Fourteen steps to being safer online and off in Trump’s America

Feeling scared? Me, too.


Since Trump’s election, I’ve seen lots of digital security guides circulated on listservs, on social media groups, and among friends and colleagues. While well-meaning, these guides and lists concern me; each uses highly technical jargon and does little to help you discern which security tools are useful or trustworthy. Comprehensive guides, while helpful when you have time and a level of security acumen, are useless in moments of crisis; the overwhelm they induce shuts you down. You search “What’s a VPN,” jump down that rabbit hole, come out an hour later to find a mile-long list of other tools to search, think “fuck it,” and slam your computer shut. No more secure than before, now pissed off and hopeless.

Guides give you no clear understanding of trade-offs; e.g., I’ve seen lots of calls for Tor (all of which omit the empowerment of a serial rapist), but Tor can get you into more trouble. It’s also not practical; even in the US it’s slow. Likewise, Signal is useful for messaging, but it can’t make calls reliably and is generally buggy. So how and when do you use WhatsApp, FaceTime audio, or instead? Digital security tools are notoriously unreliable, so determining a mix of commercial and open source tools is your best bet.

Finally, these guides assume that your biggest worry is the NSA; any person who’s even slightly vulnerable in our current society can tell you that that concern is a luxury. So, while encryption is a must, it’s not going to safeguard you when you’re in a protest, posting thoughts on social media, or just getting gas or walking to campus if you’re a person of color. For many in historically oppressed groups, the immediate threat isn’t some opaque government agency, but those who weaponize the internet to silence your voices. So, while many of the digital security resources are helpful for deeper study, this post will focus on your immediate needs, generally and while protesting IRL and on social media.

Prioritize your risks and sensitive data 
Since we’ve actually elected an Internet troll for president, a useful threat model for people of color, folx along the gender spectrum, LGBT folks, women, non-citizens, or people from other vulnerable groups, may be one that counters social data being used to lash out on a physical level, whip online mobs into a bloodthirst, pile on and hound, and create the general impression that you are findable anywhere, and there’s nothing you can do. Verify this for yourself with our Security Impact Canvas tool. As or if your priorities differ, you can take what works best for you from the following list of recommendations.

Goodbye to PII 
First, swab your personal information online so someone doesn’t show up on your doorstep. Review what’s out there about you and decide if you want to delete it or use it to your advantage. It’s okay to do this in stages, to pick what’s most immediate or appropriate for you, and to take breaks. Also preferably done with whiskey and / or friends.

For more of this, see our Guide to Dodging Trolls Online.

Keep your online life behind lock and key
If you’re targeted online, haters with the barest minimum of technical capability can hack your passwords. Brute forcing, as it’s called, is particularly easy with automated tools that scrape your public social data and combine it over and over until they guess your passwords.

Passwords are a pain in the ass; we’ve been trained to make them easy for machines to guess and impossible for humans to remember. A 2013 DARPA / Kore Logic Study found that most people combine 2–4 letters with 2–4 numbers and a special character at the end. My own ShDill2014! (*actual password*) is a perfect example. Feel like your passwords are tough enough? Make sure they aren’t already out there, released in any data dumps.

  1. Design a password: This xkcd cartoon explains a good model for designing a password; use spaces, actual words, and phrases (as personal mottos), and combine words from different languages. Also, anything you use in your password should be omitted from your online life; if your dog Choco features prominently on your Insta, then Choco4eva2014! is not your password. We recommend making a handful of special passwords for key accounts, like your banks or anywhere you save credit card info, your primary email, and your social accounts and cloud storage.
  2. Password managers: For that really important stuff, the loss or exposure of which would cause serious damage to your finances, reputation, or the safety of yourself and your loved ones, don’t trust passwords alone. A password manager allows you to remember one strong password, and it stores the rest of them, encrypted, for you. I use Dashlane for its usability and have used LastPass because it works across browsers. For both, I recommend letting the manager generate passwords for you.
  3. Two-factor authentication (2FA): If your movement relies on digital organizing, each of your social media accounts must be especially secured; set a strong password, and set up 2FA. 2FA confirms your identity through a combo of two different components; for example, an ATM requires both a bank card (a token or artifact the user possesses) and a PIN (something that the user knows) before greenlighting a transaction. Authy is a great app for organizations to use with 2FA; it allows for multiple users to access the same accounts. Use it or the Google Authenticator app to send you codes — texts can be intercepted by a sophisticated actor who will log in as you.
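
A small self-audit for the password habits described above, added here as an example (not code from the original post): it flags the letters-digits-trailing-symbol shape, words taken from your public profile (including simple character swaps), and passwords that are not multi-word phrases. The function name, the swap table and the four-word threshold are assumptions; the public-word list and the last two candidates are constructed sample input.

```python
import re

# Letters and digits only, ending in 1-4 digits plus one or two symbols.
# Assumption: a generalisation of the "letters + numbers + special character
# at the end" habit the post describes, so it also catches ShDill2014!.
PREDICTABLE_SHAPE = re.compile(
    r"^(?=.*[A-Za-z])[A-Za-z0-9]*\d{1,4}[^A-Za-z0-9\s]{1,2}$"
)

# Common character swaps, undone before searching for public words.
SWAPS = str.maketrans("0134@$57", "oieaasst")

MIN_WORDS = 4  # assumption: the xkcd model uses four words


def audit_password(password, public_words):
    """Return the reasons a password is guessable; an empty list means none found."""
    findings = []
    if PREDICTABLE_SHAPE.match(password):
        findings.append("predictable shape: word + digits + trailing symbol")

    lowered = password.lower()
    variants = {lowered, lowered.translate(SWAPS)}
    for word in public_words:
        needle = word.lower()
        # Very short words match by accident, so skip them.
        if len(needle) >= 3 and any(needle in v for v in variants):
            findings.append(f"contains public word: {word}")

    if len(password.split()) < MIN_WORDS:
        findings.append(f"not a multi-word phrase (fewer than {MIN_WORDS} words)")
    return findings


if __name__ == "__main__":
    # Constructed sample: words that appear on a public profile.
    public = ["Choco", "Brooklyn"]
    candidates = [
        "Choco4eva2014!",                    # from the post
        "ShDill2014!",                       # from the post
        "Ch0c0 is my dog ok",                # constructed: swaps do not hide the pet
        "tortuga lanterne quietly waltzes",  # constructed mixed-language phrase
    ]
    for pw in candidates:
        print(repr(pw), "->", audit_password(pw, public) or "no findings")
```

Run it only on your own machine, and build the public-word list from what your own profiles show: pets, family names, cities, teams, birth years.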

It may also be time to really discuss our reliance on commercial tools and their cozy relationship with US intelligence and law enforcement agencies.

Mobile phones at protests 
Your mobile phone is literally a homing device. When you carry it, you’re giving up your location, both in the moment, and in perpetuity. This may be recorded or subpoenaed by law enforcement or the NSA. Moreover, DRT boxes and other stingrays are employed throughout the US; they can jam your phone, or locate you and gather your data. The chances of any of this happening to most of us are slim, but there is the possibility.

Before you go, consider:

At a protest:

  • Phone or otherwise recording device OUT: I’m wary of the ACLU’s app. When I reviewed it the source code hadn’t been released, so we had no idea of its vulnerabilities, and, more importantly, it’s not advisable to reach into a pocket for anything when in a direct confrontation with police. Have whatever devices you intend to use out and in your hands.
  • Gathering data: InformaCam, for Android users, gathers and encrypts the metadata of your photo or video to verify the images for legal cases. Witness offers more on this.
  • Facebook Live and Periscope: Both options for immediate sharing are commercially owned. Before you go, make sure you’ve got 2FA on. Later, and especially if your phone gets seized, download your own video.

Security Positive is planning a series of webinars to talk more about your specific threats, online troll behavior, best practices for web browsing, encrypted emails, and the best secure alternatives to tools you use. Interested? Let us know.

More resources
More on hiding your address and masking your phone number.
A forthcoming Personal Security Course and instructions and links for OPTING OUT of those sites.

A comprehensive guide for legal advice
Security Culture for Activists, Ruckus
The “Oh Shit! What Should I Do Before January?” Guide
