Safety and Security

From Resistance Manual

The Basics of Safety and Security

Computer/Internet

  • For sensitive communications, don't use e-mail or text.
  • Password-protect your computer.
  • Use two-factor authentication for Gmail, Facebook, Twitter, and other accounts with personal information.

Real-Life

How to Protect Yourself from Digital Surveillance

Popular Services and Apps

Be Careful What You Post

Often, we post material online that can compromise our own safety and security. For example, when you post a photo to certain sites like Flickr, the photo file includes embedded data (known as metadata) that can be used to identify and locate you. Images posted on Twitter or Instagram do not include such metadata.

Services like Instagram and Twitter sometimes ask you to "enable location services" so they can tag your tweets or posts with your current position. This can be risky, as it shows other users where you are located.

It's also important to be careful about what you communicate online. Anything you post, message, or even type into a text box on Facebook is compromised information that can be easily collected by intelligence agencies. Information stored on Google's servers is easily accessible to NSA analysts. Your Amazon shopping history, Twitter posts, private messages on any digital service, Snapchat photos or messages, and Reddit posts and private messages are all fair game. In general, anything you post to an online service, whether it's in a private message or a public post, is available to surveillance agencies with little effort. Never use a third-party service for private communications unless you are absolutely confident that the contents of those communications could not be used against you.

What you can do:

  • Disable location services for apps like Twitter and Instagram.
  • When you post to social media, avoid posting information about your current location.
  • Avoid patterns. If you stop at the same Starbucks every day, do not tag that Starbucks in your posts.
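As an added illustration of the photo-metadata point above (example code written for this page, not from the original), the Python below removes the APP1 "Exif" segment, which is where a camera stores its GPS and device tags, from a JPEG before it is uploaded. The sample JPEG bytes are constructed for the example and are not a real photograph.

```python
import struct

# Constructed test data: SOI, an APP1 Exif segment with a made-up GPS string,
# a COM segment, a minimal SOS marker with a few scan bytes, and EOI.
EXIF_PAYLOAD = b"Exif\x00\x00" + b"MM\x00\x2a" + b"GPS:00.0000N,00.0000E(fake)"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe1" + struct.pack(">H", len(EXIF_PAYLOAD) + 2) + EXIF_PAYLOAD
    + b"\xff\xfe" + struct.pack(">H", 2 + 5) + b"hello"
    + b"\xff\xda" + struct.pack(">H", 2 + 2) + b"\x01\x00" + b"\x12\x34\x56"
    + b"\xff\xd9"
)

def has_exif(data: bytes) -> bool:
    """Quick check: does the file still carry an Exif header anywhere?"""
    return b"Exif\x00\x00" in data

def strip_exif(data: bytes) -> bytes:
    """Return a copy of a JPEG with every APP1 Exif segment removed.
    Segments before SOS are walked one by one; everything from SOS on
    (the entropy-coded image data) is copied verbatim."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header")
        while data[pos + 1] == 0xFF:      # skip optional 0xFF fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI or SOS: nothing left to filter
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segment = data[pos:pos + 2 + length]
        is_exif = marker == 0xE1 and segment[4:10] == b"Exif\x00\x00"
        if not is_exif:                   # keep every non-Exif segment
            out += segment
        pos += 2 + length
    out += data[pos:]
    return bytes(out)
```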

Use 2-Factor Authentication

Many popular sites, like Twitter and Facebook, offer the option to enable two-factor authentication for your account login. This means that in addition to using a username and password to log in, you also use a second form of security so that no one else can access your account. This might mean entering a code that gets sent to your cell phone, or using an additional app, like DuoMobile or Authy.

Strengthen Your Passwords

Make sure your passwords are secure so that no one can guess them and hackers cannot crack them. A few rules to follow:

  • Make your passwords long, at least 12 characters.
  • Do not use any personally identifying data in your passwords, such as:
    • Important dates
    • Names of people or pets
    • Companies you have worked for
    • Cities you have visited or lived in
  • Use words that do not appear in the dictionary.
    • If you do use dictionary words to make the password easy to remember, combine them with numbers and symbols. An example would be gips973"bake.
    • You can also combine random words that make no sense together. An example would be Baked horses tower road. Adding punctuation or numbers will make the password even more secure.
  • Do not reuse passwords! This is very important. If you use the same password for Twitter and your Gmail, both could be compromised. Use a password manager such as LastPass or 1Password.
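The rules above can be turned into a checker, which is a useful way to see why each rule exists. This is an added example written for this page, not code from the original; the dictionary and the "personal data" list are tiny constructed stand-ins, and the 40-bit floor and 7,776-word passphrase list size are assumptions chosen for the illustration.

```python
import math
import re

# Constructed stand-ins: a tiny dictionary, and the kind of personal data the
# page says to keep out of passwords (dates, names, pets, employers, cities).
DICTIONARY = {"password", "baked", "horses", "tower", "road", "bake", "welcome"}
PERSONAL = {"fluffy", "acme", "boston", "1985"}

def estimate_bits(pw: str) -> float:
    """Rough guessing-resistance estimate. A multi-word passphrase is scored
    as words drawn from a 7,776-word list (assumed); anything else as random
    characters drawn from the character classes it uses."""
    words = pw.split()
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return len(words) * math.log2(7776)
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
    pool = sum(size for pat, size in classes if re.search(pat, pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def check_password(pw: str, personal=PERSONAL) -> list:
    """List the rules from the page that `pw` breaks; empty means it passes."""
    problems = []
    low = pw.lower()
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    for item in personal:
        if item.lower() in low:
            problems.append(f"contains personal data: {item}")
    tokens = re.findall(r"[a-z]+", low)
    if tokens and all(t in DICTIONARY for t in tokens):
        # Dictionary words are acceptable only with numbers/symbols mixed in,
        # or as a genuine multi-word passphrase.
        has_extra = re.search(r"[0-9]|[^a-z0-9\s]", low) is not None
        if len(tokens) < 3 and not has_extra:
            problems.append("dictionary words alone, with no numbers or symbols")
    if estimate_bits(pw) < 40:
        problems.append("too easy to brute-force (estimated under 40 bits)")
    return problems

def find_reused(vault: dict) -> dict:
    """Map each reused password to the sites sharing it (the 'never reuse' rule);
    this is the check a password manager does for you automatically."""
    by_pw = {}
    for site, pw in vault.items():
        by_pw.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}
```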

User-Friendly Software

The most important step you can take toward securing your communications is to use encryption (meaning that people who were not the intended recipients cannot read the contents of the message). Most people currently send unsecured information over the Internet, which makes it easier for hackers and anyone conducting surveillance to read such information. Sending an email without encryption, for example, is the equivalent of sending a postcard in the mail: anybody with access to the message can read its contents.

Encrypted communication, by contrast, is illegible to anybody without the correct key to decrypt it. The intermediate servers passing it along cannot make sense of it without knowing the precise way in which it was encrypted. There is some debate about the NSA's ability to break commonly used encryption methods. It is broadly believed, however, that one reason for the agency's massive expansion in data storage capacity in recent years[1] is to enable a "store until relevant" approach: the agency stores all the communications it can intercept, regardless of relevance or encryption, and returns to them when the necessary decryption keys become available or when computing power advances enough to make brute-force decryption vastly faster. The broad consensus, however, is that encrypting your communications is the single most important step you can take to avoid having them read by third parties of any kind.

You can refer to this Medium post for a straightforward guide to encrypting your communications easily and safely.

Texting/Messaging

  • What to know: Texting is not a secure method of communication.
  • Acceptable alternative: There are a few apps and services you can use as a replacement for texting.
    • Signal has quickly grown into the tool of choice for many activists, journalists, and people who are part of a resistance. There are no known or public vulnerabilities with this app. If you're a Chrome user, you can also use Signal Desktop.
    • Dust—an app for disappearing text messages and photos that is similar in some ways to Snapchat.

Email

  • What to know: When it comes to email, here's a rule of thumb: Say nothing in your email that you will not be hurt by seeing on the front page of the New York Times. Email is an inherently insecure method of communication and should only be used with multiple precautions.
  • Acceptable alternatives:
    • Switch to using an encrypted email service. Protonmail and Tutanota are two easy-to-use providers of encrypted email. Both are hosted outside the US, so they are less likely to hand over your data on a subpoena; more to the point, both services store your email in an encrypted form on their server (also known as "encryption at rest"), and you are the only one who has the password. These services can hand over your data, but without your password(s) to unlock them, they're just garbled ciphertext.
    • One important note: Protonmail will give you a "public key" so that someone who is not using Protonmail can send you secure mail from, for example, their iCloud account using the GnuPG Apple Mail plugin to encrypt it. However, you cannot send that person an encrypted message unless you have them come to Protonmail's website and enter a unique password that you have prearranged with them.
    • Caveats: Using Protonmail or Tutanota is only useful if you are communicating with someone who is using the same service. You cannot send end-to-end encrypted mail from Protonmail to a Tutanota or Gmail user. You CAN send such a user an encrypted message that they have to come to Protonmail or Tutanota's website to decrypt, but you would have to provide them a password verbally, which would defeat the purpose.
    • When you simply want to avoid giving out your email address (e.g., when taking a Trump-sponsored poll!), you can get a free, temporary email address from Shark Lasers.
  • For more advanced users:
    • Start using GnuPG to encrypt all your mail. This is a bit tricky, as you have to get into the world of Public Key Infrastructure (PKI) and need to have the public key of anyone you want to email. If you want to get into this, however, here are a few good tutorials:
    • This 12-minute video called GPG for Journalists—Windows Edition is rumored to have been created by Edward Snowden to teach journalist Glenn Greenwald how to communicate over encrypted email. It is a good primer on the subject, even if you are using a Mac.
    • If you are on a Mac, you should look at GPGTools, which gives you the full GPG package as well as a plugin for Apple's Mail application. This assumes that you have an email provider that grants you IMAP access and you do not mind restricting your use of email to your personal computer.

Web Browsing

  • What to know: Browsing the web is not safe from surveillance. However, there are measures you can take to be safer when you browse.
    • Use Tor: Most security professionals recommend using Tor. Tor is one of the first tools you should reach for when browsing the web. While it used to be that only the technologically savvy used/understood Tor (and that is still the case if you want to use it for all your network activity), the Tor Project now has a more user-friendly web browser. Simply download the Tor Browser and launch it. It takes a few minutes, but when it is up and running, you can browse the web in relative anonymity and privacy.
      Here are a few things to keep in mind when using the Tor Browser.
      • If you put the Tor Browser on a flash drive, you can run the browser directly from that drive so you do not have to sacrifice your anonymity when not using your own computer. Add both the Mac and Windows versions to the drive.
      • Know that using Tor can be frustrating at times. Since it is routing your traffic through multiple "hops," or servers around the world, it can be slow. You will not be able to stream YouTube over Tor (though it is not out of the question if you get a good route at random).
      • Using the Tor Browser alone is not enough to shield you. Read this section on the Tor Project's website to understand the risks that you face, even when using Tor Browser.
      • Set your Tor Browser Security settings to "Medium" or "High." This makes it more frustrating to use the system, since it blocks a lot of the JavaScript that modern websites need to run in order to serve you ads, track you around the internet, etc., but it also makes things more frustrating for someone trying to snoop on your activity.
      • There are mobile versions of Tor Browser, as well. On iOS, there is VPN Browser and Tob. For Android, there is Orbot.
    • DuckDuckGo—an anonymous search engine (i.e., Google without the tracking). It does not really work as well as Google, but it is much more secure.
    • Tails Operating System—Tails is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card. It aims to preserve your privacy and anonymity, and helps you to use the Internet anonymously and circumvent censorship. All its connections to the Internet are forced to go through the Tor network.

Personal Safety and Security

Protester Safety

Other Guides

Electronic Surveillance

Every activist, down to someone who's simply tweeting in support of the resistance, could potentially be put under surveillance. The United States has a long history of surveilling political dissidents, from making lists of Communists during the Red Scare to monitoring civil rights activists through programs like COINTELPRO.[2] Given that the laws around electronic privacy are underdeveloped, the government can potentially gain access to a lot of information without going through the processes that would come with more established/recognized privacy rights.

Surveillance has a well-documented "chilling effect" on freedom of expression. The simple fact of knowing that it's possible somebody could be paying attention to your actions severely reduces the scope of the actions you're willing to take and may lead to self-censorship (well before, and/or more severely than, governmental censorship is even put in place). This impacts everything from political dissidence to art, and is a serious problem regardless of whether those with access to surveillance information make active use of that information.

Government Surveillance

Information Accessible Without a Warrant

  • The PRISM program,[3] which began after the September 11, 2001, attacks, enables NSA analysts to query the information stored by Facebook, Google, Yahoo, MSN, Apple, YouTube, AOL, and Skype.[4] Information indicating which specific companies are a part of this program was released in 2013 as part of the Snowden disclosures, and it is likely that more companies have been added to the system since those materials were created.
  • The XKeyscore program,[5] also started after September 11, is a complex software system that enables NSA analysts to quickly access any of the NSA's data. According to The Guardian's Glenn Greenwald, low-level NSA analysts can, via systems like XKeyscore, "listen to whatever emails they want, whatever telephone calls, browsing histories, Microsoft Word documents. And it's all done with no need to go to a court, with no need to even get supervisor approval on the part of the analyst."[6][7] He added that the NSA's data bank of collected communications allows its analysts to listen "to the calls or read the emails of everything that the NSA has stored, or look at the browsing histories or Google search terms that you've entered, and it also alerts them to any further activity that people connected to that email address or that IP address do in the future."[8]
  • The Foreign Intelligence Surveillance Act of 1978[9] describes procedures that the government must follow in conducting domestic surveillance. It was passed after a bipartisan effort to create more strictly defined rules on the matter after the revelations about President Nixon's use of government resources to spy on opposition political parties. The Act provides means by which American spy agencies can be approved for secret warrants to conduct surveillance on individuals within US jurisdiction, via electronic surveillance, physical searches, telephone surveillance, access to business records, or certain other means. The Act created a secret court, the Foreign Intelligence Surveillance Court (commonly known as the FISA Court), that examines these surveillance requests without making the content of the requests public and decides whether to approve or deny the requests. Between 1979, the year of the court's creation, and 2013, of 35,529 requests submitted, only 12 were denied.
  • The USA Patriot Act, initially signed by George W. Bush in 2001 and later reauthorized in part by Barack Obama in 2011, widened and enhanced the capabilities authorized by FISA. Previously, only conventional wiretaps (on phones) were authorizable under FISA; but the Patriot Act added wiretaps on packet-switched networks (the Internet) to the list. It also allows for lower-level FBI officials to issue National Security Letters, which require the recipient to provide some information to the Bureau but that also contain a gag order prohibiting the recipient from disclosing the existence of the NSL to anybody other than an attorney.

Information Accessible With a Warrant

If a warrant is actually obtained, then of course more information becomes accessible. The individual subject to the warrant may not be aware of the warrant: Often the warrant requires an internet service or cell phone provider to give information to a government agency, and the government can request a gag order preventing the organization providing the information from telling its clients that they are subject to a warrant.

Online and Offline Harassment

Donald Trump's victory has emboldened the (already quite active) online trolls who harass, insult, and threaten women, minorities, LGBTQ+ people, and others who disagree with them or don't support Trump. This harassment can discourage people from engaging online and prevent very real conversations about our country and its future from taking place. Harassment can lead to serious long-term effects, including trauma. Online attacks can also extend into the real world. Doxxing, where the private details of someone's life are exposed, is one type of attack. Other threats include stalking, swatting, and identity theft. Some tools for reducing the risk of doxxing are here and here.

Given the threat of this harassment, people who engage in resistance activities online need information and tools to protect themselves.