Revolutionary social movements which challenge power can be dangerous, as power structures can be broad, far reaching, and have different components. The General Defense Committee of the IWW holds that broad structures can only be effectively challenged by mass and broad movements themselves, and this is how movement security is upheld. Having comrades within a vibrant social movement that have your back when you need them is infinitely more vital than a paranoid security culture. Strong relationships fight power in ways that physical tools cannot, and security culture alone cannot defend on every front or make strong actions lasting and relevant.
Recognizing that different parts of power have different tools and reach is key. Flexibility and specialized education are necessary to confront different types of hurdles – social, technological, or otherwise. That being said, the digital landscape is foreign and unfamiliar to many, and some understandings of strengths and weaknesses in this landscape may not be representative or complete. This document is focused on technology security and serves as an educational map and how-to in defensive methods and awareness for readers confronting power, particularly in methods you don’t need years of education to understand, or simple substitutions for insecure services.
In today’s paranoid climate, everybody is a target for surveillance and repression, but if there were ever a time when elevated surveillance would occur, confronting power would be that time. For example, the cell phone spying at the 4th precinct in Minneapolis (http://nstarpost.com/17486/159855/a/cellphone-surveillance-used-on-black-lives-matter-protesters-at-fourth-precinct) is proof of its existence beyond all doubt. Because of this and other similar situations, the Twin Cities GDC wrote this document to give a few practical tips:
Tech things you have no excuse not doing:
Google is known to be cooperating with PRISM (a corporate and government joint surveillance program) in turning over user data to the National Security Agency (NSA) without a warrant. It’s also well established that the NSA is monitoring search engine data traffic through a secondary access point. You should assume that anything you do through Google is being tracked, and that data is accessible by both large power structures and anyone with access to your account.
Use DuckDuckGo or Disconnect.me for searches, and don’t send any sensitive data through Gmail, or any unencrypted (the digital equivalent of unlocked) email for that matter.
LOCK YOUR DEVICES
Devices such as laptops and cell phones that have personal information can easily be stolen through physical means, giving complete control to an attacker with technical skills.
Do not leave devices unattended. Put at least a simple password on your phone and laptop when you close it – it won’t stop people who really know what they’re doing, but it does prevent the simplest forms of data theft without much hassle for you. Do not use fingerprint unlocking on your phone! Fingerprint unlocking is imprecise, and fingerprints can be easily stolen, spoofed, and turned over to the authorities by companies like Apple, while preventing authorized users who are not you from accessing your phone if they need to do so.
AVOID PUBLIC FACEBOOK LEAKS
Facebook is king of unintended information leaks, hands down. Surveillance doesn’t need to be complex if you give all your data away for free.
Review your privacy settings on Facebook very carefully. If you have some kind of semi-public persona, it might be best to clean your friends list and make a separate page for that. Isolation is easier to enforce than reviewing security on every post. As a rule of thumb, similar to Google accounts, do not send sensitive information through Facebook at all. Facebook is also a member of PRISM, so do not assume any sort of privacy from large power structures.
AVOID TEXT MESSAGES
Plain SMS (Short Message Service) messages, also known as text messages, are unencrypted by default. Anybody with access to the cell phone network you’re on has full and complete access to anything you send through regular text (SMS) or multimedia (MMS) messages. This includes local police with fake cell towers.
Use an app called Signal if you have iOS or Android. Signal encrypts your text data end-to-end before sending, which prevents any man in the middle from viewing it, and has an option to encrypt voice calls as well. Please note that it does not prevent anyone with access to your phone or your recipient’s phone from viewing your messages, nor does it prevent cell phone tracking! If you do not have the ability to get this app, sending sensitive information through SMS could be dangerous: wait for an opportunity to relay this information in person, or use some other method.
AVOID WEAK & REUSED PASSWORDS
Having weak and reused passwords is a great way to get accounts stolen. If you worry that your password may be weak or has been reused, rebuild and change your password immediately.
Use a mnemonic to remember passwords that don’t contain English words (for example, create a sentence including capitalized proper nouns and use the first letter from each word). Use lower case, upper case, numerals, and punctuation in your sentence, and add a part to your password or sentence for the place you are using it, so that your exact same password does not get reused. For example, Ga!TIwt1RFab33lob. could be a password from “Google account! Today I went to 1 Rainbow Foods and bought 33 loaves of bread.” (DO NOT USE THIS EXAMPLE VERBATIM.) The sillier or otherwise more meaningful the sentence, generally the easier it is to recall.
Alternatively, if you have many sensitive accounts, I might recommend using a password manager application (such as KeePassX).
AVOID STOCK BROWSERS
An internet browser from a fresh install (either Firefox or Chrome) will be vulnerable to all kinds of attacks, so it’s best to install a few extensions before viewing anything.
Install these add-ons: HTTPS Everywhere (automatically uses secure transfers when supported), Privacy Badger (prevents you from being tracked by certain methods), uBlock Origin (prevents intrusive advertisements and some forms of trickery), and perhaps Cryptocat (simple chat rooms with end-to-end encryption).
For more security, at the price of seriously learning both the terms and how to use other tools, we might also suggest the following: uMatrix (or alternatively NoScript; both are domain-blocking extensions for browsers), a proxy server (some, such as Disconnect.me, are available freely but have mixed records on turning over access logs; we might also recommend buying one from a dealer called Private Internet Access if you want more proxy options and better safety), Pidgin + OTR (a generic IM program with encryption through any protocol), and VeraCrypt (deniable generic data encryption). If you absolutely must transfer anything highly sensitive outside of physically handing the data over, please look into the Tor Project, a distributed communications system project far beyond the scope of this letter. Do note, however, that these tools are only as useful as your understanding of them—do not let their existence on your hard drive lull you into a false sense of security.
It’s important to understand that your data security and information pipeline don’t affect only you, but everyone you are in contact with. Please take some time to consider your own connections or behaviors that could be exploited—if not for your own safety, then for the safety of your friends, loved ones, and everyone else you’ve been in contact with.
For more information on action planning, threat modeling, and more in-depth information on tools that require more education to use effectively, please contact the Twin Cities IWW General Defense Committee Local 14 about an upcoming Information Security Training 101, or contact your local GDC about providing this training.
Stay safe everyone,
Twin Cities IWW General Defense Committee Local 14