Technology for Direct Actions
On March 25th I presented at LibrePlanet 2017: The Roots of Freedom. This is a copy of my prepared remarks for the presentation, called “Technology for Direct Actions.”
Thank you for joining me today at LibrePlanet. Thank you to the Free Software Foundation and MIT’s Student Information Processing Board for this opportunity. My name is Andrew Seeder. This strategic action session is called “Technology for Direct Actions.” I hope you’re in the right room!
For those listening here and online, my presentation is meant for educational purposes only. It does not reflect the opinions of my employer. TW: I will mention violence against activists in terms of numbers of injuries and deaths. Let me take a moment to read LibrePlanet’s safe space policy:
Safe Space Policy
If you need to file a report, find a staff member or ask a volunteer to help you find one.
The FSF is dedicated to providing a harassment-free LibrePlanet experience for everyone.
We do not tolerate harassment of conference participants in any form. Offensive or graphic sexual language and imagery is not appropriate for any conference venue, including talks.
Conference participants violating these rules may be sanctioned or expelled from the conference at the discretion of the conference organizers.
Harassment includes offensive verbal comments related to gender, sexual orientation, disability, physical appearance, age, body size, race, religion, sexual images in public spaces, deliberate intimidation, stalking, following, harassing photography or recording, sustained disruption of talks or other events, inappropriate physical contact, and unwelcome sexual attention.
Participants asked to stop any harassing behavior are expected to comply immediately.
If a participant engages in harassing behavior, the conference organizers may take any action they deem appropriate, including warning the offender or expulsion from the conference.
If you are being harassed, notice that someone else is being harassed, or have any other concerns, please contact a member of the FSF staff immediately. FSF staff are available in every conference session and at the information desk throughout the conference.
Conference staff will be happy to help participants contact hotel/venue security or local law enforcement, provide escorts, or otherwise assist those experiencing harassment to feel safe for the duration of the conference.
We value your attendance and hope you enjoy the conference.
Speaking of whom, would any FSF staff or conference volunteers raise their hand? Please join me in thanking them. Thank you for organizing this conference.
My goal today is to describe some of the challenges and opportunities technology brings to direct actions. What kinds of direct actions? Let’s start with protests.
The Admirality in Hong Kong. September 2014. An organized public assembly to protest changes to Hong Kong’s electoral system. This photograph was taken during the Umbrella Revolution. By the end of November there would be nearly 500 injuries and 1,000 arrests. Especially important for our purposes today because more than 100,000 people installed Open Garden’s FireChat mobile application precisely for the action that was taking place. The app uses individuals’ smart phones to create a peer-to-peer mesh network over Bluetooth or WiFi. Helps people create a local, site-specific communication channel. But as organizers we need to make sure that the tools we use — like for when you need to communicate online and expect the internet to get cut — that these tools also respect our privacy. We need private communication. But take my recommendation with a grain of salt. For those of us who don’t have the expertise to fully audit an app, including myself, who would you trust to tell you whether FireChat or Signal or Riot or Whatsapp is safe to use?
Yorohoco, Desaguadero, Peru. More specifically, the Peru-Bolivia border. It’s May 16, 2011. Thousands of indigenous people organized a direct action against a Bear Creek project to mine silver on the shores of Lake Titicaca. The Canadian company has mining projects across the region. You’ll see a caravan of trucks in the background trying to cross into Peru from Bolivia. Instead of building a vertical barricade against the oncoming traffic, the organizers built a foot tall barricade along the road.
In an action the next month, two people died and 12 wounded in June 2011 at an action over an airport in Pruno and the Peruvian government canceled a Bear Creek Mining Corp project. Another project was canceled in Arequipa. I can’t say for sure whether the Lake Titicaca project was stalled. These actions did not attract global attention.
I juxtapose these two photographs to remind you that your cell phone contains cassiterite and lead and gold and that these metals are extracted at the expense of natural environments and human lives. For the record, the cassiterite in your phone’s solder likely came from the Bisie mine in the Democratic Republic of the Congo. So I ask you, in whose hands is the power of technology? On one hand, transformative political power. A tool of democratic liberation. On the other, a tool of violence and oppression.
Today, I’ll be talking primarily about three things: Versions of private corporate control that stop direct actions from happening, the use of military surveillance technology to capture direct actions in the United States, and what concrete steps organizers can take to use technology that protects their direct actions.
As technologists, we build tools of liberation by sharing a security culture with organizers of direct actions.
Direct actions need organizers. And those organizers are on social media. That’s fine, except when all the organizing happens *through* social media, you end up sacrificing much-needed privacy.
Here are almost 4,000 of the companies that are trying to profit from your personal data by selling it to other companies who want, in turn, to sell you something you’ll buy. I saw this slide while watching a video of Wolfie Christl’s presentation at this year’s Chaos Communication Congress, called Corporate Surveillance, Digital Tracking, Data & Privacy. Highly recommend you also watch it.
This almost goes without saying to this audience, but, believe it or not, there has been a frenzy of interest in your data. And what’s at stake when you have so much interest in the data which makes you you? At the extreme, let me quote the CEO of Strategic Communication Laboratories, known in America as Cambridge Analytica, named Alexander Nix, who said, “Persuading somebody to vote a certain way is really very similar to persuading 14- to 25-year-old boys in Indonesia to not join Al Qaeda.” The company claims to have thousands of data points on 220 million Americans.
Organizers of direct actions need to understand that while they are surfing social media there are also sharks in the water. How do you recognize whether an online organizing space is actually safe? Or what if social media turns against you?
#YaMeCanse. Spanish for “I’ve had enough” — the hashtag used to organize actions in the wake of the disappearance of 43 Ayotzinapa students in Iguala, Mexico in 2014. Found this image from Tanya O’Carroll’s article, Mexico’s misinformation wars: How organized troll networks attack and harass journalists and activists in Mexico. The article is about the effects of this troll network and Alberto Escoria’s burden of trying to persuade Twitter that troll accounts are indeed troll accounts. The image was created by software called Gephi. Let me quote from the original image caption:
The orange smudge at the top is the start of the troll offensive against #YaMeCanse. The protesters had to change to #YaMeCanse2, and then 3, all the way to 33, in order to stay ahead of the trolls who flooded the hashtag with spam.
Very difficult to organize a direct action when you’re getting pinned down by bots. O’Carroll reports that the troll attacks brought organizational capacity down by 20%.
Say you wanted to organize the old fashioned way, without any kind of digital technology to aid your efforts, to limit your digital footprint. Is it possible to extricate yourself from the data machine?
Here is a photo provided by B of a security checkpoint at Disneyland. That there is an adorable RFID scanner and a fingerprint reader convenient for someone just at the right height for the average child. B related that this checkpoint was part of a process that resembled going through an airport. Who has a copy of your fingerprint?
Here’s a piece of technology that relies on open source software. Immigration and Customs Enforcement proposed process flow for a case management system, a diagram obtained by The Intercept_ and reported by Spencer Woodman in an article called, Palantir Provides the Engine for Donald Trump’s Deportation Machine. The same machine, by the way, developed by past presidential administrations, as Kade highlighted this morning. This image is from a funding document. Palantir eventually got the bid. Would it be right if, as libre technologists, all we demanded was a free software solution for this system? I ask again, in whose hands is the power of technology?
I hope one day organizers of direct actions should look for a libre solutions FIRST, because underlying these freedoms is quality assurance. The ability to review and modify source code supports the free software ecosystem. Even if you can’t understand a lick of programming, knowing that there’s an active community who hack source code should be assuring. Why? Because there’s a virtuous circle between what’s accessible, what’s auditable, and who’s held accountable. Accessible. Auditable. Accountable.
Some Economic Democracy Apps (via Ujima Project)
Frankly, I don’t know how many of these solutions, if any, technically qualify as “free software.” I share them today because they give you a sense of some operational priorities that organizers are thinking about. The Ujima Project builds community controlled economic democracy in Boston. Through their research, specifically from Aaron Tanaka, Hendrix Berry, and Sarah Jimenez, they’ve pulled together a list of apps which are poised to help organizers. Many seem to market themselves as “ethical alternatives” to other apps. I won’t go through all of them in detail, aside from noting that they span a range of interests which technologists do not often think about, but which are absolutely crucial to organizers of economic democracy. Volunteer management. Time banking. Group governance, decision making, and voting. Shout out to platform co-operativism, the digital version of worker co-ops. Check out Micky Metts’s presentation tomorrow afternoon. Quick show of hands: How many people here are part of a worker co-op?
A lot of us here have strong commitments to free software. Yet when we’re working with organizers of direct actions, we’re going to come up against the pragmatist’s dilemma time and again: Practical expediency versus commitment to values. Whereas one organizer might recommend Signal as a secure communication technology with a growing user base, another might not because it uses proprietary technology. Put another way: For organizers, the perfect is the enemy of the done.
There is a great place to create spaces where organizers and activists can come to learn and share best practices, build that shared security culture among free software experts and organizers. Here’s the impenetrable ghost back door to the cryptoparty in Boston. It’s actually in Somerville. Very secure. At our cryptoparties we try to create the most welcoming, accessible space that we can. Because, lately, there’s been a lot of interest in “Digital Security 101” trainings. Here’s an outline of those agendas:
I’m not going to recommend specific apps for these solutions. I will leave that to the bonafide experts. If you want to learn about encryption tools and public key cryptopgraphy, there’s a cryptoparty going on this weekend here. There are lots of resources about how to do this! I’ve also put up some good further reading resources. Noah Kelley of HACK*BLOSSOM just launched a new website, DIY Cybersecurity for Victims of Domestic Violence, by the way.
For all these technology solutions, it’s important to note that, organizers, there will be moments when in your work it would serve you best to put your phone in the fridge, battery out. There are also many situations when you it’s extremely dangerous to give technology recommendations if you don’t know the situation on the ground, such as for border crossings and international travel, or which you have no first-hand experience.
That said, there is one tool I think should be normalized as soon as possible.
You know what’s cool? Checksums. Checksums are cool. If we, as a community, could make checksum verification a regular part of installing software for non-experts, that would be a real victory. What’s a checksum? A code that tells you whether the software you’re running is the software that someone else uploaded. Huge thanks to Troy Sankey for helping me with this slide — and for holding my hand as I learned what any of this actually means. Bear with me.
A cryptoparty participant brought a computer and asked to install a new libre operating system on it. Easier said than done. This process was complicated and would not have been possible without the hands-on help of technology experts — and, I might add, an extra working computer and an extra USB drive to do the installation.
To install the new operating system we went to the website of a Linux distribution. Then we downloaded the operating file system, usually appended .iso. There’s more to just downloading the file and right-clicking on it. Turns out to install the new operating system securely, we also have to know something about public key cryptography. O.M.G.
The checksum file is the code that tells us whether the .iso file, the raw data of the operating system, is in fact the same file that was uploaded by the webmaster. You do that by running the same algorithm, in this case it is named SHA512, a mathematical hash function, on the raw operating system files. If you run the same algorithm and you get the same result, your codes match, then you can feel secure that your original .iso files match, too.
The clever among you are already thinking, but wait, if you are worried about the .iso file being somehow corrupted on the website, and you get the checksum file from that same website, how do you know whether the checksum file is the same one that was uploaded by the webmaster. Fortunately for us, the checksum came signed with a special signature unique to the webmaster, a key. We downloaded the signing key, which ends with .gpg.
The dollar signs are commands on the command line. The first command runs the SHA512 algorithm against the .iso and sees whether it matches the SHA512 result posted by the webmaster. The second program verifies the signing key.
Next we format the USB to hold the operating system so we can use the USB to install the operating system on a computer. The command $ lsblk checks where your devices are mounted. The first sudo command, meaning you are running as root, as admin, unmounts the USB from the rest of the computers file system, so you don’t accidentally wipe a part of your hard drive. The last line, runs the $ dd command. This clears the USB drive and installs the .iso onto it. Be very careful with this command! Although it doesn’t have a formal name, what do some people call it? Disk destroyer.
The different steps in this process are often seen as yet another “obstacle” in a complicated installation process for organizers, but in reality each of these steps is responsible for a pretty robust security process. Instead of a bundled executable that “just works,” these steps, while potential points of failure, add another layer of accountability into the installation process. Checksums are a great example of the process-oriented approach of digital security.
The process reveals something crucial about our shared security culture. Namely, that a lot of the work can be done by changing the language we use and shifting frames of mind.
Here are just the headings from the Albert Einstein Institute. Lots of direct actions, lots of ways of showing solidarity.
Protests. January 28th. Copley Square. This protest was mobilized against the Muslim travel ban through social media in less than 24 hours. That’s how I heard about it. During a speech, a city councilor from Cambridge asked everyone in the crowd to pull out their phones, log into a popular social media company, and “like” the event’s page. This is problematic.
Hard to compete with the speed of this popular social media company. The only way someone is going to choose a free software alternative over something with a vast user base is if they value security. Plain and simple.
Meanwhile, during the protest, I saw someone walking around asking for people to pose with their posters. Problem is, it’s not just randos taking photos in the crowd that we should think about. Law enforcement, too. Here are three surveillance technologies that organizers need to be familiar with:
The cell site simulator, popularly known as a Stingray, although a Stingray is a product made by one company, the Harris Corporation. These devices pretend to be a cell tower so your phone connects to it. The simulator then retrieves data about your phone, such as your unique International Mobile Subscriber Identity number. This infographic and the next two, by Katie Martin, illustrate how city police departments have been inundated with military-grade surveillance technology. The infographics were prepared for George Joseph’s article in the Atlantic’s City Lab, called Cellphone Spy Tools Have Flooded Local Police Departments. The article details how these technologies jam, intercept, and extract your communications. Joseph reports that 11 departments of purchased cell site simulators from the Harris Corporation.
The dirtybox, also known as the DRT, for Boeing’s Digital Receiver Technology, Inc. Like a Stingray but more powerful and mounted on a helicopter.
Departments have spent more than $700,000 on tools like Cellebrite’s “Universal Forensic Extraction Device,” which is said to
Allow cops to scoop up both data immediately visible on the phone and that which has been deleted or hidden.
It’s what law enforcement uses to crack and gather data from your cellphone after you’ve been put on the curb. For organizers of protests listening, note that while you may be compelled to unlock your phone with your fingerprint, you can’t be so compelled to enter a password, because a password is considered testimony, whereas your fingerprint is not. Thank you to Ben Cook for that pro-tip!
If you’re an organizer and you haven’t heard of these technologies, you might think, jeez, is there some way I can protect myself against these intrusions? The answer is yes, don’t bring your cell phone. Don’t bring your laptop.
Maybe the fight to roll back the acquisition of these technologies is not possible, maybe we can’t put the toothpaste back into the tube. We know that law enforcement has this technology and they’re going to use it. Which is why Community Control of Police Surveillance (CCOPS) is such an important policy approach.
Unfortunately, in many cases the privacy of a corporation outweighs the public’s interests. Here’s a screen shot from Elizabeth Joh’s article The Undue Influence of Surveillance Technology Companies on Policing. It quotes a section of a Non-Disclosure Agreement made between the Harris Corporation and the Baltimore Police Department in 2011. It’s this last bullet point that frightens me the most. “We caught this criminal and are protecting the public, but y’know what, we have to drop the case instead of revealing intellectual property about the technology.” Is that just?
Still, there are technologies that can help protect against surveillance. You can find them yourself by looking for “sousveillance” solutions.
Here’s AIMSICD. What happens is you download the app and as you walk around it captures data about Access Points which are nearby. If you then go to a public assembly and discover an Access Point which was not there the day or two before, you might be in the presence of a cell site simulator.
More sousveillance. Another cryptoparty organizer, Steve Revilak, has gone and mapped all of the surveillance cameras at the Arlington Housing Authority. This was done on Open Street Maps. We need more of this. Much more of this. Our local Pirate Party has an online map you should contribute to. Stay tuned for a larger campaign around mapping cameras this way.
Would be remiss if I talked about sousveillance without mentioning M.C. McGrath. The Surveillance Industry Index is a project of the Transparency Toolkit. Compiling data about the surveillance industry is a critical piece of power mapping for direct actions.
More examples of systems that use open source intelligence and that organizers can build from. Emphasis on sousveillance and the power of visualization.
Before we move to Q&A where you should please share projects or tools that you know of, I’d like to address two broader, more speculative ideas. Mostly because I’m curious whether anyone here knows if they’ve been done already.
Here’s an infographic from the Prison Policy Initiative about the United States prison population. 2.5 million people are incarcerated. 2.5 million. Look a little closer and you’ll see a segment of the jailed population who have not been convicted of any crime. Why are they still caged? Because many of them are too poor to pay the cash bond.
There are organizations out there trying to do something about this. Take the Chicago Community Bond Fund. There are bond or bail funds all over the world. What do libre technologists have to do with it? During a presentation during Chi Hack Night last October, Micah Gates mentioned how difficult it was to 1) Create a website where you could join a mailing list and 2) Also accept donations. We should have a solution for this. Please, as you choose the project you contribute to, consider whether they work for those organizing actions.
But what about bond funds more broadly? Ideally, they wouldn’t need to exist because we wouldn’t jail people for being poor. But, for now, bond funds are a valuable instrument in fighting against our unjust penal system. So is the creation of a bond fund something automatable? Using decentralized autonomous organizations, the know-how of libre technologists, lawyers, could we establish 500 such bond funds in year? 5,000? How do you batch incorporate a bond fund?
This last one I am just going to smash together. Mesh networks. Shucks do I love mesh networks. People powered. Community media. Here’s a map of Guifi’s 27,000 nodes. Those lines coming across are connections to other countries. Italy and Germany have really strong mesh network and ad-hoc network communities. The mesh network movement is growing in cities in North America, especially New York, Pittsburgh, Denver, Toronto. In Toronto they’re using cjdns, a network routing protocol that encrypts traffic. “Pop-up” networks would be very useful ways of sharing resources during public assemblies without going through an ISP. These mesh networks are built on trust in the spirit of sharing. Real, person to person relationships of trust. Community technology and direct actions go hand in glove.
Say, hypothetically, we wanted to organize a long-term boycott and a series of protests against private companies that didn’t divest from illegal oil pipelines that violate native lands. Gets to the point where a mid-sized sanctuary city shuts down completely, mass staging of actions in solidarity with native peoples. The powers that be shut down access to the internet to try to quell the city’s protests, fueled as they are by social media. Mesh networks are, for organizers, a forked communications grid, controlled by the people maintaining it. But it would need to be organized before internet gets cut. Let’s take this technology to its logical conclusion. How might we securely move food, water, and other resources through the network?
The Feral Trade Network. A human-to-human, trust-built, low-technology way of distributing resources. To quote from their website:
The Feral Trade Network is a live shipping database for a freight network running outside commercial systems. The database offers dedicated tracking of feral trade products in circulation, archives every shipment and generates freight documents on the fly.
Now imagine we organized the distribution of resources over a community-controlled communications network. Trust is the foundation of a global mutual aid network.
Back to Hong Kong, five years ago. Technology didn’t do this for anyone. People organized for themselves. We can’t assume that technology will solve any of our organizing challenges — in fact, on the contrary, technology creates many serious challenges for organizing. Which is why technologists and organizers must share a security culture.
Thank you for reading!