Digital security and privacy workshop

Intro segment

This workshop is designed to be read collaboratively/collectively, going around in a circle. The text is based on material from EFF and Equality Labs. [1]

The Harm Reduction Approach

Harm reduction is a term used in public health to describe policies aimed at reducing the harm associated with high-risk behaviors, such as intravenous drug use. In the context of digital security training, the harm reduction approach can be applied to people that are at heightened risk of compromise because of their practices, such as using non-optimal hardware, applications, or platforms. It is not always possible to change somebody’s (or our own) risky practices and when that is the case, it is important to meet people where they are, rather than where we think they should be.

Some principles to follow are:

  • Everyone deserves digital security and privacy.
  • Remove the stigma of bad security or privacy practices.
  • Increasing your digital safety is a process.
  • Harm reduction is collective.

Everyone deserves digital security and privacy.

It is not uncommon to hear people in the security industry say that if you don’t use a certain product or you don’t follow a certain best practice, then “you don’t deserve security.” This is a highly toxic mentality that causes a lot of harm. A techie may believe that activists should not use Facebook, but if activists still use the platform because it is a highly effective way of reaching their audience, then they need and deserve advice that allows them to be as safe on Facebook as possible.

Remove the stigma of bad security or privacy practices.

Everyone has made digital privacy or security mistakes, including trainers and “experts”. Stigmatizing or shaming people for confessing their mistakes makes it less likely that other people will speak up about their own practices. Talking about our own digital security shortcomings is sometimes a good ice-breaker and helps make everyone feel more comfortable.

Increasing your digital safety is a process.

When learning about what we need to do to improve our digital security and privacy, it’s common to feel overwhelmed. Don’t be too hard on yourself – instead, we can see our work towards better security habits as a process that will take time. The goal isn’t to lock everything down in one day or one week. It takes time and patience to learn, and it’s important to give ourselves credit for how we have already improved our digital safety, even as we take further steps and solidify better habits.

Harm reduction is collective.

Because of the many ways our digital lives are inherently intertwined, it’s important to remember that we are responsible for each other’s safety and privacy. It’s upon us to collectively support each other as we learn about each other’s privacy preferences.

We can coordinate in reducing threats and vulnerabilities that affect us as co-workers, family members, activists, or even just neighbors using the same cafe WiFi to browse the web. When you notice that others have unsafe settings or are leaking personal data, you can tell them. If you prefer not to be tagged in photos on social media, let others know and ask others what their preferences are. If you see your parents have a weak password, take the time to explain how to create a more robust one.

There are a million ways we can help our networks reduce the harm from poor digital security habits and build better security cultures.

While many people often use military or war analogies when talking about digital security, thinking about it that way can often be misleading. In many ways, analogies to public health and medicine can be much more informative and helpful.

Why We Should Care – And Act

It’s important to understand not just the what and the how of digital security, but the why. Why should we care about digital security? And, why should we take action to develop our personal security?

General tips and tricks about technology are great, but we also need to understand ourselves. There are several types of common thought patterns that can keep us from learning:

Nothing-to-Hide Apathy:
 “I have nothing to hide, so why do I need to protect privacy?”
Security Paralysis:
 “I am worried about my digital security to the point of being overwhelmed. I don’t know where to start.”
Technical Confusion:
 “I’m ready to take action, but not until I have a perfect handle on how all of these technical concepts fit together.”
Security Nihilism:
 “There’s no such thing as perfect security, so why even bother? If someone wants to hack me, they’ll figure out a way to do it.”

  • What made you come today?

Genuineness and empathy are important. No one is perfect.

Many security trainers like to make their stories sound scary or intimidating. But these types of stories often turn people off from learning about security. Fear is the motivation killer, and can lead to “security paralysis” or other kinds of disengagement from learning.

Also, a single person can cycle through several of the attitudes below (and more!). The better we are at spotting and responding to our motivational hangups, the better we can learn.

Nothing-to-Hide Apathy

“I have nothing to hide, so why do I need to protect privacy?”

People with this attitude typically do not feel a personal stake in their digital privacy and security, and therefore do not feel compelled to act. They may associate digital security concepts with high-profile state actors, whistleblowers, and public figures – not with “normal” people like us.

Talking through the first step of threat modeling, the question “What do you want to protect?”, can also help you find your own stake in digital security.

Some examples:

  • Credit card and bank account information (both on the associated websites and on any commerce websites like Amazon, PayPal, or Venmo).
  • The information often found on “people finder” sites – like full names, home addresses, and family connections.

It’s also common for the “nothing to hide argument” to become so dominant that we forget what’s at play when we talk about privacy. What is privacy and what does it mean to people? What are we really talking about when we talk about privacy? This is a complex topic, but as one researcher puts it:

Privacy is Consent. Privacy is the right to consent. Privacy is the right to withdraw consent. Privacy is nothing more than that, but that is everything.

Finally, sometimes someone with this attitude is making a logical decision based on their own threat model. Having identified what they want to protect, who may come after it, and what their risk is, they may have simply decided that a certain privacy protection is not worth them expending significant time, resources, or energy. The job of a trainer is not to “convince” them that they “should” take certain actions, but to help them make an informed decision.

Security Paralysis

“I am worried about my digital security to the point of being overwhelmed. I don’t know where to start.”

This kind of person cares deeply about digital security, but is frightened and paralyzed. Often, people with this attitude are overwhelmed with the task of locking down their personal information. Perhaps they have been bombarded with news stories about leaks and data breaches, or have close friends who have experienced personal harassment or doxxing. They may have even been exposed to intimidation-based trainings in the past that left them feeling overwhelmed and helpless in the face of various digital threats.

In this case, it can be helpful to emphasize one’s personal agency. At the same time, acknowledge the reality that it may very well be impossible to control all the information about one person online – and that’s okay. Instead, we can shift the goal from erasing all our information to just minimizing our information.

First steps to take could include Googling oneself (perhaps with the support of a trusted friend to help alleviate any fear associated with doing so), investigating social media settings, or looking into opt-out options on people finder sites.

The goal is to get the best idea possible of the information available about ourselves online, and then reduce it according to what we care about and are worried about. If we can minimize the information that we have control over, then we are in a much more powerful position if and when a company we use has a data breach or a social media platform we’re on changes its default settings.

Technical Confusion

“I’m ready to take action, but not until I have a perfect handle on how all of these technical concepts fit together.”

This kind of person may be technically overwhelmed. They are hearing about different kinds of devices, operating systems, apps, software, browser extensions, and encryption. While they have abundant information, they have no idea where to start or exactly how all these things are connected. Often, these learners have less experience with technology than the average trainer, but they are detail-oriented and cautious. They may be elders, or come from a low-resource background that has not given them consistent access to cutting-edge devices and software. Just like security paralysis, this person typically does not know where to start.

If this describes you, it can help to focus on the security principles behind the technology. Technology changes quickly and can be confusing, but fundamental security principles – threat modeling/risk assessment, tradeoffs, and deciding who and what to trust – can all act as steadfast guides as technology changes and evolves.

Security is more than just tools. It’s about adopting a “security mindset” over time.

Security Nihilism

“There’s no such thing as perfect security, so why even bother? If someone wants to hack me, they’ll figure out a way to do it.”

People with this attitude care about security, but also don’t know what to actually do. Or, perhaps more accurately, they do not think they have the power to do much.

One useful concept is “door lock security.” Think about the lock on the door of your home. It might be a normal deadbolt with a doorknob lock. This lock can be compromised in any number of ways: keys can be stolen or forged, locks can be picked, doors can be kicked down. If someone was determined to breach that door, they probably could. But you probably still lock your door regularly and find some assurance in that level of security.

This analogy can even extend to extra layers of security. Perhaps you can imagine someone with particularly expensive items in their home having a security system protecting the perimeter of their house. Or, maybe they’d have a safe inside the house for valuables and important documents.

We can approach digital security in the same way. The digital security equivalent of a “door lock” can be reliable, reasonable, and worth using, even if it is imperfect and incomplete. For higher-value assets, added layers of security (analogous to safes or home security systems) can also be put in place.

The goal is to make it harder or more inconvenient or more expensive to hack you, not to make it impossible. It’s important to set reasonable, achievable goals, not pie-in-the-sky theoretical scenarios.

Seven Keys To Digital Security

Here are some basic tips to consider when thinking about your own digital security.

  1. Knowledge is Power
  2. The Weakest Link
  3. Simpler is Safer and Easier
  4. More Expensive Doesn’t Mean More Secure
  5. It’s Okay To Trust Someone (But Always Know Who You’re Trusting)
  6. There is No Perfect Security – There’s Always a Trade-Off
  7. What’s Secure Today May Not Be Secure Tomorrow

Knowledge is Power

Good security decisions can’t be made without good information. Your security tradeoffs are only as good as the information you have about the value of your assets, the severity of the threats from different adversaries to those assets, and the risk of those attacks actually happening. This guide should help you gain the knowledge you need to identify the threats to your computer and communications security, and judge the risk against possible security measures. And some of this knowledge you already have: knowledge of your own situation, who might want to target you, and what resources they have. You already have more power than you think!

Simpler is Safer and Easier

It is generally most cost-effective and most important to protect the weakest component of the system in which an asset is used. Since having a simple system makes it much easier to identify and understand the weak components, you should strive to reduce the number and complexity of components in your information systems. A small number of components will also serve to reduce the number of interactions between components, which is another source of complexity, cost, and risk. That also means that the safest solution may be the least technical solution. Computers may be great for many things, but sometimes the security issues of a simple pen and notepaper can be easier to understand, and therefore easier to manage.

More Expensive Doesn’t Mean More Secure

Don’t assume that the most expensive security solution is the best; especially if it takes away resources needed elsewhere. Low-cost measures like shredding trash before leaving it on the curb can give you lots of bang for your security buck.

It’s Okay To Trust Someone (But Always Know Who You’re Trusting)

Computer security advice can end up sounding like you should trust absolutely no one but yourself. In the real world, you almost certainly trust plenty of people with at least some of your information, from your close family or companion to your doctor or lawyer. What’s tricky in the digital space is understanding who you are trusting, and with what. You might deposit a list of passwords with your lawyers: but you should think about what power that might give them – or how easily they might be maliciously attacked. You might write documents in a cloud service like Dropbox or Microsoft OneDrive that are only for you: but you’re also letting Dropbox and Microsoft access them, too. Online or offline, the fewer people you share a secret with, the better chance you have of keeping it secret.

There is No Perfect Security – There’s Always a Trade-Off

Set security policies that are reasonable for your lifestyle, for the risks you face, and for the implementation steps you and your colleagues will take. A perfect security policy on paper won’t work if it’s too difficult to follow day-to-day.

What’s Secure Today May Not Be Secure Tomorrow

It is also crucially important to continually re-evaluate your security practices. Just because they were secure last year or last week doesn’t mean they’re still secure! Keep checking sites like SSD (EFF’s Surveillance Self-Defense guide) because they will update their advice to reflect changes in their understanding and the realities of digital security. Security is never a one-off act: it’s a process.

Some actual tech advice: The Minimum Viable Teaching

(When Teachers Have No Time To Teach or Learners Have No Time to Listen)

Sometimes there’s no time for a full digital security walk-through. Perhaps you’re suddenly about to face an unexpected set of risks. Too much information can be overwhelming or intimidating. You’re short on time. You might have only one brief moment for security, and you want to take full advantage of it.

Some security is always better than no security. You can do a lot to improve your basic security by walking through some basic steps, and following some general advice.

Here’s a short bit of advice that can fit in one minute or less. It’s a concentrated form of advice. This information could easily be expanded into a half-day of teaching, but the short version is good too.

“You can turn on encryption on your Android, iPhone, iPad or Mac. Pick a long password made up of six or more random words to lock your computer, or six or more numbers as a PIN to lock your phone. Don’t reuse passwords! Use a password manager, or write down your passwords on paper and store it in your wallet instead. Turn on “two-factor” or “two-step” authentication on your Google, Facebook or other online accounts: this will help stop those logins from being hacked. Avoid clicking on strange links or email attachments. To send messages safely and securely, use an end-to-end encrypted messenger app like Signal or WhatsApp. If you want to be anonymous online, try using the Tor Browser.”

Well, that was the concentrated version. Now let’s break it down and talk about it.

The basics:

  • Turn on encryption.
  • Pick a long password.
  • Don’t reuse your passwords!
  • Turn on two-factor authentication.
  • Avoid clicking on strange links or email attachments.
  • Use an end-to-end encrypted messenger app like Signal or WhatsApp.
  • To be anonymous online, use the Tor Browser.

Here’s some more detailed thinking about each of those pieces of advice, and how you might dig deeper into them, when you have more time.

Turn on encryption.

We say “turn on encryption” because that phrase typed into a search engine gives you good links to general instructions on encryption. (Unfortunately we can’t say “turn on encryption” on Windows, because only Windows Professional offers full disk encryption.)

Pick a long password.

“Long” is more understandable than “strong.” “PIN” is understood as the number that locks your phone, so mentioning it in the same sentence lets you extend the advice to desktop PC or laptop logins. “Random” is a bit technical, but gets across the idea that it shouldn’t just be a familiar sentence. We spend a lot of time arguing internally about whether we should say “six” or “seven”!

Don’t reuse your passwords!

Reusing passwords is one of the top ways that accounts can be compromised, but it can be hard to stop doing it. One thing that can really help is to use a tool called a “password manager”. There are a number of password manager guides, such as the ones on SSD. Additionally, it might sound surprising, but you can actually write down passwords and keep them in your wallet! This might seem insecure, but it’s actually much better than reusing passwords. (Password reuse really is very bad.)
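As an added illustration of the two pieces of advice above (this is example code written for this page, not part of the original workshop or any EFF tool): a generator that picks six random words from a word list using the operating system’s secure random source, an entropy helper that shows why six random words beat a six-digit PIN, and the reuse check a password manager’s audit performs. The short word list embedded here is a constructed stand-in; a real tool uses a list of several thousand words.

```python
import math
import secrets

# Constructed demo word list so the example runs offline. A real passphrase
# tool uses a much larger list (diceware-style lists have 7776 words).
DEMO_WORDLIST = [
    "acorn", "basil", "cabin", "delta", "ember", "fable", "giant", "harbor",
    "igloo", "jolly", "kayak", "lemon", "mango", "noble", "olive", "piano",
    "quartz", "river", "salsa", "tiger", "umpire", "velvet", "walnut", "xenon",
    "yodel", "zebra", "anvil", "bison", "cider", "dough", "eagle", "frost",
]


def generate_passphrase(num_words: int = 6, wordlist=DEMO_WORDLIST) -> str:
    """Pick num_words words uniformly at random (with replacement) from wordlist.

    secrets.choice() draws from the OS CSPRNG, which is the "randomly generated
    by a computer, not by your human head" the guide asks for. random.choice()
    is seeded predictably and must not be used for secrets.
    """
    if num_words < 1:
        raise ValueError("need at least one word")
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def entropy_bits(choices_per_symbol: int, num_symbols: int) -> float:
    """Entropy in bits of num_symbols independent, uniform picks
    from choices_per_symbol options: the work an attacker must do to
    guess it grows as 2 to this power."""
    return num_symbols * math.log2(choices_per_symbol)


def compare_secrets() -> dict:
    """Entropy of the guide's two recommendations, assuming a 7776-word list
    for the passphrase, plus the (much weaker) demo list above."""
    return {
        "six_words_7776_list": round(entropy_bits(7776, 6), 1),   # about 77.5 bits
        "six_digit_pin": round(entropy_bits(10, 6), 1),           # about 19.9 bits
        "six_words_demo_list": round(entropy_bits(len(DEMO_WORDLIST), 6), 1),
    }


def find_reused_passwords(vault: dict) -> list:
    """Return groups of account names that share one password, sorted.

    vault maps account name -> password. This is the audit a password manager
    runs to flag reuse; one breach then exposes every account in a group.
    """
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return sorted(sorted(accts) for accts in by_password.values() if len(accts) > 1)


if __name__ == "__main__":
    print("passphrase:", generate_passphrase())
    print("entropy comparison:", compare_secrets())
    # Constructed sample vault: two accounts share a password.
    print("reuse:", find_reused_passwords(
        {"email": "correct horse", "bank": "zebra-igloo-8", "social": "correct horse"}))
```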

Why do passwords matter so much? Check out websites like https://www.HaveIBeenPwned.com/ – Password dumps affect regular people all the time.

Turn on two-factor authentication.

In an attempt to “avoid jargon,” almost every web service uses a different term for two-factor authentication. We say “two-factor or two-step” to imply that it might be called a number of different things. We also give the basic reason why you should turn on two-factor authentication: it will help stop your logins and accounts from being hacked.

Understanding why two-factor might protect you is difficult, but getting the benefit from it is not.

For info on how to tell what accounts offer two-factor authentication, you can use websites like https://www.twofactorauth.org/. (Generally, websites like Google, Facebook, etc support it.)

Use an end-to-end encrypted messenger app like Signal or WhatsApp.

Our first product mention! Break out the ™ symbols! JK. Recommending specific software or hardware is actually very complicated, but people usually want a concrete suggestion. So why Signal?

Signal was one of the first audited, open source messaging apps with a strong theoretical cryptographic foundation, backed by an organization specifically dedicated to providing secure end-to-end encryption. It suffers from some of the problems of a small and underfunded software project, but it is reasonably safe from compromise and has a broad user base.

WhatsApp’s parent company, Facebook, is not very trustworthy, but the client itself is end-to-end encrypted, and (we believe) is unlikely to be undermined without a large and highly critical expert audience spotting the problem.

By offering two alternatives, we try to imply that the important thing here is “secure messaging app” rather than a particular secure messaging app. We put this advice at the end of our list, because at this point no one will remember much beyond the brand names.

To be anonymous online, use the Tor Browser.

People are often more curious about anonymity than fighting surveillance (they are more concerned about being generally exposed online, than specifically monitored by the authorities).

Staying anonymous online involves more than just using Tor, but the Tor project does a good job of warning people who download their software about this. We try to convey that Tor is a solution for anonymity, and not one for defending against surveillance or other side-effects.

“Use Tor; Use Signal” is not always the best advice, but if you start searching for advice on Tor and Signal, there’s a good chance you will be directed to more detailed guidance by experts who know what they’re talking about.

A positive security culture for organizers

Following the uptick in alt-right activity after Charlottesville, a group called Equality Labs wrote up a guide for organizers about protecting yourself from doxxing attacks.

Equality Labs is a South Asian community technology organization that works at the intersection of community-based participatory research, socially-engaged arts, and digital security. They are dedicated to ending caste apartheid, Islamophobia, and religious intolerance; and they place an emphasis on further elevating trans and cis femme voices from these communities.

Here’s what they put in the intro to their guide:

Hey Movement Fam,

It is the folks from Equality Labs and we have an urgent Anti-Doxing guide to support the activists who are getting slammed by Alt-right Forces around the country for coming out and resisting Nazis from Charlottesville to Berkeley.

[…] Post Charlottesville, Boston, and the Bay Area Anti-White supremacist marches we are seeing an unprecedented number of doxing attacks on all members of the movements. [2]

“Security culture” is important for crisis times, but it’s also important for the long run. Additionally, it’s important to ensure that this is a positive and inclusive vision of security culture, not a toxic one. Equality Labs, collaborating with and building on work by groups like Stop LAPD Spying Coalition, have outlined such a vision.

The challenges we face (such as the escalated activity of the White Supremacists after Charlottesville, or the regular grind of state oppression) may be scary, but the best defense is one rooted in information, compassion and self-care for ourselves and each other, and a commitment to collective resilience.

What to do? What is security culture? The basic idea is to adopt best practices to stay safe. These are things that should be incorporated into your regular digital security practices, and into your regular habits more generally. The practices will help lock you down through attacks. But it’s not enough to just do it once and then move on: You need to maintain these things to keep your digital resilience. “Security is a process, not a product.”

Stop LAPD Spying Coalition talk about adopting a vision of security culture that centers all collective security practices as a form of expressing love and solidarity. We all have a sense of it from being marginalized and targeted, and from being activists. It’s about harnessing those good instincts with knowledge and practice.

We can build power instead of paranoia, and meet people where they’re at. From there we can have communities of practice that normalize better practices in a way that is resilient in a crisis.

Digital security is a system. You are creating and implementing it as part of your core skills as an organizer. There is no silver bullet to digital security – it is an awareness and a practice. It gets better with reiteration and with a community committed together to stay safe. The best defense is a collective one and we are all in it together. :)

Footnotes

[1]

Sources:

[2]

From the ANTI-DOXING GUIDE FOR ACTIVISTS FACING ATTACKS FROM THE ALT-RIGHT. See:

https://github.com/sptankard/digitalsecuritycurriculum/blob/master/anti_doxing_guide.md

Adapted version of guide originally published by Equality Labs, 12017 Sep 1.

https://equalitylabs.org, https://medium.com/@EqualityLabs/

Anti-doxing guide for activists facing attacks from the alt-right

Adapted from this blog post originally published by equality labs, 12017 Sep 1. EqualityLabs.org

Hey Movement Fam,

It is the folks from Equality Labs and we have an urgent Anti-Doxing guide to support the activists who are getting slammed by Alt-right Forces around the country for coming out and resisting Nazis from Charlottesville to Berkeley.

[…] Post Charlottesville, Boston, and the Bay Area Anti-White supremacist marches we are seeing an unprecedented number of doxing attacks on all members of the movements.

This guide has been created to deal with the current issues we are seeing.

  • It should be incorporated into your regular digital security practices.
  • We know that the escalated activity of the White Supremacists is scary, but…
  • the best defense now is one rooted in information, compassion and self-care for ourselves and each other, and…
  • a commitment to collective resilience.

With that, we have broken up this guide in terms of background and next steps.

Equality Labs welcome questions at:

  • email: equalitylabs@protonmail.com
  • upon the twitterplace: @EqualityLabs

What is doxing?

Doxing (or “doxxing”) is the violent Internet-based practice of:

  • Researching and broadcasting private or identifiable information about an individual or organization
  • …in order to harass and traumatize activists from organizing activity.
  • Additionally, such attacks can also be accompanied by real world violence and spread disinformation about an individual and/or a movement.

How’s it work, concretely?

  • Easier to do than you might think. A wealth of information on the internet is hidden in plain sight.
  • Hostile individuals can get this information by searching publicly available databases and social media websites like Facebook, as well as by hacking, and social engineering.
  • Alt-right attackers of our colleagues around the country are using their full social media ecosystem both to attack and to spread disinformation.

What to do?

  • Adopt best practices to stay safe
  • The practices below will help lock you down through the attacks
  • You need to maintain these things to keep your digital resilience
  • “Security is a process, not a product.”

What this guide covers, and what it doesn’t

This is a very specific, tailored guide to a certain type of activity and a certain type of problem (problem: aka “threat”, “adversary”).

  • Specifically, it is a very practical, nuts-and-bolts guide to protecting yourself from doxing attacks like those coming out of current “alt-right” activity.
  • In this case, your adversaries are fanatics and meanies with a resource level similar to yours.

Sometimes your adversaries will be some random rich person, governments, corporations, local police departments…

  • In that case, you would need to do some other things that aren’t covered in this guide.
  • There’s overlap – much of the advice would be the same, but also a lot of it wouldn’t.

…image here of the trumpeye

Overview

Logistics and human-y stuff

  • ✔ CREATE A SELF-CARE PLAN
  • ✔ CREATE AN INCIDENT LOG

Techy stuff immediately

  • ✔ CHANGE YOUR EXISTING PASSWORDS
  • ✔ TURN ON 2-FACTOR AUTHENTICATION (2FA) for all your accounts.

Techy stuff step/day 2

  • ✔ FIND OUT WHAT INFORMATION TROLLS CAN FIND OUT ABOUT YOU.
  • ✔ CALL YOUR CREDIT CARDS, CELL PHONE PROVIDER, UTILITIES, AND BANK AND LET THEM KNOW YOU ARE A TARGET.
  • ✔ INSTALL A VIRTUAL PRIVATE NETWORK (VPN)
  • ✔ USE THE TOR BROWSER.
  • ✔ INSTALL SIGNAL.

Techy stuff steps/days 3 & 4+

  • ✔ WEAN YOURSELF OFF G-MAIL AND BEGIN USING ENCRYPTED E-MAIL.
  • ✔ FOR SECURE GROUP CONVERSATIONS USE TALKY.IO OR ZOOM.
  • ✔ CHANGE YOUR PRIVACY SETTINGS ON YOUR SOCIAL NETWORKS.
  • ✔ KILL ALL ORPHAN ACCOUNTS.
  • ✔ USE ALIASES WHEN SIGNING PETITIONS OR SIGN-IN SHEETS FOR MEETINGS.
  • ✔ FINALLY SECURE AND BACK UP YOUR HARDWARE.

Final little note – Actually, install Signal immediately. Like right now while you’re reading this.

  • It’s incredibly easy and quick. Literally takes 2 minutes to install and set up.
  • It’s very effective.
  • Everybody should be using it all the time.
  • Install Signal! & use it :)

With that, here is our check-list for protecting your identity…

Logistics and human-y stuff

✔ CREATE A SELF-CARE PLAN

  • Create a plan
  • Recruit your family and friends to help support you.
  • Let them know what’s going on, because trolling and doxing can be traumatic and you must prioritize your mental and physical health so that you can outlast these attacks.

We take our lead from our collaborators at Stop LAPD Spying Coalition:

  • They talk about adopting a vision of security culture that centers all collective security practices as a form of expressing love and solidarity.
  • We all have a sense of it from being marginalized, targeted, activists.
  • It’s about harnessing those good instincts with knowledge and practice.

Staying sane in insanity

  • This is why it is important, even when you are under attack, to give space to your feelings of anxiety and dread.
  • But, do not succumb to them.
  • Release them and return to your agency.
  • In these situations we can practice a culture of mutual-aid and support around digital security.

A way forward

  • We can build power instead of paranoia, and meet people where they’re at.
  • From there we can have communities of practice that normalize better practices in a way that is resilient in a crisis.

✔ CREATE AN INCIDENT LOG

This is crucial to:

  • establish patterns of your attacks and can be useful to…
  • compare with other organizers to identify larger patterns within the attacks to…
  • identify opponents and their organizations.

A sample log could look like this:

Incident response log

  Date | Time | Description | Result/recommendation

(A simple table with those four columns is enough.)

But please feel free to create one that makes sense for you and that you can adapt to your situation. The most important thing is that you:

  • keep notes throughout your attack and
  • share with your security professional when you can.

If you’re not attached to an org that provides you something like a security professional, then you can either:

  • Hopefully, talk to the person who is giving you this presentation :)
  • Contact an org like Equality Labs, or
  • Security Without Borders or
  • EFF’s cooperating techs network cooptechs@eff.org

If you like Equality Labs’ incident log example you can use it as an example. Please feel free to make a copy.

But please note: we recommend that you keep incident logs not in google docs but in an encrypted word processing platform like

  • Etherpad on Riseup at https://pad.riseup.net or
  • Cryptpad at https://cryptpad.fr

Techy stuff immediately

✔ CHANGE YOUR EXISTING PASSWORDS

What’s up

  • Trolls will be trying their best to get into all of your accounts.
  • You can find out if your e-mail is part of any recent hacks at www.haveibeenpwned.com
  • This will let you know what level of risk you are at for penetration of your accounts.

After you have made that quick assessment,

  • make a list of all of your crucial accounts and
  • change the passwords immediately so you have fresh passwords for each.
  • Ideally, passwords should be randomly generated (by a computer, not by your human head) &
  • should be different for each account (never reuse passwords).

Additionally, if you have time we strongly recommend:

  • Use a password manager to generate and store all of your new passwords.
  • This will allow you a greater capability to create complex passwords for all of your accounts, while
  • limiting you to only have to remember one!

Password manager software recommendations:

  • 1password https://1password.com/
  • KeePassXC https://keepassxc.org/
  • LastPass https://lastpass.com/

✔ TURN ON 2-FACTOR AUTHENTICATION (2FA) for all your accounts.

2fa wuts that?

  • This means you are adding another verification method when you sign into your accounts.
  • This helps A LOT when you have trolls trying to break into your account.
  • If they only have your password they will be stopped at the second point of verification.

Thinking like the adversary

  • When thinking about which accounts you want to add 2FA you have to think like a troll.
  • Which accounts do you have that would cause the most damage if it was compromised?

E.g.

  • By taking over your e-mail they can release and interfere with your communication, and
  • likely gain much sensitive information about you (scan of your passport? driver’s license?).
  • By taking over your bank account they can wreak havoc with your finances, etc.

So if possible lock them all down. When in doubt, lock it down.

  • 2FA is available for GMail, Facebook, Twitter, Amazon and more.
  • When possible avoid using Text/SMS as your method of verification. This is because texts can be intercepted and so are not as secure as…
  • the other common method: “OTP” (aka “TOTP”).
  • We recommend using Google Authenticator app or an app like Authy or FreeOTP.
  • These can generate codes on your phone and can be revoked remotely in case your phone is confiscated, stolen, or lost.

However, text/SMS 2fa is always better than no 2fa! (OTP-2fa > SMS-2fa > no 2fa)

You can find tutorials for 2FA instructions for most of your accounts here:

  • https://www.turnon2fa.com/tutorials/
  • https://twofactorauth.org

Not going to lie to you, at first you are going to find 2fa a little annoying. But:

  • It’s worth it. It really is.
  • It will get less annoying pretty quickly as you get used to it.

Techy stuff step/day 2

✔ FIND OUT WHAT INFORMATION TROLLS CAN FIND OUT ABOUT YOU.

Get a quick idea:

  • Search for yourself on DuckDuckGo and try doing this search in incognito mode.
  • This will give you a sense of how much data exists about you online to people who are not in your network.
  • After that initial search you can go on to looking at all of the data broker sites that trade in our personal lives.

Check your Data leaks and Opt out here:

BeenVerified: https://www.beenverified.com/faq/opt-out/
CheckPeople: http://www.checkpeople.com/optout
Instant Checkmate: https://www.instantcheckmate.com/optout/
Intelius: https://www.intelius.com/optout.php
PeekYou: http://www.peekyou.com/about/contact/optout/index.php
PeopleFinders: http://www.peoplefinders.com/manage/
PeopleSmart: https://www.peoplesmart.com/optout-signup
Pipl: https://pipl.com/directory/remove/
PrivateEye: http://secure.privateeye.com/help/default.aspx#26
PublicRecords360: http://www.publicrecords360.com/optout.html
Radaris: http://radaris.com/page/how-to-remove
Spokeo: http://www.spokeo.com/opt_out/new
USA People Search: http://www.usa-people-search.com/manage/default.aspx
TruthFinder.com: https://www.truthfinder.com/opt-out/
Nuwber: https://nuwber.com/removal/link
OneRep: https://onerep.com/optout
FamilyTreeNow: http://www.familytreenow.com/contact

  • While it is hard to get all of the content off, every little bit helps.
  • Ultimately, the challenge to get your data off these sites is an uphill battle because there are hundreds of these sites and most organizers have very little time to do this work.

Paid services for urgent circumstances:

  • In an urgent case of doxing and if you are simply over capacity in terms of your rapid response then consider using a service like Privacy Duck.
  • They are incredible and have been working with activists around the country to scrub their data.
  • There is an activist subsidized rate that can be arranged through Equality Labs.
  • If you feel like you need this and qualify then please e-mail them: equalitylabs@protonmail.com

Also, Privacy Duck share all their free how-to opt-out videos on their YouTube with detailed, step-by-step instructions at: https://www.youtube.com/privacyduckcom

✔ CALL YOUR CREDIT CARDS, CELL PHONE PROVIDER, UTILITIES, AND BANK AND LET THEM KNOW YOU ARE A TARGET.

  • Many times trolls will take the online attacks into the physical world by trying to go after your credit cards, utilities, and bank accounts.
  • They can access these to try to drain your accounts or worse.
  • In a case of raised stakes please call them to let them know you are a target; they can often add an additional layer of security that can help protect you during this time.

✔ INSTALL A VIRTUAL PRIVATE NETWORK (VPN)

A VPN is like a layer between you and the big bad internet (the internet is very big & bad). You should use one.

  • Helps to privatize your network traffic and bypass filtering happening at your internet service provider.
  • It also makes sure that trolls can’t find you by using your IP address.

You can get VPN apps for your phone and also your computer.

  • We recommend Private Internet Access and Vypr VPN, but whatever VPN you use…
  • always read the privacy policy to make sure your service does not sell, store, or share your data and that they will protect it if engaged by the state.

✔ USE THE TOR BROWSER.

A VPN is great because it can offer privacy but only the TOR Browser offers real anonymity.

This is because rather than going through a VPN’s servers, with Tor:

  • your internet traffic is channeled through three random computers
  • the software system is designed and set up so that all the computers distrust each other (no trust needed)

Using Tor…

  • TorProject.org
  • Tor Browser is free and provides real anonymity but does not always load multimedia heavy sites.
  • Try it out and see!
  • We recommend using TOR at least once a day so it becomes part of your daily usage and it won’t be unusual if you have to use it for an urgent situation. (Make privacy normal again :P)

Tor also comes with security downsides:

  • Don’t do your banking etc. over Tor!
  • Do disable JavaScript when using Tor!
  • You can re-enable JavaScript specifically only on httpS (TLS) website connections.

Tor is the only tech that offers real, strong anonymity, but it’s not a tool for everything.

Learn a bit about the tools and know when to use what for what.

Bits of Freedom diagram of how Tor works, showing guard/relay/exit nodes, etc.

✔ INSTALL SIGNAL.

What is it & how’s it work?

  • This secure messaging and voice/video-call app can take the place of text, phone, and e-mail when installed on your phone and computers.
  • It’s a lot like texting or WhatsApp.
  • Install it on your phone first. Available for Android and iPhone.
  • As an extra, verify all the users you are concerned about talking to privately (there is a Verify feature in the app)
  • Additionally you can add Signal Messaging to your desktop, by adding it to your Chrome/Chromium browser (install the extension/add-on)

Go get it

  • Main website (where you can find how to download): Signal.org
  • Handy mini-guide/shameless self-plug: https://medium.com/@sptanager/intro-to-signal-d3bc095a115a

Go get it now. What are you waiting for?

Techy stuff steps/days 3 & 4+

✔ WEAN YOURSELF OFF G-MAIL AND BEGIN USING ENCRYPTED E-MAIL.

G-Mail collaborates with the government on many surveillance programs including the PRISM project. So while Google’s extensive protection will help protect you from individual hackers, there is still the inherent threat that all of the data in your account can be searched and stored on NSA servers with no consent on your part. As a result we recommend that if you are using G-Mail you use a form of encryption like GPG Encryption for Mac or https://gnupg.org for the PC. These are the safest, but setting up your own GPG can be daunting. In that case use encrypted e-mail services like Tutanota or Proton Mail. We like Tutanota because they are open source and Proton Mail because of its use and scalability. Both services embed your encryption key as part of the service, and their interfaces are similar to G-Mail.

✔ FOR SECURE GROUP CONVERSATIONS USE TALKY.IO OR ZOOM.

All other protocols, including FreeConferenceCall, are not secure. This includes Skype, Google Hangouts, and FaceTime. Talky.io is free but can be wonky, while Zoom works but has limited time in its free version. If you are using Zoom make sure you go to the settings and turn on encryption.

✔ CHANGE YOUR PRIVACY SETTINGS ON YOUR SOCIAL NETWORKS.

Visit your privacy settings for Facebook, Twitter, Snapchat, and Instagram, set them to PRIVATE, and block all trolls who already follow you.

FACEBOOK

For All of your Facebook privacy settings you can find them here https://www.facebook.com/help/325807937506242/

Key to change are the following settings.

Post visibility

  • Change your settings so that only your friends can see your current posts.
  • When you want to post something work related as public, set those individual posts as public.
  • Protect past timeline posts by watching this video. How To Video. …link…

Friends lists

  • If you can, review your friends lists.
  • Unfriend all those people who follow you or who are your friends but you can’t remember who they are or maybe vaguely remember some awkward interaction with them.
  • Double check that each of your friends is unique and no one has created accounts with similar names and photos to a real friend in order to access your private friend only communications.

Other stuff

  • Also go through your profile information and make sure your phone number and email are set to be viewed by “only you”.
  • Remove featured photos and/or any information in your “About” section in your profile that you would not want to see appear on doxing sites.
  • This is because a common tactic trolls will do is to take your album photos and spread them across the internet. They will do this to either create a fake profile for you or to make harassing memes or messages about you.
  • Remove your Facebook public photo, and replace it with a generic photo that doesn’t have your actual picture and remove your full birthday (or replace it with inaccurate information).

TWITTER

In your Account settings make sure you have turned on verification of all login requests so you can flag anyone trying to get into your account.

In your Privacy and Safety Settings make sure you turn off Tweet with a location. This prevents you leaking your location through your Twitter statuses.

Turn off photo tagging so that random troll accounts can’t tag you on harassing content or statuses.

Turn off discoverability by e-mail or phone.

If you are concerned about being followed by fake Antifa accounts consider installing an application like Block Together.

  • Through Block Together you can follow trusted collaborators or accounts who begin blocking fake Antifa and other hostile accounts.
  • This is a good practice to build within your own network as you will be able to start to see fake accounts through a pattern of similar messages, bad grammar, or even copy and paste texts.
  • Blocking them collectively ensures you can operate with a greater peace of mind because their goals again are to harass and spread disinformation. Once you have installed Block Together you can subscribe to other users’ lists to spread community resilience.
  • A good one for fake Antifa accounts is the list run by the Twitter handle @antifachecker. You can subscribe to their list here: https://blocktogether.org/show-blocks/UQ_ZPDyCHCygI-EUU_6xLY23sewTWFbPA8k7cCdz .
  • You can also use services like Troll Busters to attack a troll swarm with affirmative messages that can help drown out the abuse. Learn more at http://www.troll-busters.com.

✔ KILL ALL ORPHAN ACCOUNTS.

Remember, trolls are going to use whatever information they have on you online to get into as many of your accounts as they can.

  • Orphan accounts, or accounts you have not used in a long time, can make you vulnerable because
  • if they are using an older password, trolls can try that account’s technical support to
  • get more data about you that
  • they can then try to use for other accounts.

So be on the safe side and shut them down.

✔ USE ALIASES WHEN SIGNING PETITIONS OR SIGN-IN SHEETS FOR MEETINGS.

One of the number one ways people are getting their names on White supremacists’ doxxing lists is through petition websites and sign-in sheets.

Our recommendation is to absolutely not use real names, phone numbers or e-mails for these kinds of activities. When possible, compartmentalize. Use an e-mail that is only used for these activities and that cannot be tied back to your real life details. Additionally, for phone consider using Google Voice or an app like Burner so you do not divulge your personal information. Finally, an alias for these sign-up purposes can be your best protection, because if they don’t know your name, how can they find you?

✔ FINALLY SECURE AND BACK UP YOUR HARDWARE.

This is going to take some time so take a couple of hours and follow the Equality Labs digital security one sheets here:

https://docs.google.com/presentation/d/1rtWqtbY_tVnncCEEEfRXInN1atSjodloBAaJqRICxAg/edit?usp=sharing

Conclusions

OKAY! We know that is a lot. But keep in mind:

  • Digital security is a system.
  • You are creating and implementing it as part of your core skills as an organizer.
  • There is no silver bullet for digital security; it is an awareness and a practice.
  • It gets better with reiteration and with a community committed together to stay safe.
  • The best defense now is a collective one and we are all in it together.

So please stay safe and if you have any urgent questions please contact us at:

  • email: equalitylabs@protonmail.com
  • website at: equalitylabs.org
  • the tweetything: @EqualityLabs