Get Started With Online Privacy in 2022

Get Started With Online Privacy in 2022

by | Jan 21, 2022 | Movement Building & Support, Strategy & Analysis

Editor’s note: Online privacy is an essential layer of self-defense and security in our modern internet-driven world. This issue can be confusing and overwhelming. This article is aimed at beginners, and will provide a starting point for you to consider these issues and improve your security.

Why should I care about online privacy?

“I have nothing to hide. Why should I care about my privacy?”

Much like the right to interracial marriage, woman’s suffrage, and freedom of speech, we didn’t always have the right to privacy. Generations before ours fought for our right to privacy. Privacy is a human right inherent to all of us, that we are entitled to without discrimination.

But despite this, governments and corporations around the world regularly abuse our right to privacy for profit and power.

What should I do?

First, you need to make a plan.

Trying to protect all your data from everyone all the time is impractical, expensive, and exhausting. But, don’t worry! Security is a process, and by thinking ahead you can put together a plan that’s right for you. Security isn’t just about the tools you use or the software you download. Rather, it begins with understanding the unique threats you face, and how you can counter them.

Your Security Plan

Trying to protect all your data from everyone all the time is impractical and exhausting. But, have no fear! Security is a process, and through thoughtful planning, you can put together a plan that’s right for you. Security isn’t just about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats.

In computer security, a threat is a potential event that could undermine your efforts to defend your data. You can counter the threats you face by determining what you need to protect and from whom you need to protect it. This is the process of security planning, often referred to as “threat modeling.”

This guide will teach you how to make a security plan for your digital information and how to determine what solutions are best for you.

What does a security plan look like? Let’s say you want to keep your house and possessions safe. Here are a few questions you might ask:

What do I have inside my home that is worth protecting?

  • Assets could include: jewelry, electronics, financial documents, passports, or photos

Who do I want to protect it from?

  • Adversaries could include: burglars, roommates, or guests — as well as government or corporate agents.

How likely is it that I will need to protect it?

  • Does my neighborhood have a history of burglaries? How trustworthy are my roommates/guests? Am I involved in risky political activity? What are the capabilities of my adversaries? What are the risks I should consider?

How bad are the consequences if I fail?

  • Do I have anything in my house that I cannot replace? Do I have the time or money to replace these things? Do I have insurance that covers goods stolen from my home? Will our movement be harmed if the information or digital files I have are seized?

How much trouble am I willing to go through to prevent these consequences?

  • Am I willing to buy a safe for sensitive documents? Can I afford to buy a high-quality lock? Do I have time to open a security box at my local bank and keep my valuables there? Can I use encryption to protect my files?

Once you have asked yourself these questions, you are in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you’ll want to get the best lock on the market, and consider adding a security system.

The risk that something bad might happen, and the potential level of harm should it happen, should both be taken into account.

Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries’ capabilities, along with the likelihood of risks you face.

How do I make my own security plan? Where do I start?

Security planning helps you to identify what could happen to the things you value and determine from whom you need to protect them. When building a security plan, answer these five questions:

  1. What do I want to protect?
  2. Who do I want to protect it from?
  3. How bad are the consequences if I fail?
  4. How likely is it that I will need to protect it?
  5. How much trouble am I willing to go through to try to prevent potential consequences?

Let’s take a closer look at each of these questions.

What do I want to protect?

An “asset” is something you value and want to protect. In the context of digital security, an asset is usually some kind of information. For example, your emails, contact lists, passwords and access to websites, instant messages, discussion forums, notes, plans, location, and files are all possible assets. Your devices may also be assets.

Make a list of your assets: data that you keep, where it’s kept, who has access to it, and what stops others from accessing it.

Who do I want to protect it from?

To answer this question, it’s important to identify who might want to target you or your information. A person or entity that poses a threat to your assets is an “adversary.” Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.

Make a list of your adversaries, or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.

Depending on who your adversaries are, under some circumstances this list might be something you want to destroy after you’re done security planning.

How bad are the consequences if I fail?

There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.

The motives of adversaries differ widely, as do their tactics. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.

Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

Write down what your adversary might want to do with your private data.

How likely is it that I will need to protect it?

Risk is the likelihood that a particular threat against a particular asset will actually occur. It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.

It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).

Assessing risks is both a personal and a subjective process. Many people find certain threats unacceptable no matter the likelihood they will occur because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don’t view the threat as a problem.

Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.

How much trouble am I willing to go through to try to prevent potential consequences?

There is no perfect option for security. Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy.

For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a family member who regularly emails funny cat videos.

Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.

Security planning as a regular practice

Keep in mind your security plan can change as your situation changes. Thus, revisiting your security plan frequently is good practice.

Create your own security plan based on your own unique situation. Then mark your calendar for a date in the future. This will prompt you to review your plan and check back in to determine whether it’s still relevant to your situation.

Specific online privacy tools, methods, and apps

From here, you can start to consider and put in place specific protective measures. These might include things like:

  • Shredding or burning old notes and files.
  • Using a password manager and ensuring that your passwords are unique and strong.
  • Enabling encryption on your phone, tablet, computer, and any other devices you own.
  • Removing unused apps from your phone, tablet, or computer, and checking which apps have permission to access which features.
  • Using a privacy-oriented web browser, such as Firefox, rather than Google Chrome.
  • Use more-secure communication tools such as Signal, Wire, Protonmail, Tutanota, etc. rather than regular email, text messages, and phone calls.
  • Enable end-to-end encryption if you use Zoom, or try a Zoom alternative such as Jitsi.
  • Stop using non-private services such as Google Drive and Dropbox with end-to-end encrypted alternatives such as Skiff, Tresorit, Sync, and Cryptpad.

This article has been assembled from a mix of sources including the Electronic Frontier Foundation, PrivacyGuides.org, and our own knowledge here at the Deep Green Resistance News Service. We will publish additional guides on this topic in the future. This article is published under the Creative Commons-Share Alike Attribution 4.0 license.

How Modern Video Surveillance Works

How Modern Video Surveillance Works

by | Nov 30, 2020 | Repression at Home

By Dave Maass and Matthew Guariglia / November 19, 2020 / Electronic Frontier Foundation

A few years ago, when you saw a security camera, you may have thought that the video feed went to a VCR somewhere in a back office that could only be accessed when a crime occurs. Or maybe you imagined a sleepy guard who only paid half-attention, and only when they discovered a crime in progress. In the age of internet-connectivity, now it’s easy to imagine footage sitting on a server somewhere, with any image inaccessible except to someone willing to fast forward through hundreds of hours of footage.

That may be how it worked in 1990s heist movies, and it may be how a homeowner still sorts through their own home security camera footage. But that’s not how cameras operate in today’s security environment. Instead, advanced algorithms are watching every frame on every camera and documenting every person, animal, vehicle, and backpack as they move through physical space, and thus camera to camera, over an extended period of time.

The term “video analytics” seems boring, but don’t confuse it with how many views you got on your YouTube “how to poach an egg” tutorial. In a law enforcement or private security context, video analytics refers to using machine learning, artificial intelligence, and computer vision to automate ubiquitous surveillance.

Through the Atlas of Surveillance project, EFF has found more than 35 law enforcement agencies that use advanced video analytics technology. That number is steadily growing as we discover new vendors, contracts, and capabilities. To better understand how this software works, who uses it, and what it’s capable of, EFF has acquired a number of user manuals. And yes, they are even scarier than we thought.

Briefcam, which is often packaged with Genetec video technology, is frequently used at real-time crime centers. These are police surveillance facilities that aggregate camera footage and other surveillance information from across a jurisdiction. Dozens of police departments use Briefcam to search through hours of footage from multiple cameras in order to, for instance, narrow in on a particular face or a specific colored backpack. This power of video analytic software would  be particularly scary if used to identify people out practicing their First Amendment right to protest.

Avigilon systems are a bit more opaque, since they are often sold to business, which aren’t subject to the same transparency laws. In San Francisco, for instance, Avigilon provides the cameras and software for at least six business improvement districts (BIDs) and Community Benefit Districts (CBDs). These districts blanket neighborhoods in surveillance cameras and relay the footage back to a central control room. Avigilon’s video analytics can undertake object identification (such as whether things are cars and people), license plate reading, and potentially face recognition.

You can read the Avigilon user manual here, and the Briefcam manual here. The latter was obtained through the California Public Records Act by Dylan Kubeny, a student journalist at the University of Nevada, Reno Reynolds School of Journalism.

But what exactly are these software systems’ capabilities? Here’s what we learned:

Pick a Face, Track a Face, Rate a Face

Instructions on how to select a face

If you’re watching video footage on Briefcam, you can select any face, then add it to a “watchlist.” Then, with a few more clicks, you can retrieve every piece of video you have with that person’s face in it.

Briefcam assigns all face images 1-3 stars. One star: the AI can’t even recognize it as a person. Two stars: medium confidence. Three stars: high confidence.  

Detection of Unusual Events

A chart showing the different between the algorithms.

Avigilon has a pair of algorithms that it uses to predict what it calls “unusual events.”

The first can detect “unusual motions,” essentially patterns of pixels that don’t match what you’d normally expect in the scene. It takes two weeks to train this self-learning algorithm.  The second can detect “unusual activity” involving cars and people. It only takes a week to train.

Also, there’s “Tampering Detection” which, depending on how you set it, can be triggered by a moving shadow:

Enter a value between 1-10 to select how sensitive a camera is to tampering Events. Tampering is a sudden change in the camera field of view, usually caused by someone unexpectedly moving the camera. Lower the setting if small changes in the scene, like moving shadows, cause tampering events. If the camera is installed indoors and the scene is unlikely to change, you can increase the setting to capture more unusual events.

Pink Hair and Short Sleeves

With Briefcam’s shade filter, a person searching a crowd could filter by the color and length of items of clothing, accessories, or even hair. Briefcam’s manual even states the program can search a crowd or a large collection of footage for someone with pink hair.

In addition, users of BriefCam can search specifically by what a person is wearing and other “personal attributes.” Law enforcement attempting to sift through crowd footage or hours of video could search for someone by specifying blue jeans or a yellow short-sleeved shirt.

Man, Woman, Child, Animal

BriefCam sorts people and objects into specific categories to make them easier for the system to search for. BriefCam breaks people into the three categories of “man,” “woman,” and “child.” Scientific studies show that this type of categorization can misidentify gender nonconforming, nonbinary, trans, and disabled people whose bodies may not conform to the rigid criteria the software looks for when sorting people. Such misidentification can have real-world harms, like triggering misguided investigations or denying access.

The software also breaks down other categories, including distinguishing between different types of vehicles and recognizing animals.

Proximity Alert

In addition to monitoring the total number of objects in a frame or the relative size of objects, BriefCam can detect proximity between people and the duration of their contact. This might make BriefCam a prime candidate for “COVID-19 washing,” or rebranding invasive surveillance technology as a potential solution to the current public health crisis.

Avigilon also claims it can detect skin temperature, raising another possible assertion of public health benefit. But, as we’ve argued before, remote thermal imaging can often be very inaccurate, and fail to detect virus carriers that are asymptomatic.

Public health is a collective effort. Deploying invasive surveillance technologies that could easily be used to monitor protestors and track political figures is likely to breed more distrust of the government. This will make public health collaboration less likely, not more.

Watchlists

One feature available both with Briefcam and Avigilon are watchlists, and we don’t mean a notebook full of names. Instead, the systems allow you to upload folders of faces and spreadsheets of license plates, and then the algorithm will find matches and track the targets’ movement. The underlying watchlists can be extremely problematic. For example, EFF has looked at hundreds of policy documents for automated license plate readers (ALPRs) and it is very rare for an agency to describe the rules for adding someone to a watchlist.

Vehicles Worldwide

Often, ALPRs are associated with England, the birthplace of the technology, and the United States, where it has metastasized. But Avigilon already has its sights set on new markets and has programmed its technology to identify license plates across six continents.

It’s worth noting that Avigilon is owned by Motorola Solutions, the same company that operates the infamous ALPR provider Vigilant Solutions.

Conclusion

We’re heading into a dangerous time. The lack of oversight of police acquisition and use of surveillance technology has dangerous consequences for those misidentified or caught up in the self-fulfilling prophecies of AI policing.

In fact,  Dr. Rashall Brackney, the Charlottesville Police Chief, described these video analytics as perpetuating racial bias at a recent panel. Video analytics “are often incorrect,” she said. “Over and over they create false positives in identifying suspects.”

This new era of video analytics capabilities causes at least two problems. First, police could rely more and more on this secretive technology to dictate who to investigate and arrest by, for instance, identifying the wrong hooded and backpacked suspect. Second, people who attend political or religious gatherings will justifiably fear being identified, tracked, and punished.

Over a dozen cities across the United States have banned government use of face recognition, and that’s a great start. But this only goes so far. Surveillance companies are already planning ways to get around these bans by using other types of video analytic tools to identify people. Now is the time to push for more comprehensive legislation to defend our civil liberties and hold police accountable.

To learn more about Real-Time Crime Centers, read our latest report here

Republished under the Creative Commons Attribution License.

Introduction to Security Codes

Introduction to Security Codes

by | Jul 24, 2020 | Direct Action, Movement Building & Support

This article introduces a basic guide of generally accepted “security codes” for movements which can be applied in a variety of direct action, protest, and event situations.

More articles related to security can be accessed here. These include topics like physical security for events, operational security, geolocation and tracking and many more.

By Max Wilbert

Activists and revolutionaries will often find themselves in situations that are dangerous for a variety of reasons. Whether we are engaged in protest, events, or direct actions, we need to protect our community, our mission, and ourselves. That is why we endeavor to teach security training to everyone in our community.

Security falls into a number of domains. We must protect information using security culture, digital security, and other “infosec” techniques. We must protect relationships and organizations using vetting procedures, gradual building of trust, compartmentalization, and so on. And we must protect ourselves physically by learning self-defense techniques and being prepared for the situation we find ourselves in.

This article is proposing a set of generally accepted “security codes” for the movement that can be applied in a variety of situations. These protocols refer to the accepted or established code of procedure or behavior in any group, organization, or situation. By having a set of generally known and accepted protocols, we can:

  1. Minimize confusion;
  2. Build competency in security techniques; and
  3. Avoid wasting time and energy repeating information to large groups of people

Here we propose a basic 3-part code that varies between low-risk, medium-risk, and high-risk situations. These basic protocols should be considered a baseline and can be adapted to offensive and defensive situations.

Code Green (Low Risk)

This protocol should be applied in situations when no risks are expected. For example, private events held on friendly territory may be a “green” situation. However, in keeping with developing a general security culture, some precautions should still be taken.

  • Mission specific considerations and equipment
  • Maintain situational awareness
  • Maintain basic security culture precautions
  • Basic health and safety considerations: food, water, first aid kit
  • EDC (Everyday Carry)
  • Practical clothing
  • Communications: may be open, depending on the circumstances. Using secure communications is always recommended, but not crucial.

Code Yellow (Medium Risk)

This protocol should be applied in situations when there is an elevated potential for risk. For example, a public protest or event may be a code yellow situation. In a code yellow situation, information should be treated more carefully.

  • All of the above, plus:
  • Conduct a security analysis prior to the event/action, then brief your team on findings
  • Designate a security team and prepare for possible threats
  • Consider creating an Operations Order and formalizing roles
  • Use encrypted communications and minimize information leakage
  • For offensive operations, use TOR and secure research methods. Leave cell phones at home or place in a faraday bag.

Code Red (High Risk)

This protocol should be applied in situations when there is certainty of high risk. For example, a serious direct action or defensive action when you expect serious forms of repression would be a code red situation.

  • All of the above, plus:
  • Full Operations Order and briefing prior to action
  • Additional formal roles, such as leader or leadership group, medic, logistics, etc. (mission specific)
  • Consider additional protective clothing if there is a possibility of being hurt
  • Compartmentalize information on a need-to-know basis
  • All communications via secure channel or face-to-face

This is basic guide that can be adapted to a variety of situations. Feedback is welcome and this material will be updated over time.

Physical Security for Events / Actions

Physical Security for Events / Actions

by | Jul 14, 2020 | Culture of Resistance, Direct Action, Movement Building & Support, Strategy & Analysis

Vigilante, paramilitary, and state violence against resistance movements is on the rise. Around the world, regressive forces are violently resisting social movements for justice and sustainability, or using intimidation to create fear. Our movements must prepare for this.

This post includes a training on how to protect protests, events, and locations from violent attacks and disruption. The training is delivered by Ahjamu Umi of the All-African People’s Revolutionary Party. It was originally hosted by the Rural Organizing Project and published on 10th June 2020.

Ahjamu reminds us that “coming together is out best strength.” He says that the best deterrent for problems is ‘presence’ and starts by explaining how important is to get a team together, organized, and prepared before events. The training covers:

  • The proper ratio of security:participants
  • The psychology of security
  • Conflict de-escalation
  • Ensuring building safety
  • The centrality of community
  • Wargaming, training, and scenarios
  • Importance of communication

Featured image by Marcello Casal Jr/ABr. Creative Commons Attribution 3.0 Brazil.

How Covert Agents Infiltrate the Internet to Manipulate, Deceive, and Destroy Reputations

How Covert Agents Infiltrate the Internet to Manipulate, Deceive, and Destroy Reputations

by | Jun 29, 2020 | Repression at Home

This story is dated from 2014, but still provides a critical insight into the operations of federal intelligence agencies to discredit and disrupt social movements. We recommend activists and revolutionaries carefully study this information.

By Glenn Greenwald / The Intercept

One of the many pressing stories that remains to be told from the Snowden archive is how western intelligence agencies are attempting to manipulate and control online discourse with extreme tactics of deception and reputation-destruction. It’s time to tell a chunk of that story, complete with the relevant documents.

Over the last several weeks, I worked with NBC News to publish a series of articles about “dirty trick” tactics used by GCHQ’s previously secret unit, JTRIG (Joint Threat Research Intelligence Group). These were based on four classified GCHQ documents presented to the NSA and the other three partners in the English-speaking “Five Eyes” alliance. Today, we at the Intercept are publishing another new JTRIG document, in full, entitled “The Art of Deception: Training for Online Covert Operations.”

By publishing these stories one by one, our NBC reporting highlighted some of the key, discrete revelations: the monitoring of YouTube and Blogger, the targeting of Anonymous with the very same DDoS attacks they accuse “hacktivists” of using, the use of “honey traps” (luring people into compromising situations using sex) and destructive viruses. But, here, I want to focus and elaborate on the overarching point revealed by all of these documents: namely, that these agencies are attempting to control, infiltrate, manipulate, and warp online discourse, and in doing so, are compromising the integrity of the internet itself.

Read the rest of the article on The Intercept.

Further Resources

Featured image: NSA headquarters in Fort Meade, Maryland.