Fourteen steps to being safer online and off in Trump’s America
Feeling scared? Me, too.
Since Trump’s election, I’ve seen lots of digital security guides circulated on listservs, in social media groups, and among friends and colleagues. While well-meaning, these guides and lists concern me; each uses highly technical jargon, and does little to help you discern which security tools are useful or trustworthy. Comprehensive guides, while helpful when you have time and a level of security acumen, are useless in moments of crisis; the overwhelm they induce shuts you down. You search “What’s a VPN,” jump down that rabbit hole, come out an hour later to find a mile-long list of other tools to search, think “fuck it,” and slam your computer shut. No more secure than before, now pissed off and hopeless.
Guides give you no clear understanding of trade-offs; e.g., I’ve seen lots of calls for Tor (all of which omit the empowerment of a serial rapist), but Tor can get you into more trouble. It’s also not practical; even in the US it’s slow. Likewise, Signal is useful for messaging, but it can’t make calls reliably and is generally buggy. So how and when do you use WhatsApp, FaceTime audio, or Talky.io instead? Digital security tools are notoriously unreliable, so determining a mix of commercial and open source tools is your best bet.
Finally, these guides assume that your biggest worry is the NSA; any person who’s even slightly vulnerable in our current society can tell you that that concern is a luxury. So, while encryption is a must, it’s not going to safeguard you when you’re in a protest, posting thoughts on social media, or just getting gas or walking to campus if you’re a person of color. For many in historically oppressed groups, the immediate threat isn’t some opaque government agency, but those who weaponize the internet to silence your voices. So, while many of the digital security resources are helpful for deeper study, this post will focus on your immediate needs, generally and while protesting IRL and on social media.
Prioritize your risks and sensitive data
Since we’ve actually elected an Internet troll for president, a useful threat model for people of color, folx along the gender spectrum, LGBT folks, women, non-citizens, or people from other vulnerable groups may be one that counters your social data being used to lash out at you on a physical level, whip online mobs into a bloodthirst, pile on and hound you, and create the general impression that you are findable anywhere and there’s nothing you can do. Verify this for yourself with our Security Impact Canvas tool. If your priorities differ, take what works best for you from the following list of recommendations.
Goodbye to PII
First, swab your personal information online so someone doesn’t show up on your doorstep. Review what’s out there about you and decide if you want to delete it or use it to your advantage. It’s okay to do this in stages, to pick what’s most immediate or appropriate for you, and to take breaks. Also preferably done with whiskey and / or friends.
- Do a Google search of your name in quotes, e.g., “Joanna Smith”. Carefully go through the results. For example, if your bio is posted, what does it reveal about you, your habits, your connections? Do you name your alma mater? Does its alumni site keep your address on file?
- Check out how much about you, as a matter of public record, is out there. Hit Zabasearch.com, Pipl.com, and Spokeo.com. Happily, these sites are not as thorough as they were a few years ago, but partial addresses or phone numbers, email addresses or handles will likely still show up. Here is a more complete list of sites from our Personal Security Course and instructions and links for OPTING OUT of those sites.
- Stay aware. Set up a Google alert of your name / handle / company name / address to ping you any time anything is posted about you on the web. Make it specific to social sites using advanced tools, e.g., site:twitter.com #hashtag.
- Tighten your whereabouts. Turn off location services (especially for photos), bluetooth, even wifi unless you need them. Don’t give up your locations — current AND habitual. Don’t check in, don’t login to Google Maps, don’t tell Uber that your address is “home,” and make it a habit to not reveal your location on anything social — no posts, tweets, or photos — while you’re still there. That goes whether you’re at a protest or at the park down the street.
- Put strong passcodes on your phone and computer. Passphrases are the strongest and easiest to remember. Use the QWERTY keyboard on an iPhone or the really complex thingie on Android.
For more of this, see our Guide to Dodging Trolls Online.
Keep your online life behind lock and key
If you’re targeted online, haters with the barest minimum of technical capability can hack your passwords. Brute forcing, as it’s called, is particularly easy with automated tools that scrape your public social data and combine it over and over until they guess your passwords.
Passwords are a pain in the ass; we’ve been trained to make them easy for machines to guess and impossible for humans to remember. A 2013 DARPA / KoreLogic study found that most people combine 2–4 letters with 2–4 numbers and a special character at the end. My own ShDill2014! (*actual password*) is a perfect example. Feel like your passwords are tough enough? Make sure they aren’t already out there, released in any data dumps.
- Design a password: This xkcd cartoon explains a good model for designing a password; use spaces, actual words, and phrases (such as personal mottos), and combine words from different languages. Also, anything you use in your password should be omitted from your online life; if your dog Choco features prominently on your Insta, then Choco4eva2014! is not your password. We recommend making a handful of special passwords for key accounts, like your banks or anywhere you save credit card info, your primary email, and your social accounts and cloud storage.
- Password managers: For the really important stuff, the loss or exposure of which would cause serious damage to your finances, reputation, or the safety of yourself and your loved ones, don’t trust passwords alone. A password manager lets you remember one strong password and stores the rest of them, encrypted, for you. I use Dashlane for its usability and have used LastPass because it works across browsers. For both, I recommend letting the manager generate passwords for you.
- Two factor authentication (2FA): If your movement relies on digital organizing, each of your social media accounts must be especially secured; set a strong password, and set up 2FA. 2FA confirms your identity through a combo of two different components; for example, an ATM requires both a bank card (a token or artifact the user possesses) and a PIN (something that the user knows) before greenlighting a transaction. Authy is a great app for organizations to use with 2FA; it allows multiple users to access the same accounts. Use it or the Google Authenticator app to generate your codes rather than texts — texts can be intercepted by a sophisticated actor who will then log in as you.
- Check to see if your social media, bank, gaming, cloud storage and email accounts allow 2FA. If you have data stored in Salesforce, see their best practices for organizational security.
- How-to guides: Gmail and Google Apps, especially if your organization uses Google Drive, Dropbox, Facebook, Twitter.
- Require 2FA of all the admins of your group or organization’s Facebook page; it’s too fun for hackers to take over company pages and Facebook won’t give you back control.
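To make the xkcd-style advice above concrete, here is an added example (my own illustration, not code from the post or from any password manager) that draws a passphrase from word lists with a CSPRNG, refuses any phrase containing words you have put online (your dog Choco, your graduation year), and compares its entropy with the letters-plus-numbers-plus-symbol pattern from the DARPA / KoreLogic finding. The word lists are tiny constructed samples; a real passphrase should draw from a large list.

```python
import math
import secrets

# Constructed sample word lists. Mixing languages, as the post suggests, just
# means drawing from more than one list; a real list should be thousands long.
ENGLISH = ["correct", "horse", "battery", "staple", "window", "lantern", "river", "pocket"]
SPANISH = ["caballo", "ventana", "lluvia", "montana", "cielo", "puerta", "libro", "fuego"]


def passphrase_entropy_bits(pool_size, n_words):
    """Entropy of n_words, each chosen uniformly from pool_size words (order matters)."""
    return n_words * math.log2(pool_size)


def pattern_entropy_bits(letters, digits, symbols=1, symbol_choices=32):
    """Search space of the common pattern: a few letters, a few digits, one symbol at the end."""
    return letters * math.log2(26) + digits * math.log2(10) + symbols * math.log2(symbol_choices)


def contains_personal_word(candidate, personal_words):
    """True if anything from your public life (pet name, year, team) appears in the candidate."""
    low = candidate.lower()
    return any(p.lower() in low for p in personal_words)


def make_passphrase(n_words=5, personal_words=(), lists=(ENGLISH, SPANISH), max_tries=100):
    """Draw words with the OS CSPRNG and reject phrases that leak a personal word."""
    pool = [w for lst in lists for w in lst]
    for _ in range(max_tries):
        phrase = " ".join(secrets.choice(pool) for _ in range(n_words))
        if not contains_personal_word(phrase, personal_words):
            return phrase
    raise RuntimeError("personal words dominate the word list; use a larger list")


if __name__ == "__main__":
    print(make_passphrase(5, personal_words=["Choco", "2014"]))
    # Five words from a 7776-word list beats "ShDill2014!"-style patterns by a wide margin.
    print(round(passphrase_entropy_bits(7776, 5), 1), "bits vs", round(pattern_entropy_bits(6, 4), 1))
```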
It may also be time to really discuss our reliance on commercial tools and their cozy relationship with US intelligence and law enforcement agencies.
Mobile phones at protests
Your mobile phone is literally a homing device. When you carry it, you’re giving up your location, both in the moment and in perpetuity. This may be recorded or subpoenaed by law enforcement or the NSA. Moreover, DRT boxes and other stingrays are employed throughout the US; they can jam your phone, or locate you and gather your data. The chances of any of this happening to most of us are slim, but there is the possibility.
Before you go, consider:
- Putting the phone in Airplane Mode or powering off. In extreme cases, phones can be remotely turned on; it’s unclear whether Airplane Mode can be remotely turned off.
- Faraday cage or leave it at home. If you have money, you can purchase a pocket for your phone to make sure no signal gets in or out (I’ve used this one successfully). Test it out first, and make sure to power your phone off or it will search for signal until the battery dies. You can also make a Faraday cage with tinfoil, conductive fabric, or blocking fleece. Or, with some planning, you can leave it at home and use other tools, without embedded GPS or cellular radios, to document.
- Encrypt your data and shut off the fingerprint thingy. For iPhone users, this means simply putting a passcode on your phone, which you will also want to do because law enforcement cannot compel you to give up the code. Shut off the fingerprint unlock; that can be compelled. Android users, turn encryption on, and be aware of device seizure.
- Drones, y’all: Flyovers film all of Baltimore, on a regular basis, without having to inform elected officials. Police can call up film from a time and location, cross-reference it with traffic, ATM, and other cameras, and locate you. It’s unclear where else this is or will be happening. Fortunately, the brilliant Adam Harvey offers tips for hair and makeup to thwart facial recognition; money friends and successful crowdfunders, help us get some heat signature hiding hijabs?
At a protest:
- Phone or other recording device OUT: I’m wary of the ACLU’s app. When I reviewed it the source code hadn’t been released, so we had no idea of its vulnerabilities, and, more importantly, it’s not advisable to reach into a pocket for anything when in a direct confrontation with police. Have whatever devices you intend to use out and in your hands.
- Gathering data: InformaCam, for Android users, gathers and encrypts the metadata of your photo or video to verify the images for legal cases. Witness offers more on this.
- Facebook Live and Periscope: Both options for immediate sharing are commercially owned. Before you go, make sure you’ve got 2FA on. Later, and especially if your phone gets seized, download your own video.
Security Positive is planning a series of webinars to talk more about your specific threats, online troll behavior, best practices for web browsing, encrypted emails, and the best secure alternatives to tools you use. Interested? Let us know.
More on hiding your address and masking your phone number.
A forthcoming Personal Security Course and instructions and links for OPTING OUT of those sites.
For more like this, sign up for our newsletter.
A comprehensive guide for legal advice
Security Culture for Activists, Ruckus
The “Oh Shit! What Should I Do Before January?” Guide
If you found this useful, sign up for our bi-monthly security updates: http://eepurl.com/cCzol9