Censorship and Surveillance in the Digital Age: Part Two
The continuation of a multi-part series on methods of censorship and surveillance, why they matter, and how to circumvent them.
Circumventing Online Censorship and Surveillance
Introduction
When WikiLeaks, the organization founded by Julian Assange in 2006 and responsible for publishing leaked data about war crimes and human rights violations, needed a way for whistleblowers to securely and safely transfer documents, they turned to the Tor Browser, which anonymizes and encrypts web traffic, and the live operating system Tails. Both are discussed in more detail below. Together with .onion sites (onion services; OnionShare, for example, uses one to let a source hand over files anonymously), they have become one of the mainstays of modern journalism. According to isabela on the Tor Blog:
This trinity of tools--.onion sites, Tor Browser and the Tails operating system--has become a 'basic kit' for modern investigative journalism. Their adoption spread across the globe, with numerous news organizations incorporating these technologies to protect their work and sources. SecureDrop, developed by the Freedom of the Press Foundation, and SafeBox, used by the Forbidden Stories project, are other examples of how Tor-powered tools have been adopted to keep journalists and their sources safe.
Part two of this series presents an overview of Tor and Tails, as well as other tools that can be used by aspiring journalists, dissidents, and concerned citizens to circumvent censorship, do research, and avoid surveillance. This is an overview designed to introduce readers to the subject. Use of these tools does not serve as a substitute for operational security, and no tool can guarantee complete anonymity and privacy.
Virtual Private Networks
The most straightforward technology to use is probably a virtual private network (VPN). A VPN creates an encrypted tunnel from your device to the provider's server, so the websites you visit see the VPN server's IP address and location rather than yours. A good example is ProtonVPN, which allows connections through many different regions and countries. So, a person could connect to ProtonVPN through a server in Miami, and to the sites they visit their traffic will appear to originate from a computer in Miami instead of from their home or office network. Keep in mind that the provider itself can still see where your traffic goes: a VPN moves trust from your ISP to the VPN company rather than removing it. A good VPN also sends DNS lookups through the tunnel, so your ISP's resolver never sees which sites you look up. When using a good quality paid VPN, it is possible to check the IP address and check for DNS leaks using whatsmyipaddress.com and dnsleaktest.com. Neither should show the actual IP address or location. Below is a screenshot from whatsmyipaddress.com:
It shows the connection originating from a location in Maryland, while the actual user is in another part of the country. The extended test on dnsleaktest.com should list only the VPN provider's DNS servers; an ISP resolver in the list means DNS is leaking around the tunnel.
There are a couple of things to keep in mind with VPNs. Nothing is free; a free VPN provider is recouping its money some other way, possibly by selling user data. Also, the location of the VPN company matters. ProtonVPN is Swiss, and NordVPN is based in Panama; both countries have strict privacy rules. Using one based in one of the "Five Eyes" (the United States, the UK, Australia, New Zealand, and Canada) probably isn't ideal. A VPN also should allow a choice of country of origin for the connection, effectively bypassing geographic content restrictions. Note that when using a VPN with a U.S. IP address, it is possible to run into restrictions at sites fronted by infrastructure providers such as Cloudflare, which may show a challenge page or block the request because the shared VPN exit address has a poor reputation (many users, including abusive ones, share the same address). A more pessimistic assumption is that blocking is done because a VPN prevents websites from capturing information about users. Changing the VPN connection to another country like Sweden or Iceland may allow access to the websites without restrictions. This same strategy could allow a journalist or activist in a heavily censored country to access information they otherwise would be blocked from. This diagram from cactusvpn.com shows how a VPN works:
It is important to keep in mind that even the best VPN is going to do little to protect against browser fingerprinting. A VPN encrypts internet traffic in transit, but it can't hide things like what browser you are using or other parameters like computer hardware, configuration, fonts, screen size, mouse movements and myriad other things that a website's own scripts can read to build a fingerprint.
Preventing Browser Fingerprinting
Browser fingerprinting and tracking can be reduced, though not eliminated, by choice of browser and a few add-ons and settings. Using the Firefox browser with the following add-ons, available from the Firefox extension site, is a reasonable start against both fingerprinting and tracking:
uBlock Origin is an ad blocker which also blocks third-party trackers
User-Agent Switcher changes the browser name and version a web server sees (use with care: if the claimed browser does not match what JavaScript can read about the platform and screen, the mismatch itself makes the browser rarer)
uBlock Origin, User-Agent Switcher, and other add-ons on the Firefox taskbar:
In my experience, many "experts" suggest multiple add-ons such as Privacy Badger, HTTPS Everywhere, CanvasBlocker, and JavaScript blockers. The problem is, too many add-ons are likely to make your browser more unique, and so more easily fingerprinted; sites can often tell which add-ons are installed from the elements they inject or the requests they block. uBlock Origin and some similar add-ons can, with appropriate settings, disable JavaScript and block most trackers, so the others are probably redundant. Also, enforcing HTTPS for all websites can be set in the Privacy and Security settings of most browsers, which is why HTTPS Everywhere is no longer needed. There are steps published online for "hardening" the Firefox browser, but other browsers seem to do a better job of preventing fingerprinting. There is a fork of Firefox called LibreWolf that comes with a lot of the recommended Firefox settings preset by default. It can be downloaded for Windows, Mac, and Linux from its website. Two other browsers, the Brave Browser and the Mullvad Browser (built by the Tor Project with Mullvad VPN), performed better on tests for blocking fingerprinting and trackers, largely because they make all their users look alike rather than letting each user tweak settings. You can test your browser at https://coveryourtracks.eff.org/. If your life or freedom depends on strict privacy and anonymity, though, use the Tor Browser.
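The "more add-ons, more unique" point is easier to see with numbers. The Python below is an added illustration (my code, not from the original article or from the EFF): it scores a visitor's fingerprint against a constructed crowd of ten other visitors the way coveryourtracks.eff.org reports "bits of identifying information", that is, log2 of the population divided by the number of people who look the same. The attribute names, the crowd, the add-on tells, and the three visitor profiles are all constructed for the example.

```python
import math

# Constructed crowd of 10 other visitors (illustrative values, not measurements).
# Each dict holds attributes a tracking script can read: the User-Agent string,
# the platform, the screen size, and which add-ons are detectable (many add-ons
# leave tells such as injected DOM elements or blocked requests).
CROWD = [
    {"ua": "Firefox/128", "platform": "Linux",   "screen": "1920x1080", "addons": frozenset({"ublock"})},
    {"ua": "Firefox/128", "platform": "Linux",   "screen": "1920x1080", "addons": frozenset({"ublock"})},
    {"ua": "Firefox/128", "platform": "Linux",   "screen": "1920x1080", "addons": frozenset({"ublock"})},
    {"ua": "Firefox/128", "platform": "Linux",   "screen": "1920x1080", "addons": frozenset({"ublock", "privacybadger"})},
    {"ua": "Firefox/128", "platform": "Windows", "screen": "1920x1080", "addons": frozenset({"ublock"})},
    {"ua": "Firefox/128", "platform": "Windows", "screen": "1920x1080", "addons": frozenset()},
    {"ua": "Chrome/126",  "platform": "Windows", "screen": "1920x1080", "addons": frozenset()},
    {"ua": "Chrome/126",  "platform": "Windows", "screen": "2560x1440", "addons": frozenset()},
    {"ua": "Chrome/126",  "platform": "Mac",     "screen": "2560x1440", "addons": frozenset()},
    {"ua": "Safari/17",   "platform": "Mac",     "screen": "2560x1440", "addons": frozenset()},
]

BASIC = ("ua", "platform", "screen")          # what any page can read
WITH_ADDONS = BASIC + ("addons",)             # plus detectable add-ons

# The visitor being measured: plain Firefox on Linux with uBlock Origin only.
VISITOR = {"ua": "Firefox/128", "platform": "Linux", "screen": "1920x1080", "addons": frozenset({"ublock"})}
# Same machine after piling on add-ons.
HEAVY_ADDONS = dict(VISITOR, addons=frozenset({"ublock", "privacybadger", "canvasblocker", "noscript"}))
# Same machine with User-Agent Switcher claiming Chrome, while platform and
# screen (still readable from navigator/screen) say Firefox-on-Linux things.
SPOOFED_UA = dict(VISITOR, ua="Chrome/126")


def anonymity_set(visitor, crowd, keys):
    """Number of people (the visitor included) who look identical on `keys`."""
    return 1 + sum(all(p[k] == visitor[k] for k in keys) for p in crowd)


def identifying_bits(visitor, crowd, keys):
    """What a tracker learns: log2(population / anonymity set).
    log2(population) bits means the visitor is unique in this crowd."""
    population = len(crowd) + 1
    return math.log2(population / anonymity_set(visitor, crowd, keys))


if __name__ == "__main__":
    cases = [
        ("plain, UA/platform/screen", VISITOR, BASIC),
        ("plain, add-ons visible too", VISITOR, WITH_ADDONS),
        ("many add-ons", HEAVY_ADDONS, WITH_ADDONS),
        ("spoofed UA", SPOOFED_UA, BASIC),
    ]
    for label, v, keys in cases:
        print(f"{label:28} set={anonymity_set(v, CROWD, keys)} "
              f"bits={identifying_bits(v, CROWD, keys):.2f}")
```

The plain profile blends in with four others; revealing its single add-on costs it one of them; the heavily extended profile is unique (all 3.46 bits the crowd can give); and the spoofed User-Agent is also unique, because nobody else claims Chrome with that platform and screen combination.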
The Tor Browser
For greater protection, there is the Tor Browser. Tor uses what is known as "onion routing" to send encrypted internet traffic through multiple relays around the world, normally three: a guard, a middle relay, and an exit. The relays are run by volunteers. Onion routing was originally designed at the U.S. Naval Research Laboratory. The client wraps each message in one layer of encryption per relay, and each relay strips only its own layer, so no single relay knows both who is sending and where the traffic is going. If downloaded and used as directed, it does a very good job of hiding an internet user's identity. Only expert users should tamper with the configuration settings, and it is best not to download documents and open or print them on the same computer, since a document can contain content that phones home outside Tor and reveals your real address. Also, if a person uses Tor to connect to the internet from their home or office, their ISP can probably detect that they are using it, because the guard relays are publicly listed. One way around this is Tor over VPN: start a VPN, then open the Tor Browser, so the ISP sees only a VPN connection. Be clear about what this does and does not do. It hides Tor use from the ISP (and tells the VPN provider instead), but it does not encrypt anything past the exit relay: Tor never encrypts the hop from the exit relay to the destination site, so that hop is protected only if the site uses HTTPS or is an onion service, VPN or not. The Tor Project's own answer to an ISP that blocks or watches Tor is the bridges and pluggable transports built into the Tor Browser's connection settings. Tor works on Windows, Linux, and Mac and can be downloaded from the Tor Project web site. There are versions available for Android and iOS as well, but care must be taken to download the official apps: Tor Browser for Android, and on iOS the Onion Browser the Tor Project recommends.
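The layering, and the reason the exit relay sees plaintext, is easiest to see in code. The following Python is an added illustration, not Tor Project code: a client wraps a request in one layer per relay, using a toy HMAC-SHA256 keystream cipher that stands in for the AES counter-mode encryption real Tor circuits use, and each simulated relay peels only its own layer. The relay names, keys, and destination are made up; real Tor negotiates each relay key with a key exchange rather than fixing it in advance.

```python
import hashlib
import hmac
import json
import os


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter keystream.
    Demo stand-in for Tor's AES-CTR; not for real use."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))


toy_decrypt = toy_encrypt  # XOR with the same keystream undoes itself

# One key per relay, known only to the client and that relay (made-up values).
RELAY_KEYS = {
    "guard":  hashlib.sha256(b"guard-key-demo").digest(),
    "middle": hashlib.sha256(b"middle-key-demo").digest(),
    "exit":   hashlib.sha256(b"exit-key-demo").digest(),
}
PATH = ["guard", "middle", "exit"]
DESTINATION = "news.example"   # hypothetical clearnet site (no HTTPS in this demo)


def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """One onion layer: 'forward to next_hop' plus the inner cell, encrypted."""
    nonce = os.urandom(8)
    body = json.dumps({"next": next_hop, "data": inner.hex()}).encode()
    return nonce + toy_encrypt(key, nonce, body)


def peel_layer(key: bytes, cell: bytes):
    """What a relay does: strip its layer, learn only the next hop."""
    nonce, body = cell[:8], cell[8:]
    obj = json.loads(toy_decrypt(key, nonce, body))
    return obj["next"], bytes.fromhex(obj["data"])


def build_onion(message: bytes) -> bytes:
    """Client side: innermost layer for the exit, outermost for the guard."""
    hops = PATH + [DESTINATION]
    cell = message
    for i in range(len(PATH) - 1, -1, -1):
        cell = wrap_layer(RELAY_KEYS[PATH[i]], hops[i + 1], cell)
    return cell


def relay_trace(onion: bytes):
    """Simulate the circuit. Returns, per relay: (name, where it forwards,
    the bytes it forwards). Only the exit ends up holding the plaintext."""
    trace = []
    cell = onion
    for name in PATH:
        next_hop, cell = peel_layer(RELAY_KEYS[name], cell)
        trace.append((name, next_hop, cell))
    return trace


if __name__ == "__main__":
    request = b"GET /article HTTP/1.1\r\nHost: news.example\r\n\r\n"
    for name, next_hop, forwarded in relay_trace(build_onion(request)):
        print(f"{name:6} -> {next_hop:13} sees plaintext: {forwarded == request}")
```

Run it and the guard forwards ciphertext to the middle, the middle forwards ciphertext to the exit, and the exit forwards the bare request to news.example. Putting a VPN in front of the client changes nothing in that last line; only HTTPS or an onion service does.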
Tor is also the access point for the dark web. (The "deep web" is simply everything search engines do not index, such as pages behind a login; the dark web is the part reachable only through Tor or similar networks.) This is important. People who know a little about Tor or the dark web assume that they exist only for criminal behavior. While it is true that the dark web has many sites offering anything from illegal drugs to weapons, it is also used by journalists, activists, and dissidents to bypass censorship and surveillance. There are sites that allow secure file transfers, and the general anonymity on Tor protects them from detection by hostile government entities. Within Tor, these sites are onion services, reached through .onion addresses: long generated strings ending in .onion that never leave the Tor network and are encrypted end to end. Directories such as The Hidden Wiki list some of them, but such lists are unvetted and full of phishing copies, so confirm an address from the organization's regular website where one exists. Below is a great diagram from torproject.org and eff.org showing how the Tor Browser works:
Linux Operating Systems
A very good skill to develop is the use of a Linux operating system instead of Windows or Mac. Distributions like Ubuntu, Debian, Fedora, and others can be loaded onto an old laptop. Linux has a little more of a learning curve than Windows, but user-friendly distributions like Ubuntu are made for people transitioning from mainstream operating systems. Most Linux distributions are open source, which means their code can be read and audited by anyone. They are also highly customizable for the same reason. There are Linux-based operating systems built solely for privacy and anonymity: Whonix routes all traffic through the Tor network and runs as a pair of virtual machines, a gateway that talks to Tor and a workstation that can only reach the gateway, so even a compromised application cannot learn your real IP address. Qubes OS, which needs a reasonably recent, well-supported laptop, isolates each activity (browsing, email, documents) in its own virtual machine, so a compromise of one does not spread to the others. Other Linux distributions, such as Kali, are built for ethical hacking and penetration testing.
Tails
Tails is a live Linux OS that can be launched on almost any computer from a USB drive (or, on some machines, an SD card). It routes all internet traffic through Tor, and everything done during the live session is held only in memory and disappears when the computer is shut down, unless you deliberately enable its encrypted Persistent Storage. So, ordinarily no information is left on the machine for forensic analysis. Tails would likely be the go-to operating system for anyone needing the strongest privacy, anonymity, and protection from forensic analysis of the computer itself. The Tails image can be downloaded from https://tails.net, which gives separate installation steps for Windows, Mac, and Linux hosts and a way to verify the download before using it; on Windows the image is written to the USB drive with Rufus (https://rufus.ie/en/), a program for creating bootable drives. The drive or card is inserted before starting the computer, and it might be necessary to change the boot order in your computer's BIOS/UEFI settings.
Virtual Machines
A way to add another layer of security is to use a Linux operating system in a virtual machine. A virtual machine (VM) is a complete operating system running inside a program like VirtualBox on a host computer such as a Windows 11 laptop. The VM uses the host computer's resources but has its own virtual network interface, with its own MAC address (the hardware address of a network interface, which is only visible on the local network, never to websites) and its own IP address on the virtual network. With VirtualBox's default NAT networking, the VM's traffic leaves through the host, so websites see the host's public address, or the VPN's if the host is running one. The VM can also be deleted along with all its files if necessary. Apart from Tails, this is the preferred way to use Tor. There is a learning curve, but knowing how to use virtual machines is a valuable skill. VirtualBox and the operating system downloads are free.
Kali Linux VM running on a Windows Computer. The VM is using a VPN on the host computer to mask location and the IP address:
Alternative Search Engines
Search engines like Google track users and store any data they can get, but there are several search engines that promise not to track or store user data. A popular choice is DuckDuckGo, which is also the default search engine in the Tor Browser. Another is Startpage, which submits queries to Google from its own servers and returns the results, so Google sees only Startpage and never the user. Some others include:
Qwant - Based in France and so has to conform to European data protection law.
SearX (now maintained as SearXNG) - An open-source metasearch engine that can be self-hosted. Doesn't share IP addresses or search histories and strips third-party tracking.
Gibiru - Like Google before ads and trackers. Also very fast.
Swisscows - Family-friendly and doesn't store any data
Mojeek - Searches the web without filters
MetaGer - Another metasearch engine, run by a German non-profit, that pulls results from 50 different search engines. Encrypted and can be reached through Tor for anonymity.
Brave Search - A newer search engine with its own index that appears to offer good privacy and can also be reached over the Tor network. Based in the United States.
Yandex - A Russian search engine
Baidu - A Chinese search engine (neither Yandex nor Baidu is a privacy engine; both track users under their own countries' laws, but they can surface results the Western engines filter out)
Getting in the habit of using more than one of these search engines is ideal, since they all have different strengths.
SMS and Encrypted Calling
There are many apps that purport to offer encrypted text and calling, but Signal is widely accepted to be the most secure messaging app available. Signal users do have to provide a phone number, but messages and calls are end-to-end encrypted with the open-source Signal Protocol, which has been publicly analyzed by academic cryptographers and is the same protocol WhatsApp adopted. Facebook Messenger, Telegram (whose regular chats are not end-to-end encrypted), Apple Messages, WhatsApp (owned by Meta), or the SMS app on your Android or Google phone are not recommended when communicating sensitive information; even where the content is encrypted, the provider keeps metadata about who talks to whom and when. Besides Signal, other options include Threema, Silence (which encrypts SMS between two Silence users), Session, and Wickr Me, although Wickr Me has since been discontinued by its owner, AWS. Threema has the advantage of not requiring a phone number or other personally identifiable information (PII). Wickr advertised "military-grade encryption" (a marketing phrase, not a standard) and was popular with businesses for its enterprise features. Like Threema, Session doesn't require a phone number, and it is end-to-end encrypted. Session also routes messages over a decentralized network, so there is no single central server where all the data could be stored.
Email
Not all email services are secure by default, and the way they are used also affects their security. According to Bryan M. Wolfe at TechRadar.com:
The myth that email services are automatically secure is misleading and dangerous, potentially leaving users vulnerable to cyber threats. It is essential to recognize that while email service providers implement numerous security features, the responsibility for email security is shared. By taking proactive steps to secure their accounts, being aware of potential threats, and following best practices for email safety, users significantly reduce their risks and help ensure that their digital communications remain secure. Email security is not guaranteed—it's an ongoing commitment. It's an email provider that offers comprehensive security features tailored to your needs.
There are two good options for secure email. The first is setting up PGP (OpenPGP) encryption with an ordinary email provider. This involves generating a key pair. The private key stays on your own machine; the public key is published, usually on a keyserver, so that anyone can encrypt a message to you that only your private key can decrypt. (The private key is also used to sign messages, which recipients verify with your public key.) Note that PGP protects the message body but not the subject line or the headers that show who wrote to whom. It is very secure if done right, but it is a lot of work, and both parties have to do it. The second option is an end-to-end encrypted provider such as Proton Mail or Tuta (formerly Tutanota), which encrypt mail automatically when both parties use the same service and can send password-protected messages to outsiders. Both offer free versions, and Tuta can be set up with virtually no personal information. Proton Mail keeps mailboxes encrypted at rest on its own servers in Switzerland, where user data falls under Swiss rather than U.S. law. Other email services may offer encryption, but not necessarily by default, so be sure to check.
Secure Storage
The most secure storage would be to keep all documents and pictures in an encrypted container on a device, or to encrypt the entire device (see below). VeraCrypt and KeePass are both open-source programs that work on Windows, Mac, and Linux. VeraCrypt creates encrypted containers that hold arbitrary files and mount as a drive; KeePass keeps passwords and notes in an encrypted database. Both are opened with a master password or passphrase. VeraCrypt can also create hidden volumes inside a container and can encrypt entire drives. Choose a long passphrase, since the encryption is only as strong as the passphrase protecting it, and don't forget it: there is no recovery.
A search of cloud storage providers can be a little bewildering, because every article seems to make different recommendations. The recommendations made by online sources can be affected by sponsors and affiliate links, so it's probably wise to take a lot of them with a grain of salt. At the least, look for zero-knowledge end-to-end encryption (meaning data at rest and data in transit, with keys the provider never holds), multi-factor authentication, the location of stored data, and preferably open-source software. Some options to consider:
ProtonDrive - End-to-end encrypted, based in Switzerland, zero-knowledge encryption, open source
NordLocker - End-to-end encrypted, based in Panama, zero-knowledge encryption, open source
Tresorit - End-to-end encrypted, based in Switzerland (data stored in Ireland), zero-knowledge encryption, maybe better for businesses
NextCloud - Open source, self-hosted, end-to-end encryption, data can be hosted on your own servers
Computer Encryption
It is possible to encrypt the entire drive on a Windows computer. Mac has its own full-disk encryption (FileVault), and Linux distributions usually offer LUKS full-disk encryption during installation. BitLocker, the built-in encryption on Windows Pro editions, is closed source and, when you sign in with a Microsoft account, backs up its recovery key to that account by default, so it is not something to rely on if it really matters. VeraCrypt can encrypt the entire system drive on a PC. A note on terminology: the encryption itself is done with a block cipher, AES by default (Serpent, Twofish, and cascades of them are also offered). SHA-512 is not an encryption algorithm but a cryptographic hash function; VeraCrypt uses it inside PBKDF2 to turn your passphrase into the key, repeating it hundreds of thousands of times so that guessing passphrases is slow. When encrypted this way, the OS will not boot without the passphrase. SHA-512 as a hash function is described by Reason Labs:
SHA-512 carries insurmountable importance in terms of data protection, particularly in the present times of proliferating cyber threats. As a cryptographic hash function, it provides a robust, seemingly uncrackable method for confirming the integrity of information and reducing the occurrence of data duplication in expansive infrastructures. Whether through the development of impenetrable antivirus software or trust certificates for websites, simply put, the fundamental purpose of SHA-512 is to successfully identify, differentiate, and protect data.
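To make the hash-versus-cipher distinction concrete, here is an added Python example (mine, not VeraCrypt's code): it does with the standard library what SHA-512 actually does in a VeraCrypt volume, stretching a passphrase through PBKDF2-HMAC-SHA512 into 64 bytes of key material, splits that into the two 256-bit keys AES in XTS mode consumes, and estimates how long guessing would take. The iteration count, salt, and cost figures are illustrative assumptions; VeraCrypt's real header layout (the derived key unlocks a header holding the master keys) is not reproduced.

```python
import hashlib
import time

# Illustrative parameters (assumptions for this example, not VeraCrypt's
# on-disk format): PBKDF2-HMAC-SHA512, 500,000 iterations, 64-byte salt.
ITERATIONS = 500_000
SALT = bytes(range(64))   # constructed; a real volume stores a random salt


def derive_volume_key(passphrase: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """The role SHA-512 plays: HMAC-SHA512 iterated `iterations` times over the
    passphrase and salt, producing 64 bytes of key material. One-way: nothing
    here can be 'decrypted' back to the passphrase."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt, iterations, dklen=64)


def split_xts_keys(key_material: bytes):
    """AES-256 in XTS mode uses two 256-bit keys (one for the data, one for the
    per-sector tweak), which is why 64 bytes are derived. The cipher that then
    encrypts the disk is a separate algorithm from the hash that made the keys."""
    if len(key_material) != 64:
        raise ValueError("XTS-AES-256 needs exactly 64 bytes of key material")
    return key_material[:32], key_material[32:]


def seconds_per_guess(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Measure what one passphrase guess costs on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        derive_volume_key(f"guess-{i}", iterations=iterations)
    return (time.perf_counter() - start) / samples


def expected_search_years(passphrase_bits: float, secs_per_guess: float, parallel_guessers: int = 1) -> float:
    """Expected time to find a passphrase with `passphrase_bits` of entropy:
    on average half the space has to be tried."""
    guesses = 2 ** passphrase_bits / 2
    return guesses * secs_per_guess / parallel_guessers / (365.25 * 86400)


if __name__ == "__main__":
    phrase = "correct horse battery staple"
    k1, k2 = split_xts_keys(derive_volume_key(phrase))
    print("XTS key 1:", k1.hex()[:16] + "...", " XTS key 2:", k2.hex()[:16] + "...")
    # Same passphrase, different salt: different keys, so precomputed tables are useless.
    print("salt changes the key:", derive_volume_key(phrase, salt=b"\x00" * 64) != derive_volume_key(phrase))
    cost = seconds_per_guess()
    print(f"one guess here: {cost:.3f}s")
    for bits in (28, 40, 60, 80):   # e.g. one common word, four random words, a long random phrase
        years = expected_search_years(bits, cost, parallel_guessers=1000)
        print(f"{bits:3}-bit passphrase: ~{years:.2e} years for 1000 machines like this one")
```

The iteration count is what makes each guess cost a noticeable fraction of a second, but it only multiplies the attacker's work by a constant; the exponent comes from the passphrase, which is why the length of the passphrase matters far more than which hash VeraCrypt is told to use.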
For added security, USB ports on a computer can be disabled from the firmware setup menu. Also, from the same menu, an administrator password can be set to prevent an adversary from changing boot settings before the OS starts. The setup menu is typically accessed by pressing and holding (or repeatedly pressing) a key such as F2, Esc, or Delete while the computer starts up. Keep in mind that a firmware password raises the bar rather than stopping a determined adversary with physical access, who may be able to reset it; disk encryption is what protects the data itself. Note: the USB or SD card ports must be enabled to use a live operating system like Tails!
Alternative DNS and Secure DNS
Since DNS can be blocked or poisoned, and since the ISP's resolver sees every name you look up, it is advisable to change DNS providers from the one provided by the ISP. Windows, Mac, Linux, iPhone, and Android all allow the default DNS provider to be changed. A reasonable choice might be Google at 8.8.8.8 or Cloudflare at 1.1.1.1, though both are U.S. companies. A better choice for privacy is a service like Quad9, run by the Swiss-based Quad9 Foundation, or DNS.WATCH. Quad9 is at IP address 9.9.9.9, and DNS.WATCH is at 84.200.69.80. OpenDNS, now owned by Cisco, has free and paid tiers, but there may be privacy concerns with this service. Firefox and LibreWolf have settings for enhanced protection using DNS over HTTPS, as shown in Appendix A.
There are two main kinds of encrypted DNS, and both carry the same DNS messages that plain DNS sends unencrypted over UDP port 53. The first, DNS over TLS (DoT), wraps the query in a TLS session, the same encryption HTTPS uses, over TCP port 853; because it has its own port, a network can see that encrypted DNS is in use and block it. The other is DNS over HTTPS (DoH), which sends the same DNS message as the body of an HTTPS request to port 443, so it looks like ordinary web traffic and is much harder to single out. Either one stops an on-path observer (your ISP, a coffee-shop network, a censor) from reading or tampering with your lookups, but the resolver you choose still sees all of them, which is why the choice of provider above matters.
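To show what "the same message, different wrapper" means, the Python below is an added example (mine, not from the original article or any DNS vendor). It encodes a DNS query in the RFC 1035 wire format, parses a constructed response (rejecting one whose transaction ID does not match the query, the first line of defense against a spoofed answer), and then shows the two framings: the 2-byte length prefix DoT sends inside TLS on port 853, and the HTTPS POST DoH sends to port 443. It runs offline; nothing is sent. The query name example.com, the TEST-NET address 203.0.113.7, and the transaction IDs are constructed test data; dns.quad9.net/dns-query is Quad9's published DoH endpoint.

```python
import struct


def build_query(name: str, txid: int = 0, qtype: int = 1) -> bytes:
    """Encode a DNS query (qtype 1 = A record) in wire format.
    RFC 8484 recommends transaction ID 0 for DoH so responses can be cached."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1, 1 question
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Construct the answer a resolver would return (test data for this example)."""
    txid = struct.unpack_from("!H", query)[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR=1, RD, RA, 1 answer
    rdata = bytes(int(octet) for octet in ip.split("."))
    # Answer name is a compression pointer (0xC00C) back to the question at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer: follow it, remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(query: bytes, response: bytes):
    """Return [(name, ipv4)] for A answers. A response whose transaction ID does
    not match the query is rejected; a poisoner has to guess it (and the port)."""
    qid = struct.unpack_from("!H", query)[0]
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", response)
    if rid != qid:
        raise ValueError("transaction ID mismatch: possible spoofed or poisoned answer")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qdcount):                      # skip the echoed question section
        _, off = _read_name(response, off)
        off += 4
    results = []
    for _ in range(ancount):
        name, off = _read_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", response, off)
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            results.append((name, ".".join(str(b) for b in rdata)))
    return results


def dot_frame(query: bytes) -> bytes:
    """DNS over TLS (RFC 7858): DNS's normal TCP framing, a 2-byte length prefix,
    sent inside a TLS session to port 853."""
    return struct.pack("!H", len(query)) + query


def doh_request(query: bytes, host: str = "dns.quad9.net", path: str = "/dns-query") -> bytes:
    """DNS over HTTPS (RFC 8484): the identical wire-format message as the body
    of an HTTPS POST to port 443, so on the wire it is just another web request."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            "Accept: application/dns-message\r\n"
            f"Content-Length: {len(query)}\r\n\r\n")
    return head.encode("ascii") + query


if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    r = build_response(q, "203.0.113.7")
    print("query:", q.hex())
    print("parsed answer:", parse_answers(q, r))
    print("DoT frame:", dot_frame(q)[:2].hex(), "+ the same 29 bytes")
    print(doh_request(q).split(b"\r\n\r\n")[0].decode())
```

The transaction ID check is deliberately weak (16 bits), which is exactly why classic cache poisoning works against plain UDP DNS and why the encrypted transports matter: with DoT or DoH an on-path attacker can no longer inject a guessed answer at all.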
Part Three will discuss self-censoring, news bias, and fact-checking.
Sources
https://blog.torproject.org/wikileaks-case-study-on-journalism-and-encryption/
https://en.wikipedia.org/wiki/WikiLeaks
https://www.cactusvpn.com/beginners-guide-to-vpn/vpn-encryption/
https://cyberpedia.reasonlabs.com/EN/sha-512.html
https://www.forbes.com/sites/larsdaniel/2024/12/20/5-secure-messaging-apps-for-2025/