Digital Security for Activists 101

Citizens Privacy Coalition of Santa Clara County

What is the CPC?

A grassroots, volunteer-run watchdog coalition that aims to combat the lack of oversight and awareness surrounding the state of government and corporate surveillance in the heart of Silicon Valley.

What is the CPC?

Investigate. Legislate. Educate.

Agenda

  • Password managers
  • Encrypted communications
  • What should I do while protesting?

cpcscc.org/101

If you want to follow along with the slides

Curriculum largely taken from ssd.eff.org

Please feel free to interrupt with questions

80/20 rule

Roughly 80% of surveillance can be avoided by taking 20% of precautions.

(This statistic is for illustrative purposes and is not exact.)

Password Managers

Password Manager:

A tool that produces randomly generated passwords and stores them securely, allowing you to have a different password for each login. This makes your life easier and more secure simultaneously.

How does it make my life more secure?

Using the same password for every login is a bad idea. Sites get hacked and passwords get leaked. If you’re using the same password on Instagram that you use for your email and banking, those logins are also compromised.

How does it make my life easier?

It’s impossible to remember a different password for the hundreds of logins you have. A password manager remembers them for you.

What password manager should I use?

Paid: 1Password, Dashlane

Free: LastPass, Bitwarden, KeePass

Let’s give it a try!

2 Factor Authentication

2 Factor Authentication (2FA):

Requires you to enter a randomly generated PIN after successfully entering your password. The PIN changes every 30 seconds.
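How an authenticator app arrives at that PIN, as an added example that is not part of the original slides: apps such as Google Authenticator implement TOTP (RFC 6238), deriving the code from a secret shared at setup and the current 30-second time window. The `verify` helper, its one-window clock-drift allowance, and the sample secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the 30-second window mentioned on the slide


def totp(secret_b32, at_time=None, digits=6):
    """Return the TOTP code (RFC 6238, HMAC-SHA1) for a base32 secret."""
    if at_time is None:
        at_time = time.time()
    # Authenticator secrets are base32; tolerate spaces and missing padding.
    cleaned = secret_b32.upper().replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    # Both sides count how many 30-second steps have passed since 1970.
    counter = int(at_time) // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): pick 4 bytes using the last nibble.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at_time=None, drift_steps=1):
    """Hypothetical server-side check: accept the current window and
    drift_steps windows either side to allow for clock drift."""
    if at_time is None:
        at_time = time.time()
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, at_time + step * STEP_SECONDS, len(submitted))
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed sample secret: the RFC 6238 test key, base32-encoded.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print("Current code:", totp(SAMPLE_SECRET))
```

Because the code is computed from the shared secret and the clock, the app works with no network connection, and anyone who copies the secret (for example from the setup QR code) can generate the same PINs.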

If you can help it, don’t use text messages for 2FA.

What 2FA app should I use?

Paid: 1Password, LastPass

Free: Duo Security, Google Authenticator, Authy, tons more options

Last resort: Text message

Password managers and 2FA are not bulletproof

They won’t protect you from physical attacks or more sophisticated attackers.

Let’s give it a try!

Encryption

Encryption:

The process of converting messages in ordinary language, or other information, into a secret coded form that cannot be interpreted without knowing the secret method for interpretation, called the key.

Encryption vs. end-to-end encryption

Encryption is not bulletproof

It will not protect data you submit to a website or reveal to a third party.

How do I encrypt my email?

Protonmail

The easiest option.

Protonmail

Swiss email provider that encrypts your inbox so that even they can’t read it.

Protonmail

All emails sent between Protonmail addresses cannot be accessed by anyone other than the intended recipients.

Protonmail

Metadata not encrypted:

Source, destination, time, subject

Protonmail

An email sent from Protonmail to any non-Protonmail address will be viewable by the other email provider (e.g., Gmail, Yahoo, etc.).

PGP

“Pretty Good Privacy” or PGP is an encryption algorithm developed explicitly for email. It has a steep learning curve with dozens of ways to implement it.

PGP

The easiest way to use it for Gmail is to install the browser plugin FlowCrypt.

flowcrypt.com

Let’s give it a try!

How do I encrypt my text messages and phone calls?

Text messages and phone calls

No encryption and easily intercepted.

Text messages and phone calls

Santa Clara County Sheriff’s Department submitted a proposal to buy a stingray, a device to intercept phone calls and text messages.

Signal Messenger

By far, the absolute best option, hands down.

Signal Messenger

End-to-end encrypted (E2E), so that even Signal’s servers can’t read your messages or your metadata.

Signal Messenger

They don’t know who you’re messaging or when. If they don’t know, they can’t give that information to law enforcement.

WhatsApp

Better than nothing, but not ideal.

WhatsApp

Encrypts the content using the same algorithm as Signal, but Facebook actively analyzes metadata.

Keybase

Pretty solid, but just acquired by Zoom, which has censored activists in the past.

Telegram

I do not recommend this app at all. Their encryption has been proven to be less than ideal.

Let’s give it a try!

What should I do while protesting?

First you need to review your threat model

Location

Your location is being tracked in several different ways.

Cellular provider

Your cellular service provider can triangulate your general location based on which tower your phone is using at any given time.

GPS data

When you share your location with an app on your phone, the app knows where you are. Choose carefully.

How to review app permissions on your phone

Comprehensive Protest Guide:

Here

Thanks

Next workshop February 25 @ 6 pm

@cpcscc_ @cpcscc @cpcscc