Digital Security for Activists 101
Citizens Privacy Coalition
of Santa Clara County
What is the CPC?
A grassroots, volunteer-run watch dog coalition that aims to combat the lack of oversight and awareness surrounding the state of government and corporate surveillance in the heart of Silicon Valley.What is the CPC?
Investigate. Legislate. Educate.Agenda
- Password managers
- Encrypted communications
- What should I do while protesting?
cpcscc.org/101
If you want to follow along with slides
Curriculum largely taken from ssd.eff.org
Please feel free to interrupt with questions
80⁄20 rule
Roughly 80% of surveillance can be avoided by taking 20% of precautions.
(This statistic is for illustration purposes, not exact)
Password Managers
Password Manager:
A tool that produces randomly generated passwords and stores thems securely, allowing you to have a different password for each login. This makes your life easier and more secure simultaneously.
How does it make my life more secure?
Using the same password for every login is a bad idea. Sites get hacked and passwords get leaked. If you’re using the same password on Instagram that you use for your email and banking, those logins are also compromised.
How does it make my life easier?
It’s impossible to remember a different password for the hundreds of logins you have. A password remembers them for you.
What password manager should I use?
Let’s give it a try!
2 Factor Authentication
2 Factor AUthentication (2FA):
Requires you to enter a randomly generated PIN after successfully entering your password. PIN changes every 30 seconds.
If you can help it, don’t use text messages for 2FA.
What 2FA app should I use?
Free: Duo Security, Google Authenticator, Authy, tons more options
Last resort: Text message
Password managers and 2FA are not bullet proof
Won’t protect from physical attacks or more sophisticated attackers.
Let’s give it a try!
Encryption
Encryption:
The process of converting messages in ordinary language, or other information into a secret coded form that cannot be interpreted without knowing the secret method for interpretation, called the key.
Encryption vs end to end encryption
Encryption is not bullet proof
It will not protect you from data you submit to a website or reveal to a third party
How do I encrypt my email?
Protonmail
The easiest option.
Protonmail
Swiss email provider that encrypts your inbox so they can’t even read it.
Protonmail
All emails sent between Protonmail addresses cannot be accessed by anyone other than who they are intended for.
Protonmail
Metadata not encrypted:
Source, destination, time, subject
Protonmail
An email sent from Protonmail to any non-Protonmail address will be viewable by the other email provider (i.e., Gmail, Yahoo, etc.)
PGP
“Pretty Good Privacy” or PGP is an encryption algorithm developed explicitly for email. It has a steep learning curve with dozens of ways to implement it.
PGP
The easiest way to use it for Gmail is to install the browser plugin FlowCrypt.
flowcrypt.com
Let’s give it a try!
How do I encrypt my text messages and phone calls?
Text messages and phone calls
No encryption and easily intercepted.
Text messages and phone calls
Santa Clara County Sheriff’s Department submitted a proposal to buy a stingray, a device to intercept phone calls and text messages.
Signal Messenger
By far, the absolute best option, hands down.
Signal Messenger
E2E that Signal’s servers can’t even read your messages or your metadata.
Signal Messenger
They don’t know who your messaging or when. If they don’t know, they can’t give that information to law enforcement.
Better than nothing, but not ideal.
Encrypts the content using the same algorithm as Signal, but Facebook actively analyzes metadata.
Keybase
Pretty solid, but just acquired by Zoom, which has censored activists in the past.
Telegram
I do not recommend this app at all. Their encryption has been proven to be less than ideal.
Let’s give it a try!
What should I do while protesting?
First you need to review your threat model
Location
Your location is being tracked in several different ways.
Cellular provider
Your cellular service provider can triangulate your general location based on what tower your phone is using at any given time.
GPS data
When you share your location with an app on your phone, they know where you are. Choose carefully.
How to review app permissions on your phone
Comprehesive Protest Guide:
I’m not an attorney and this does not constitute legal advice
Thanks
Next workshop February 25 @ 6 pm
@cpcscc_ @cpcscc @cpcscc