Government Surveillance During Crises
Geopolitical crises consistently trigger expanded surveillance activity. Understanding the scope helps prioritize defenses:
- Data requests to tech companies: Google received over 400,000 government requests for user data globally in 2024, according to its Transparency Report. Apple, Meta, and Microsoft report similar trends. During active conflicts and security emergencies, request volumes spike - the U.S. alone submitted over 60,000 requests to Google in the first half of 2024.
- Warrantless surveillance: Section 702 of the Foreign Intelligence Surveillance Act (FISA) allows warrantless collection of communications of non-U.S. persons abroad, but U.S. persons' data is routinely swept up in the process. Section 702 was reauthorized in April 2024 with expanded authority. The PCLOB (Privacy and Civil Liberties Oversight Board) documented significant compliance issues in its most recent review.
- International surveillance: The Five Eyes intelligence alliance (U.S., UK, Canada, Australia, New Zealand) shares signals intelligence broadly. EU member states operate their own surveillance programs. Russia and China maintain extensive domestic surveillance infrastructure that also targets foreign nationals and diaspora communities.
- Commercial data brokers: Government agencies - including U.S. law enforcement and intelligence agencies - purchase location data, web browsing histories, and app usage data from commercial data brokers, bypassing warrant requirements. A 2024 FTC enforcement action against X-Mode/Outlogic highlighted the scale of this practice.
Encrypted Messaging
Standard SMS text messages and many popular messaging apps transmit messages in a form that carriers, governments, and attackers can intercept. End-to-end encryption ensures only the sender and recipient can read message content.
Recommended Encrypted Messaging Apps
| App | Encryption | Key Strengths | Considerations |
|---|---|---|---|
| Signal | End-to-end (Signal Protocol) | Open source, minimal metadata collection, disappearing messages, independent security audits | Requires phone number for registration. Growing user base - over 70 million monthly active users as of early 2025. |
| End-to-end (Signal Protocol) | Largest encrypted messaging platform (~2 billion users), widely adopted internationally | Owned by Meta. Collects metadata (who you message, when, how often). Message content is encrypted but metadata is not. | |
| Briar | End-to-end, peer-to-peer | Works without internet via Bluetooth/Wi-Fi mesh, no central server, designed for high-risk environments | Android only. Smaller user base. Higher battery usage due to mesh networking. |
Email Encryption
Standard email (Gmail, Outlook, Yahoo) is not end-to-end encrypted by default. Encrypted email providers include ProtonMail (based in Switzerland, over 100 million accounts) and Tutanota (based in Germany). Both encrypt messages at rest and in transit. For existing email accounts, PGP/GPG encryption adds end-to-end protection but requires both sender and recipient to use compatible software - adoption remains limited outside technical communities.
VPN and Network Security
A Virtual Private Network (VPN) encrypts your internet traffic and masks your IP address from your internet service provider, network operators, and websites. VPN usage increased significantly during crises - GlobalWebIndex data shows approximately 31% of internet users worldwide accessed a VPN at least once per month in 2024.
What a VPN Protects
- ISP monitoring: Your internet provider can see every website you visit, every service you connect to, and the volume of your traffic. A VPN encrypts this data so your ISP sees only that you are connected to a VPN server.
- Public Wi-Fi: Open Wi-Fi networks (cafes, airports, hotels) are trivially easy to monitor or spoof. A VPN protects all traffic on these networks.
- Geolocation: Websites and services see your VPN server's location instead of your actual location.
- Censorship circumvention: In countries that restrict internet access during crises (Iran, Russia, China, Myanmar), VPNs provide access to blocked information - though governments actively work to block VPN protocols.
What a VPN Does Not Protect
- Account-level tracking: If you log into Google, Facebook, or any service while using a VPN, that service still knows who you are.
- VPN provider trust: Your VPN provider replaces your ISP as the entity that can see your traffic. Choose providers with independently audited no-log policies. Avoid free VPNs - many monetize user data.
- DNS leaks: Misconfigured VPN connections may leak DNS queries (revealing which sites you visit) outside the encrypted tunnel. Use VPN providers that operate their own DNS servers.
DNS-Level Privacy
Even with a VPN, DNS queries (the system that translates website names to IP addresses) can reveal browsing activity. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt these queries. Major providers include Cloudflare (1.1.1.1) and Quad9 (9.9.9.9), both of which also block known malicious domains.
Authentication and Account Security
Compromised accounts are the most common entry point for both criminal and state-sponsored attackers. Strengthening authentication is the single highest-impact security step most people can take.
Multi-Factor Authentication (MFA)
MFA requires something beyond a password to access an account. The security level varies significantly by method:
- Hardware security keys (FIDO2/WebAuthn): Physical devices (YubiKey, Google Titan) that plug into USB or communicate via NFC. The strongest form of MFA - resistant to phishing, SIM-swapping, and remote interception. Google's Advanced Protection Program requires hardware keys and has prevented 100% of automated attacks in internal testing.
- Authenticator apps (TOTP): Apps like Google Authenticator, Authy, or Microsoft Authenticator generate time-based codes. Significantly stronger than SMS but vulnerable to phishing if a user enters the code on a fake login page.
- SMS codes: The weakest form of MFA. Vulnerable to SIM-swapping attacks (an attacker convinces your carrier to transfer your number), SS7 network interception, and social engineering. Still better than no MFA, but should be replaced with stronger methods for important accounts.
Password Management
Password reuse is the most exploited authentication weakness. When a breach exposes credentials from one service, attackers automatically test those credentials against thousands of other services (credential stuffing). A password manager generates unique, strong passwords for every account and stores them in an encrypted vault. Major options include Bitwarden (open source), 1Password, and KeePassXC (offline, open source).
Device Security
Your phone and computer contain more personal information than any other single object. Securing them protects against both remote attacks and physical seizure.
- Full-disk encryption: Modern iPhones and Android devices encrypt storage by default when a passcode is set. On computers, enable BitLocker (Windows), FileVault (macOS), or LUKS (Linux). Without encryption, anyone with physical access to your device can read all stored data.
- Software updates: Apply operating system and app updates promptly. Most successful attacks exploit known vulnerabilities that patches have already fixed. The NSO Group's Pegasus spyware, used against journalists and activists worldwide, primarily exploited unpatched vulnerabilities.
- App permissions: Review which apps have access to your location, microphone, camera, contacts, and files. Revoke permissions that are not essential to the app's function. Both iOS and Android now provide detailed permission dashboards.
- Remote wipe: Enable remote wipe capability (Find My iPhone, Google Find My Device) so you can erase the device if it is lost or seized. For high-risk situations, consider configuring automatic wipe after a set number of failed passcode attempts.
- Border crossing: U.S. Customs and Border Protection asserts the authority to search electronic devices at the border without a warrant. If crossing international borders during a crisis, consider traveling with a clean device and accessing data remotely via encrypted cloud services after entry.
Data Protection and Backup
During a crisis, data loss can result from cyberattack, physical damage, confiscation, or infrastructure failure. A layered backup strategy protects against all scenarios:
- 3-2-1 backup rule: Maintain 3 copies of important data, on 2 different types of storage media, with 1 copy stored offsite (physically separate location or encrypted cloud storage).
- Encrypted cloud storage: Services with zero-knowledge encryption (the provider cannot access your files) include Tresorit, SpiderOak, and Proton Drive. Standard cloud services (Google Drive, iCloud, Dropbox) encrypt data in transit and at rest but retain the ability to decrypt files - meaning they can comply with government data requests.
- Offline backups: Encrypted external drives stored in a secure location protect against both cyberattack and cloud service disruption. In a grid-down scenario, offline backups may be the only accessible copies.
- Document digitization: Scan and encrypt copies of critical documents (identification, insurance policies, property records, medical records) in cloud and offline backup. During evacuations or displacement, physical documents are frequently lost.
- Secure deletion: When disposing of devices or preparing for border crossings, standard file deletion does not remove data - it marks storage space as available. Use secure deletion tools (built into iOS and modern SSDs, available via BleachBit on computers) to prevent data recovery.
Frequently Asked Questions
Is using a VPN legal?
VPN usage is legal in most countries, including the United States, Canada, the EU, the UK, Japan, and Australia. However, several countries restrict or ban VPN use: China requires VPNs to be government-approved (most commercial VPNs are blocked by the Great Firewall), Russia banned non-approved VPNs in 2017, Iran blocks most VPN services, and North Korea prohibits civilian internet access entirely. Even in countries where VPNs are legal, using a VPN to conduct illegal activity remains illegal - the VPN protects privacy, not legality.
Can the government read my encrypted messages?
Properly implemented end-to-end encryption (Signal, WhatsApp message content) cannot be decrypted by governments, service providers, or attackers without access to one of the endpoint devices. However, metadata (who you communicate with, when, and how often) is often not encrypted and can be obtained through legal process or surveillance. Additionally, if a government gains access to your physical device (through seizure, spyware like Pegasus, or a legal order to unlock), they can read messages stored on that device regardless of encryption in transit.
What is the single most important digital security step?
Enable multi-factor authentication on all important accounts - especially email, banking, and social media. A strong, unique password combined with a hardware security key or authenticator app blocks the vast majority of account compromise attempts. Google reported that hardware security keys prevented 100% of automated phishing attacks in their internal study. After MFA, the next highest-impact step is using a password manager to eliminate password reuse.