Part 3 — Security
protection from whom?
I have bad news. If a state actor like the NSA or GRU or whoever wants to snoop on you, it’s likely not going to be hard for them to crack your Jitsi server’s security or hack into your Cloudron instance.
This is not the fault of these tools, it’s just the nature of computer security — it’s really, really hard. Sure, you could harden your server, and keep up to date with Jitsi/Cloudron and make security and config updates as necessary, but finding a volunteer with the time, ability, and willingness to do such a thing is extremely difficult. Even if you do all of that, it will likely only delay them from getting your data.
Keep in mind that with very few exceptions, if a national government wants your data they will get it.
The risk calculation that brought me to this conclusion is simple – true protection from state actors is nearly impossible, and you can waste a lot of time trying the increasingly difficult and arcane defense measures.
Luckily, the feds probably aren’t going to come after you. So who should you focus on protecting yourself from? Two main entities: local law enforcement, and ideological enemies like fascist groups or internet trolls.
There are a few tools local police departments have in their arsenal, and they can be sidestepped with some preparation and care. To protect against attacks from non-state actors, we’ll show you how to cover your tracks as you browse online and how to remove your personal data from shady sites.
You’re not going to leave your phone at home, are you?
Many leftist protesting guides will tell you to leave your phone at home if you’re going to a protest or are anywhere where you think a cop may take you or your phone, which is excellent advice. That said, I don’t do this, and I bet a lot of you don’t either. Happily, there’s a very easy compromise — turn off face and fingerprint unlock before leaving your house.
The cops (probably) aren’t going to beat a password out of you, but they will absolutely point the phone at your face to unlock it and snoop through the contents. This has been the case for a while though, so cops found a friend in the private sector to get what they want.
Some PDs may have purchased hacking devices that take advantage of security flaws in phones to defeat their full-disk encryption, allowing cops to read everything on your phone, no passcode needed.
However, Signal and Matrix can act as a last line of defense here. E2EE messages are much harder to access, and if messages are set to disappear by the time the hacking is complete they’re gone forever.
posting discipline and troll defense
a mosaic of problems
Cops are just as good as angry twitter users at sniffing out personal information from photos, and they have a lot more tools at their disposal to use against you. It’s easiest to not take photos or videos, period — and try to ensure you aren’t in someone else’s.
If you do take photos, and you decide to post them (do you really, really need to?), you have to blur faces, tattoos, distinctive clothing items, jewelry, basically any identifying property of a person. If you don’t do this, cops can put photos together to get the identity of the person in question.
On other people recording you or your comrades: this isn’t illegal, and there’s nothing you can do — other than smile and wave, of course!
don’t hand out ammo to enemies
As you know, anything you post online might cause undue attention. A mean joke, lewd photo, or salacious video one day can be broadcast to the world the next day, and the avalanche of abuse can put you and your comrades at risk. If you’ve got spicy takes, keep them in disappearing Signal chats or twitter accounts restricted to only people you trust.
That said, there are a lot of cases where this won’t matter at all — right wing media will converge on some innocuous but poorly worded remark from a left-leaning person, and the avalanche of abuse will commence.
If you are being targeted: review all of your social media accounts and lock them down, immediately purge your personal information from lookup sites if you haven’t already, alert your chapter leadership, and take any other steps to protect yourself physically and emotionally, like staying with a friend to get out of the house. That friend may also screen your messages to let real messages through and spare you looking at the torrent of abuse. Also consider letting friends, family, and even your boss know they may get strange calls or texts due to a harassment campaign.
In the future, this guide will have an exact list of things to do for folks in an emergency like this.
If you are in the same chapter as someone being targeted, support them however they need first. Any discussion on how to respond as a chapter can wait — prioritize their safety first.
Harassment campaigns can last hours or months and can have severe real-world consequences. For shorter campaigns, it may be worth not responding at all and simply ignoring it – people will move on to the next target.
For longer campaigns of abuse, this will not work, and you’ll need to communicate the threat to the chapter and ensure common harassment vectors — Zoom meetings, open email inboxes, personal phone numbers — are secure.
We’ll go over specific tasks later, but for now let’s switch gears to the threat that powers the cops and trolls — data brokers.
the running spies of capital – data brokers
So you’ve protected your phone from cops and don’t post anything online that gives your home address or job away, but there’s one last piece of the privacy puzzle that’s exploded onto public consciousness in recent months — data brokers.
Most mobile apps have ads in them. These ads collect loads of your personal data — such as what websites you read, what locations you visit (turning off location services can help, but cell tower triangulation can be very accurate), and what you buy — and sell this information to brokers. Brokers then sell this data to whoever they want — even religious fundamentalist news outlets.
Blocking ad brokers from collecting the data at the source is tough, but not impossible. If you’ve ever used an adblocker on the web like uBlock or AdBlock Plus, there’s a similar service you can use to block many (but not all!) data brokers: DNS-based blockers, like NextDNS or PiHole, ensure that most requests your phone makes to ad networks are blocked.
NextDNS is a hosted service that costs $2 a month and comes with apps for every device. You just log in, select what block lists you would like to use (some are more restrictive but have a higher chance of breaking a website, others are more lenient but may not block as many threats), and that’s it! It doesn’t totally stop all data brokers, but will severely limit the data you leak to them and it blocks annoying advertisements to boot. It’s cheap, easy, and pretty effective — I strongly recommend it.
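To make the mechanism concrete, here is an added example (my own illustration, not code from NextDNS or PiHole) of what a DNS-based blocker does with a block list: every name the phone asks to resolve is checked against the list, and blocked names, including their subdomains, are answered with a sinkhole address instead of the real one. The block list, allow list and query names are constructed for the example.

```python
# Added example of DNS block-list matching; block list and names are constructed.

# Constructed block list in the "hosts" format many public lists use:
# "<sink address> <domain>", with '#' comments and blank lines allowed.
BLOCKLIST_TEXT = """
# constructed sample list
0.0.0.0 tracker.example
0.0.0.0 ads.example.net   # trailing comment
127.0.0.1 metrics.example.org
"""

# Constructed allow list: names the user keeps working even though a
# parent domain is blocked (how blockers avoid breaking a needed site).
ALLOWLIST = {"cdn.ads.example.net"}
SINKHOLE = "0.0.0.0"


def parse_blocklist(text):
    """Return the set of blocked domains from hosts-format text."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        # hosts format is "address name..."; plain domain lists have no address
        names = parts[1:] if len(parts) > 1 else parts
        blocked.update(n.lower().rstrip(".") for n in names)
    return blocked


def is_blocked(name, blocked, allowed=ALLOWLIST):
    """True if name or any parent domain is listed, unless explicitly allowed."""
    name = name.lower().rstrip(".")
    if name in allowed:
        return False
    labels = name.split(".")
    # check "a.b.c", then "b.c", then "c"
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def resolve(name, blocked, upstream):
    """Sinkhole blocked names; otherwise answer from `upstream`, a dict
    standing in for a real resolver in this example."""
    if is_blocked(name, blocked):
        return SINKHOLE
    return upstream.get(name.lower().rstrip("."))


BLOCKED = parse_blocklist(BLOCKLIST_TEXT)
```

The parent-domain walk is why one list entry like `tracker.example` also catches every tracking subdomain an app might rotate through, and the allow list is the knob you turn when a stricter list breaks a site you need.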
Whitepages in the internet era
Identity brokers are a bit different from brokers that rely on cell phone data. Identity brokers collect your personal information, like address and phone number, from various sources and then sell it to individuals online for a fee. It’s easier to get information from an identity broker like Spokeo than from a data broker — data brokers sell raw data that has to be deanonymized, whereas identity brokers will take a person’s name and spit out their phone number, address history, and family.
Landlords, annoying busybodies, and shady bosses love these services because they allow the voyeur to see things like your address history, income, and family members. Luckily, these brokers are at least kind of regulated. Each one has an opt-out page where you can request that your data be deleted. The length of that document can be intimidating at first, so if you’re short on time do the high-priority sites first and come back to the rest later.
With these methods of protection, you should be better protected against most common threats. Let’s move on to Part 4, communication – where all your sensitive conversations probably are, and why you need this security in the first place.
Footnote 1: PiHole
PiHole works similarly to NextDNS, but you set it up and run it yourself, and you need a VPN to use it on your phone, which can negatively affect your browsing speeds — too much hassle when the alternative is as good as NextDNS. I think the $2 a month is worth the ~80,000 requests a month to ad networks that get blocked. With a few very rare exceptions, I don’t see any issues with websites not working, and many sites load faster without a countless number of ads and popup windows loading.