Twitter Activist Security

Guidelines for safer resistance

thaddeus t. grugq
Jan 30, 2017 · 8 min read

Many people are starting to get politically active in ways they fear might have negative repercussions for their job, career or life. It is important to realise that these fears are real, but that public overt resistance is critical for political legitimacy. This guide hopes to help reduce the personal risks to individuals while empowering their ability to act safely.

I am not an activist, and I almost certainly don’t live in your country. These guidelines are generic with the hope that they will be useful for a larger number of people.

Existing Activist Accounts

This is good. Do not reveal information to anyone.

These guys broke pretty much every rule I have on safety, but they did use some clever techniques. Firstly, they used an old account created in the UK, where US political witch hunts carry less weight. Secondly, they used a number of authors to make stylometric analysis of the tweets more difficult: the more authors, the harder it is to narrow the suspect list. Finally, the content for tweets was provided via a cut-out: the information was sent to an author who then crafted the post from outside the US. Of course, the security of the connection from the author to the poster is another problem.

Security Principles To Live By

  • Cover
  • Concealment
  • Compartmentation

There is more to serious counterintelligence, of course, but keep these three concepts in mind. The two most important concerns will be compartmentation and concealment. In practice this means that you need to separate your resistance Twitter account from your personal life completely.

Compartmentation Rules

  1. Do — Twitter is a total bitch about collecting phone numbers these days, making it very hard to use without supplying one. You’ll need a burner phone, or a disposable VoIP number (I don’t recommend Google Voice because it is vulnerable to a state-level adversary; other services might be as well.)
  2. Do — Use Tor for creating your Twitter account, and for all access to the Twitter account. The IP address, along with cookies and other trackers, will be available to Twitter (and potentially to investigative journalists / media.)
  3. Don’t — Use your smartphone Twitter app for the account. The IP address will be directly linked to your phone account and you’ll be at high risk of exposure via technical means. If you must use Twitter on your phone, make it a dedicated phone only for that account with no additional information on it (such as personal contacts, photos, etc.) Additionally, it is a good idea to use Tor (Orbot) on an Android phone, or a VPN (Algo, if you’re technical; Freedome if you’re not) to minimise your exposure.
  4. Don’t — respond to DMs or direct replies, particularly if they contain a URL, which can be used to capture your IP address or to exploit your device. Seriously, don’t click on links that are sent to you via @ or DM, particularly if they’re behind a URL shortener; just don’t do it. (It is worth pointing out that all URLs on Twitter are redirected through Twitter’s own t.co shortener and analytics, so even a “safe URL” from a known and trusted confidant will expose the IP address of the account that clicks it.)
  5. Don’t — interact with your personal account, or the accounts of people linked to you. In general, try to maintain a single flow of information, push data out into the public, don’t get involved in discussion or do anything “private” on the account. There is no privacy on Twitter, and those who befriend you are just as likely to be sent to turn you in as to support you. You don’t need the added risk.
  6. Don’t — follow your personal account. Follow no one, or only generic accounts.
  7. Don’t — tweet personal photos from your resistance account. This includes screen shots or anything of a personal nature. If you are including a picture, crop it so that details such as the phone network or other browser tabs are not visible.
  8. Do — ensure your avatar is generic (e.g. not your best selfie).

Concealment Rules

  1. Don’t — use work computers (or network!) for your resistance activities. You have no control over them, they can be seized and searched without your permission (you don’t have a 4th Amendment right over them). They may also be running spyware installed by your company/agency to monitor your activities and make sure you aren’t wasting time on things like Twitter or Medium.
  2. Do — protect your devices by enabling full disk encryption, using a strong password, using a password manager (one that stores data locally rather than in the cloud is preferable), always installing patches, and, if against all advice you actually use a smartphone for your Twitter account, not using the fingerprint unlock facility (you can be legally, or extra-judicially, coerced into unlocking your device.)
  3. Do — change your writing style when using your resistance account. Affecting a parody style, or refraining from using favourite words, can be a significant help in this regard.
  4. Don’t — interact with your real life friends, or your real account, or otherwise break your cover. Nothing you do should be uniquely linked to your real identity, or social group.
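The stylometric analysis mentioned above (and the reason several authors, or a deliberately changed writing style, make it harder) can be made concrete. The following is an added example, not code from the original post: a small implementation of Burrows’s Delta, the standard attribution measure, which compares how often a text uses common function words against each candidate author’s habit. The six function words, the two “authors” and all the tweets are constructed for this illustration; a real analysis would use the hundred or more most frequent words in a much larger corpus.

```python
"""Burrows's Delta: attribute a short text to the candidate author whose
habitual function-word frequencies it most resembles.

Added example for illustration; the authors and all tweets are constructed.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# A deliberately tiny feature set so the arithmetic stays visible.
# Real stylometry uses the 100-300 most frequent words of the corpus.
FEATURES = ["the", "a", "and", "but", "very", "just"]

# Constructed training tweets for two candidate authors. "A" habitually
# leans on the/and/very, "B" on a/but/just.
TRAINING = {
    "A": [
        "The agency released the memo and the staff are very very angry",
        "The budget cuts hit the climate team and the data is very hard to find now",
        "The director and the deputy met the press and it went very badly",
        "The new rules are very strict and the archive and the wiki are very quiet",
    ],
    "B": [
        "A memo leaked but a spokesman just denied it",
        "A budget cut is a budget cut but they just call it efficiency",
        "A director met a reporter but nobody just admits anything",
        "A quiet archive is a warning but people just shrug",
    ],
}

# Constructed unknown tweets: the same message written in author A's
# natural style, and rewritten with A's habitual function words swapped out.
NATURAL_STYLE = "The agency and the scientists are very worried about the data"
DISGUISED_STYLE = "A worried agency scientist is just asking about a dataset but nobody answers"

WORD = re.compile(r"[a-z']+")


def relative_freqs(text):
    """Relative frequency of each feature word in one text."""
    tokens = WORD.findall(text.lower())
    counts = Counter(tokens)
    n = len(tokens) or 1
    return [counts[w] / n for w in FEATURES]


def fit(training=TRAINING):
    """Compute corpus mean/std per feature (over individual tweets) and a
    z-scored profile per author. Returns (zscore function, profiles)."""
    docs = [(author, relative_freqs(t))
            for author, texts in training.items() for t in texts]
    columns = list(zip(*(vec for _, vec in docs)))
    mu = [mean(col) for col in columns]
    sigma = [pstdev(col) for col in columns]

    def zscore(vec):
        # A feature with zero spread across the corpus carries no signal;
        # give it z = 0 rather than dividing by zero.
        return [(v - m) / s if s else 0.0 for v, m, s in zip(vec, mu, sigma)]

    profiles = {}
    for author in training:
        zs = [zscore(vec) for a, vec in docs if a == author]
        profiles[author] = [mean(col) for col in zip(*zs)]
    return zscore, profiles


def delta_distances(text, zscore, profiles):
    """Burrows's Delta: mean absolute z-score difference to each author."""
    zu = zscore(relative_freqs(text))
    return {author: mean(abs(u - p) for u, p in zip(zu, prof))
            for author, prof in profiles.items()}


def attribute(text, training=TRAINING):
    """Return (most likely author, distances to every candidate)."""
    zscore, profiles = fit(training)
    dist = delta_distances(text, zscore, profiles)
    return min(dist, key=dist.get), dist


if __name__ == "__main__":
    for sample in (NATURAL_STYLE, DISGUISED_STYLE):
        who, dist = attribute(sample)
        print(f"{sample!r}\n  -> {who}  {dist}")
```

The natural-style tweet lands on author A even though none of the content words overlap with A’s training tweets: the tell is the function words, not the topic. The rewritten version, which says the same thing but avoids A’s habitual words, is attributed to B. That is the mechanism behind both pieces of advice: rotating authors blurs the profile the analyst is trying to match, and consciously changing style moves your text away from your own profile.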

Practice makes perfect

Amateurs practice until they get it right, professionals practice until they can’t get it wrong

These are a lot of complicated operational rules and guides you’ll have to follow strictly and with discipline. If you “learn on the job”, your mistakes will be linked to the account that you’re trying to protect. It would be best that you go through the steps and practice these rules on a non-sensitive account. Make sure you’re comfortable with them, that you know how to use the tools, and that you understand what you’re supposed to do and why.

Some underground organisations have something they call “the first and last mistake,” which is when you break a security rule and it leads to discovery and exposure. You’re the resistance, you need to make sure you can use the tools of resistance without mistakes – so practice where it is safe, get the newbie mistakes out of the way, and then implement and operate safely where it matters.

The Adversary

  1. Twitter
  2. Email / Phone, linked to the account
  3. Law Enforcement (or other nation state powers)
  4. News media / investigative journalists
  5. Colleagues / friends / family

The capabilities, intent, and opportunity are different for each of them, and require different techniques to prevent exposure and protect yourself. Although it may seem daunting to face this much investigative power, there is a great deal of control that you have to protect yourself. Much of it does not require a lot of hard work, although maintaining a strong security posture for prolonged periods of time will require discipline.

Do: remember that most of the time authoritarian regimes don’t bother going after small fry. It is unlikely that the full force of the state will be brought against you unless you are perceived as a problem. Your biggest threat is probably going to be talking too much, and your biggest risk is probably going to be losing your job (or similar), along with some public attention and scrutiny for a news cycle or two. It may be unpleasant, but you’ll survive. Fear of the thing is worse than the thing itself; try not to stress over it.

Mental Health Risks

Do: seriously consider seeing a professional psychologist where you will be protected by patient confidentiality laws, and you will be able to talk freely about the stresses you’re under. Something to consider if it starts to feel too much.

Here are some security-aware mental health experts:

Twitter

Feds

In response to a basic legal request, Twitter will hand over the account’s basic subscriber records:
  • Name
  • Address
  • Length of service
  • Transactional records for all services (and accounts) from inception to present.

Additional information that is available to Twitter includes:

  • Physical location
  • IP address
  • Browser type
  • Referring domain
  • Interactions with ads (which collect even more data)
  • Cookies

This information is permanently stored at Twitter and can be collected by a legal authority at any time. The authorities will want everything, all historic data, and they will look for leads. The FBI has significant expertise in handling Tor and will quickly filter the known Tor exit nodes out of the IP records; whatever remains is a lead. Any VPN provider will be targeted to turn over their information, which will probably include easily identifiable billing data. A VPN running on a private host (such as Algo, or Streisand) will be followed by a request for data from the server provider; again, billing records and the IP address used to create the account will be most damning.
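Here is what that triage looks like from the investigator’s side, as an added example that is not part of the original post. It takes a constructed set of transactional records of the kind Twitter hands over (event, time, source IP, user agent), a constructed snapshot of the Tor exit list and a constructed block attributed to a commercial VPN, and separates the Tor traffic from everything else. The addresses come from the RFC 5737 documentation ranges, so none of them is real; a real investigation would use the historical exit list for each exact timestamp, because exits churn daily.

```python
"""Filter Tor exits out of an account's login/tweet records and rank what
is left as leads, the way an investigator would.

Added example for illustration; every record, exit node and VPN range here
is constructed and uses RFC 5737 documentation addresses.
"""
import ipaddress

# Constructed "transactional records": one entry per login or tweet with the
# source IP Twitter saw. The last entry is the single slip: a login from the
# Twitter app on a phone, over the phone's own network.
RECORDS = [
    {"time": "2017-01-21T02:14:09Z", "ip": "192.0.2.11",   "ua": "Tor Browser",         "event": "login"},
    {"time": "2017-01-21T02:15:40Z", "ip": "192.0.2.11",   "ua": "Tor Browser",         "event": "tweet"},
    {"time": "2017-01-22T23:02:51Z", "ip": "192.0.2.57",   "ua": "Tor Browser",         "event": "tweet"},
    {"time": "2017-01-23T08:41:03Z", "ip": "198.51.100.8", "ua": "Firefox 51",          "event": "tweet"},
    {"time": "2017-01-24T07:02:17Z", "ip": "203.0.113.77", "ua": "Twitter for Android", "event": "login"},
]

# Constructed snapshot of the Tor exit list at the time of the records.
TOR_EXITS = {"192.0.2.11", "192.0.2.57", "192.0.2.200"}

# Constructed address block attributed to a commercial VPN provider.
VPN_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Lower number = stronger lead. A direct ISP address resolves to a
# subscriber with one request to the ISP; a VPN needs a second request to
# the provider and may only yield billing data.
LEAD_PRIORITY = {"direct": 0, "vpn": 1}


def classify(record, exits=TOR_EXITS, vpn_nets=VPN_NETS):
    """Label one record's source IP as tor-exit, vpn or direct."""
    ip = ipaddress.ip_address(record["ip"])
    if str(ip) in exits:
        return "tor-exit"
    if any(ip in net for net in vpn_nets):
        return "vpn"
    return "direct"


def summarize(records=RECORDS):
    """Count records per class; the Tor bucket is what gets discarded."""
    counts = {"tor-exit": 0, "vpn": 0, "direct": 0}
    for record in records:
        counts[classify(record)] += 1
    return counts


def find_leads(records=RECORDS):
    """Return the non-Tor records as (class, record), strongest lead first,
    ties broken by time so the earliest slip is followed up first."""
    leads = [(classify(r), r) for r in records]
    leads = [(kind, r) for kind, r in leads if kind != "tor-exit"]
    leads.sort(key=lambda kr: (LEAD_PRIORITY[kr[0]], kr[1]["time"]))
    return leads


if __name__ == "__main__":
    print("by source:", summarize())
    for kind, record in find_leads():
        print(f"{kind:6s} {record['time']} {record['ip']:14s} {record['ua']}")
```

Out of five events, three are thrown away immediately because they came from exit nodes. The remaining two are the case: the phone login is the first thing followed up, because a residential or mobile address maps to a subscriber in one step, and the VPN address is second because it costs the investigator another request. One login outside Tor is enough, which is why the advice is Tor from the first signup onward.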

The safest option is to use Tor, and use it religiously. From the first signup, through every tweet and interaction.

An alternative practice would be to repurpose an old account created by someone else who will not betray you. This is still risky because the more people know about the account and the identity behind it, the more likely that info will seep out. And of course, once you have the account, always use Tor.

Short version

  • Use Tor religiously (Tor browser bundle is fine, just remember to close the app when you’re done so it wipes evidence.)
  • Don’t use work or school equipment/networks, it is likely monitored.
  • Be cautious, not paranoid.
  • Good luck!


Update, 3 weeks later: Micah Lee wrote a similar piece over at The Intercept.
