
Secure Messaging: A Spy Primer

Greetings Everyday Spy,

CIA trained me to control my mind and body under unique circumstances.

I learned how to master social settings, offensive driving, and pain tolerance. I learned how to prioritize information, mitigate risks, predict human behavior and steal secrets. I was issued custom weapons, personalized workouts, concealment devices and even alternate identities. And I learned to rely on training and practice to master my craft.

But there is one element of spycraft that constantly tests field officers.

One area that requires constant vigilance, focus, and patience; a skillset that we cannot compromise under any circumstances.

Secure Field Communication – something we simply called ‘commo.’

Commo is a constant lifeline for anyone forward deployed.

Whether you are uniformed military or deep cover CIA, secure commo is one of the most important tools you carry. Without it, information cannot be shared with support units or commanders. If it fails, your location and circumstances become unknown and unprotected.

And if it is compromised to the enemy, the damage is beyond measure… 

Secure communication is equally important in everyday life – whether you are talking to your business partner or your life partner.

Personal information is the world’s newest natural resource. And governments and corporations are mining it every day. Sometimes they are looking for threats. Sometimes they are looking for sales.

But there is always someone trying to collect. Someone trying to listen… to learn. 

Whether you invite them or not.

Here is what your personal data is worth on the ‘Dark Web’:

Social Security Number: $1.00

Complete Drivers License: $20.00

Full Credit Card details: $75.00

Even in the ‘legal’ world, your personal information fuels a massive economic engine.

An engine worth more than the NFL and NBA combined;

An engine bigger than the entire US alcohol industry;

 An engine scheduled to surpass the value of all US Agricultural output by 2022.

There are 5 big tech companies in the US actively mining (and lobbying to continue mining) your personal data: 

  1. Google
  2. Amazon
  3. Facebook
  4. Microsoft
  5. Verizon

The raw data collected from an average user can earn a company up to $183/year. Data that gets refined and packaged gains even more value, often exceeding $300/year per user.

Your secure commo is valuable – to you, and to others. 

And you can protect it.

I’ve learned how to protect my communications with some of the world’s best covert communications experts.

And I wanted you to learn from them too. 

So let me introduce my friend, a tactical covert commo expert I’ve encrypted EveryDayHAZARD (EDHAZARD).

EDHAZARD is a special operations commando from a country allied with the US. He specializes in secure field communications and has extensive experience executing tactical operations in hostile environments, including areas denied to American personnel. He continues to work downrange in a sensitive capacity that requires me to protect his identity from public view.

I asked EDHAZARD what an #EverydaySpy can do to keep their commo secure.

Here is what he had to say…

———————————-TEAR LINE—————————————

Is instant messaging popular?… Just a little.

  • Americans average 94 text messages a day.
  • 18.7 billion instant messages are sent each day worldwide.
  • SMS is the most widely used communication service in the modern world.

We all use messaging in our everyday lives. It’s something that has become a natural part of how we communicate. 

Whether it’s coordinating things for the workplace, wishing a family member good luck or happy birthday, or communicating sales and product info, instant messaging is a core communication tool.

And there are a huge variety of messaging applications available for us to use.

They come with fancy encryption, snazzy user interfaces, and voice and video capabilities that cater to a broad spectrum of users.

However, there is one question I ask anytime I hear about a new messaging system… Is it secure?

The worldwide web is full of people. And some of them are not very nice. 

There are entities out there actively targeting accounts, profiles and pages looking for anything and everything they can collect. Information like phone numbers, geo-tags, pictures, and even personal SMS messages can be used to tailor advertising or exploit unwitting victims.

Heck… Even the nice people collect on you! 

  • Churches want to know how often you visit their website.
  • Schools want to know which parents log-in to view their children’s work.
  • Police stations and congress people are obsessed with their district’s interests and concerns.

User data is extremely important. 

And you can take steps to protect it.  

When I choose a secure messaging app, I pick apps that protect the most important thing to me… my personal data.

There’s a reason why messaging apps are free – they pay for themselves with data.

It is easy to think that messaging apps have your best interests in mind, but profit is the heartbeat behind every new app.

Free messaging services still incur operating and maintenance costs, and they get their income from a variety of outside sources. External public funding, multinational companies, and data sharing agreements are the most popular funding options. 

And all secure messaging must be kept on record to justify outside financial support.

Where this becomes an issue is when you consider the motive of the financier.

  • What are their intentions? 
  • Do they have a legitimate desire to improve everyday communication? 
  • Or do they want to sell your personal data and messaging habits for financial gain?

No company is going to tell you their intentions up-front – their marketing department makes sure of that!

Instead, they have to tell you (or rather, ‘sell’ you) a neatly packaged narrative that mixes idealism, convenience, and – of course – the perception of security.

To assess the company’s intentions for yourself, look at the product’s terms of use. 

‘Terms of Use’ (aka: ‘Terms of Service’) are different from ‘Terms and Conditions.’

Terms of Use/Service offer little/no data protection because they assume a user is engaging in a free service with the company. Terms and Conditions, however, assume a user has engaged in a monetary exchange with the company.

Let me give you some examples. 

First, here is FACEBOOK Messenger’s Terms of Service agreement with you…

“We don’t charge you to use Facebook or the other products and services covered by these Terms. Instead, businesses and organizations pay us to show you ads for their products and services…Our data policy explains how we collect and use your personal data to determine some of the ads you see and provide all of the other services described…We use your personal data, such as information about your activity and interests, to show you ads that are more relevant to you.”

FACEBOOK is an easy example to start with. Everyone knows them and they have had a lot of oversight to help govern how they use personal data. Even still, their intent is to support business by leveraging your personal data – not protecting it.

But what about an SMS giant like VERIZON?

Here are VERIZON’s ‘terms of use,’ a company you pay to protect your data…

“Anyone using this server agrees that Verizon Wireless may monitor the server contents… Verizon Wireless reserves the right to modify, reject or eliminate any information residing on or transmitted to its server that it, in its sole discretion, believes is unacceptable or in violation of these terms and conditions and to suspend or end your service for any operational or governmental reason or violation of these terms and conditions.”

Verizon can act at its “sole discretion” to modify or eliminate your data. You may be paying them for a service, but their server contents are treated as their own property.

That said, at least acknowledge they are only looking at you… not your contacts.

Unfortunately, messaging services like WhatsApp are more direct about collecting against your personal contacts…

“In order to access and use the features of the Service, you acknowledge and agree that you will have to provide WhatsApp with your mobile phone number. You expressly acknowledge and agree that in order to provide the Service, WhatsApp may periodically access your contact list and/or address book on your mobile device to find and keep track of mobile phone numbers of other users of the Service… You hereby give your express consent to WhatsApp to access your contact list and/or address book for mobile phone numbers in order to provide and use the Service.”

It’s hard to tell a messaging service’s intentions.

But they are legally required to explain how they will use your information in their Terms of Use/Service.

A second way to assess the security of your messaging app is through application transparency. 

A good messaging system won’t share your information with others, but it will share their information with you. By having a look at how the application works and what the application does, you can gain a better understanding of how your data is protected. 

Look for specific information about encryption standards, programming code and server locations to determine whether your sensitive information is in fact safe.

  • US servers are more secure than Chinese servers.
  • Open source code is more transparent than proprietary code.
  • Higher encryption bits are stronger than lower encryption bits.

I know what you are thinking… “How am I supposed to understand all that technical jargon even if I can find it?”

Valid question! 

You’ll be happy to know that you don’t personally have to access it. What you want is for the industry at-large to have access to it. The industry has competing, independent experts that can review and scrutinize messaging platforms. Based on their feedback, you can make a more informed decision.

Don’t look for the code yourself, look for the reviews. 

Conduct your own search on encryption strength and server locations. You will find everything you need in published government reports, blog reviews, and even YouTube walk-throughs. Let the public domain help you decide for yourself.

An awesome messaging app = security + usability + popularity.

Before I sign-off, I want to flag one last thing about security.

Security is important, but remember that a good messaging system must also be balanced with usability and popularity.

No service will go far if it isn’t popular and easy to use.

You should be able to send a text message, picture or video in real time without the extra hassles of having to login, verify credentials, or spend some kind of account credit. It’s called instant messaging for a reason, yeah?

Don’t compromise your data for a system that isn’t secure.

And don’t let yourself get fooled into using a system that nobody else is using.

Understand that messaging systems are collecting your data.

  • Find out how they use your data in their Terms of Use/Service.
  • Assess the security of your data by reviewing a system’s source code and server locations.
  • And always remember that messaging = business.

And like any other business, without you their business fails.

EDHAZARD – signing out.

———————————-TEAR LINE—————————————

That is my friend EDHAZARD.

The nature of his work requires that he stays out of the public light, but I am grateful that I have friends like him to help me make my own commo decisions – in the field and in everyday life.

There is a whole world beyond the fine-print.

A world of compromise and leverage… and that is espionage.

You get to choose what tools you use and how you use them.

The question we face in every field operation is whether the risk is worth the gain. And in everyday life, that is a question only you can answer. 

Godspeed, #EverydaySpy

Author: Andrew Bustamante, Founder of www.EverydaySpy.com. Andrew is a former covert CIA Intelligence officer, decorated US Air Force Combat Veteran, and respected Fortune 500 senior advisor. Learn more from Andrew on his Podcast (The Everyday Espionage Podcast) and by following @EverydaySpy on your favorite social media platform.