YOU ARE BEING TRACKED: Countering Surveillance Oppression in Kenya (Part 2)

This article follows directly from Part 1: Understanding Surveillance Oppression in Kenya. However, it can be read on its own as a separate self-contained document.

Reccommendations

The following are some recommendations, which when followed even in part, will inculcate an attitude of defensive security, not only during political agitation but also as a pre-emptive strategy against all forms of rogue actors.

Personal defensive security

A. Digital

Texts and calls

1. Do not use the standard calls and SMS offered by telecommunications providers to communicate. They do not protect you from breaches of your privacy.

2. Use apps such as WhatsApp, Telegram, Signal, or Wire instead, all of which have encryption systems that prevent eavesdroppers from accessing your texts and calls.

Going online: digital etiquette

1. Do not use public Wi-Fi networks to browse the web or to access social media apps. Those who set them up can spy on your internet activity and will collect your banking information, and the login and passwords to your social media apps and email. If you really must use public Wi-Fi, use a reliable Virtual Private Network (VPN) such as ProtonVPN to encrypt your internet connection. To shield your digital activities even more, integrate Tor with your VPN. Tor is an additional layer of security: it routes your internet traffic through multiple nodes, making it exponentially harder for surveillance entities to trace digital activity back to you.

2. Create anonymous accounts to separate your digital and online identities from your real-life identity.

3. Use pseudonyms and placeholder names: avoid using your real name whenever you are online and interacting in public forums.

4. Do not use your main social media accounts to interact online when you suspect, even briefly, that your privacy and security are at risk. Switch to a ‘dummy’ account.

5. Stop posting personal information that could lead to your identification or that could aid location tracking: do not pin or do a social media check-in to broadcast the places you go shopping, to eat, etc, either in real-time or in delayed time. This information can be used to identify your whereabouts and locate where you live, and it will compromise your privacy and security.

6. Regularly review and adjust the privacy settings on all your social media platforms: you should always control who can see your posts and personal information. Ensure that only trusted persons known to you personally can see these.

7. Enable 2FA on all your social media and email accounts. This will protect you even when someone acquires or cracks your passwords. Also, instead of using SMS to verify your identity, use authentication apps such as Authenticator, Okta Verify, and Zoho OneAuth. Remember, an SMS will always be intercepted, do not use SMS!

8. When going online, avoid creating predictable patterns that could be easily tracked and cross-referenced with your offline activity. Vary the times you go online, the devices you use, and even the types of online activities you engage in. Diversification is a powerful form of digital camouflage: be unpredictable.

Advanced Operating Systems

1. For greater anonymity and security initiated at the operating system level, consider switching from Windows to Tails or Qubes, both which are engineered for privacy. Tails is a live OS that leaves no trace on your machine after use and routes all internet traffic through Tor, ensuring anonymity. Qubes compartmentalizes all activities that you perform on your computer into isolated virtual machines, protecting your core data. Even if one application, such as your browser is compromised, everything else remains safe.
2. Acquire a security-focused smartphone running on GrapheneOS, which offers better privacy controls.

Email Security

1. Switch to secure email providers like ProtonMail that offer end-to-end encryption by default. Also, set up more than one email address, or use email-forwarding services offered natively by your browser, so that you can use alternate sign-up emails to mask your digital identity and activity. If your tech skills are more advanced, use encryption tools such as PGP for more secure email exchanges.

2. Never use the same password twice! Instead of relying on your memory to generate and remember passwords, use Password Safe and similar password management apps. For Desktop, use inbuilt browser-based password managers in Firefox, Safari, Edge, and others. Protect your password managers with a strong password.

3. Never click on unsolicited links or open unknown attachments. Always verify the sender’s information, ensuring they are known to you, before engaging the link or attachment.

Data Security

1. If you store your data on physical devices like USB sticks and hard drives, encrypt them using tools like VeraCrypt for disk encryption or GnuPG for individual files. Don’t leave your storage devices and files unencrypted, as anyone who gains physical access to your devices, with or without your consent, will be able to breach your privacy.

2. Alternatively, use encrypted cloud services such as Mega, Tresorit and SpiderOak, which offer strong encryption and have a good reputation for protecting user data. Again, use strong and unique passwords, generated using a password manager.

3. Keep as little amount of sensitive data on your devices as possible. Set up a schedule to regularly review your downloaded files and purge unnecessary files that contain private and sensitive data (monthly is a good start).

Spyware and Malware

1. Use a reliable antivirus and anti-spyware software to regularly scan devices.

2. Keep all your software updated, including the operating system, applications, plugins, etc… Software is usually updated to close detected security vulnerabilities, and many hacking and surveillance tools usually target devices running older software versions that have known vulnerabilities. Generally, updated software is safer than old software.

3. Use browsers focused on privacy, such as DuckDuckGo and Brave. Use DuckDuckGo in your mobile device, and turn on Web Tracking Protection, App Tracking Protection, Email Protection and Private Search.

Location data

1. Always turn off GPS, location and Wi-Fi on your devices when not needed. Also, review your settings to restrict which apps have permission to access your location data. Regularly check the privacy settings on your devices.

2. Always use a VPN to conceal your real IP address, which can be used to estimate your location.

3. Use aeroplane mode when you want to stop your phone from communicating with the outside world. Airplane mode disables cellular, Wi-Fi, and Bluetooth transmissions.

4. Regularly review and remove geolocation data embedded in photos and social media posts before sharing them.

Physical Security

Devices

1. Always lock your computers and mobile devices when you are not using them. Use strong and unique passwords. Avoid using facial recognition, fingerprint and other biometric passwords as these can be extracted from you without your consent. Keep your device’s main password in your brain: it cannot be extracted from there without your consent.

2. Cover your webcams with tape when not in use and consider using microphone blockers. When digital integrity is at risk, it’s better to just default to face-to-face interactions. Choose varied nondescript locations for meetings. Switch off your electronic devices before arriving at the meeting location and store them far away from the meeting room, preferably locked in a cabinet in a distant room.

3. When disposing of your old devices, both phones and laptops, ensure they are thoroughly wiped using appropriate tools designed for secure deletion. Ask a competent techie to do this for you. For phones, perform a factory reset. For PCs and drives, you’ll be better off removing the hard drive and destroying it.

4. Use physical security keys (e.g., YubiKey) for 2FA: even if your security is breached, the key will protect you against account takeovers.

5. Acquire Faraday cages or a bag with an inbuilt Faraday cage compartment, where you can store your devices while in transit. Although your device will no longer be able to receive calls, remote hacking attempts and unauthorized access will also be impossible. You should also store your passports, credit cards, and other documents with RFID chips in this Faraday cage, and they will be completely protected from surreptitious scanning and cloning. If you sense that your device has been hacked or is being accessed remotely, you can also put it inside the Faraday cage, which will disable remote access immediately.

6. Do not share your whereabouts with strangers online: preserve that information for your family and close friends. In addition, be aware of how social engineering attacks can trick you into revealing this information: if a stranger or acquaintance offers to meet you somewhere “close to your home for your convenience”, meet them in the city instead: they could be trying to narrow the approximate location radius of your home. Train yourself and your family on how to recognise and respond to these social engineering attacks.

In the practice of democracy

1. When exercising your democratic rights to assemble and express yourselves in public spaces, follow the example of security agents who also wear a cloth or face mask to obscure their faces. Also, wear headgear to obscure your hair. This will ensure that pictures taken by others may not be useful in identifying you later.

2. Do not use the same routes or converge to the same spots regularly, and do not always go to the front lines: switch it up. Also, do not linger too long at the same spot in your democratic gatherings. Change your behaviour to confuse data analytics tools that are being used to identify your collective behavioural patterns, especially those using phone location data to breach your privacy to locate “interesting persons”.

3. Always wear comfortable shoes that are easy to run in. Carry a bottle of water, some tissues, and a small first-aid kit containing wound-dressing items and painkillers. Be always ready to save your life and that of others.

Legal and Operational Security

1. Talk to a lawyer and use advanced AI legal resources such as Haki to understand the legal protections available to you, including what can be legally done to you if you are detained or questioned. For businesses, contract cybersecurity experts to perform security audits on your personal and organizational digital infrastructure. In addition, familiarize yourself with both national and international legal frameworks concerning surveillance. Knowledge is your strongest shield.

2. Have a plan for what to do if you believe you are unsafe. This might include switching devices, using different forms of transportation, or seeking assistance from security professionals. Develop this plan with your family and friends, detailing how they will respond to security incidents: such as your abduction or arrest. This must include contacts for legal assistance, backups of critical data, and protocols for alerting them and other critical allies.

3. Connect with other like-minded fellows privately and securely using encrypted apps: do not doxx yourselves or each other on Twitter for clout. Share knowledge and resources with each other generously, but do not share sensitive information that you have not thoroughly verified, or without consent. Also, build a security-conscious network with your friends. Together, you can stay several steps ahead of rogue actors. Enhance your security through collective action: 100 brains are far more powerful than one, there is power in unity.

4. Living under surveillance is exhausting. Work with your family, friends and therapist to develop strategies to maintain your mental health. Do regular digital detoxes and take care of your mental health.

In conclusion

Kenya’s democracy is under attack. To defend it, start by defending yourself. And remember, defensive security is a cornerstone of democratic societies, for it protects the essential element of any democracy: its people. Protect yourself, and protect your fellow citizen.

Proverbs 28:15 – “Like a roaring lion or a charging bear is a wicked ruler over a helpless people.”

Mahatma Gandhi – “When I despair, I remember that all through history the way of truth and love has always won. There have been tyrants and murderers, and for a time, they can seem invincible, but in the end, they always fall. Think of it—always.”

#RejectFinanceBill2024

V.