Internet-related tips for protesters (document in development here)
Whether you are protesting in person or working in digital spaces (or both) covering your browsing habits, metadata, and search histories is important. These can be ordered as evidence, or can expose others even months or years later. Even without a court order or direct governmental surveillance, your data history can be bought from aggregate services, both legally and illegally.
On the internet, you are tracked. You are tracked everywhere you go, whether by your ISP, advertisers, cookies, or the site itself. This will be your IP address (a unique identification number per network), where in the world you roughly are, other places you have been on the internet, and often what social media accounts you hold. Even just the browser you use can tell someone who you are because of the ‘headers’ your computer sends, called a Browser Fingerprint. Because there are only so many combinations of hardware and software, you may have a unique “fingerprint” simply because your computer’s particular combination is rare. See: https://webkay.robinlinus.com/ https://panopticlick.eff.org/
Personal privacy on the internet has been eroded from all sides, including advertisement and commerce, weak government protections, hacked databases, products and services which leak your information (via selling it or accidentally and ambiently). But also, the internet was never really made to be anonymous. It takes work anonymize your information.
~~~
AT THE PROTEST:
On phones / other smart devices:
Turn off your phone or leave it at home
Police can track phones through cell towers – this can confirm your presence or identify you later
Messages can also be intercepted by “stingrays”, which pose as cell powers -> https://en.wikipedia.org/wiki/Stingray_phone_tracker
If you use Android, leave it at home – they have a history of being hacked by police- > https://money.cnn.com/2016/02/25/technology/android-apple-police-encryption/index.html
If you have an old/spare/burner phone, consider bringing that instead- even without a sim card, having an empty phone that can connect to wifi and bluetooth might be helpful.
If you do bring your phone
Think about what you have stored on it and if it could put you or anyone else at risk. Delete contacts and messages as needed.
Back up your data, in case it is lost.
Set a difficult passcode
NOT face or thumb Id, not a year or all one number in a row
Turn off home screen notifications – don’t let anything show without unlocking your phone.
Set your phone to go to lock screen extremely quickly
Turn on airplane mode, which will keep your phone from broadcasting.
Make sure that Airdrop isn’t on.
If you lose your device or it is confiscated:
Revoke access & log out of applications remotely
Changing your password to accounts can sometimes force a log-out
Or you can do it manually per account- search “<service name> revoke access for devices”
Use Signal or other encrypted messaging systems to communicate
Police can still surveil metadata (when you’re sending messages to, when) but not the actual contents of an encrypted message
https://signal.org/en/
TURN OFF LOCATION SERVICES!! This will keep you from attaching GPS coordinates to photos.
iphone -> https://support.apple.com/en-us/HT207092
android -> https://support.google.com/accounts/answer/3467281?hl=en
On taking photographs:
Photographs can be extremely useful, but:
Take photos without unlocking your phone
Do not take pictures of anyone that could be identifiable
If you capture a person in a photo, BLUR OR BLOCK THEM OUT
After you take pictures, screenshot them to remove exif data
Exif data stores information on the image such as shutter speed, if a flash was used, date and time, and GPS information. See- > http://exifdata.com/
This can be evidence – don’t post something directly, but screenshot the image so that information is overwritten.
After you screenshot the photograph, delete the original.
IF YOU POST PHOTOS/INFORMATION ON THE INTERNET, know that this is saying that you were there. Never tag anyone else without their express consent or discuss private plans in a publicly visible space.
On keeping yourself from being identified:
Wear a bandana/mask, sunglasses, and cover any identifying features, especially tattoos.
Don’t wear clothes that have identifiable logos on them, or that are unique. Stick to solid colors, or all-black.
Don’t buy stuff, and if you do use cash! Credit cards / digital payments are immediately traceable.
Bring a change of clothes for after the protest, or if you have to get away quickly.
Bike or walk if you are able – License plate readers may be in use.
Regarding CV Dazzle (https://cvdazzle.com): this is cute and cyberpunk and folks like to share it, but it is not as effective as just blocking your face. AI gets better every day, and if you’re still identifiable to a human you’re still at risk. If anything, colorful facepaint might might you more identifiable.
~~~~
ON THE INTERNET:
If you’re doing research or online activities that shouldn’t be tracked to you, here are some ways to cover yourself, ordered roughly from least to most difficult/serious.
Check if your email and/or phone has recently been hacked: https://cybernews.com/personal-data-leak-check
Use the Firefox browser – Firefox just got a recent upgrade with increased tracking blocking and other data protections, especially over Chrome.
Don’t install plug-ins you don’t trust, but do install plug-ins that help keep your data safe –
https://www.eff.org/privacybadger or https://privacy.net/analyzer/, which tests everything Privacy Badger does but also covers some things it doesn’t such as testing for autofill leaks and logged in accounts.
UblockOrigin https://getublock.com/
No software without a privacy statement that you believe –
Even stuff you download to your computer that isn’t online can send information
No Dropbox
They are a very anti-privacy company. Use https://onionshare.org/ for filesharing.
No Googling things, use DuckDuckGo
Use Incognito mode
Not honestly a solution, but confuses some tracking.
Burner accounts
Always make a new email with no info for new accounts.
Use a fake name
This is legal and you should do it to avoid having your information data mined across services.
Turn off location sharing on your computer –
https://www.tenforums.com/tutorials/13225-turn-off-location-services-windows-10-a.html
https://appsliced.co/ask/how-do-i-disable-location-services-on-my-mac
Never pay with a credit card, use a third party like Paypal, or cash or bitcoins are better
Delete cookies and browsing history a lot.
Turn off Javascript – this is a bummer but really helpful, https://noscript.net/
Use the Tor Browser
Tor browser – > https://www.torproject.org/
Tor makes your traffic semi-anonymous by routing through nodes around the world.
This is how you access the darkweb but you don’t have to go to darknet sites, just use Tor for regular browsing.
There are also other browsers/systems, like Freenet and I2P.
Use a Proxy or a VPN (or both)
A Proxy hides your IP address makes it look like you’re somewhere else, but don’t encrypt your data. Good for lowstakes things.
A VPN also makes your IP looks like it is coming from somewhere else, but is significantly more secure.
More-> What is the difference between a VPN and a Proxy? https://www.howtogeek.com/247190/whats-the-difference-between-a-vpn-and-a-proxy/
Some Proxys:
https://hidester.com/proxy/
https://hide.me/en/proxy
You can read more about VPNs and pick one out here: https://ssd.eff.org/en/module/choosing-vpn-thats-right-you
Expect to pay for a good VPN, though some have free versions.
You need to make sure your VPN has had a public audit to ensure that it has no logs, aka no record of what you have used their internet connection for.
Use Proxygambit – http://samy.pl/proxygambit/
Use an anonymizing OS-
A virtual machine that resets on boot, running on (secure) portable media. You want an encrypted key with Tails or ZeusGuard, or even Windows To Go. Assign a random DHCP address on start. Iron key is a good place to start – > https://www.ironkey.com/en-US/ https://youtu.be/3sx41MXPgPg
Once you’re all set up, check against DNS leaks –
https://dnsleaktest.com/
https://dnsleaktest.com/what-is-a-dns-leak.html
~~
IF YOU’RE BEING TARGETED:
And need to button up your online presence in case of identify theft/ hacking/ harassment/ threats/ etc (thanks @somenerdliam from Twitter for some of these links):
Search your old emails
Go through each email you can think of that you’ve used
You’ll need access to them so that you can access other websites you may have signed up to using them.
Delete accounts from forgotten services
Use the search function for each email account and look for “Sign up”, “Welcome”, etc.
Recover and log in to each service.
Purge any content and messages, as the account may be archived even after its ideleted.
Make a note of your username, password, the service, and email used
Delete the account.
If you can’t find where, search “delete account” + “<service>”. You may have to email support.
If you remember being on other sites, go to those sites and enter all your old emails in the recover password box.
Check if your information is already public
Now that you have a list of usernames, emails, and services, see if these are part of a data breach anywhere
Search on Duckduckgo/Google/other search engine for your email and account names.
You will potentially find pastebin links or databases with leaked information. Note what usernames and passwords show up.
Many databases are not indexed by search engines: use https://haveibeenpwned.com to check when and what is public.
If anything shows up, this is the first priority to change or delete!
Remove old information from Google
Even if you delete old accounts, there is cached information about them.
Use the Google Console to request them to delete/update their search engine (which usually takes months organically) to remove those cached results. You have to provide a link to each. https://www.google.com/webmasters/tools/removals
Don’t let Google track you
Here is where you can go through each of Google’s services. Turn them off for every account you have. https://myaccount.google.com/activitycontrols
You can see (and scrub) your old activity here: https://myactivity.google.com/myactivity
You can report content for legal removal here: https://support.google.com/legal/answer/3110420?visit_id=637092788967151292-3839576181&rd=1
For every service you use, strip down privacy settings to the core.
What is possible will change service to service – it is safer to not have an account, but be sure to change your settings where possible.
Facebook is particularly bad, but if you do want to use Facebook make sure all of your information is set to private so people can’t access photos and information about you.
Delete old emails
After you’ve gone through your old emails for signups, etc, you should delete them.
This is not for stuff you will need in the future, but for personal information that could be used against you or embarrass you.
If you think you might need these emails, make sure to change your security questions and password.
Secure account practices
Change all your passwords regularly, at least a few times a year.
New databases are sold or leaks happen daily.
Never use the same password, passwords that are similar to each other, or personal information in your passwords.
Its easy to guess where an underscore or 0 might go to edit a password. There are even programs that run through password permutations automatically.
Delete your old content regularly
Delete tweets and old photos. If you are a personal target, this information might be studied intensely.
Be careful of posting about your social circle and folks who are physically near you. Even if you have tight data practices, your neighbor might not- and if a hacker knows they are your neighbor, they also know where you live.
~
More links –
https://www.eff.org/deeplinks/2016/11/digital-security-tips-for-protesters
https://ssd.eff.org/en/module/attending-protest
https://www.wireshark.org/tools/oui-lookup.html
~~
I’m not an expert – if you have additions or corrections, @ this thread on twitter: https://twitter.com/everestpipkin/status/1266601091229155328