customs, etc.), always switch
the device off completely. Some
telephones delete any encryption key
when the device switches off, and
require that you enter your PIN code
prior to any subsequent decryption.
— Install anti-virus applications that
will be able to detect malicious
programmes, monitor browsing on the
Internet, and save sensitive data. You
can try CM Security and Avast! Mobile
Security & Antivirus (for Android),
which have the capacity to lock
applications, or Lookout Antivirus &
Security (for Android and iOS), which
also has anti-theft features.
Protecting yourself from tracking and
monitoring via your mobile devices
The simplest way to protect your
device from tracking and data from
being hacked is to remove its battery.
Then, the telephone is totally inactive;
it no longer records, receives, or
sends any information. However, for
numerous mobile devices, this is not
possible without a tool. Switching the
telephone off or activating airplane
mode does not suffice to guarantee
that the device cannot be located
and does not send data. An infected
device, for example, can display a
screen that has been turned off while
some functions continue being used.
An alternative to removing the battery
is air gapping: it consists of completely
isolating the device from the network,
making remote hacking or locating it
impossible. To isolate a device, you
can use a Faraday bag, a case that
replicates the principle of the Faraday
cage, blocking the electromagnetic
field. 
To decrease the chances of this type of
hacking, it can be useful to deactivate
2G and roaming on smartphones that
have this feature so that the device
can only connect to the 3G or 4G
networks, which are better secured.
These measures allow you to avoid
certain types of IMSI-catchers, but
by no means do they constitute real
protection. The only effective way not
to be exposed to an IMSI-catcher is to
totally disconnect your telephone from
the network by removing the battery or
by putting it into a Faraday bag.

Use of a Faraday bag guarantees that

the device can neither send nor receive
signals. By placing your mobile device
into the case of this kit, it becomes
impossible to locate it or hack the data.
Be careful, nonetheless; if the device
has been infected by spyware, it may
continue being used as a surveillance
mechanism due to its microphone,
which can record and transmit data
during reconnection to the network
after having been taken out of
the case.

Protecting yourself from hacking via

IMSI-catchers
For more information:
There is no reliable protection from
IMSI-catchers: as soon as your device Smartphone Surveillance And Tracking Techniques: Understanding Threats,
is connected to a network, it is possible Indices & Protection (medium.com)
to fool it with a fake relay antenna
and hack it. Some applications such ‘State of Surveillance’ with Edward Snowden and Shane Smith
as SnoopSnitch claim to be able to VICE on HBO: Season 4, Episode 13
detect the presence of fake relays,
but that detection remains imperfect. 12 ways to hack-proof your smartphone (The Guardian)
8 
The limits
of
protection
Confidentiality of correspondence,
a right protected in many countries, is
threatened by the very nature of digital
communications. Complying with
the best practices described in the
previous chapters and understanding
the risks provide a starting point for
survival in digital space and the best
possible protection for your data and
exchanges.
Nevertheless, it is important to bear
in mind that there is no infallible
security: electronic tools and
machines were not designed to
protect information exchanges. Once
a device is connected to the Internet,
it is potentially vulnerable and can be
transformed into a monitoring tool;
as soon as you exchange information,
it could potentially be intercepted
and manipulated by a third party.
Therefore, what’s important is not
to rely entirely on protective tools
and techniques that are by nature
imperfect, but to remain vigilant
and aware of the risks that you are
running. The only purpose of the
methods described in the previous
chapters is to limit such risks;
the notion of absolute security is
unrealistic in digital communication.
Here are three points to bear in mind in
order to develop a vigilant attitude:
— Protect your personal data
As soon as you begin using a site,
service, application, or software,
you share some of your personal
information. Using an application or
online service means agreeing to trust
it. Then, it becomes important to know
what type of data that service will
keep and use, by reading the General
Conditions of Use, and by obtaining
assurance from reliable sources that
the service is protecting your data.
Data protection always represents
a compromise between comfort of use
and security. Do not sacrifice security
for comfort: many people use auto-
login features or entrust their browser
or devices with the management
of identifiers and passwords, which
facilitates hacking of their data.
— Compartmentalise your digital
identities
All of your devices, logins/
pseudonyms, email addresses, IP
addresses, etc., are unique identifiers
that can be linked to your identity. The
use of a single email address suffices
to link you to many activities and may
make it possible to spy on you easily.
It is advisable to compartmentalise
data that identify you as much as
possible by using unique addresses
and identifiers for every application.
For example, you can even separate
your activities by using, on top of
your main machine for routine tasks,
a computer dedicated to all your
confidential activities and exchanges.
It could be a simple second hand
laptop using a distinct IP and a
secured OS such as Tails, applying
all the practices described above.
The device must never be connected
to a Google or Facebook account, or
any other account that could allow
association between the machine
For more information:
101 Data Protection Tips: How to Keep Your Passwords, Financial & Personal
Information Safe in 2019 (digitalguardian.com)
The Verge guide to privacy and security (theverge.com)
A set of online guides to restore privacy (restoreprivacy.com)
and your real identity. You can also
apply this method to a mobile device
that is dedicated to your confidential
conversations.
— Encrypt your exchanges
of information
As soon as you are browsing on
the Web or exchanging information
via digital devices, you are sharing
data with multiple actors. Browsing
anonymously and communicating
via secured tools that encrypt data
allow you to reduce the risk of your
information being used or monitored,
although it is never an absolute
guarantee. If, for instance, your
machine has been compromised, all
your efforts to remain anonymous
and secure will also be compromised.
Securing your exchanges of
information, in fact, requires constant
and joint effort on your part and that
of your interlocutors. End-to-end
encryption software simply makes life
difficult for potential spies without
ever completely eliminating the risk
of being monitored.