A lot of folks are wondering what happens if things get spicy. Big Country has been posting tactical tips, as did Aesop last year (it doesn't look like he has a blog post tag for these so you'll have to dig). Other folks are posting, and they have an expertise there that I simply don't.
On the other hand, I do have a (professional) background in COMSEC - Communications Security. This post is how to pull off a level of COMSEC and OPSEC that will make it harder for you to end up on The Powers That Be's radar. Note that I said harder, not impossible. Ross Ulbricht messed up OPSEC, and he was very good at it. A professional grade level of paranoia is not just desirable, it's probably mandatory.
One thing that I keep seeing repeated is the phrase "Be the Gray Man". That's the primary objective here. That will limit the sorts of communications that you will be able to (hopefully) keep off TPTB's radar. And so what I'm going to write about here is not useful for voice or email protection (mostly), and won't help with GPS geolocation tracking. It's purely a thought experiment on how to transmit decently large quantities of information without TPTB being likely to understand the content, or even know that information is likely being transmitted at all.That last point is the key. Traffic Analysis is pretty terrifying, at least to those in the know, and was by far the biggest issue in the whole Snowden/NSA brouhaha. I'm not sure that this solves that problem, but it takes some steps in that direction. Remember, your mileage may vary, void where prohibited, do not remove tag under penalty of law.
The first thing we need to look at is how to hide data in a way that doesn't make people think that there's any hidden data. XKCD captured the problem for the would-be crypto nerd:
This is actually called the Rubber Hose Attack, and it's considered generally effective. So encrypting your hard disk is A Bad Thing, because it tells anyone who looks that the data is encrypted. More to the point, encrypting your data communications is A Bad Thing for exactly the same reason.
OK, so no encryption. How do you keep communications confidential from prying eyes, and ideally make traffic analysis less likely? This is Borepatch, and so that means that we'll start with a history lesson.
People have been trying to keep secrets secret for pretty much as long as there have been people. Growing up, there was a pretty interesting book in the Borepatch household library, Hidden Images. It gave a number of historical examples of how people hid images of things that were considered double plus ungood, typically via distorting perspective or some such.
This was a picture of (IIRC) English King Charles I who had been beheaded by Parliament. It was dangerous for people to have images of the dead King, and so you had to use a reflective cylinder to make the distorted image of the Sovereign comprehensible. The problem is that you need the cylinder, and you have a pretty suspicious distorted picture. Either of these if discovered in a search might result in a Rubber Hose Attack. We'd like to have our data in a normal image (I'll get to how to hide the "cylinder" in a bit).
There's a modern tool available to do this, called Steganography. It relies on the fact that many of the data formats in common use today are "lossy" - you can remove a lot of the original data bits without degrading the message. Jpeg image format is one example, MP3 is another. Stego uses this to introduce loss into the picture without degrading the picture (or into an MP3 without degrading the audio). The "loss" introduced is your secret message, which can be text, image, audio, or whatever you'd like. I did this once here:
Crash the Wundercat contains a secret message (well, the picture of Crash does; work with me here). You need a tool that does Stego to embed the message/data, and the person who wants to extract the message/data needs a Stego tool. Windows users can use OpenPuff which will embed your data in images, audio, video, and Flash. It will even encrypt the data and add white noise to make it even harder to detect. It's free and open source. Steghide is perhaps your best bet for Linux.
And now we have to peel the onion: how do you get your message distributed? The answer here is to use your regular methods. You shouldn't use email, as it's pretty direct (you sent it to someone, which is interesting in an of itself). Social Media is a much bigger haystack to hide in - Facebook, blogs (hello!), Reddit, Flickr - all of these excel as "dead drop" locations for seemingly innocuous pictures of your cat. The people you want to read your secret message have to know what password you're using in your stego, but there are a lot of ways to do that - for example, everyone has a copy of Gibbon's Decline and Fall of the Roman Empire and uses the 11th word on the page as the password. Each day, use the next page.
Sure, NSA will see that people are looking at Reddit, but it's an extra layer of indirection that they're looking at what you posted to Reddit. It's potentially a very large haystack indeed. By now you should see why this isn't any good for voice communications or email.
Remember the mirrored cylinder that was used to view the picture of King Charles? That was a give away. Well, so are steganography tools. If it comes to an investigation and someone finds that you've, say, installed the Ubuntu version of Steghide, there will likely be a lot of questions. So how do you hide your stego tools? I think that the best way is via the Purloined Letter approach - hide them in plain sight.
This is a Lego toy. Actually, it was a Lego toy until someone took a box cutter, Dremel, and some manual labor to cut it open and embed a USB drive in it:
Or you could just buy a Lego brick USB drive. Remember to keep it with your other Lego.
Now it's important to point out here that nothing is foolproof. NSA will be collecting traffic data showing that you're uploading to Reddit and Facebook. They will see that other people check Facebook and Reddit. They will build maps of relationships - maps showing who knows who. Someone might take a look at your Facebook page. If they really want to spend the time with the right people analyzing your pictures (or podcasts, or youtube vids) they might very well sniff something fishy. But they'll have to work a lot harder, and the work will be much less automated. That means that it will be expensive, and there will be a lot less of that sort of thing going on.
And this will give you a close to "Professional Grade" level of paranoia which is a Very Good Thing. If I seem that way myself, please remember that I was trained to be that way by the finest minds in the Free World.
This is an updated version of a post from 2013, but the information is as needed now as then.