Notes on Digital Security

An abstract video still projected onto my kitchen cabinets.

Over the last year and a half or so I’ve learned quite a bit about online security. My interest was sparked by participation with a few different activist groups in 2019-2020 and amazing classes put together by Tech Learning Collective, which in turn led to a pretty significant amount of independent research. Along the way I’ve had the opportunity to share the basics of what I’ve learned through a blog post that flew pretty far and eventually led to an opportunity to teach an introductory class for folks in independent radio. These notes are nowhere near an exhaustive list of what’s out there, but I wanted to share some of the knowledge I’ve gathered thus far.


Notes for everyone

  1. No app is perfect, and everyone’s individual situation is different. That’s where threat modeling comes in. Everyone will make different choices based on the threats they face.
  2. For example, if I’m all about security and privacy, why am I writing all about my life on a website and sharing about my life via a newsletter? It has to do with my own personal situation - I’m not a core organizer. I do not hold sensitive information about activist activities at this point. But I do try to keep my data out of Facebook’s hands.
  3. A threat that all people in our interconnected global world face is surveillance capitalism. Shoshana Zuboff’s interviews with The Guardian, The Markup and VPRO are a great place to start for information on the topic if you aren’t familiar. (Surveillance capitalism is nothing new.)
  4. Surveillance capitalism not only undermines personal privacy, but challenges democratic government at its core.

Data is content, and metadata is context. Metadata can be much more revealing than data, especially when collected in the aggregate.
 – Bruce Schneier

  1. Metadata is the “surplus” data that Google built itself upon and that fuels surveillance capitalism. The Markup’s Blacklight and EFF’s Cover Your Tracks can show you the alarming amount of data that companies are collecting about your online activity.
  2. As a result, the fact that you might feel “anonymous” - perhaps you used a fake name when signing up for a forum - does not mean your activities are private or secure.

The idea that there are tools that would always work for everyone, everywhere; require no extra knowledge and zero additional infrastructure; are fair and just, and protect users at all times, is a dream that has not yet come true.
 – Tactical Tech

  1. If you want to limit surveillance capitalists' influence on your life, start by using Firefox (or if a novice Chrome user, Brave) rather than Google Chrome. Google was the original surveillance capitalist company. Then add in the uBlock Origin, Privacy Badger, and Decentraleyes browser add-ons. Make sure to also use DuckDuckGo rather than Google Search, and consider leaving corporate social media altogether. (I’m partway through my own journey, but there is still work (especially de-Google-ing) to be done.)
  2. Because of advanced fingerprinting techniques, there’s no real perfect system for avoiding trackers. Tor might be your best option if a stronger form of anonymity is required.
  3. Here are a few resources I use to choose my apps and tools, for both secure and open source alternatives:
  1. When thinking about companies/apps themselves, the ideal of privacy is inverted - instead of privacy, we seek transparency. That’s why going with open-source, decentralized, and/or audited tools is recommended where possible.
  2. Decentralization distributes power. Consequently, trust is distributed among multiple parties, allowing for less of a dependence on a central node but a larger number of potential fail points.
  3. One of the challenges in talking about digital security broadly and to a variety of different people is that there are many different potential threats, and they do not affect all of us equally. The digital world is not always safe for overpoliced Black folks or non-cis-men, and sometimes makes stuff like racism and sexism and domestic violence even worse. White men like me need to remember that we do not face the same challenges as others.
  4. At the same time, the truth is that everyone has something to hide.

Saying that you don’t need or want privacy because you have nothing to hide is to assume that no one should have, or could have, to hide anything - including their immigration status, unemployment history, financial history, and health records. You’re assuming that no one, including yourself, might object to revealing to anyone information about their religious beliefs, political affiliations, and sexual activities, as casually as some choose to reveal their movie and music tastes and reading preferences.
 – Edward Snowden

  1. Security is protection against threats. One way to talk about digital security is via the CIA triad: confidentiality (who has access, a.k.a. privacy), integrity (protecting data), and availability (the system still works for authorized users).
  2. In most cases you probably don’t need to buy any anti-virus software. Just set up your system to be as safe as possible using the tools it provides.
Another abstract projection in my kitchen.

  1. There is a lot for you to do, however, to keep yourself secure online. Firstly, use a password manager and enable two-factor authentication on your accounts. Make sure to vary both your usernames and passwords (if you need to remember a particular password, try using a passphrase; you can even draw the passphrase words out of a hat or something). You should also add HTTPS Everywhere to your browser to ensure your browsing activity is encrypted through HTTPS.
  2. Mathematically scrambling data - encryption - is one of the most powerful tools we have for maintaining digital security. End-to-end (E2E) encrypted apps like Signal are particularly important and useful. Most people don’t realize that they use encryption every day through HTTPS and core Internet protocols like TLS and S/MIME.
  3. Make sure to encrypt your computer(s) and phone(s) as well.
  4. Using a VPN is not enough if you want to keep your activities secure and private - try Tor and Signal instead (or in addition to a vetted VPN like ProtonVPN).

Notes for organizers and activists

  1. You must also stay vigilant. Sophisticated phishing attacks are something that you - and anyone known to be associated with you - will need to be careful of. These aren’t your average spam messages. These are often meant specifically for you, replicating emails and websites that you might use in order to try to get your passwords or personal information. It could look like an email with a link from your bank, email, or social media account, for example - and the link will send you to a site run by the hacker(s). To defend yourself, first educate yourself on phishing techniques. Then turn on two-factor authentication for all of your accounts, preferably either through an authenticator app or even a physical security key.

In a world where millions of digital communications are silently intercepted, collected, and stored every day, how do activists effectively say ‘I do not consent to this search?’ As in a physical encounter with law enforcement, we must be proactive. Online, this means using encryption along with other privacy-protecting and autonomy-preserving tools.
 – Civil Liberties Defense Center

  1. Going to a protest? See the iPhone Security Guide I put together a few days ago.
  2. Organizers who seek to change the world face unique challenges that other folks do not need to deal with. Recent examples, like the doxing of pro-democracy activists in Hong Kong and revelations of private surveillance of animal rights groups and activists, not to mention movies like Judas and the Black Messiah, are reminders of the importance of OPSEC for activists when dealing with “assholes with resources” or even governmental entities.
  3. Organizers are not only responsible for their personal security, but the security of their team and their activities. They also face greater risk and exposure due to their prominence within the group.
  4. When it comes to setting standards for a small group or even an entire organization, we have to talk about security culture. This goes way beyond choosing the “right” tools like Jitsi, Signal, and EteSync (etc).

Security culture

Regardless of your personal risk level, defaulting to tools that are private and/or secure is the easiest way to maintain a culture that keeps its people safe from online surveillance. The focus on culture, rather than just implementing policy or focusing on individual actions, is something that - funnily enough - I have only run into in two places: the corporate world and the activist world.

At a company like AT&T, security culture is focused on employees' shared attitudes and actions related to corporate security policy and the way that affects their overall success. In their own words, security culture requires an “investment” of time and energy.

For organizers, security culture is “a set of customs shared by a community whose members may be targeted, designed to minimize risk.” You should use secure practices from the beginning so that you don’t have to come up with security measures over and over again. It’s a form of collective care as well - a defense against racist tech, doxing, and the far-right. Limiting the amount people know to only what they need to know can also help address issues like undercover surveillance and badjacketing.

For both organizers and corporations, the focus is on culture, not protocol. The focus is on habits, not rules. They use different terms, but the core is the same: security culture is about making security the default - for everything. Security culture is a framework to center when working with others in an activist space. The best way to keep each other safe is to engage in secure practices at all times, not just by using particular tools, but by creating a culture of security.

  1. One concern for organizers (along with journalists and politicians) is doxing. One preventative step is to remove as much of your information from data brokers as possible. Here are a few useful guides. If you are doxed, see Equality Labs' guide for next steps, and seek out help. Cyber Civil Rights Initiative also has an online removal guide. Another potential layer of protection is to use a post office box or service like VirtualPostMail so that you don’t have to include your residential address on public documents. (If you own your property, however, there may be no way to avoid it.)
  2. One of the most useful tools for organizers is Tor. Tor harnesses decentralization and encryption to create anonymity. But make sure that accounts you set up on Tor are only ever signed into on Tor - never deanonymize yourself by logging in to an anonymous account through a regular browser. (Don’t F it up!)
  3. Another useful tool built upon Tor is OnionShare, developed by Micah Lee of The Intercept, which can be used to share files and host .onion hidden services. Micah recently wrote up instructions for how to set up an anonymous dropbox on a Raspberry Pi.
  4. Many people who use Signal all the time do not take advantage of all of its security features. Make sure to compare safety numbers with people you are in contact with to avoid man-in-the-middle attacks and other vulnerabilities - preferably in an audible manner, on video chat, or in some non-Signal, offline way.
  5. To give out your Signal number without publicizing your personal number, see The Intercept’s guide to using a different phone number on Signal. Make sure to also add a carrier PIN to your phone(s). And if you are a prominent organizer, having burner phones is probably not a bad idea. Services like MySudo can be an option, but they will be tied to your payment method. (My protester iPhone guide is probably also relevant.)
  6. A tool built upon Signal that will be useful to many organizers is Signalboost. Check it out.
  7. If you need a “burner” email address, your best option is probably ProtonMail, since they don’t require you to connect an existing email address or phone number. Make sure to set it up through Tor and only access it through Tor. Be careful when using ProtonMail - just using the service is not enough to fully secure your communications with PGP encryption. If you just need a disposable address, try Maildrop or 33mail.
  8. PGP (a.k.a. GPG) is an important and widely-used encryption tool. But its issues are well-documented. Make sure you read up before using it, and remember, only the body of the message is encrypted. Mailvelope is the most user-friendly PGP client I’ve encountered. But skipping PGP and just using Signal is probably your best option.
  9. When using Firefox, consider using an enhanced privacy configuration like the arkenfox user.js.
  10. And even after all this, there are also physical-world threats that intersect with digital security. Some relevant tools include Haven and RF-shielded (a.k.a. Faraday) bags. There are also alternative operating systems appropriate for high-level security.
A third abstract video projected onto my kitchen wall.

One of the challenges with digital security is that it is constantly shifting and changing as new apps are created, new threats are discovered, and the way we engage with technology and the Internet continues to evolve. But seeking to learn how the technological systems we rely on actually work, and taking control of the ways we engage with them, is a political act.

There is so much to say on this topic - I haven’t even scratched the surface. Here are a few more resources to dig into to learn more:

If we want to see change in our lives, we have to change things ourselves.
 – Grace Lee Boggs