Twitter Activist Security

Guidelines for safer resistance

thaddeus t. grugq
8 min readJan 30, 2017

Many people are starting to get politically active in ways they fear might have negative repercussions for their job, career or life. It is important to realise that these fears are real, but that public overt resistance is critical for political legitimacy. This guide hopes to help reduce the personal risks to individuals while empowering their ability to act safely.

I am not an activist, and I almost certainly don’t live in your country. These guidelines are generic with the hope that they will be useful for a larger number of people.

Existing Activist Accounts

This is good. Do not reveal information to anyone.

These guys broke pretty much every rule I have on safety, but they did use some clever techniques. Firstly they used an old account created in the UK, where US political witch hunts carry less weight. Secondly, they used a number of authors to make stylometric analysis of tweets more difficult. The more authors, the harder it is to narrow the suspect list. Finally, the content for tweets was provided via a cut out – the info was sent to an author who then crafted the post from outside the US. Of course, the security of the connection from the author to the poster is another problem.

Security Principles To Live By

The basic principles of operational security are actually very simple, they’re what we call the three Cs:

  • Cover
  • Concealment
  • Compartmentation

There is more to serious counterintelligence, of course, but keep these three concepts in mind. The two most important concerns will be compartmentation and concealment. In practice this means that you need to separate your resistance Twitter account from your personal life completely.

Compartmentation Rules

  1. Do — create a new unique email address specifically, and only, for this Twitter account. There are a lot of options here, but seriously consider using SIGAINT or another non-US service. Always use Tor when accessing this account, never use it for anything except your resistance Twitter. Compartment!
  2. Do — Twitter is a total bitch about collecting phone numbers these days, making it very hard to use without supplying something. You’ll need a burner phone, or to get a disposable VoIP number (I don’t recommend Google Voice because it is vulnerable to a state level adversary, other services might be as well.)
  3. Do — Use Tor for creating your Twitter account, and all access to the Twitter account. The IP address, along with cookies and other trackers, will be available to Twitter (and potentially investigative journalists / media.)
  4. Don’t — Use your smartphone Twitter app for the account. The IP address will be directly linked to your phone account and you’ll be at high risk of exposure via technical means. If you must use Twitter on your phone, make it a dedicated phone only for that account with no additional information on it (such as personal contacts, photos, etc.) Additionally, it is a good idea to use Tor (Orbot) on an Android phone, or a VPN (Algo, if you’re technical; Freedome if you’re not) to minimise your exposure.
  5. Don’t — respond to DMs or direct replies, particularly if there is a URL (which can be used to capture your IP address) or to exploit your device. Seriously, don’t click on links that are sent to you via @ or DM, particularly if they’re behind a URL shortener, but just don’t do it. (It is worth pointing out that all URLs on Twitter are redirected through Twitter’s own t.co shortener and analytics, so even a “safe URL” from a known and trusted confidant will expose the IP of the account that clicks it.)
  6. Don’t — interact with your personal account, or the accounts of people linked to you. In general, try to maintain a single flow of information, push data out into the public, don’t get involved in discussion or do anything “private” on the account. There is no privacy on Twitter, and those who befriend you are just as likely to be sent to turn you in as to support you. You don’t need the added risk.
  7. Don’t — follow your personal account. Follow no one, or only generic accounts.
  8. Don’t — tweet personal photos from your resistance account. This includes screen shots or anything of a personal nature. If you are including a picture, crop it so that details such as the phone network or other browser tabs are not visible.
  9. Do — ensure your avatar is generic (e.g. not your best selfie).

Concealment Rules

  1. Don’t — show or tell anyone about your activities, don’t even drop hints. Whatever public stance you take in your private life, such as attending marches or rallies, signing petitions, or other participation in resistance movements, tell no one about your resistance Twitter account. Not your friends. Not your spouse. Not your kids. Not your colleagues or coworkers. The only way to keep a secret is to keep it secret!
  2. Don’t — use work computers (or network!) for your resistance activities. You have no control over them, they can be seized and searched without your permission (you don’t have a 4th Amendment right over them). They may also be running spyware installed by your company/agency to monitor your activities and make sure you aren’t wasting time on things like Twitter or Medium.
  3. Do — protect your devices by enabling full disk encryption, using a strong password, using a password manager (one that stores data locally, rather than in the cloud is preferable), always install patches, and if against all advice you actually use a smartphone for your Twitter account — do not use the fingerprint unlock facility (you can be legally, or extra judicially, coerced into unlocking your device.)
  4. Do — change your writing style when using your resistance account. Affecting a parody style, or refraining from using favorite words can be a significant help in this regards.
  5. Don’t — interact with your real life friends, or your real account, or otherwise break your cover. Nothing you do should be uniquely linked to your real identity, or social group.

Practice makes perfect

Amateurs practice until they get it right, professionals practice until they can’t get it wrong

These are a lot of complicated operational rules and guides you’ll have to follow strictly and with discipline. If you “learn on the job” your mistakes will be linked to the account that you’re trying to protect. It would be best that you go through the steps and practice these rules on a non sensitive account. Make sure you’re comfortable with them, that you know how to use the tools, that you understand what you’re supposed to do and why.

Some underground organisations have something they call “the first and last mistake,” which is when you break a security rule and it leads to discovery and exposure. You’re the resistance, you need to make sure you can use the tools of resistance without mistakes – so practice where it is safe, get the newbie mistakes out of the way, and then implement and operate safely where it matters.

The Adversary

There are a number of major adversaries that could lead to deanonymization of the account user. These include, but are probably not limited to:

  1. Twitter
  2. Email / Phone, linked to the account
  3. Law Enforcement (or other nation state powers)
  4. News media / investigative journalists
  5. Colleagues / friends / family

The capabilities, intent, and opportunity are different for each of them, and require different techniques to prevent exposure and protect yourself. Although it may seem daunting to face this much investigative power, there is a great deal of control that you have to protect yourself. Much of it does not require a lot of hard work, although maintaining a strong security posture for prolonged periods of time will require discipline.

Do: remember that most of the time authoritarian regimes don’t bother with going after small fry. It is unlikely that the full force of the state will be brought against you unless you are perceived as a problem. Your biggest threat is probably going to be talking too much, and your biggest risk is probably going to be losing your job (or similar) along with some public attention and scrutiny for a newscycle or two. It may be unpleasant, but you’ll survive. Fear of the thing is worse than the thing itself, try not to stress over it.

Mental Health Risks

Once you have mastered and implemented the technical protections and the security procedures to protect yourself, the biggest threat you will face is yourself. Creating and maintaining a secret identity can be extremely stressful and requires developing a sort of compartmented identity, a sharded ego, a fractured self. This can be very distressing and dangerous to your mental health in the long run, which is why spy handlers spend a lot of time acting as psychologists for their spies — providing the only safe place where they can speak freely about themselves and their concerns.

Do: seriously consider seeing a professional psychologist where you will be protected by patient confidentiality laws, and you will be able to talk freely about the stresses you’re under. Something to consider if it starts to feel too much.

Here are some security aware mental health experts:

Twitter

As a web service, Twitter collects (and purchases from data brokers), a great deal of information about their users. This information will be available to the authorities, and to some extent the public, via subpoena and old fashioned leg work.

Feds

  • Name
  • Address
  • Length of service
  • Transactional records for all services (and accounts) from inception to present.

Additional information that is available to Twitter includes:

  • Physical location
  • IP address
  • Browser type
  • Referring domain
  • Interactions with ads (which collect even more data)
  • Cookies

This information is permanently stored at Twitter and can be collected by a legal authority at any time. The authorities will want everything, all historic data, and they will look for leads. The FBI has significant expertise in handling Tor and will quickly eliminate known Tor exit nodes. Any VPN will be targeted to turn over their information, which will probably include easily identifiable billing data. A VPN running on a private host (such as Algo, or Streisand) will be followed by a request for data from the server provider – again, billing records and the IP address used to create the account will be most damning.

The safest option is to use Tor, and use it religiously. From the first signup, through every tweet and interaction.

An alternative practice would be to repurpose an old account created by someone else who will not betray you. This is still risky because the more people know about the account and the identity behind it, the more likely that info will seep out. And of course, once you have the account, always use Tor.

Short version

  • Shut up (don’t talk about what you’re doing or who you are to anyone)
  • Use Tor religiously (Tor browser bundle is fine, just remember to close the app when you’re done so it wipes evidence.)
  • Don’t use work or school equipment/networks, it is likely monitored.
  • Be cautious, not paranoid.
  • Good luck!

Support more content like this.

Update, 3 weeks later: Micah Lee wrote a similar piece over at The Intercept.

--

--