Can high-value targets still hide?
I have lately had a lot of conversations about privacy and surveillance. Most people seem to be OK with the argument that privacy is not dead and that we can fight back against mass surveillance. But then the question becomes - is it possible for a high-value target to hide? I think so, at least in some cases.
First - what do I mean by a high-value target? Basically, a high-value target is someone like a Snowden or a Manning. Someone that the intelligence services would be willing to spend millions of dollars and significant valuable resources (like 0days) to find. We could add some extra constraints along the lines of saying that they want to minimize risk of detection and so on. But for argument's sake let's ignore all that.
There are of course two different problems here. The first one is the problem of hiding your existence as a threat at all. If you just look like a regular person on the Internet and you hide all your problematic activities well enough, it should be very hard for an intelligence service to even find you in the first place. This was the case with Snowden before the leaks started coming out, for example. If the NSA had known to look for a specific leaker it would have been harder to hide. But consider a situation like that of the Dread Pirate Roberts. The law enforcement agencies clearly know that this individual exists. They just don't know who the alias maps to. This situation is harder.
There is another problem, which is even harder. That is the case of being someone who is well known - a lightning rod - where finding out what they are doing is worth a lot to intelligence services. Someone like Sarah Harrison is a good example of this situation. So let's take that situation. First - it is very likely that physical surveillance will be used. So any moment in the physical world will be monitored. However, can you hide what you are doing digitally? I believe yes. And the approaches are the same operational security patterns that we have known about for a long time. Compartmentalization. Don't store information. Physical proximity.
What are some examples of these kinds of approaches? First, use laptops from which as much as possible has been taken out. Use coreboot on a BIOS that has been write-protected. Only use TAILS from a CD or USB (CDs are better but more cumbersome) on these machines. Use different machines for talking to different people. Use different Jabber accounts for different people. Don't have all your accounts online at the same time. For very secure scenarios, use PGP to encrypt messages and then send them over OTR over Jabber on a Jabber service that is running on a Tor Hidden Service. And maybe talk in code inside of these messages. You can compose and encrypt the messages on an airgapped machine and then transfer the encrypted text to the computer connected to the Internet. Etc.
Have good password hygiene. Keep a USB stick around your neck at all times that contains your most important passwords and private keys. Of course, the USB stick has encrypted partitions with this information. Don't leave your important laptops out of sight - you will have to carry them with you all the time...
At the end of the day, even intelligence services must follow the laws of physics. And even if Tor Hidden Services have weaknesses, you can still put layers of protection on top of them. It is extremely unlikely that an agency will be able to decrypt and MITM all your Tor Hidden Service traffic AND MITM your OTR traffic AND crack your PGP key at the same time. Especially if some of this happens offline.
So yeah. It is possible. Snowden is a clear existence proof. So are many other things and people out there. Of course, none of this is easy. But it is possible.