A short guide on digital self-defense

Editorial

The year is 2032. Self-driving vehicles are everywhere, most people pay at the kiosk with their smartwatch, and thanks to intelligent systems, power consumption has also been reduced. Nevertheless, we do not live in a digital surveillance dystopia. What has happened?

It all began in 2020, when the Federal Supreme Court made a landmark decision: The secret service wiretapping program (Kabelaufklärung) violates the constitution. People must not be surveilled without a reason - not even online. It was not only the complainants around the Digitale Gesellschaft who cheered.

A domino effect started. Suddenly, the population no longer wanted all their movements captured by their smartphone to be permanently recorded and stored for months. A popular initiative banning the Data Retention law (Vorratsdatenspeicherung) was adopted. Later, the Intelligence Service law (Nachrichtendienstgesetz) also had to be revised, because more and more disproportionate digital records came to light. And the overdue revision of the Data Protection law (Datenschutzgesetz) also revealed its true purpose: We need to protect people's privacy from the collection mania of the digital corporations - not regulate their interest in our data.

This change of mind has brought new business models with it. Apps are now based on comprehensive encryption. And services are no longer paid for secretly with data; they are financed and improved through crowdsourcing. A few years ago, in an astonishing manoeuvre, the Federal Council also decided: Only open source software will be used in public administration. Since then, new community-based social networks have been promoted. The increasing privatization of the public sphere - still in full swing in 2019 - has been brought under control.

For once, Switzerland has a pioneering role. Initially with stronger regulation despite the resistance of supranational corporations. But at some point people got fed up with the surveillance capitalist games of Google, Facebook, Amazon, Alibaba and Microsoft. Because there are enough alternatives that are transparent and user-friendly while guaranteeing anonymity and data sovereignty. This will therefore be the last edition of the "Guide to Digital Self-Defense" - it has simply become unnecessary.

This should be written in the editorial of 2032. It is still all utopia today - we are not even on the way there. Data-hungry corporations are more powerful than ever before. That's why we need alternatives. We present these in this guide. They all help to better protect our privacy and regain control over our data.

WOZ, Digitale Gesellschaft and CCC-CH

P.S.: Important and less common terms are explained in the glossary. They are underlined and linked in the text.

01_Basics

Data privacy

Being connected to the Internet means leaving traces. Since it is difficult to check whether someone (and who) is reading along in the background, the most effective data protection principle is always: Less is more. Data that does not get onto the net does not need to be protected in the first place.

Personal details such as name, address, birthday, telephone, account or insurance numbers, but also photos and videos are particularly lucrative for data dealers and should only be deposited with trustworthy services. If an offer is "free", it can be assumed that the service is sometimes financed by the sale of data. This applies in particular to social media such as Facebook, Instagram or Twitter.

We also often forget that we have decision-making power: Not everything that can be done over the internet has to be done over the internet. We don't have to buy our books from Amazon, our shoes from Zalando. Their products are also so cheap because we pay a generous tip with our data.

Important: Connecting to the internet via smartphone is usually done via apps. When you install a new app on your smartphone, it asks for certain access rights: to the contacts, the location tracking service, the camera, the microphone, the picture gallery. In principle, all these access rights should be reduced to the minimum and deactivated whenever possible.

Powerful tech corporations

Five US giants dominate the internet: Google (Alphabet), Amazon, Facebook, Apple and Microsoft. They hold monopoly-like positions in several business areas such as social networks (Facebook) or search queries (Google). Together they control and monitor the flow of information on the internet. They maintain infrastructure such as server farms and fiber optic networks, they build the devices we communicate with, they own the applications we use.

In doing so, they collect practically unlimited data about us. They combine this data into complex personality profiles and sell them to clients from business and politics. Furthermore, this information is exploited by secret services, as whistleblower Edward Snowden has proven.

There are also repeated cases of economic abuse. Since June 2017, the EU has imposed several fines on Google totalling almost 8.3 billion euros for manipulating its search results or abusing its market power. Facebook was also fined 5 billion dollars in the USA in July 2019 because the company passed on user data to Cambridge Analytica, among others. As useful as the services of the giants are: they have developed a power that is alarming both in terms of economy and democracy. In order not to further strengthen their dominance, they should be avoided wherever possible.

Operating systems

One of the following five operating systems is installed on the vast majority of devices: Android (Google) or iOS (Apple) for mobile devices such as smartphones or tablets; Windows (Microsoft), macOS (Apple) or Linux (independent) for PCs. As a basic principle: No operating system guarantees complete security.

The security updates from the manufacturers help to close vulnerabilities. They keep operating systems up to date and should be installed as soon as possible. The WannaCry cyber attack in May 2017 showed just how catastrophic outdated operating systems can be: criminals broke into thousands of computers through "old" security holes in the Windows operating system and demanded a ransom. Even today there are many different malicious software programs in circulation that work in a similar way.

While Apple regularly provides security updates for its operating systems and encourages users to update, the manufacturers of Android devices are more negligent.

Passwords

Passwords are like house keys. Whoever has them opens the doors to our data. They are central for the protection of our privacy. Every device, every hard disk, every account, every network should be secured with its own individual password. A sufficiently secure password is at least five random words or twelve characters long, contains upper and lower case letters, numbers and special characters and cannot be derived from personal data such as name, birthday or place of residence. Profiles on social networks are rewarding sources for fraudsters to obtain password clues (pet name, quote from favorite band). Under no circumstances should standard combinations such as "12345", "admin" or the name of the network be selected. A good example: Only safe on the way!

It is nearly impossible to remember a steadily growing number of good passwords. Luckily, password managers offer a remedy. These applications work like a safe on your own computer, where the passwords for the various services are securely stored. The password manager also helps to generate random passwords and, with a few clicks, ensures that they are sufficiently complex and long. Recommended and trustworthy password managers are KeePass and KeePassXC.
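The password rules above and the random generation a password manager performs can be sketched in Python. This is an added example, not part of the original guide or of KeePass/KeePassXC. It assumes that a passphrase of at least five words satisfies the rule on its own and that anything shorter needs twelve characters and all four character classes; the function names and the word list are constructed for illustration.

```python
import math
import secrets
import string

# Constructed 32-word list so the example runs offline. It is far too small
# for real use: a passphrase list should hold thousands of words.
WORDS = (
    "anchor basil candle dolphin ember falcon glacier harbor "
    "island jasmine kettle lantern meadow nutmeg orchid pebble "
    "quartz raven saddle thistle umbrella velvet walnut xylophone "
    "yonder zephyr acorn bramble cobalt dune emblem fjord"
).split()

# The standard combinations named in the guide.
STANDARD = {"12345", "admin"}


def check_password(candidate, personal=(), network_name=None):
    """Return the list of rules from the guide that the candidate breaks."""
    problems = []
    lowered = candidate.lower()
    if lowered in STANDARD or (network_name and lowered == network_name.lower()):
        problems.append("standard combination or network name")
    # Personal data: names, birthdays, pet names and similar tokens.
    if any(len(p) >= 3 and p.lower() in lowered for p in personal):
        problems.append("contains personal data")
    # Assumption: five or more words count as a passphrase and skip the
    # character-class rule. Randomness itself cannot be checked after the fact.
    if len(candidate.split()) < 5:
        if len(candidate) < 12:
            problems.append("shorter than twelve characters")
        classes = (
            any(c.islower() for c in candidate),
            any(c.isupper() for c in candidate),
            any(c.isdigit() for c in candidate),
            any(c in string.punctuation for c in candidate),
        )
        if not all(classes):
            problems.append("missing a character class")
    return problems


def generate_passphrase(n_words=5, words=WORDS):
    """Pick words with the operating system's cryptographic random source."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def generate_password(length=16):
    """Draw random characters until all four character classes are present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


def passphrase_entropy_bits(n_words, list_size):
    """Guessing effort in bits when every word is drawn uniformly at random."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(generate_passphrase())
    print(generate_password())
    print(check_password("Bello2019", personal=["Bello"]))
    # Five words from the 32-word sample list versus a 7776-word list.
    print(passphrase_entropy_bits(5, len(WORDS)), passphrase_entropy_bits(5, 7776))
```

The last line shows why the size of the word list matters: five words from the sample list give 25 bits, five words from a 7776-word list about 64.6 bits.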

Some vendors promise to relieve us from the password pain and at the same time improve safety and comfort by providing the option to log in using biometrics - with our voice, fingerprints or face. However, this can be dangerous, because once hacked, faces and fingerprints cannot simply be changed. Therefore, such methods should be avoided on untrustworthy systems.

Talking about house keys: Again and again there are burglaries, because thieves find out via Facebook that the residents are currently on holiday abroad.

Backup

Hard disks can break down, mobile phones or computers can be stolen. Therefore, it is essential to keep a copy (backup) of the most important data. It is best to store them on a personal external hard disk which is not connected to the internet.

Online storage carries a greater risk of being targeted by criminals and state actors. But since the personal hard disk can also be stolen (burglary) or destroyed (fire, water), it should be stored in a safe place.

02_The Alternatives

Web browser

The web browser is the window to the internet. It determines what we see - and how much of us there is to see. Whether our surfing behaviour can be systematically recorded, and which traces we leave behind on individual websites, depends on the browser and its settings. Since browser operators - like all service providers - can also collect data, it is worth taking a look at their business model.

By default, the manufacturer's browser is pre-installed on every device: Internet Explorer and its successor Edge on Windows, Safari on Apple devices, Chrome on Android (Google). All these browsers work in the service of their manufacturers. Since the source code is not completely open, the design of the application is not visible, and it is not possible to check what information is collected in the background.

Firefox

Mozilla Firefox is considered the alternative to Chrome and Internet Explorer. The browser of the non-profit Mozilla Foundation is dedicated to "safe surfing". It is fast and versatile. The source code is open and is constantly developed by an active community. In addition, countless extensions (add-ons) can be installed to increase data protection.

It is important to regularly delete cookies (and the local history and cache) and to block trackers.

For this purpose Firefox has integrated the tracking blocker Disconnect.me. This blocks advertisements and makes it difficult to systematically collect information about our surfing behavior. With Tracking-Blocker, in "Privacy & Security", the protection against activity tracking can be changed from "Standard" to "Strict". Add-ons such as uBlock Origin offer even better protection.

Cookies and all other locally stored data can be deleted using the Ctrl-Shift-Delete key combination or via the menu in the settings. Here you can also set that "Cookies and website data are automatically deleted when you exit Firefox".

Tor

Tor is by far the most secure, though slowest browser. Since the connection between the user's device and the visited website is established via three random nodes of the Tor network, it is almost impossible to track who is accessing the website.

The Tor browser is also used to access hidden websites (Darknet) or to bypass internet blocks such as those in Iran, Turkey and Switzerland.

VPN

Another way to surf the internet relatively safely is to access it via a Virtual Private Network (VPN). The installed VPN software establishes an encrypted connection to the server of the VPN provider. From there, the desired website is called up - and not, as is normally the case, directly via your own IP address, which is used to identify your device on the internet.

A VPN is particularly recommended when using open WLAN networks in cafés or railway stations, for example. Such open networks may involve actors who harvest data: public authorities, data traders or criminals.

Especially in countries like Russia, China, Iran or Turkey, where parts of the internet are blocked, users can obtain blocked information on the Internet via VPN.

Many companies and universities offer their own VPN service. In addition, there are a large number of independent providers, but these should be checked for reliability before being trusted.

Search engines

Whoever searches the internet googles. Opening hours, recipes, translations, music, directions, diseases ... the search engine finds everything. Searching for something on the internet means - since 2004 also according to Duden - "googling". The Silicon Valley-based group has a market share of over ninety percent in Europe. Google's secret algorithms decide what we can and cannot see on the net.

The group uses the enormous amount of data collected not only to deliver search results. The search behaviour is combined and evaluated together with data from other Google services such as YouTube, Gmail or Google Docs. The profiles form the basis for personalised advertising. In this way, the group generated sales of almost 140 billion US dollars in 2018 alone. The profiles are also accessible and relevant to public and private intelligence services.

It is worth asking your questions to more trustworthy services. Because those who know our questions know us.

Startpage

The search engine Startpage uses the Google search index, but it neither passes users' search data on to the corporation nor stores the search queries.

The Dutch company which operates Startpage also finances the service through advertising, but this is not personalised.

Duck Duck Go

Duck Duck Go is an independent US search engine that does not store the search behaviour of users. Duck Duck Go is financed by donations and non-personalised advertising.

Messenger

Today we often use messengers for our everyday communication. The most popular as well as the most dubious messenger is WhatsApp. Since 2014 it has been part of Facebook. With the purchase of WhatsApp, Mark Zuckerberg's company gained access to millions of address books (telephone numbers, e-mail addresses) and exploited them - although the company initially claimed the opposite.

Although, according to the company, messages between WhatsApp users are secured by end-to-end encryption, this cannot be independently verified.

WhatsApp is largely without competition in this country because many users turn away from alternative services if they do not find friends there. This makes it all the more important to persuade friends to use other messengers.

The Digitale Gesellschaft has published a Messenger test.

Threema

The look and feel of Threema is very similar to WhatsApp. However, the Swiss messenger can be used without giving your own phone number. Only a randomly generated ID is stored centrally, but not personal data such as telephone number, address, profile picture or group members. All messages are secured by end-to-end encryption. Although the source code is not open, it has been verified by an independent body.

The software development and the operation of the servers in Switzerland is financed by the users (one-time fee).

Signal

This messenger from Open Whisper Systems is a widespread free app, funded by a non-profit foundation in the USA and recommended by Edward Snowden.

Signal includes all important messenger features such as group chats and (video) telephony, whereby all messages and conversations are encrypted. This means that this messenger can also be used as a secure alternative to Skype. Signal can also be used on the desktop.

The source code of Signal is open.

Social networks

We spend several hours a day on the internet, a lot of that time on social networks like Twitter, Instagram, Snapchat, LinkedIn - and of course Facebook: By now, more than two billion active users belong to the platform. A quarter of humanity shares its most personal details with Facebook - an unimaginable concentration of power.

The influence of Facebook on social communication behaviour and information gathering is enormous. A separate public has virtually formed on the platform. What is and what is not allowed there is largely determined by the operators themselves, or rather their secret algorithms. They are not subject to democratic control. Moreover, the algorithms are programmed in such a way that we are hardly ever confronted with opinions on Facebook that do not correspond to our own. This can lead to a very distorted picture of reality. This situation is described by many people as "filter bubbles".

Using alternative social networks helps to break these bubbles. Unfortunately, they too have to struggle with the fact that many users turn away because they meet very few friends there.

Diaspora

The functionality of the decentralised network launched in 2010 is inspired by Facebook. As an idea, however, it is its antithesis. Diaspora is based on free software. The platform is managed and developed by the community.

Ello

The ad-free platform has established itself above all in the art, photo and fashion scene. It guarantees not to pass on any user data to third parties. Furthermore, Ello does not force its users to register with their real name.

GNU Social

An alternative to Twitter is GNU Social. The microblogging service is part of the so-called GNU project, which is largely supported by the Free Software movement.

Mastodon

Mastodon is an emerging short news service compatible with GNU Social.

E-Mails

Billions of e-mails are sent every day. Without an e-mail address it is practically impossible to navigate the internet. For now. For many services or applications, registration is increasingly taking place via Facebook or Google accounts. This is convenient, but bad for data security. Then why not use an e-mail address? But of course not just any e-mail address. Most Swiss users rely on services such as Gmail (Google, USA), GMX (D) or Bluewin (Swisscom, CH).

All these providers are closely linked to the advertising industry. They operate their e-mail services primarily out of commercial interest. The protection of our privacy, on the other hand, remains secondary and is therefore weak. Inboxes are searched for keywords to collect advertising data; e-mails are not automatically encrypted.

But it is precisely this feature that is essential for data protection. Nobody would send letters without an envelope. Nor should electronic messages be sent unencrypted.

There are a number of e-mail services that give high priority to the protection of privacy and rely on encrypted e-mail communication. However, the encrypted transmission of e-mails only works automatically between users of the same provider.

mailbox.org (D)

Posteo (D)

Immerda

The service of the Immerda Collective (CH) is aimed primarily at activists. Whoever wants to use it needs a personal invitation from people who are already using Immerda.

E-mail applications

In most cases, we manage our e-mails in webmail, i.e. directly on the provider's website - for example on gmail.com or gmx.ch.

When using webmail, the data is stored on the provider's server, but not locally on the device used.

However, e-mails should always be archived on your own computer - as a backup. It is possible that a service is the target of a cyber attack or goes bankrupt, which can lead to the loss of all data.

The applications for local e-mail administration access the mail server and automatically load the entire content onto the user's own computer. Apple Mail and Microsoft Office Outlook are the best known, but not the only mail applications.

Thunderbird

Thunderbird is the best known product of the Mozilla Foundation alongside Firefox. The application enables the local archiving of e-mails. As with the Firefox browser, there are add-ons for Thunderbird to better protect privacy. One example is Enigmail. It allows encrypted communication between e-mail addresses of all providers. However, the prerequisite is that both the sender and recipient use encryption software. Since version 78, no additional add-on is needed for mail encryption.

Calendar / address book

Calendar and address book are two indispensable applications - in private and professional daily life. Both store a lot of personal and sensitive information that allows conclusions to be drawn about our work, our circle of friends, our interests and in extreme cases even our medical history.

The standard applications for managing this data come from Apple and Google (iCal and Calendar). These offer a very useful service: they allow the synchronisation of appointments and contacts between laptop and mobile phone. Nevertheless, the question arises whether you want to tell Google or Apple about your doctor's appointment.

The two e-mail providers Posteo and Mailbox.org (see chapter e-mails) also offer good and secure contact management and calendar features. However, both services are subject to a fee.

Collaborative editing online

Many documents and publications (such as this guide) are produced collectively via services that allow several people to work on a document simultaneously. The most famous of these services is Google Docs, which once again comes from Google.

But there are also alternative collaborative tools in this area. Usually, users can be invited simply via a link, which has the advantage that they do not need an account. Most tools also allow you to grant or deny certain rights to individual users. This requires a separate account for each user.

Etherpad

The Etherpad software allows you to create text documents that can be edited together via a web browser. As with Google Docs, the documents can be accessed via a link (password protected if desired). A personal account is not necessary.

You can get started right away at pads.ccc.de or pads.ccc-ch.ch.

Ethercalc

The spreadsheet application Ethercalc is based on the Excel model in its operation. However, it does not have all its features.

CryptPad

CryptPad, software with end-to-end encryption, provides pads and other tools for working together. You can install it yourself or use it directly on the project's servers.

Video conferences

In addition to messengers, video conferencing services are becoming increasingly important in both professional and private environments. Being able to see each other in larger groups (as opposed to telephone conferences) makes communication easier and creates a pleasant atmosphere.

Many providers require an account from all participants or are otherwise not very data protection friendly. However, there are also recommended free solutions for video conferencing.

Jitsi Meet

The free software project Jitsi Meet not only develops the software of the same name but also makes it available to the public as a service. All you need is a browser (preferably Chrome/Chromium) or the corresponding app. Further participants can be invited via a link. The software is also offered as a service by various other providers.

BigBlueButton

The free software BigBlueButton is suitable for discussions in larger groups. The project was founded at the Carleton University of Ottawa. BigBlueButton can therefore also be used to organise seminars or lectures online. For this purpose, features for presentations, a whiteboard and the possibility for breakout sessions are available.

Those who do not wish to operate the software themselves can also obtain it from various service providers. A browser is required to use it.

Cloud services and online storage

Countless users no longer store their data and applications on their own computers, but in gigantic server farms. The hard disk disappears from the user's horizon, yet it can still be accessed from anywhere and at any time - and with it thousands of private photos, texts, mails or songs.

Nextcloud is software that enables everyone to build their own cloud - on their own servers or on servers of providers who rely on Nextcloud: Eqipe and Wölkli for example. Both providers can be tried out free of charge, but the use of the respective cloud storage is then subject to a fee.

The use of Nextcloud is particularly useful for managing calendars and address books. It enables the synchronisation of this data without it flowing directly to Google or Apple.

Maps

Even when we ask the Internet for directions, the answer usually comes from Apple or Google, or their map services Apple Maps and Google Maps. By default, these services can permanently check our location and create comprehensive movement profiles. Location tracking services must be deactivated manually in the application settings.

If the tracking feature is activated on the smartphone, all photos taken with the phone will also be tagged with information about the location and time of the shot, so-called metadata. This allows services that have access to photos to reconstruct where and when a photo was taken.

The location tracking feature should therefore be deactivated whenever possible.
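In JPEG photos, the location and time metadata described above sits in an Exif segment near the start of the file. The following Python sketch is an added example, not part of the original guide: it removes Exif segments (and XMP segments, which can hold a copy of the same fields) from JPEG bytes and leaves the image data untouched. The function names and the sample bytes are constructed for illustration.

```python
import struct

SOI = b"\xff\xd8"                    # start-of-image marker
EOI, SOS, APP1 = 0xD9, 0xDA, 0xE1    # second byte of the markers used here
# APP1 payloads that carry metadata: Exif (GPS position, capture time)
# and XMP, which can hold a copy of the same fields.
METADATA_HEADERS = (b"Exif\x00\x00", b"http://ns.adobe.com/xap/1.0/\x00")


def strip_metadata(jpeg: bytes):
    """Return (cleaned_bytes, removed_segments) for a JPEG byte string."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG stream")
    out = bytearray(SOI)
    pos, removed = 2, 0
    while pos < len(jpeg):
        if pos + 2 > len(jpeg) or jpeg[pos] != 0xFF:
            raise ValueError(f"corrupt marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (SOS, EOI):
            # From here on it is compressed image data: copy it untouched.
            out += jpeg[pos:]
            break
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        # The two-byte big-endian length counts itself but not the marker.
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("segment length runs past the end of the file")
        payload = jpeg[pos + 4:end]
        if marker == APP1 and payload.startswith(METADATA_HEADERS):
            removed += 1              # drop the metadata segment
        else:
            out += jpeg[pos:end]      # keep everything else byte for byte
        pos = end
    return bytes(out), removed


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment for the constructed sample below."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JPEG-shaped bytes, not a decodable picture.
SAMPLE = (
    SOI
    + _segment(0xE0, b"JFIF\x00" + bytes(9))
    + _segment(APP1, METADATA_HEADERS[0] + b"constructed GPS and time fields")
    + _segment(0xDB, bytes(65))
    + _segment(SOS, bytes(10)) + b"\x12\x34\x56"
    + bytes([0xFF, EOI])
)

if __name__ == "__main__":
    cleaned, removed = strip_metadata(SAMPLE)
    print(f"removed {removed} segment(s), {len(SAMPLE) - len(cleaned)} bytes")
```

On a real photo, read the file in binary mode, pass the bytes to `strip_metadata` and write the result to a new file before sharing it.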

Open Street Map

The Open Street Map can compete with the big ones in terms of accuracy and information content. Not only are the geographical data freely available, users can also contribute improvements to the map - similar to the online encyclopedia Wikipedia.

Thanks to its open structure, the Open Street Map is constantly growing and producing a wide variety of applications. These include the route planner routing.osm.ch or the app osmand.net.

map.geo.admin.ch

The freely accessible map of the Federal Administration is also recommended. In addition to the map material, a great deal of other information can be retrieved, for example on public transport stops or hiking trails, on locally available internet bandwidths, on noise pollution or on water quality. Besides normal maps, aerial photographs and historical maps are also available. The official Swiss Map Mobile app allows offline access on the smartphone. This service has therefore become a standard tool, especially for hikers.

Internet service provider

The internet service providers (ISP) provide internet access. How and under what conditions they do so depends largely on the provider. Swisscom, for example, collects anonymous customer data and passes it on to the advertising company Admeira, a joint venture between Swisscom, Ringier and SRG. Anyone who does not want this must either notify Swisscom themselves (opt-out) or switch to another provider, whereby particular attention should be paid to two criteria: net neutrality and responsible data handling.

A Swiss provider that is committed to net neutrality, locally based and oriented more towards new and sustainable technology than towards return on investment targets, is Init7. According to its own statements, the provider advocates "a monopoly-free, liberal internet", "which is open to users and service providers without restrictions".

The basic rule is: Always check local offerings.

Hosting

If users want to put their own content on the internet - texts, photos, videos, etc. - they are dependent on web hosting services whose role is comparable to that of a traditional host.

It makes sense to host your website via a Swiss hosting service whose servers are located in Switzerland and which offers an encrypted use of the website. The corresponding encryption protocol ensures that the data exchange between the server on which the website is running and the browser of users is encrypted. Server location and encrypted use of the website are the central criteria when choosing a hosting service.

With netzone.ch, cyon.ch, nine.ch, hosttech.ch, hostpoint.ch or also amazee.io there are many options for choosing a good local provider.

03_Glossary

An algorithm basically describes a sequence of instructions with which a particular problem can be solved. Nowadays the term is often used in connection with the processing of huge data sets (Big Data): Algorithms sift through these mountains of data for patterns and correlations. In concrete terms: a (non-public) algorithm determines which book Amazon recommends to me or which friends Facebook suggests to me.

App is the short form of the English word Application and describes - at least in the German-speaking world - software-based applications on mobile devices (smartphones and tablets). The most famous example is probably WhatsApp.

End-to-end encryption is the envelope of digital mail. Encryption is the process of packaging messages like e-mails on the sender's machine and putting a "lock" on them. Only the recipient of the message has the key to this lock; only she can open it again. This prevents messages from being read on their way from sender to recipient.

Free Software is software that respects the freedom and community of users. It allows you to run, copy, distribute, modify and improve applications, and gives you control over the software you use and how it processes data.

An IP address is assigned to each device (computer, smartphone, server, etc.) that is connected to the internet. An IP address is similar to a postal address. This means that data packets are assigned an IP address that uniquely identifies the recipient.

GNU/Linux is a collective term for independent, open source and free operating systems. The core of GNU/Linux was developed by the then Finnish IT student Linus Torvalds in 1991. GNU/Linux is based on free software, which means that programmers all over the world can extend and improve the operating system. GNU/Linux is the world's leading operating system for smartphones (Android) and servers.

The Kabelaufklärung (secret service wiretapping program) is anchored in the new Intelligence Service Act (NDG). It allows the intelligence service to search all telecommunications connections leading from Switzerland to other countries for defined keywords. Facebook messages are scanned in the same way as Google search queries or purchases from online shops.

Data retention includes the collection of the metadata from our communications: who called whom and when? How long did the conversation last? Who logged on to the internet or accessed an e-mail inbox and when? Mobile phone location information is also stored.

The Act on the Intelligence Service (NDG) regulates the activities of the Swiss secret service. With the introduction of the law on 1 September 2017, the intelligence service gains increased powers: It is allowed to tap telephones, read letters and e-mails, bug flats, use trojans to infiltrate other people's computers and search all data streams which flow abroad via the Swiss fibre-optic network (see Kabelaufklärung). In short, the law gives the secret service an instrument for mass surveillance.

Net neutrality refers to the equitable transmission of data on the internet. Net neutrality is achieved when all data - regardless of sender, recipient, service or content - is forwarded by the telecommunications providers (ISPs) in the same quality and at the same speed.

Trackers are companies or techniques that monitor users on the internet and spy on their behaviour, for example to be able to sell personalised advertising based on user profiles.

Data retention is a central part of the new intelligence service law (NDG). It obliges all providers of postal, telephone and internet services to record the communication behaviour of their customers and store it for six months. The service responsible for the retention of data is the Post and Telecommunications Surveillance Service (PTSS).

The source code is the blueprint of an application. It is written in a programming language like C, Python or Java. Developers who disclose the source code create transparency about how their software works. For example, it is possible to check whether so-called backdoors have been installed to extract data. The basic rule is therefore: whenever possible, use applications with open source code.

04_Addresses

Useful addresses

For privacy in the digital space

For digital self-defense

For advice and repair of hardware and software: