403: FORBIDDEN V 2.1.0
By Alex Wieder
If the first and second rules of fight club are “don’t talk about fight club”, then the first and second ways to guarantee information security while protesting are “don’t bring your mobile devices to a protest”. Done.
Mobile devices are capable of informing the authorities of your or others’ whereabouts, implicating you or others of unlawful behavior in photographs or videos, and offering a potential treasure trove of information if breached, hacked, or stolen. As we saw in the previous installment, something as benign as your browsing history can be weaponized, and in cities like Chicago the authorities are monitoring your social media habits as well.
However this is the age of immediacy, where internet access has become a necessary utility for countless functions of daily life. For all of their potential vulnerabilities, mobile devices are some of your most powerful tools for protesting. Though impractical, it may seem like the only way to be truly secure is to leave your devices at home. Instead of preaching abstinence, the better question to ask is,what can you do to protect yourself when it’s actually time to use them?
***
THE IDEAL SCENARIO
The very first thing I recommend, long before ever leaving for a protest (or your home for groceries for that matter) is to make sure you have your lock screen PIN activated. You’d be surprised how many people don’t have this simple barrier turned on! Some may feign ignorance while others desire speed, but the risk is too great to continue leaving your device vulnerable in this way. For those of you who do use a PIN passcode, there’s a catch: you must also turn OFF biometric access.
Biometrics put simply, are measurements and movements of the body that are related to human characteristics. Colloquially speaking, they are body-specific credentials, like your fingerprint or your facial structure, which can be used to login to your devices or track your presence. They may be called FaceID, TouchID, Android Fingerprint, but they all do the same thing in different ways. I admit that it’s really convenient to touch your thumb to your phone, or hold it up to your face to access things like text messages or apps in a fraction of a second, but it also allows the authorities to do the same. Police can hold your device up to your face to open it, or have you touch the fingerprint scanner, but they can’t force you to give up your PIN. In addition, I highly recommend making use of at least a 6-digit PIN for increased security, as this is significantly harder to guess than 4 digits or less.
Turning off biometric access is critical, but only prevents access from the exterior of the device. Turning your device on in the first place starts an instantaneous series of processes, which need to be dealt with BEFORE leaving for the protest. Upon startup, alongside loading the operating system, your device will attempt to connect to cellular data, local WiFi, and turn on its GPS to receive and send its position for various applications, all before you even get through the lock screen to type, call, or post anything.
It only takes those few connections to let anybody around know your whereabouts and intercept information - whether it’s the authorities, your cellular provider, or others with malicious intent. Make sure to turn on Airplane Mode before leaving for the protest, and make doubly sure that cellular, Bluetooth, and WiFi are all deactivated when Airplane Mode is turned on. Equally important, make sure to turn off Location Services. If not turned off, your device will still be emitting a GPS signal even if the application you’re using doesn’t need it. Some Airplane Mode implementations will do this automatically, while others don’t, and it may be variable depending on what applications you’re interacting with, or the particulars of your OS. The only way to guarantee nobody can see your physical whereabouts is to disable location services completely.
Make sure to tape over or block your camera(s) until you plan on using them, and cover them back up immediately thereafter, since the same threats that plague the webcam on your computer are just as present with mobile devices. A sturdy, shock resistant phone case is helpful to prevent damage with drops and dings, and I highly recommend keeping a rechargeable backup battery with you, to keep your devices going in case of emergency or frequent use.
While it may be inconvenient, these precautions guarantee that you won’t have any outgoing transmissions on startup, or while using your device at all, unless you choose to activate them at your discretion.
***
REALISTIC DEVICE USAGE
If you’re bringing a mobile device to a protest, it’s probably because you intend to use it. The ideal scenario of perfect data blockage and devices left off entirely is a fever dream, especially in more chaotic situations. You may need to contact others via call or text, want to capture images and videos of solidarity and/or police brutality, or call a ride if public transit isn’t an option. No matter what you’re doing, always be considerate of time. The longer you’re connected to cellular, WiFi, GPS, etc. the more information you’re potentially giving up, and in the case of Location Services, you may be leaving a traceable trail of your whereabouts. When you do have to use mobile devices, make sure to keep your activity short, and turn off the requisite services immediately after you’re done using them. Any of the aforementioned uses can pose a realistic threat to your cybersecurity, and there are a variety of applications and measures to mitigate security threats.
PHYSICAL BARRIER
Shy of turning everything off entirely, and fumbling through menus to reactivate the services you need to use, you can instead place your device in a faraday bag. These unassuming black bags block any wireless signals from leaving or entering the bag itself. Once the device is inside, and sealed shut, no signals of any kind - whether WiFi, Cellular, Bluetooth, RFID, NFC, etc - can escape it. Sizes range from smartphone to laptop, and many are designed to carry multiple devices at once. Place your device(s) inside and they’re in a digital blackout, take them out and they can send and receive signals as usual. If you choose the faraday bag route, I still recommend leaving airplane mode on as a good backup and best practice, since it takes nothing more than removing the device to open devices to vulnerability.
INTERNET BROWSING
There are a few key strategies for keeping information secure while browsing. For starters, firewalls should be on and active whenever possible to filter traffic and keep unwanted users from accessing your devices. Using a VPN or the TOR browser are definitely recommended, if you plan to access the internet, since they will use various methods of encryption to ensure your information is safe. While VPNs tend to have compatibility across most devices, TOR hasn’t created a browser for iOS (yet). That being the case, I recommend the TOR browser for Android users, and Onion Browser for Apple users, which are one in the same. Check out the previous installation for a deeper explanation and more information about internet cybersecurity.
MESSAGING AND COMMUNICATION
Signal is an incredibly secure encrypted messaging service. While it’s a good idea to use it regardless of your messaging needs, it’s especially important when sharing sensitive information, as the messages are end-to-end encrypted. This means the service itself never gets to see your messages, let alone anybody but the recipient. Signal can never be stiff-armed by the authorities to give up your messages, and technically they don’t have any record of messages ever existing. Equally important, the messaging data itself is stored locally on your device instead of a server or the cloud, the latter of which is more prone to hacking and bound by a company’s privacy policy. You even have the ability to send “view once” photos and videos, to prevent sensitive leaks, and you can set messages to disappear or have them automatically delete from all devices involved after a certain period of time.
Text messaging is an important tool, but some prefer voice to text when it comes to rapid communication. Bridgefy is a walkie-talkie style app that uses Bluetooth instead of cellular or WiFi, and has a range of 330 feet. While this won’t connect people across a city, it can keep small groups in communication, especially in a march or protest environment. Bluetooth does have encryption built-in as part of the protocol, but it isn’t infallible. It’s advised to turn off Bluetooth immediately when not in use, and to “forget” devices you won’t be using.
PHOTOS & VIDEOS
Photographs and videos are commonplace at protests both to document solidarity as well as acts of police brutality. While some may opt for a dedicated camera for the job, the vast majority of media captured comes from mobile devices. Accessing your device’s camera can be a risky activity since it combines your device being at a distance from your person, and unlocking your device to use an application. A regularly overlooked feature of most mobile devices is their ability to access the camera without unlocking it. If you’re an Android user, this can be done by swiping up on the camera logo on the lock screen, and if you’re an Apple user you’ll just swipe your lock screen to the left. While it may be tempting to review your images on the spot, I recommend leaving that until you’re home and keep your device locked whenever possible.
CELLULAR DATA
You should try to limit your cellular data usage whenever possible, unless you’re making emergency calls or messaging with Signal. Cellular data has very little protection, and the companies that govern your cell plan will give detailed records to the authorities when subpoenaed or warranted. This includes both incoming and outgoing calls,their duration and recipients, websites visited through your cellular data connection, and even records of and the content in text messages, which may be kept for weeks, months, or years depending on your provider. Some of that information can be taken by authorities without a warrant or subpoena depending on the jurisdiction, and the age of the information itself.
Another threat to your cellular data is through the use of stingrays. Stingrays are devices that mimic cell towers, designed to intercept cellular signals of devices that connect to it. They send out signals to trick mobile devices into giving up their location information, and can give up information about nearby devices as well. The real danger here is that you won’t know if it happens to you; your device will act normally and there won’t be any error messages that appear, just a free flowing stream of information to the stingray itself. The ACLU reports that “Law enforcement agencies all over the country possess Stingrays, though their use is often shrouded in secrecy”, and it’s not a stretch to believe that the authorities are using them across America during protests.
Of course if using cellular data is a necessary action never hesitate to use it, especially in an emergency situation to contact those who can help you.
***
Public Surveillance
There are countless surveillance nodes throughout any municipality, from the bold and flashy “police cameras” and red light cameras, to the private security cameras keeping watch over homes and businesses. Even unassuming doorbell camera services like Arlo and Ring may be active before and after the button press, sharing the live feed with the companies themselves as well as the local authorities. Thinking that being caught on a police officer's body or dashboard mounted camera are the only threats is foolish, both because countless police officers don’t even turn them on, if they’re even wearing them, and the plethora of additional surveillance sources are just as capable of tracking someone biometrically.
Facial recognition software can be used on both videos and images, old and new. For any Apple device users out there, take a look at your Photos application. You’ll see your albums, as well as a section called “People and Places”. This is Apple’s facial recognition software skimming through your photos looking for faces that look alike, and allowing you to point them out in specific images. While the benign application could be really helpful, like finding all of the photos taken with your partner, the application could be just as harmful if used in the wrong manner. Places albums use geotagging to associate images with a specific place at a specific time, which can again implicate you with images and actions captured if used as evidence in court.
Facial coverings have become an integral part of fighting the spread of COVID-19, and should be used in day-to-day activities as well as mass protests for this reason alone. They also offer the protestor a form of shielding from biometric tracking, as they distort one’s facial features and make it difficult or impossible for programs to associate your image with your person. The very same goes for eye coverings such as sunglasses, goggles, safety glasses, or any other obscuring paraphernalia.
Tattoos, piercings, or other notable features should be covered or distorted as well, since these are also used by biometric tracking software. The same goes for easily identifiable logos and slogans on clothing - anything that can be used to pinpoint you specifically. Personally, I’m easy to spot due to my particular hair style, which could be used against me if captured in photograph or video. Wearing hats, changing hairstyles, nondescript clothing, covering tattoos, and removing piercings may not seem like cybersecurity principles, but these are all variables impacting surveillance and therefore safety.
***
ARREST or DETAINMENT
I hope this doesn’t happen to you, but our government is taking increasingly aggressive action against protestors which includes the possibility of being detained or arrested. There are plenty of resources for what to do from a legal standpoint if arrested while protesting from resources like the national chapter of the ACLU, your local ACLU chapter, or organizations like First Defense Legal Aid (1-800-LAWREP4), but not so many when it comes to protecting your mobile device’s information.
In the ideal situation that your device is off, the arresting officer can do nothing with it, but that probably won’t be the case. If your device does happen to be on, having your biometric access disabled and your PIN activated is the greatest security between an officer and your device, as they cannot force you to open your device via your PIN. Some states have prohibited police from being able to force the use of biometric access, but frankly when it comes down to you and the officer anything is possible. Keep your passwords long and your biometrics off and your device should be reasonably secure.
If you’re worried about particularly sensitive information getting leaked, some device operating systems do have the ability to wipe a device remotely. Apple’s “Find My” app can use other Apple devices or even a web browser to locate, and effectively wipe a phone and its data remotely, as goes for the Android Device Manager. Both of these services will require you to have Location Services turned on, and connected to WiFi or Cellular Data, which may not be the case for you. It’s still a good tool to have in your back pocket, just in case you can make use of it.
***
Now that we’ve covered general cybersecurity and protest-specific threats, the next installation will dive into managing the information you’ve captured during said protests and how to disseminate them without implicating yourself, or others involved.
We’ll discuss both cloud and physical information storage, the power of metadata and why you should scrub it, safely sharing information for organizing purposes, and keeping your information safe regardless of how you choose to make use of it.