What Sort of Surveillance Tools Do Police Use?

What Sort of Surveillance Tools Do Police Use?

Editor’s note: People who confront the destruction of the planet find a legal system that prioritizes corporations and not uncommonly become the targets of police surveillance. Unless we take precautions, police surveillance tools can uncover our plans and organizational structures—and can contribute to a culture of paranoia that discourages action.

This training, from the Freedom of the Press Foundation, consists of interactive materials for learning what sort of tools law enforcement agencies use against journalists, but the material is practically applicable for organizers as well. We encourage our readers to study this material and consider appropriate countermeasures.


by Freedom of the Press Foundation

The Digital Security Training team at Freedom of the Press Foundation works with news organizations to better protect themselves, their colleagues, and sources by upgrading their security posture. In an environment where journalists are increasingly under attack, experiencing targeted hacking, harassment, and worse, we want to see systemic change in the way news organizations learn about and address their digital security concerns. While journalists come from many professional backgrounds, one place we can most reliably address this need for digital security education systemically is within journalism schools, where students are already learning many of the skills they will need in a contemporary newsroom. We know many programs feel underprepared for education of this kind, so we built this curriculum to better support J-schools’ goals for digital security education.

Below, we have created modules responsive to a variety of digital security topics. We intend for this resource to be used by journalism professors and educators looking for a starting point for digital security education. Ultimately, it’s our hope that by tinkering with these materials, you might take advantage of the parts most useful or inspiring to you, and make this curriculum your own.

Police Surveillance Tools Training

This section on surveillance tools used by law enforcement is discussion focused, and intends to get students to think critically about the relationship between surveillance, privacy, and transparency. It begins with lecture canvassing a variety of law enforcement surveillance technology, based on research from from the Electronic Frontier Foundation. Afterward, the module opens into an activity to investigate surveillance technology used in a location of their choice, followed by a discussion of their interpretation of law enforcement surveillance technologies they’ve discovered.

Prerequisites

Threat modeling
Legal requests in the U.S.

Estimated time

60-70 minutes

Objectives

  • Upon successful completion of this lesson, students will be able to distinguish between technology commonly used by law enforcement to conduct surveillance in physical spaces.
  • Students will be able to identify which of these tools are used in a specific physical location, based on publicly-accessible reporting tools.

Why this matters

The technical capabilities of law enforcement actors may affect journalists’ threat models when conducting work in risky situations. For example, when meeting a sensitive source their location may be tracked through a constellation of surveillance equipment, or their phone numbers and current call or text data may be scooped up when covering protests.

Homework

(Before class)

Sample slides

Credit to Dave Maass and the Electronic Frontier Foundation for these slides, with minor modifications.

Law enforcement surveillance tech (Google Slides)

Activities

Have students open up Atlas of Surveillance and report back for the group with surveillance technology used in a location where they’ve lived in the U.S. (e.g., where their hometown is; the campus).

Questions for discussion

  • In terms of their ability to compromise journalistic work, which one of these technical law enforcement capabilities is most concerning to you? What makes it concerning?
  • If that’s not especially concerning, why is that?
  • Out of respect for peoples’ privacy, are there any issues you think should be “off the table” for journalistic coverage? If so, what are those issues, and why do you think they should be off the table?
  • We often talk about privacy for people, but transparency for institutions. Why the distinction? Are there times when individual actions demand transparency, and when institutions have a meaningful claim to privacy?

This article was first published by the Freedom of the Press Foundation. It is republished under the CC-BY-NC 2.0 license. Banner image: Police training using bodycams via flickr (CC BY-SA 2.0).

Leveraging Ubiquitous Surveillance for Obfuscation

Leveraging Ubiquitous Surveillance for Obfuscation

We live inside a surveillance state that is unparalleled. As exposed in various leaks, the NSA, GCHQ, Chinese government, and other national spy agencies record and store every phone call, text message, email, and other signal that is available to them, then make these records easily searchable in databases cross-referenced with names, locations, buying habits, financial records, etc. We know that these agencies tap in directly to the data centers and undersea cables belonging to telecommunications corporations. And we know that these secret spy agencies are unregulated, operating outside the law and largely without oversight.

The combination of modern cloud computing, ubiquitous surveillance cameras, insecure communications technology, facial recognition, and machine learning has propelled the surveillance apparatus of the state to levels that would have been considered science fiction a decade or two ago. And leaked government documents show that these capabilities are used offensively or pro-actively to spread false information, discredit, intimidate, and cause discord for political opponents.

Indian dissident Arundhati Roy warns that “Our digital coordinates [now] ensure that controlling us is easy. Our movements, friendships, relationships, bank accounts, access to money, food, education, healthcare, information (fake, as well as real), even our desires and feelings—all of it is increasingly surveilled and policed by forces we are hardly aware of.”

There are various ways to resist this state of affairs, including engaging in personal efforts to increase your privacy and security, tackling political and policy change at the national level, and working to dismantle the entire techno-industrial system.

However, this article aims to explore one small way that ubiquitous surveillance can actually be leveraged to increase the security of resistance movements.

Cell Phone Tracking and “Geofencing”

Each time a cell phone connects to a cell tower, its location is logged. This is true for both old school “dumb” phones and smartphones. Modern smartphones exacerbate this issue via GPS tracking and other signals which are transmitted through mobile internet networks and recorded in apps.

So let’s say there was a crime committed. Something serious; an armed robbery, for instance. In a situation like this, one common tools used by law enforcement is called geofencing. This technique involves taking a subpoena to the major internet and telecommunications companies—Verizon, AT&T, Sprint, Apple, Google, etc. This subpoena directs these companies to provide the state with a list of all cell phones recorded within a certain geographic area during a certain time. This geofencing procedure is used to narrow down the list of suspects and is admissible in court.

Geofencing and Obfuscation

I am not advocating that any of you in particular go out and commit crimes. I am advocating for privacy. And the ubiquitous nature of cell phone tracking makes it possible to obfuscate movements relatively easily. A simple example: if someone were about to engage in activity that they wished to keep secret, they could give their cell phone to a trusted accomplice and send them on, for example, a long drive through a rural location—preferably somewhere without cameras. Cell phone location data, which is being constantly recorded by each telecommunications provider, would then provide “false data” on the location of that phone’s owner.

This is a simplified example, but is meant as a starting point to more deeply explore this topic. While the surveillance state is powerful, it is not all-powerful. J.R.R. Tolkien once said that the “one bright spot” of the present world is “the growing habit of disgruntled men of dynamiting factories and power-stations.” Our situation today is similar to the “roving eye of Sauron” in Tolkien’s Lord of The Rings.

They cannot watch us all, not all at once.


Featured image by EFF, licensed under CC BY 3.0.

How to Browse the Internet Anonymously

How to Browse the Internet Anonymously

Anytime you browse the internet, your ISP (Internet Service Provider), government agencies such as the NSA and GCHQ, and most of the websites you visit are tracking everything you do.

This data is often used to generate profiles of individuals preferences, purchasing behavior, travel, habits, etc, then packaged and sold to marketing companies, political advertisers, and other bidders. Politically, internet surveillance is used to suppress resistance movements, identify dissidents, and encourage self-censorship.

Threat Models

Most technological infrastructure globally is controlled by corporations and the government. That means that online security will always be risky. We don’t recommend using the internet for any particularly dangerous purposes. This is not a guide for advanced users, underground activists, or anyone with a high-level threat model.

However, using this method can be useful for any organizer concerned with security and privacy. If you are still considering whether to go underground or stay aboveground, you should take steps to remain anonymous.

What is Tor?

Tor is a volunteer-run service that provides both privacy and anonymity online by masking who you are and where you are connecting. The service also protects you from the Tor network itself—you can have good assurance that you’ll remain anonymous to other Tor users.

For people who might need occasional anonymity and privacy when accessing websites, Tor Browser provides a quick and easy way to use the Tor network.

The Tor Browser works just like a regular web browser. Web browsers are programs you use to view web sites. Examples include Chrome, Firefox, and Safari. Unlike other web browsers, though, the Tor Browser sends your communications through Tor, making it harder for people who are monitoring you to know exactly what you’re doing online, and harder for people monitoring the sites you use to know where you’re connecting from.

Keep in mind that only activities you do inside of Tor Browser itself will be anonymized. Having Tor Browser installed on your computer does not make things you do on the same computer using other software (such as your regular web browser) anonymous.

How to Install Tor

  1. Visit https://torproject.org
  2. Download the appropriate software for your operating system
  3. Follow the instructions to install the software

How to Use Tor

The first time Tor Browser starts, you’ll get a window that allows you to modify some settings if necessary. You might have to come back and change some configuration settings, but go ahead and try to connect to the Tor network by clicking the Connect button.

A new window will open with an orange bar that illustrates Tor Browser connecting to the Tor network.

The first time Tor Browser starts, it might take a long time; but be patient, within a minute or two Tor Browser will open and congratulate you.

You will be greeted by a welcome screen.

Some features of a normal web browser can make you vulnerable to man-in-the-middle attacks. Other features have previously had bugs in them that revealed users’ identities. Turning the security slider to a high setting disables these features. This will make you safer from well-funded adversaries who can interfere with your Internet connection or use new unknown bugs in these features. Unfortunately, turning off these features can make some websites unusable. The default low setting is fine for everyday privacy protection, but you can set it to high if you are worried about sophisticated attackers, or if you don’t mind if some websites do not display correctly.

Finally, browsing with Tor is different in some ways from the normal browsing experience. We recommended reading these tips for properly browsing with the Tor Browser and retaining your anonymity.

Advanced Option: TAILS

A more advanced security option is to use TAILS. TAILS is a live operating system that you can start on almost any computer from a USB stick or a DVD.

It aims at preserving your privacy and anonymity, and helps you to:

  • use the Internet anonymously and circumvent censorship;
    all connections to the Internet are forced to go through the Tor network;
  • leave no trace on the computer you are using unless you ask it explicitly;
  • use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.

You can learn more about using TAILS on their website: https://tails.boum.org/


Portions of this material have been adapted from EFF’s SSD project under the CC BY 3.0 license.

Weaponising Europe’s General Data Protection Regulations

Weaponising Europe’s General Data Protection Regulations

by Liam Campbell

What Is GDPR?

GDPR is a European legal framework intended to protect personal data, provide greater data transparency, and give people greater control over their data. It requires any group that stores or processes data to follow strict policies to ensure security. It also entitles individuals to request personal data reports and deletion, both of which must be completed within 30 days by any group holding the data.

Who does GDPR apply to?

At minimum, GDPR applies to any group or company which stores the data of EU citizens or residents, in practice it applies primarily to data processing entities based in the EU. This can include corporations, political parties, activist groups, and even individuals.

What are the consequences of negligence?

Violation reports are investigated, a warning is usually issued, data may be deleted, data processing may be restricted, and continued violations can result in fines up to €20,000,000 or 4% of revenue, whichever is greater. The consequences are significant enough to even warrant serious concern among large corporations.

What is a personal data request?

Anyone can submit a request for a comprehensive report on any data which relates to them, and these reports must include all data and a list of systems which store or process that data. Requests must be fulfilled in under 30 days. This is relatively easy for big businesses who have invested in compliance software, but intermediate businesses have much more difficulty, and small groups or individuals struggle the most. Processing a data request manually can take 30+ minutes per request because all systems must be checked.

What is a deletion request?

Anyone in the EU can request that their data be deleted from some or all systems. The data must be permanently deleted and all systems must be checked for data. This can also take 30+ minutes to complete per request, depending on the systems.

How do you weaponise GDPR?

Opposition groups and companies which perpetuate ecocide can be easily flooded with GDPR requests. Each individual email address warrants a separate request. If someone has 3 email addresses and a request template, they can consume 1-3 hours of a company, group, or individual’s time and resources by investing a few minutes. If the request is not completed in 30 days, or if the report is incomplete, they can report the offense for investigation. Additionally, any company, group, or individual that does not have GDPR compliant opt-in features and privacy statements can also be reported, even without a 30 day waiting period.

Strategic mass reporting can consume significant resources among medium sized targets, and can be devastating for smaller targets. This is a tactic which requires minimal training, is highly asymmetric, and can be very disruptive when targets are selected intelligently. I recommend identifying candidates like: climate science denial groups, fossil fuel lobbyists, regional oil and gas distributors, politicians, logging companies, and opposition movements.

 

23 Reasons Not to Reveal Your DNA

23 Reasons Not to Reveal Your DNA

Editor’s note: the following is a good reminder why privacy is so important for the average person. Revolutionaries need to take these considerations even more seriously.

via Mozilla / Internet Health Report

Photo “Karyotype” by Can H. (CC BY-NC 2.0).

DNA testing is a booming global business enabled by the internet. Millions of people have sent samples of their saliva to commercial labs in hopes of learning something new about their personal health or heritage, primarily in the United States and Europe. In some places, commercial tests are banned. In France, you could face a fine of around $4,000 USD for taking one.

Industry giants Ancestry.com, 23andMe, MyHeritage and FamilyTreeDNA market their services online, share test results on websites, and even offer tutorials on how to search for relatives in phone directories, or share results in social media. They often also claim rights to your genetic data and sell access to their databases to big pharmaceutical and medtech companies.

In terms of internet health, it’s part of a worrying trend of corporations to acquire personal data about people and act in their own best interests, not yours. OK, so test results can also lead to important discoveries about your personal health, and can also be shared for non-profit biomedical research in the public interest. But before you give in to your curiosity, here are 23 reasons not to reveal your DNA – one for each pair of the chromosomes in a human cell.

  1. The results may not be accurate. Some outputs on personal health and nutrition have been discredited by scientists. One company, Orig3n, misidentified a Labrador Retriever dog’s DNA sample as being human in 2018. As Arwa Mahdawi wrote after taking the test, “Nothing I learned was worth the price-tag and privacy risks involved.”
  2. Heritage tests are less precise if you don’t have European roots. DNA is analyzed in comparison to samples already on file. Because more people of European descent have taken tests so far, assessments of where your ancestors lived are usually less detailed outside of Europe.
  3. Your DNA says nothing about your culture. Genetic code can only tell you so much. As Sarah Zhang wrote in 2016, “DNA is not your culture and it certainly isn’t guaranteed to tell you anything about the places, history and cultures that shaped you.”
  4. Racists are weaponizing the results. White nationalists have flocked to commercial DNA companies to vie for the highest race-purity points on extremist websites.
  5. DNA tests can’t be anonymous. You could jump through hoops to attempt to mask your name and location, but your DNA is an unique marker of your identity that could be mishandled no matter what.
  6. You will jeopardize the anonymity of family members. By putting your own DNA in the hands of companies your (known or unknown) relatives could be identifiable to others, possibly against their wishes.
  7. You could become emotionally scarred. You may discover things you weren’t prepared to find out. A fertility watchdog in the United Kingdom called for DNA testing companies to warn consumers of the risks of uncovering traumatic family secrets or disease risks.
  8. Anonymous sperm and egg donors could become a thing of the past. The likelihood that anonymous donations will remain anonymous decreases with every test taken, which could dissuade donors and negatively affect some families.
  9. Millions are spent on targeted ads to lure you. DNA companies hand out free kits at sporting events, and create DNA specific music playlists on Spotify. In 2016 alone, Ancestry.com spent $109 million on ads. An ad by AncestryDNA capitalized on “Brexit” and British identity politics, with the slogan, “The average British person’s data is 60% European. We may be leaving Europe, but Europe will never leave us.”
  10. A pair of socks is a better gift. You may be tempted by special offers around holidays such as this one, offering 30% off genetic tests for Father’s Day: “What do you share with Dad? This Father’s Day, celebrate your DNA connection with Dad”. Perhaps the man who has everything would prefer not to become your science experiment.
  11. You will become the product. Your genetic code is valuable. Once you opt in to sharing, you have no idea what company gets access to it, nor for what purpose.
  12. Big pharma wants your DNA. 23andMe revealed a $300 million USD deal with pharmaceutical giant GlaxoSmithKline in 2018 that gives them access to aggregate customer data. Calico Life Sciences, a medtech company owned by Google’s parent company, Alphabet, is the primary research partner of Ancestry.com.
  13. Companies can change their privacy policies. You might be asked to give your consent again, but policies of companies can still change in ways you may not like.
  14. A company (and your DNA) can change hands. Companies are bought, sold, go out of business or change their business models. And then what happens with your genetic info?
  15. Destructing your DNA can be difficult. An investigation into how to delete your DNA from Ancestry.com found that it is possible to erase your record and allegedly even destroy your physical sample. But they don’t make it easy.
  16. You have no idea how long they will keep your sample. Some companies say they keep samples for 1-10 years. Regulations governing DNA databases differ from country to country. Do you know the rules where you live?
  17. Police can access your DNA. There’s crime solving potential, but also human rights risks. Authorities can seek court approval to access consumer DNA databases, but investigators have also been known to create fake profiles using a suspect’s DNA.
  18. Your results could become part of a global database. Law enforcement in several countries have unrestricted access to genetic profiles. Some scientists argue that creating a “universal genetic forensic database” would be the only way to make unwanted intrusion less likely through regulation.
  19. Your data could be hacked, leaked or breached. Third party sharing is common practice among companies. The more people have access to your DNA, the more vulnerable it is to being hacked. As companies amass more data, they will become increasingly attractive to criminals and vulnerable to cyber theft.
  20. Genes can be hacked. Scientists have discovered how to store data and even animated GIFs in DNA, and even believe malware could be placed in DNA to compromise the security of computers holding databases. Still trust them?
  21. You are signing away rights. When you use services like AncestryDNA the default agreement is to let them transfer your genetic information to others, royalty-free, for product development, personalized product offers, research and more.
  22. Companies profit from your DNA. Testing isn’t the only way companies make money. They profit from data sharing agreements with research institutes and the pharmaceutical industry. If your DNA helps develop a cure for a disease, you’ll never know. And you certainly won’t earn royalties from any related drug sales.
  23. You may be discriminated against in the future. In the United States, health insurers and workplaces are not allowed to discriminate based on DNA. But the law does not apply to life insurance or disability insurance. Who knows in your case, where you live? Some day you could be compelled to share genetic information with your own insurer.

If you still decide to submit your DNA for testing, the U.S. Federal Trade Commission offers sound advice to consumers: compare privacy policies before you pick a company, choose your account options carefully, recognize the risks, and report any concerns to authorities. To counteract the dominance of commercial companies, you can also contribute your data to non-profit research repositories like All of Us or DNA.Land that are open to public scrutiny.

If you regret a choice you made in the past, you could have your DNA data deleted and request that your sample be destroyed. Consumer DNA testing is an example of why strong data protection laws are so important. In Europe, the General Data Protection Regulation (GDPR) offers some protections, but elsewhere you have few rights when you hand over sensitive data.