privacy & security
We live in an era of free-flowing data, where any person with an Internet connection has seemingly all the information in the world at their fingertips. Yet, while the Internet has greatly expanded the ability to share knowledge, it has also made issues of privacy more complicated, with many worrying their own personal information, including their activity on the Internet, may be observed without their permission. Not only are government agencies able to track an individual’s online movements, but so too are corporations.
The Internet, at its most basic, is the series of connections between computers across great distance. In the beginning, computers were isolated, unable to communicate with each other. As the tech got more advanced, engineers were able to physically link computers together, creating early networks. These networks still required the computers to be relatively near each other, however. Eventually, advances in fibre optics enabled networks to connect across continents, allowing for the Internet to be born. Some computers house the data stored on the Internet, including web pages like Google. These computers are known as “servers.” A device used to access this information, such as a smartphone or PC, is known as a client. The transmission lines that connect clients to servers come in a variety of forms, whether fibre optic cables or wireless signals, but they are all connections.
Although clients initiate connections to get information from servers, the flow goes both ways. Data is exchanged across the Internet in packets. These packets contain information about the sender and the destination, and certain individuals and organizations can use this data to monitor who is doing certain things or accessing certain information on the Web. It is not just the server that can see this data. Traffic analysis is big business, and many organizations, both private and governmental, can monitor the messages flowing between clients and servers. So how can we protect our privacy and security online? Below are some tips to get you started. [1]
Internet browsers (Internet Explorer, Firefox, Chrome etc.) have optional “InPrivate” browsing or other forms of private browsing options that you can use to get you started.
Go through the settings (general, phone, microphone, camera, privacy, browsing, individual apps, location services etc.) on all devices (phones, laptops, IPads etc.) and turn off as much as possible.
Below is more information on online and in person security and privacy.
Privacy
Tor
Tor is free software and an open network that allows users to browse the Web anonymously. Developed by the Tor Project, a non-profit organisation that advocates for anonymity on the internet, Tor was originally called The Onion Router because it uses a technique called onion routing to conceal information about user activity (layered security, like an onion). It can operate under Microsoft Windows, macOS, Linux and Android.
Tor can significantly increase a user’s privacy and anonymity online by defending clients against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor is often viewed negatively by the press and law enforcement agencies, but it has many positive benefits. Journalists and their sources rely on it to communicate securely and anonymously, without fear of government interference. You can use Tor to hide your IP address, browse the dark web, and run a server anonymously. Tor does not replace your VPN, as it only anonymizes your browsing and a few other select services (which need to be specifically configured).
Connecting to Tor through a VPN connection is a great way to maintain your internet privacy and security. Not only will it hide your browsing data from your VPN company, it will also hide your home IP address from the Tor.
Virtual Private Network (VPN)
A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. In other words, a VPN replaces your actual IP address to make it look like you've connected to the internet from a different location: the physical location of the VPN server, rather than your actual location.
Applications running on a computing device, e.g. a laptop, desktop, smartphone, across a VPN may therefore benefit from the functionality, security, and management of the private network. Encryption is a common, though not an inherent, part of a VPN connection. Learn more by visiting this website - What is a VPN and Why use one? A Non-Technical Beginner's Guide to Virtual Private Networks
.onion
.onion is a special-use top level domain suffix designating an anonymous onion service (formerly known as a "hidden service" reachable via the Tor network. Basically, it replaces the “.com” or “.org” suffix. Such addresses are not actual DNS names, and the .onion TLD is not in the Internet DNS root, but with the appropriate proxy software installed, Internet programs such as web browsers can access sites with .onion addresses by sending the request through the network of Tor servers. The purpose of using such a system is to make both the information provider and the person accessing the information more difficult to trace, whether by one another, by an intermediate network host, or by an outsider.
Sites that offer dedicated .onion addresses may provide an additional layer of identity assurance via EV HTTPS Certificates, and provision of an HTTP certificate also enables browser features which would otherwise be unavailable to users of .onion sites. Provision of an onion site also helps mitigate SSL stripping attacks by malicious exit nodes on the Tor network upon users who would otherwise access traditional HTTPS Clearnet sites over Tor. Learn more here - Onion Routing
Encryption
Encryption is the process of converting information or data into a code, in such a way that only authorized parties can read it, and to prevent unauthorized access. Encryption does not of itself prevent interception, but denies the message content to the interceptor. There are free encryption tools/software and others that individuals can purchase. A couple of examples are BitLocker and VeraCrypt.
It is advisable to research different secure chat platforms before beginning any secure chats. Ownership of these platforms is always changing as well as encryption and privacy laws. Do your research!
Faraday Cage
A Faraday cage, (or box or shield) is a container that, when made correctly, blocks whatever is contained within it from external electric/electromagnetic fields. Faraday cages can thwart spying on phones and other devices (when enclosed).
You may want to research and consider making a Faraday cage.
Learn more:
https://science.howstuffworks.com/faraday-cage.htm https://backyardbrains.com/experiments/faraday
Be sure to do your own research, too.
Secure Chat Platforms
Some secure chat platforms you may want to research are Wickr, Threema, Wire, WhatsApp and Jabber/OTR.
Codenames may be a good idea to use in chat and during actions as an added (onion) layer of security.
When creating a new group via secure chat platform [2]
Be intentional about the purpose and who you add. Consider what you would do with someone who gets unilaterally added at the beginning that maybe hasn’t been double-vouched for, or that someone has concerns about. Also, don’t add people to sensitive groups without getting their consent first.
After the group is created, state the purpose of group and take roll call right away. Roll call, (name, city, group), should be completed before conversation begins. [codenames may be preferred and this process may not be suitable for all AG’s as it does present a potential security risk. Some AG’s may simply require members to check the chat member list before engaging in discussions]
Do not add new people to threads/chats without asking group first, and give people a designated amount of time to be able to voice their concerns i.e.: 24 hrs., since many people cannot be active on their phones every minute of the day. Encouraging questions or elaboration about a proposed new member can help create a better dialogue than simply saying “vouch.” Do a new roll call each time a new person is added so they know with whom they are talking (this may not be suitable for every AG).
Further security measures for chat platforms -
Utilize the disappearing messages feature. Sometimes disappearing messages can get turned off automatically when someone reinstalls or a new person gets added. Make sure to reactivate disappearing messages.
Leave all groups and uninstall the chosen chat platform app if you are attending an action or are in a situation that may lead to arrest and you have your phone with you. BUT… do not bring your personal phone into these situations if at all possible.
Leave all groups and uninstall app if you are crossing an international border. Laws protecting you from searches and seizures generally don’t apply at international borders. Strongly consider not taking your regular phone/tablet/laptop/etc. if you are traveling abroad.
If there is a security breach, such as if you are arrested with your phone or your home is raided, designate someone to start a new thread and leave the old one immediately (aka burn the thread). Make sure the threat is not transferred to the new loop. Designate one person to stay on the old thread to make sure everyone leaves. After you leave the thread, delete it. Delete threads regularly.
In case of a lost/stolen phone or police confiscation, report immediately to a person you are in a thread with for them to alert others that they need to ditch the old thread with your number and restart.
Make sure that you set a passcode on your apps and phone. Use the two-step verification process when it is an option.
Clear chats, browsing history etc. often.
Remember, digital security is no substitute for relational security. All the security culture/InfoSec protocol in the world can’t help you if one of the people you decide to trust with sensitive information turns out to be malicious, reckless, careless, or unaccountable.
In person security
Vouching
According to the dictionary, to vouch means “to support as being true, certain, reliable” or “to attest; guarantee; certify.” In the political context, to vouch for someone means to state that you believe someone to be committed to the purpose of the group, trustworthy, reliable, and accountable. Such “vouches” are important for groups of people working together who may not have previous experience working together, and require a certain level of trust and safety to comfortably and effectively work together.
A vouching system allows one or more (the more the better) people to use the trust that they’ve earned from the group and extend it to someone they want to bring in. The necessity of vouches varies depending on what it is you are working on. Remember that a vouch is a personal reflection upon you, it is advised to not throw vouches around as it can undermine the safety, trust and cohesion of the group if it is an irresponsible vouch.
A vouch for whether or not someone should be able to access a group’s members, conversations, goals and objectives, should be considered within the context of the objectives and risk of the group. The other members of the group are trusting you to use discerning judgement when providing a vouch. Some criteria that people have used for vouches include:
- having met in person a certain number of times
- having worked together on political projects for a certain period of time
- knowing a certain number of people who have worked with the person for a certain period of time
- knowing someone’s strengths and weakness (personally and politically) and how they act under pressure or in the face of repression
- knowing how someone responds to criticism or feedback and how well they hold themselves accountable for their behaviour
- knowing someone’s extended family, childhood friends, and entire life story (just kidding…maybe…)
Vouches should be given for: people who you know and trust, who you know understands the objectives and degree of security required for the particular group, and who you know participates in solid security culture. Vouches should not be given simply for “knowing they exist and do work” or “had a good conversation once or twice” though those things are a part of knowing and trusting someone. The stringency of a vouch will vary based on the sensitivity of the information and the risks that the group is taking. If this is something you have not considered, please read up on security culture.
Whatever criteria or standard you use for vouching people, it is important that it be communicated to everyone in the group ahead of time, and that everyone is on the same page. Vouching is a word that gets thrown around often without elaboration, and people often have different ideas about what it means. Our collective security is only as good as the individual with the least safe practices.
AG members need to establish other security protocol for their group as needed and necessary.