By: Candace Williams. Head of Community Operations by day. Poet by night (and subway ride). Forever @TeacherC.
It’s imperative that folks under
siege (POC, LGBTQ+, Indigenous folks, immigrants, Muslims, folks with
disabilities, etc), especially artists and activists, take steps to protect
their data and privacy online.
These are just suggestions. This list is not exhaustive, and it is not the only way to secure your data.
Web security is like a tree. A young
tree can be snapped by a fist. As trees grow layers and roots, they require
knowledge, equipment, and energy to cut down. I’m trying to help you add layers
of security to your daily routines. I don’t like the words “secure” or “safe”
because nothing fits into those categories. The only thing we can do is become
safer and more secure. Each bullet point is a layer, a step another person or
agency has to take, to access and trade your information. I’ve tried to choose
the layers that have the highest return on your investment in time and money.
Think about your situation and resources and create your own action plan.
Identifying assumptions that underlie
this article:
- Taking a small, first step lowers your mental barriers.
- Changing workflows is hard and takes practice. Go at
your own pace and be easy on yourself.
- COINTELPRO (and similar programs) didn’t just
“happen”. It’s been happening and will ramp up.
- Government and non-governmental bodies already have you
on their radar: They know you disagree with some element of the status quo
and that you’re a person under siege (black, POC, Muslim, queer, a person
with physical or intellectual disabilities, a recent immigrant,
indigenous, etc).
- Many of your private communications are sitting on the
email accounts and devices of your friends and family.
- Surveillance capitalism is dangerous. We don’t know the
implications of how tech companies extract value from their customers’
data. Most people don’t understand what corporations like Facebook and
Google know about them, how the data is
used/bought/traded/aggregated/sold/deployed, and if corporations have already
handed over information to government groups.
- Lack of transparency +
colonialism/capitalism + technological supremacy = STRANGER DANGER.
SOLUTIONS
- Withdraw $10–$40 of cash from your bank.
- Buy a Starbucks gift card with the cash.
- Use the gift card to purchase 1 month to 1 year of VPN access on https://www.privateinternetaccess.com (or a comparable service of your choosing. Ask around or read online reviews. Make sure the service doesn’t keep logs of your activity). Keep in mind: it’s better to purchase a VPN with a credit/debit card than to purchase none at all. Furthermore, this is just a small layer, and it’s still possible to figure out which VPN service you’re using.
- Download and start to use Tor as your
primary browser. Be sure to follow the instructions and security warnings
here: https://www.torproject.org/download/download-easy.html.en#warning
- Since it’s impossible to follow all of the warnings and there are
limitations to Tor, it’s a good idea to also use a VPN. If you don’t use a
VPN, using Tor + Chrome/Firefox with the HTTPS Everywhere
extension is a good start.
- Download Signal on your phone and
encourage all folks you communicate with privately to use it as well. Use
it instead of iMessage, SMS, WhatsApp, Facebook Message, etc. You can also
make calls. The desktop version can be used in lieu of Skype, Slack, etc.
- Enable 2 Factor
Authentication on all email, financial, etc services.
- Do an info security audit — Begin to brainstorm how you use social
media, email, mobile devices, and cloud storage. How do you use these
services? Which communications need to be moved to secure channels? Are
sensitive documents saved in the cloud? Can you quit Facebook, Twitter,
Google, and Amazon altogether?
- Choose strong and distinct passphrases. The Intercept has a handy guide
here: https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
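The Intercept guide linked above recommends Diceware-style passphrases: several words picked at random from a fixed list. The added example below (my code, not the article's or The Intercept's) shows why that works: it picks words with a cryptographically secure random source and puts a number on the result, so you can see how many words you need to beat a typical 8-character random password. The 32-word list is a constructed stand-in; real Diceware lists have 7776 words.

```python
import math
import secrets

# Constructed stand-in for a real Diceware list; a real list has 7776 words (one per roll of five dice).
SAMPLE_WORDS = [
    "apple", "river", "candle", "tiger", "marble", "orbit", "velvet", "canyon",
    "lantern", "pepper", "saddle", "window", "glacier", "meadow", "pocket", "thunder",
    "ribbon", "walnut", "harbor", "fossil", "pillow", "cactus", "magnet", "trumpet",
    "anchor", "silver", "compass", "feather", "helmet", "lemon", "turtle", "summit",
]
DICEWARE_LIST_SIZE = 7776        # words in a standard Diceware list
PRINTABLE_ASCII = 94             # characters available to a random "p@ssw0rd"-style password


def entropy_bits(list_size: int, count: int) -> float:
    """Guessing work in bits for `count` items chosen uniformly from `list_size` options."""
    return count * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from this list that reaches the target strength."""
    return math.ceil(target_bits / math.log2(list_size))


def equivalent_password_length(bits: float, alphabet: int = PRINTABLE_ASCII) -> int:
    """Length of a fully random character password with at least the same strength."""
    return math.ceil(bits / math.log2(alphabet))


def generate_passphrase(wordlist, count: int, sep: str = " ") -> str:
    """Pick `count` words with the OS CSPRNG (never random.choice, which is predictable)."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


if __name__ == "__main__":
    bits = entropy_bits(DICEWARE_LIST_SIZE, 6)
    print(f"6 Diceware words ~ {bits:.1f} bits, like a {equivalent_password_length(bits)}-char random password")
    print("8 random printable chars ~ %.1f bits" % entropy_bits(PRINTABLE_ASCII, 8))
    print("words for 80 bits:", words_needed(DICEWARE_LIST_SIZE, 80))
    print("sample (weak, 32-word list):", generate_passphrase(SAMPLE_WORDS, 6))
```

The strength comes entirely from the size of the list and the number of words, not from the words being obscure, so a memorable six-word phrase from a 7776-word list outscores a random 8-character password by roughly 25 bits. Use a published list, not this 32-word sample, for a real passphrase.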
- @AllBetzAreOff recommends using a non-cloud-based password manager to generate and secure your passwords. More info here: https://securityinabox.org/en/guide/keepassx/windows
- It’s important to turn on software auto-updates so you’re
protected from known software vulnerabilities. (Thanks to Dan Sullivan, Ph.D.
for this advice! Check out his excellent comment
for more information.)
- Encrypt your mobile devices. iPhones are automatically encrypted
but many use
access codes that are inadequate. Reset your code to a long, random
string of numbers (make sure you write this down while you’re committing
it to memory). Android users can enable encryption in the Settings app.
- Encrypt
your computer using BitLocker (Windows) or FileVault (Mac).
- If you
have (or want) a website, database, or app, join an encrypted hosting
service like MayFirst.
- Purchase a physical safe (like the SentrySafe SFW123DSB) for your
important documents, hard drives/USB keys, and artwork. You can split this
cost with folks who live nearby. If your artwork is larger than a common
household safe, and you’re interested in chatting, ping me. We need to
brainstorm how to help artists under siege keep their art safe from
destruction. Research the safe to make sure electronics won’t oxidize or
buy Silica Gel Dehumidifier Desiccant packets/special sleeves.
- Purchase a hard drive that can store your digital files. Encrypt
it. In the future, consider purchasing multiple drives and keeping your
most valuable information in multiple places. If you bought a safe, keep
your hard drive there. You should also prepare for a time when Internet
access or your information stored online is completely unavailable to you.
- Audit your cloud storage. Where are your files stored? What kind of information is stored? Where’s the most sensitive information?
- Begin to break your dependence on cloud storage (when possible):
iPhoto, Google Photos, Google Drive, DropBox, etc. Structure your
filesystems in ways that are easy to navigate without Google’s search
capabilities.
- See if you can minimize your use of Chrome/Firefox/Safari/etc by the end of the month. Dennis Cahillane ツ says:
NOTES: “Using a Firefox add-on you install yourself is not recommended. Recommend downloading the Tor Browser bundle directly from the Tor Project here https://www.torproject.org/download/download Using the Tor Browser bundle is easy for non-technical users, but you will quickly become frustrated by its limitations. When you aren’t using Tor, also recommend Firefox or Chrome with the following add-ons: HTTPS Everywhere, uBlock Origin.”
- Download all of your files to your computer + external hard drive.
This might take awhile so you can do a batch a day. Start with the most
sensitive information. (This is just a start. There are ways to have
access to encrypted cloud storage, I think folks can consider this after
the New Year after they’ve done the initial transfer and have broken their
dependence on easy to use cloud services).
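Two bullets above (buy a hard drive and keep copies in multiple places; download everything in batches) both end at the same question: how do you know the copy on the drive in the safe is complete and intact? The added example below (my code, not the article's) builds a manifest of SHA-256 hashes for a folder and later checks a copy against it, reporting files that are missing or silently changed. The sample folder and the corruption are constructed inside the script so it runs anywhere; point `build_manifest` at your real folder and `verify_copy` at the drive.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so large scans and video never need to fit in memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path, forward slashes) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict, path: Path) -> None:
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(Path(path).read_text())


def verify_copy(manifest: dict, copy_root: Path) -> tuple:
    """Return (missing, mismatched): files absent from the copy, and files whose contents differ."""
    copy_root = Path(copy_root)
    missing, mismatched = [], []
    for rel, expected in manifest.items():
        target = copy_root / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != expected:
            mismatched.append(rel)
    return missing, mismatched


def demo() -> dict:
    """Constructed scenario: a source folder, a good copy, then one corrupted and one deleted file."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "source"
        (src / "poems").mkdir(parents=True)
        (src / "poems" / "draft1.txt").write_text("constructed sample poem\n")
        (src / "scan.bin").write_bytes(bytes(range(256)) * 4)
        manifest = build_manifest(src)
        save_manifest(manifest, tmp / "manifest.json")   # keep this file with the backup

        backup = tmp / "backup"
        shutil.copytree(src, backup)
        clean = verify_copy(load_manifest(tmp / "manifest.json"), backup)

        # Simulate bit-rot and an interrupted copy: flip one byte, remove one file.
        data = bytearray((backup / "scan.bin").read_bytes())
        data[10] ^= 0x01
        (backup / "scan.bin").write_bytes(data)
        (backup / "poems" / "draft1.txt").unlink()
        damaged = verify_copy(manifest, backup)
    return {"files": len(manifest), "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

Re-run the check each time you refresh the drive; a single flipped byte in a large scan is invisible to a file listing but shows up immediately as a hash mismatch. Keep the manifest with the backup (and ideally on a second copy), since without it you can only confirm that two copies agree, not that either is the original.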
- If you’d like, choose an activist email provider you’ll use
instead of Gmail (or a service like ProtonMail).
You’ll also need to loop in your friends and family. Jamie McClelland,
Co-Founder of MayFirst/PeopleLink says:
NOTES: “Using Gmail is definitely a bad idea.
Under Obama we had a huge expansion in the federal government spying infrastructure and they definitely target the big corporate providers — either by compromising them or simply sending them a subpoena. And now all of that will belong to Trump.
For email, stick with activist providers. And *everyone* has to do it.
If you are having a group conversation and just one person is on gmail, then everything goes to gmail.
If everyone is on MF/PL, then it never leaves our servers and it is far more difficult to intercept. If some people are on Riseup and some are on MF/PL it’s also good — since MF/PL and Riseup will encrypt messages between servers.
However… even with all of these protections, I would advise against relying on email for anything sensitive.
If you haven’t already, I would suggest replacing whatever program you use to send SMS messages with Signal (https://whispersystems.org/). It’s on both iPhone and Android. It’s easy to use and it’s very secure.
I would also suggest using Jabber (see the MF/PL page here: https://support.mayfirst.org/wiki/how-to/jabber).
Both signal and jabber work on your phone and provide much better encryption and privacy than email ever will.”
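Jamie's point that cooperating providers "encrypt messages between servers" refers to TLS on the server-to-server SMTP hop, and you can see for yourself whether that happened on a message you received: each server that handles a message adds a `Received:` header, and the `with` keyword in it records whether the hop used TLS (`ESMTPS`/`ESMTPSA`) or plain SMTP (`ESMTP`/`ESMTPA`), as standardised in RFC 3848. The added example below (my code, not from the article or from MayFirst) parses those headers from a constructed three-hop message and flags the hop that travelled unencrypted. Hostnames and addresses in the sample are made up. Caveat: only the topmost header, written by your own provider, is trustworthy; anything below it was written by other servers and could be fabricated.

```python
import re
from email import message_from_string

# Constructed sample message: the middle hop used plain SMTP, the other two used TLS.
SAMPLE_MESSAGE = """\
Received: from mail.example-collective.org (mail.example-collective.org [192.0.2.10])
\tby mx.example-coop.net with ESMTPS id abc123
\t(version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 21 Nov 2016 10:02:14 +0000
Received: from relay.example-isp.example (relay.example-isp.example [198.51.100.7])
\tby mail.example-collective.org with ESMTP id def456;
\tMon, 21 Nov 2016 10:02:11 +0000
Received: from [10.0.0.5] (laptop.lan [10.0.0.5])
\tby relay.example-isp.example with ESMTPSA id ghi789;
\tMon, 21 Nov 2016 10:02:09 +0000
From: alice@example-collective.org
To: bob@example-coop.net
Subject: constructed sample

hello
"""

# RFC 3848 "with" keywords that end in S (or SA) mean the hop was inside TLS.
TLS_KEYWORD = re.compile(r"(?:UTF8)?E?SMTPSA?$", re.IGNORECASE)


def parse_received(header: str) -> dict:
    """Pull the from/by/with clauses out of one (possibly folded) Received header."""
    def clause(name):
        m = re.search(r"\b%s\s+(\S+)" % name, header)
        return m.group(1) if m else None
    protocol = clause("with")
    return {
        "from": clause("from"),
        "by": clause("by"),
        "with": protocol,
        "encrypted": bool(protocol and TLS_KEYWORD.match(protocol)),
    }


def hops(raw_message: str) -> list:
    """All hops in chronological order (headers are prepended, so the top one is the newest)."""
    msg = message_from_string(raw_message)
    return [parse_received(h) for h in reversed(msg.get_all("Received") or [])]


def unencrypted_hops(raw_message: str) -> list:
    """(sending server, receiving server) pairs where the message crossed the wire in the clear."""
    return [(h["from"], h["by"]) for h in hops(raw_message) if not h["encrypted"]]


if __name__ == "__main__":
    for h in hops(SAMPLE_MESSAGE):
        print("%-30s -> %-30s %s" % (h["from"], h["by"], "TLS" if h["encrypted"] else "PLAIN"))
    print("in the clear:", unencrypted_hops(SAMPLE_MESSAGE))
```

Note what this does and does not tell you: transport encryption protects the message in transit between two servers, but each server still stores and can read the plaintext, which is why the quote ends by advising against email for anything sensitive even between cooperating providers.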
A note about email: Dan Sullivan, Ph.D. left
a relevant criticism of activist email accounts in the comments:
Also, infosec is largely a battle of technical skills and
resources. Google has more of both than any email or other cloud provider I
know of. I use Gmail with two factor authentication and will stick with it.
Sure, an agency may get a warrant for emails at Google but there is less chance
of successfully hacking the Google infrastructure to get those emails than
hacking another provider with fewer resources.
Response:
Email seems impossible to secure. I’m already starting to
drift away from email as my primary means of communication. Although I might
use an end-to-end encrypted service, PGP, etc. 95% of my contacts do not have
access to this technology. So the question is: where do I want my
unencrypted emails and metadata to sit? Who do I trust more — Google or
activist groups? Although activist groups draw attention to themselves, I trust
Riseup and MayFirst’s track record of resisting subpoenas from US grand juries,
US agencies, and many other governments/legal systems around the world. Because
of the identity and ideologies of dissident artists, the government already
knows we’re activists. I’d rather collaborate with groups that have been
working on this issue for quite some time. I’m also leery of
surveillance capitalism because it goes hand in hand with the surveillance
state. COINTELPRO and other surveillance projects that impacted POC-led
movements are in the back of my mind as I make these decisions. Google has the
money and the know-how but they don’t give a shit about me or my struggle. They
aren’t going to go to the mattresses for me. I don’t like the demographic and
psychometric data providers like Google and Facebook gather (and the lack of
transparency for how that information is used). I’m a dissident artist who is
willing to spend the effort to divest as much as I can and become a
contributing member in political tech groups.
Here’s a short clip of a training given at Eyebeam about email encryption.
- Share what you’ve learned from this process. Help other artists start to shore up their security. If you’re the only person who uses Signal or an activist email account, it’ll be of no use to you.
- To level-up the security of your email, start using PGP. Better yet, have a PGP party where you and your closest friends, family, and coworkers install GPG Tools and create keys together. matt mitchell has an excellent (draft of a) guide for how to spin up PGP without installing an email provider: https://docs.google.com/document/d/1Zn62XjVRkt6_nvtgUvWO4WLo4VTQ3WQ98WKc5gkPb8w/edit
- Organize—Collaborate with others and explore group action (collecting money for folks who can’t afford services, purchasing secure storage units for large works, creating personal libraries of books and information that could be targeted, etc). Try to find groups like matt mitchell’s CryptoHarlem security parties: https://twitter.com/cryptoharlem
- If your information is sufficiently backed up, consider next steps (i.e., deleting it from the cloud).
- Consider using Tails. @ciakraa of @hackblossom
explains it well in their EXCELLENT DIY Guide to
Feminist Cybersecurity:
There are a countless number of situations where Tails could be an invaluable tool for your privacy. Activists looking to organize in spite of government surveillance can use Tails to effectively communicate. People being tracked by predatory abusers can use Tails to access the internet without risking their physical location or data. Someone that wants to utilize public computers or internet networks can do so while still having their privacy protected. Any time you want to be maximally private in your activity and your data, Tails is an incredible tool to have at your disposal!