A 70-Day Web Security Action Plan for Artists and Activists Under Siege

We have 70 days until Donald Trump takes office. It’s imperative that folks under siege (POC, LGBTQ+, Indigenous folks, immigrants, Muslims, folks with disabilities, etc), especially artists and activists, take steps to protect their data and privacy online.

I’m not an information security or legal expert. These are just suggestions. This list is not exhaustive, and it is not the only way to secure your data.

Web security is like a tree. A young tree can be snapped by a fist. As trees grow layers and roots, they require knowledge, equipment, and energy to cut down. I’m trying to help you add layers of security to your daily routines. I don’t like the words “secure” or “safe” because nothing fits into those categories. The only thing we can do is become safer and more secure. Each bullet point is a layer, a step another person or agency has to take, to access and trade your information. I’ve tried to choose the layers that have the highest return on your investment in time and money. Think about your situation and resources and create your own action plan.

I’ll be updating this article with edits as I find out new information and better ways to do things. If you have any ideas or edits, please ping me or comment.

I want to identify the key assumptions that underlie this article:

  • Taking a small, first step lowers your mental barriers.
  • Changing workflows is hard and takes practice. Go at your own pace and be easy on yourself.
  • COINTELPRO (and similar programs) didn’t just “happen”. It’s been happening and will ramp up.
  • Government and non-governmental bodies already have you on their radar: They know you disagree with some element of the status quo and that you’re a person under siege (black, POC, Muslim, queer, a person with physical or intellectual disabilities, a recent immigrant, indigenous, etc).
  • Many of your private communications are sitting on the email accounts and devices of your friends and family.
  • Surveillance capitalism is dangerous. We don’t know the implications of how tech companies extract value from their customers’ data. Most people don’t understand what corporations like Facebook and Google know about them, how the data is used/bought/traded/aggregated/sold/deployed, and if corporations have already handed over information to government groups. Lack of transparency + colonialism/capitalism + technological supremacy = STRANGER DANGER.

Privilege alert: I have the privilege to spend time thinking about this and drop money on a credit card for some of the costs associated with purchasing VPN access, physical safes, and tech services. This article is just a quick brain dump. The next step is for us to organize and help those who don’t have the same level of privilege. Remember to secure your own oxygen mask before helping your neighbor.

LAST UPDATE: 11/24/16 at 11:30 am EST (29k views since 11/10)

November

The first steps
  • Withdraw $10–$40 of cash from your bank.
  • Buy a Starbucks gift card with the cash.
  • Use the gift card to purchase 1 month to 1 year of VPN access on https://www.privateinternetaccess.com (or a comparable service of your choosing; ask around or read online reviews, and make sure the service says it doesn’t keep logs of your activity, because a VPN provider can see everything you send through it). Keep in mind: it’s better to buy a VPN with a credit/debit card than to buy none at all. This is only a small layer, and the sites you visit and your ISP can still tell that you’re using a VPN, and often which one.
  • Download the Tor Browser and start using it as your primary browser. Be sure to follow the instructions and security warnings here: https://www.torproject.org/download/download-easy.html.en#warning
  • It’s impossible to follow every warning all the time, and Tor has limitations, so it’s a good idea to also use a VPN. If you don’t use a VPN, a good start is the Tor Browser for anything sensitive and Chrome/Firefox with the HTTPS Everywhere extension for everything else.
  • Download Signal on your phone and encourage everyone you communicate with privately to use it as well. Use it instead of iMessage, SMS, WhatsApp, Facebook Messenger, etc. It also makes voice calls, and the desktop version can replace Skype, Slack, etc. Signal encrypts messages end to end, but a conversation is only as private as the phones on both ends, so the steps below (passcodes, encryption, updates) matter for the people you talk to as well.
  • Enable two-factor authentication (2FA) on all email, financial, and other important services. Where the service offers it, prefer an authenticator app or a hardware key over SMS codes: text messages can be read or redirected by someone who takes over your phone number.
  • Do an info security audit — Begin to brainstorm how you use social media, email, mobile devices, and cloud storage. How do you use these services? Which communications need to be moved to secure channels? Are sensitive documents saved in the cloud? Can you quit Facebook, Twitter, Google, and Amazon altogether?
  • Choose strong and distinct passphrases, a different one for every account, so that one leaked password doesn’t open the rest. The Intercept has a handy guide here: https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
  • @AllBetzAreOff recommends using a non-cloud-based password manager (such as KeePassX) to generate and store your passwords. More info here: https://securityinabox.org/en/guide/keepassx/windows
  • It’s important to turn on software auto-updates so you’re protected from known software vulnerabilities. (Thanks to Dan Sullivan, Ph.D. for this advice! Check out his excellent comment for more information.)
  • Encrypt your mobile devices. iPhones are encrypted automatically, but the protection is only as good as the passcode that unlocks them, and many people use codes that are too short. Change yours to a long, random string of numbers (write it down and keep the note somewhere safe until you’ve committed it to memory). Android users can enable encryption in the Settings app.
  • Encrypt your computer’s disk using BitLocker (Windows) or FileVault (Mac), and store the recovery key somewhere other than the computer itself.
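Here is what the passphrase advice above comes down to in numbers. This is an added example written for this page, not code from the original article or from the Intercept guide. The 32-word list in it is constructed so the block runs offline; a real diceware list has 7776 words, so the entropy figures use that size. The attacker speed in the demo (10^12 guesses per second) is an assumption for illustration.

```python
import math
import secrets
from typing import Sequence

# Constructed stand-in word list, only so this block runs offline. A real
# diceware list (the EFF list the Intercept guide points to) has 7776 words,
# one for every roll of five dice; use that, not this one, for real passphrases.
SAMPLE_WORDS = (
    "acorn", "banjo", "cactus", "dune", "ember", "fjord", "glacier", "harbor",
    "igloo", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "river", "saddle", "tundra", "umbrella", "velvet", "walnut", "xylem",
    "yarrow", "zephyr", "anchor", "bramble", "cobalt", "drizzle", "falcon", "granite",
)
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in a standard diceware list


def generate_passphrase(words: Sequence[str], count: int = 6) -> str:
    """Pick `count` words uniformly at random, with replacement, using the OS
    CSPRNG (`secrets`, never `random`). Uniform choice is what makes the
    entropy arithmetic below honest; a person picking 'random' words is not."""
    if len(words) < 2 or count < 1:
        raise ValueError("need at least two words and one pick")
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size: int, count: int) -> float:
    """Bits of entropy in `count` words drawn uniformly from `list_size` words."""
    return count * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Fewest words from a list of `list_size` that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def random_password_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a truly random `length`-character password over an alphabet
    of `alphabet_size` symbols (95 = printable ASCII), for comparison."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive guessing: on average half the space is tried."""
    seconds = (2.0 ** bits / 2.0) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(SAMPLE_WORDS))
    six = entropy_bits(DICEWARE_LIST_SIZE, 6)
    print(f"6 diceware words: {six:.1f} bits; "
          f"8 random printable chars: {random_password_bits(8):.1f} bits")
    print("words needed for 100 bits:", words_needed(DICEWARE_LIST_SIZE, 100))
    # Assumed attacker speed of 1e12 guesses/s against a fast hash (an assumption).
    print(f"expected years at 1e12 guesses/s: {expected_crack_years(six, 1e12):.0f}")
```

Run it and a six-word diceware passphrase comes out at about 77.5 bits, against about 52.6 bits for eight truly random printable characters. The strength comes from the list size and the word count, not from how odd the words look, and it only holds if the words are chosen by dice or by `secrets`, not by you.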

December

  • If you have (or want) a website, database, or app, host it with a provider run by and for activists, like MayFirst (see Communities and organizations below).
  • Purchase a physical safe (like the SentrySafe SFW123DSB) for your important documents, hard drives/USB keys, and artwork. You can split this cost with folks who live nearby. If your artwork is larger than a common household safe, and you’re interested in chatting, ping me. We need to brainstorm how to help artists under siege keep their art safe from destruction. Research the safe to make sure its interior won’t cause electronics to oxidize, or buy silica gel desiccant packets or special sleeves for them.
  • Purchase a hard drive that can store your digital files. Encrypt it (Disk Utility on Mac, BitLocker on Windows) and keep its password with your other passphrases, not on the drive. In the future, consider purchasing multiple drives and keeping your most valuable information in more than one place. If you bought a safe, keep your hard drive there. You should also prepare for a time when Internet access, or your information stored online, is completely unavailable to you.
  • Audit your cloud storage. Where are your files stored? What kind of information is stored? Where’s the most sensitive information?
  • Begin to break your dependence on cloud storage (when possible): iPhoto, Google Photos, Google Drive, DropBox, etc. Structure your filesystems in ways that are easy to navigate without Google’s search capabilities.
  • See if you can minimize your use of Chrome/Firefox/Safari/etc by the end of the month. Dennis Cahillane ツ says:
“Yeah, I don’t recommend using a Firefox add-on you install yourself. I recommend downloading the Tor Browser bundle directly from the Tor Project here https://www.torproject.org/download/download Using the Tor Browser bundle is easy for non-technical users, but you will quickly become frustrated by its limitations. When you aren’t using Tor, I recommend Firefox or Chrome with the following add-ons: HTTPS Everywhere, uBlock Origin.”
  • Download all of your files to your computer + external hard drive. This might take a while, so you can do a batch a day. Start with the most sensitive information. (This is just a start. There are ways to have access to encrypted cloud storage; I think folks can consider this after the New Year, once they’ve done the initial transfer and broken their dependence on easy-to-use cloud services.)
  • If you’d like, choose an activist email provider you’ll use instead of Gmail (or a service like ProtonMail). You’ll also need to loop in your friends and family. Jamie McClelland, Co-Founder of MayFirst/PeopleLink says:
“Using Gmail is definitely a bad idea. Under Obama we had a huge expansion in the federal government spying infrastructure and they definitely target the big corporate providers — either by compromising them or simply sending them a subpoena. And now all of that will belong to Trump.

For email, stick with activist providers. And *everyone* has to do it. If you are having a group conversation and just one person is on gmail, then everything goes to gmail.

If everyone is on MF/PL, then it never leaves our servers and it is far more difficult to intercept. If some people are on Riseup and some are on MF/PL it’s also good — since MF/PL and Riseup will encrypt messages between servers.

However… even with all of these protections, I would advise against relying on email for anything sensitive.

If you haven’t already, I would suggest replacing whatever program you use to send SMS messages with Signal (https://whispersystems.org/). It’s on both iPhone and Android. It’s easy to use and it’s very secure.

I would also suggest using Jabber (see the MF/PL page here: https://support.mayfirst.org/wiki/how-to/jabber).

Both Signal and Jabber work on your phone and provide much better encryption and privacy than email ever will.”
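Two of the December steps, keeping your files on more than one drive and copying them down from the cloud a batch a day, only pay off if the copies are actually intact; drives fail quietly, and a copy that was interrupted halfway is easy to mistake for a complete one. The block below is an added example for this page, not part of the original article: it builds a SHA-256 manifest of one copy and checks a second copy against it. The file names and contents inside `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of one file, read in 1 MiB chunks so large media never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under `root`."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def write_manifest(manifest: Dict[str, str], path: Path) -> None:
    """Write in `sha256sum -c` format ("<hex>  <path>", two spaces) so the copy
    can also be checked on a Linux live system without this script."""
    with path.open("w", encoding="utf-8") as f:
        for rel, hexdigest in sorted(manifest.items()):
            f.write(f"{hexdigest}  {rel}\n")


def read_manifest(path: Path) -> Dict[str, str]:
    """Parse the format written by write_manifest back into a dict."""
    manifest: Dict[str, str] = {}
    with path.open("r", encoding="utf-8") as f:
        for line in f:
            hexdigest, _, rel = line.rstrip("\n").partition("  ")
            if hexdigest and rel:
                manifest[rel] = hexdigest
    return manifest


def verify_copy(manifest: Dict[str, str], copy_root: Path) -> Dict[str, List[str]]:
    """Compare a second copy against the manifest of the first and report
    files that are missing, changed, or present only in the copy."""
    found = build_manifest(copy_root)
    return {
        "missing": sorted(rel for rel in manifest if rel not in found),
        "corrupted": sorted(rel for rel in manifest if rel in found and found[rel] != manifest[rel]),
        "extra": sorted(rel for rel in found if rel not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: a primary copy and a second drive on
    which one file has silently changed and one was never copied at all."""
    with tempfile.TemporaryDirectory() as tmp:
        primary, backup = Path(tmp) / "primary", Path(tmp) / "backup"
        files = {
            "art/sketch.png": b"\x89PNG\r\n\x1a\n" + bytes(range(256)),
            "docs/lease.pdf": b"%PDF-1.4\n% constructed sample\n",
            "notes.txt": b"meeting: thursday 7pm\n",
        }
        for root in (primary, backup):
            for rel, data in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        (backup / "notes.txt").write_bytes(b"meeting: thursday 9pm\n")  # one byte rotted
        (backup / "docs/lease.pdf").unlink()  # never made it onto the second drive

        manifest_path = Path(tmp) / "MANIFEST.sha256"
        write_manifest(build_manifest(primary), manifest_path)
        return verify_copy(read_manifest(manifest_path), backup)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest file alongside each copy, and rerun the check whenever a drive comes out of the safe. Because the format matches `sha256sum`, the same manifest can be checked from inside the copy’s root with `sha256sum -c MANIFEST.sha256` on any Linux live system, Tails included.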

A note about email: Dan Sullivan, Ph.D. left a relevant criticism of activist email accounts in the comments:

Also, infosec is largely a battle of technical skills and resources. Google has more of both than any email or other cloud provider I know of. I use Gmail with two factor authentication and will stick with it. Sure, an agency may get a warrant for emails at Google but there is less chance of successfully hacking the Google infrastructure to get those emails than hacking another provider with fewer resources.

I respond:

Email seems impossible to secure. I’m already starting to drift away from email as my primary means of communication. Although I might use an end-to-end encrypted service, PGP, etc., 95% of my contacts do not have access to this technology. So the question is: where do I want my unencrypted emails and metadata to sit? Who do I trust more — Google or activist groups? Although activist groups draw attention to themselves, I trust Riseup and MayFirst’s track record of resisting subpoenas from US grand juries, US agencies, and many other governments/legal systems around the world. Because of the identity and ideologies of dissident artists, the government already knows we’re activists. I’d rather collaborate with groups that have been working on this issue for quite some time. I’m also leery of surveillance capitalism because it goes hand in hand with the surveillance state. COINTELPRO and other surveillance projects that impacted POC-led movements are in the back of my mind as I make these decisions. Google has the money and the know-how but they don’t give a shit about me or my struggle. They aren’t going to go to the mattresses for me. I don’t like the demographic and psychometric data providers like Google and Facebook gather (and the lack of transparency for how that information is used). I’m a dissident artist who is willing to spend the effort to divest as much as I can and become a contributing member in political tech groups.

Here’s a short clip of a training I gave at Eyebeam about email encryption.

January

Tails is a live operating system that boots from a USB stick or DVD, routes all of its network traffic through Tor, and leaves no trace on the computer once you shut it down. There are countless situations where Tails could be an invaluable tool for your privacy. Activists looking to organize in spite of government surveillance can use Tails to communicate effectively. People being tracked by predatory abusers can use Tails to access the internet without risking their physical location or data. Someone who wants to use public computers or internet networks can do so while still having their privacy protected. Any time you want to be maximally private in your activity and your data, Tails is an incredible tool to have at your disposal!

Known next steps and questions

  • How can organizers use PGP to avoid infiltration? (I have 9 Keybase invites. Ping me if you’d like one)
  • How can we make encrypted online storage easy to use for folks who don’t have IT/DevOps/tech experience?
  • What tools do folks under siege need to build to get away from using Google, Twitter, Facebook, Amazon, and other services?
  • Should our banking habits change (credit cards, online banking, cryptocurrency, etc)?

Communities and organizations

Mr. Rogers once said that when he was a little boy and a national tragedy happened, his mom told him “Look for helpers. There are always helpers.” Within 6 hours of posting this, kind security experts contacted me and wanted to help you be safer on the web. Once you’ve secured your oxygen mask, I hope you’ll do the same for your family, friends, and collaborators. Here are communities you can join:

May First/People Link engages in building movements by advancing the strategic use and collective control of technology for local struggles, global transformation, and emancipation without borders. Flowing from that mission, our organization redefines the concept of “Internet Service Provider” in a collective and collaborative way. Like any democratic membership organization, we gather together each year to evaluate the past year’s experiences, plan the coming year’s work and elect a Leadership Committee to apply what we’ve decided. Like a coop, we pay dues, buy equipment and then we all use that equipment as we need to for websites, email, email lists, and just about everything else we do on the Internet. As a movement organization, we participate in (and often lead) campaigns, struggles, coalitions and network of left, progressive and social justice organizations in the U.S., Mexico and Internationally.
Riseup provides online communication tools for people and groups working on liberatory social change. We are a project to create democratic alternatives and practice self-determination by controlling our own secure means of communications.

11/24/16: A note about Riseup: Cryptic tweets and an out-of-date warrant canary (a statement Riseup re-signs regularly to say it has received no secret government orders; when it stops being updated, you should assume the worst) mean Riseup might have been compromised. If you’re using Riseup, you should: A. Donate to them and B. Decide if you’ll keep using the service or migrate to another until the canary is updated. There are arguments for waiting it out and arguments for backing up data and using another provider until the canary has been updated. Check out the article below for more information.

With a CryptoParty you create an environment where people from different backgrounds come together and learn from each other. Hence you might want to include people of different age, gender, heritage and expertise.
Doors open, people arrive, find a seat and socialize. A short intro officially opens the event and then it’s off to the tables. Each table covers a topic and people decide what they’d like to learn or teach.
People will be more comfortable given enough time for socializing. They will be more likely to ask questions then. But it also takes an environment where they feel comfortable socializing. Setting the scene is your task.
Palante Technology Cooperative works to help progressive nonprofit organizations move forward with the aid of technology. We come to this work with technical expertise, a deep understanding of the particular needs of community organizations, and a long-standing commitment to working for social justice.

Resources