CommsBlack Mobile

Academy

We are committed to empowering everyday Australians with the tools, knowledge, and platforms to communicate on their own terms. No gatekeepers. No surveillance. No compromise. Because a nation that can speak freely is a nation that can think freely.

Know the Threats (Awareness)

Surveillance Laws in Plain English Context

Australia’s surveillance framework is broad. Interception powers (TIAA), two-year metadata retention, the TOLA assistance regime, the AFP/ACIC Identify & Disrupt powers, and Online Safety mechanisms create overlapping ways to access data. These laws aim at crime and national security, but they also enable dragnet collection and compelled assistance that can touch ordinary people. A realistic stance is neither panic nor apathy: know the capabilities, then reduce your exposure.

  • Prefer end-to-end encrypted services with open protocols and public audits.
  • Keep less data: prune cloud backups, auto-delete messages, minimize account sprawl.
  • Separate roles: don’t mix personal and sensitive work on the same identity or device.

Metadata Retention Awareness

“It’s only metadata” is misleading—connection times, IPs, cell sites, and contact graphs map your life. In Australia, telcos must keep metadata; many agencies can access it. Even when message content is encrypted, metadata can reveal who you talk to, when, and from where.

  • Use messengers that minimize metadata (e.g., sealed-sender, contact discovery protections).
  • Prefer Wi-Fi with a reputable VPN or Tor to reduce location traces.
  • Turn off Wi-Fi/Bluetooth scanning; disable ad-ID tracking on mobile.
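
To make the point about metadata concrete, the added example below (not part of the original page) runs simple counts over constructed connection records that contain no message content. The record layout, cell-site names, and contact labels are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (not real data): (timestamp, cell site, other party).
# There is no message content anywhere in this input.
RECORDS = [
    ("2024-03-04 23:40", "CELL-17", "contact-A"),
    ("2024-03-05 05:50", "CELL-17", "contact-B"),
    ("2024-03-05 10:15", "CELL-42", "contact-C"),
    ("2024-03-05 14:30", "CELL-42", "contact-A"),
    ("2024-03-05 18:05", "CELL-08", "clinic"),
    ("2024-03-05 23:10", "CELL-17", "contact-A"),
    ("2024-03-11 10:20", "CELL-42", "contact-C"),
    ("2024-03-12 18:10", "CELL-08", "clinic"),
    ("2024-03-12 22:45", "CELL-17", "contact-A"),
]
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def parse(records):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), cell, peer)
            for ts, cell, peer in records]

def top_cell(rows, keep):
    """Most frequent cell site among rows whose timestamp passes `keep`."""
    counts = Counter(cell for ts, cell, _ in rows if keep(ts))
    return counts.most_common(1)[0][0] if counts else None

def likely_home(rows):
    # Overnight activity (22:00-06:00) clusters where a person sleeps.
    return top_cell(rows, lambda ts: ts.hour >= 22 or ts.hour < 6)

def likely_workplace(rows):
    # Weekday office-hours activity clusters where a person works.
    return top_cell(rows, lambda ts: ts.weekday() < 5 and 9 <= ts.hour < 17)

def contact_ranking(rows):
    # Contact graph edges ranked by how often they appear.
    return Counter(peer for _, _, peer in rows).most_common()

def weekly_routines(rows):
    # Same weekday, hour and contact on more than one date suggests a routine.
    seen = defaultdict(set)
    for ts, _, peer in rows:
        seen[(DAYS[ts.weekday()], ts.hour, peer)].add(ts.date())
    return sorted(key for key, dates in seen.items() if len(dates) > 1)

if __name__ == "__main__":
    rows = parse(RECORDS)
    print(likely_home(rows), likely_workplace(rows))
    print(contact_ranking(rows)[0], weekly_routines(rows))
```

Nine content-free records are enough to suggest a home cell, a workplace cell, the closest contact, and a recurring Tuesday-evening appointment, which is why minimizing what gets recorded matters as much as encrypting content.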

Compelled Assistance Risk

TOLA can require companies—and in some cases people—to help agencies access data or build capabilities. While backdoors are theoretically limited, the practical outcome is uncertainty: can your provider be forced to push a targeted update or share telemetry?

  • Favor open-source apps and community-audited builds.
  • Diversify providers; avoid single points of failure for comms, storage, and identity.
  • Pin app versions where possible for high-risk work; verify signatures.

Lawful Hacking Devices

If agencies can’t read your encrypted traffic, they may target the endpoints. Lawful hacking implants can capture screenshots, keystrokes, or files before encryption. The best defense is reducing attack surface and isolating risky tasks.

  • Keep OS and firmware updated; uninstall rarely used apps and browser extensions.
  • Use hardened OS options (GrapheneOS, Qubes OS) for sensitive roles.
  • Restart phones daily; it can clear some transient exploits.

Everyday Surveillance Life

Workplace monitoring, retail facial recognition, license-plate readers, smart TVs, and voice assistants all trade convenience for data. Even if each stream seems harmless, their combination profiles you.

  • Audit home devices; disable mics/cameras, guest-network IoT, and unneeded cloud features.
  • Ask employers for monitoring policies; use personal devices for personal accounts.
  • Carry camera covers; deny unnecessary app permissions by default.

Protect Yourself (Defense)

Choosing Secure Devices & OS Foundation

Security choices compound. GrapheneOS hardens Android on Pixel hardware; Tails routes traffic through Tor and leaves no trace; Qubes isolates tasks into compartments (qubes). Mainstream platforms can be made safer, but purpose-built systems start ahead.

  • Maintain a clean, dedicated device for sensitive roles.
  • Enable secure boot/verified boot and full-disk encryption.
  • Prefer devices with long, reliable update lifecycles.

Private Communications Messaging

SMS and traditional calls are easy to intercept and rich in metadata. Signal, Session, and Matrix offer strong end-to-end encryption and better privacy defaults. Your security improves as your contacts migrate too.

  • Enable disappearing messages and registration lock/PINs.
  • Verify safety numbers/keys for sensitive contacts.
  • Prefer calling inside E2EE apps over carrier voice.

VPNs, Tor & Proxies Networks

A VPN hides traffic from local observers but requires trust in the provider. Tor bounces traffic through relays to obscure origin—more anonymous, often slower. Proxies usually don’t encrypt; use with caution.

  • Use Tor for anonymity; VPN for hostile Wi-Fi and region locking.
  • Avoid “free” VPNs; choose reputable, audited services.
  • Combine Tor over VPN if Tor is blocked on your network.

Protecting Your Browser Tracking

Your browser is a data firehose: third-party cookies, fingerprinting, URL tracking, push IDs. Hardened Firefox or Brave can cut leakage dramatically when paired with disciplined habits.

  • Install uBlock Origin and enable EasyPrivacy & uBO filters.
  • Block third-party cookies; consider “strict” anti-tracking.
  • Use containers/profiles per role; disable unnecessary extensions.

Compartmentalisation Separation

One identity compromise shouldn’t cascade. Separate accounts, phone numbers, emails, and devices for distinct roles (work, personal, anonymous). The goal is to limit blast radius.

  • Use unique emails/aliases; separate payment instruments.
  • Different browsers or user profiles for each role.
  • Isolate high-risk tasks in VMs or Qubes.

Data Breach Survival Response

When data leaks, speed matters. Attackers reuse credentials within hours. Treat breaches as recurring events—assume old data can resurface.

  • Rotate passwords immediately; enable 2FA (preferably FIDO keys).
  • Set up breach alerts (e.g., HIBP); monitor identity and bank notifications.
  • Replace compromised emails/usernames; update recovery channels.
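
When deciding which passwords to rotate first, HIBP's Pwned Passwords range endpoint lets you test a password against breach corpora without disclosing it: only the first five hex characters of its SHA-1 leave your machine, and the match is done locally. The sketch below is an added example, not part of the original page; it runs offline against a constructed response body, and the function names are hypothetical.

```python
import hashlib

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def range_query_prefix(password):
    """The only value sent to the service: GET https://api.pwnedpasswords.com/range/<prefix>."""
    return sha1_hex(password)[:5]

def breach_count(password, range_response):
    """Match the remaining 35 hex chars locally against 'SUFFIX:COUNT' lines.

    Returns how many times the password appears in the corpus, or 0 if absent.
    """
    suffix = sha1_hex(password)[5:]
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def constructed_response(breached_password, count):
    """Constructed stand-in for a range response body (not real breach data)."""
    filler = [
        f"{hashlib.sha1(f'filler-{i}'.encode()).hexdigest().upper()[5:]}:{i + 1}"
        for i in range(3)
    ]
    return "\r\n".join(filler + [f"{sha1_hex(breached_password)[5:]}:{count}"])

if __name__ == "__main__":
    body = constructed_response("password", 1234)
    for candidate in ("password", "a long unrelated passphrase"):
        hits = breach_count(candidate, body)
        verdict = "rotate now" if hits else "not in this response"
        print(range_query_prefix(candidate), verdict)
```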

Crypto & Privacy Finance

Most crypto is pseudonymous, not anonymous. Exchanges, analytics, and sloppy hygiene can deanonymise you. If you must transact privately, plan each step.

  • Avoid address reuse; generate fresh receive addresses.
  • Use privacy-preserving wallets/coins where legal.
  • Beware KYC exchanges linking your identity to on-chain history.

Build Good Habits (Operational Security)

Don’t Mix Identities Discipline

Cross-contamination is the #1 opsec failure. One login to a personal account from an anonymous browser can create a lasting link. Treat identities like chemicals—store separately.

  • Dedicated browser profiles, containers, or devices per identity.
  • Unique usernames, avatars, writing styles, and time zones.
  • Never copy/paste between roles; use offline notes to relay info.

Safe Public Wi-Fi Use Travel

Open hotspots are fertile ground for snooping and phishing portals. Treat any shared network as hostile.

  • Use a reputable VPN before logging in anywhere.
  • Disable auto-connect; verify SSIDs; use mobile tethering when possible.
  • Carry a “burner” device for trips and conferences.

Password & Key Management Access

Reused or weak passwords remain the easiest breach vector. Keys (PGP, SSH, FIDO) protect higher-value assets but must be backed up and rotated safely.

  • Use a reputable password manager; create long passphrases.
  • Prefer hardware security keys for 2FA over SMS codes.
  • Store recovery codes offline; test account recovery annually.

Detecting & Responding to Device Compromise Incidents

Unusual battery drain, network spikes, new admin users, or blocked updates can signal compromise. Once an endpoint is owned, assume data exposure.

  • Go offline, back up essentials, then wipe and rebuild from known-good images.
  • Rotate all credentials used on the device; re-enrol 2FA.
  • For high-risk cases, seek professional forensics before altering evidence.

Traveling Safely with Tech Borders

Some borders allow device search; compelled unlock may be lawful. Reduce what you carry and what you store locally when you travel.

  • Travel with clean devices; keep sensitive data encrypted in the cloud.
  • Use temporary accounts/phone numbers; log out before return.
  • Assume devices inspected at borders are no longer trustworthy for high-risk work.

Push Back (Advocacy & Rights)

Your Rights in Australia Oversight

Regulators like the OAIC, Ombudsman, and IGIS can investigate misuse, require remediation, or recommend reforms. Paper trails matter—even small complaints contribute to systemic accountability.

  • Document facts (dates, systems, people) before lodging a complaint.
  • Request copies of data held on you; exercise correction rights.
  • Coordinate with community groups for templates and support.

Challenging Unlawful Surveillance Remedies

When powers are exceeded, courts and tribunals can suppress evidence, award damages, or set precedent. Strategic cases shift policy over time.

  • Seek legal advice early; preserve logs and screenshots.
  • Use FOI requests to surface decision-making and policies.
  • Crowdfund or pool resources via advocacy networks.

Joining Digital Rights Movements Community

Collective action multiplies impact. Groups like EFA and Digital Rights Watch (and global allies like EFF) educate the public and lobby for better laws.

  • Volunteer your skills; attend events; share resources locally.
  • Write submissions to public consultations on tech laws.
  • Support watchdog journalism and independent research.

Why Privacy = Democracy Civics

Privacy protects dissent, association, and press freedom. Chilling effects creep in when people expect to be watched. Healthy democracies preserve room to think and explore without constant logging.

  • Normalize privacy tools in everyday life.
  • Challenge the “nothing to hide” myth with real-world examples.
  • Teach kids and colleagues practical digital hygiene.

Future Laws to Watch Foresight

Digital ID proposals, age-verification mandates, and AI-driven workplace monitoring are evolving. Early engagement shapes outcomes; silence leaves design to others.

  • Track consultations; submit feedback through civil groups.
  • Ask vendors and employers about data governance for AI systems.
  • Support privacy-preserving standards and procurement.

High-Risk Playbooks

Fortress Mode (Qubes OS) Isolation

Qubes treats your laptop as many little computers. Compartmentalisation prevents a mistake in one domain from exposing all others—ideal for research, source handling, and document review.

  • Map roles to qubes (work, personal, research, throwaway).
  • Keep an offline vault qube for secrets and keys.
  • Use disposable VMs for opening unknown files and links.

Ghost Mode (Tails) Anonymity

Tails routes all traffic via Tor and forgets everything on shutdown. It’s powerful for anonymous browsing, leak handling, and high-risk comms—when used on trusted hardware.

  • Verify ISO signatures; use fresh USBs; disable internal disks in BIOS if possible.
  • Never log into personal accounts from Tails.
  • Avoid installing persistent add-ons that could fingerprint you.

Mobile Mode (GrapheneOS) Hardened

GrapheneOS on Pixel reduces attack surface, improves permissions, and enables sensible sandboxing. It feels like stock Android but respects your boundaries.

  • Use separate user profiles for roles; restrict network for sensitive apps.
  • Install apps via sandboxed Play or F-Droid; review permissions routinely.
  • Keep baseband and firmware updated; disable USB debugging.

Crypto Hygiene Money

Payments can unmask relationships. Treat every on-chain action as public by default and plan the full path—funding, spending, and cash-out.

  • Use fresh wallets per project; separate hot and cold storage.
  • Avoid linking KYC and non-KYC funds; mind blockchain analytics.
  • Consider privacy coins where lawful; document your threat model.

Breach Response Plans Preparedness

Incidents are stressful; pre-planning prevents panic. Decide who to call, what to shut down, and how to rebuild—before anything happens.

  • Maintain encrypted, offline backups; test restores quarterly.
  • Write a 1-page runbook (contacts, steps, legal support).
  • After action: rotate credentials, review logs, and tighten controls.

This page is educational, not legal advice. Adapt guidance to your own threat model.