On this episode of the Green Flame, we speak with Claude Marks, former political prisoner and activist, director of the Freedom Archives, about COINTELPRO and state repression of revolutionary movements. We hear from Will Falk, activist, radical movement lawyer and writer, about security culture. And for our skill, we focus on operational security. This show also includes a poem by Sekou Kambui, and music by Dead Prez and Beth Quist.
“We know now that people like Martin Luther King Jr. were under constant surveillance including plots and attempts to create so much chaos in their lives that they [are] destabilized emotionally with intent”. — Claude Marks
“It’s really important that people not think of law or Security Culture as this bulletproof vest that you can put on that is going to keep you completely safe”. — Will Falk
The Green Flame is a podcast of Deep Green Resistance. You can find episodes on the DGR News Service, as well as on Apple Podcasts, Google Play, Stitcher, and wherever else you listen to podcasts.
Those in power do not hesitate to assault, imprison, torture, and sometimes murder those who fight capitalism, patriarchy, racism, the murder of the planet, and other elements of global empire.
In order to do this, they need information. State agencies, private military corporations, investigators, and far-right reactionaries want to gather as much information on revolutionaries as possible. The information they want includes where you live, who you associate with, where you go, where you work, and more.
Protection of information is therefore critical to survival and effectiveness of resistance movements. This becomes even more important when you’re engaged in high-risk revolutionary work and direct action.
Militaries around the world use a procedure called operational security (OPSEC) to protect important information. While I am opposed to all imperialist militaries, we can and should learn from our adversaries. Therefore, I am writing this article to help keep you safe and make you more effective.
What is OPSEC?
OPSEC is defined as “the protection of information that, if available to an adversary, would be detrimental to you/your mission.” Implementing OPSEC is essential for revolutionaries and activists, and can also be valuable for many other people, including:
Women facing stalking, sexual violence, or abuse
Immigrants seeking to avoid persecution, detention, and deportation
People of color threatened by racist persecution and violence
Prominent individuals facing doxing and harassment
The 5-step OPSEC process
In Army Regulation 530-1, the US military defines a 5-step process for operational security. This procedure should be studied and implemented by all activists and revolutionaries. In fact, we should practice OPSEC at all times, in all situations. Rather than fostering paranoia, this allows us to ensure maximum safety based on a realistic assessment of threats and vulnerabilities.
Step 1: Identify the information you want to protect
The first step in the OPSEC procedure is the simplest. Determine which information you want to protect. This may include:
Plans
Procedures
Relationships
Locations
Timing
Communications
Purchases
Step 2: Analysis of threats
The second step is to develop a “threat model.” In other words, determine who you need to protect this information from, and what their capabilities are. Then assess how these capabilities may impact you in the particular situation at hand.
In this stage, you should also ask yourself “what information does the adversary already know? Is it too late to protect sensitive information?” If so, determine what course of action you need to take to mitigate the issue, plan for ramifications, and prevent it from happening again.
You can learn about the capabilities of state agencies and private intelligence companies from the following sources:
Step 3: Analysis of vulnerabilities
Now that you know what you need to protect, and what the threats are, you can identify specific vulnerabilities.
For example, if you are trying to protect location information from state agencies and corporations, carrying a cell phone with you is a specific vulnerability, because a cell phone triangulates your location and logs this information with the service provider each time it connects to cell towers. If this phone is linked to you, your location will be regularly recorded anytime your cell phone is connected to cell towers. This process can be repeated to identify multiple vulnerabilities.
Once you have determined these vulnerabilities, you can begin to draft OPSEC measures to mitigate or eliminate the vulnerability. There are three types of measures you can take.
Action controls eliminate the potential vulnerability itself. EXAMPLE: get rid of your cell phone completely.
Countermeasures attack the enemy data collection using camouflage, concealment, jamming, or physical destruction. EXAMPLE: use a faraday bag to store your phone, and only remove it from the bag in specific non-vulnerable locations that you are not concerned about having recorded. NB: This method may not eliminate all dangerous data tracking, as smartphones are capable of tracking and recording location and movement data using their built-in compass and accelerometer, even when they have no access to GPS, cellular networks, or other radio frequencies.
Counter analysis confuses the enemy via deception and cover. EXAMPLE: give your phone to a trusted friend who is moving to a different location so that your tracked location appears different than your real location during a given period.
Step 4: Assessment of risk and countermeasures
Step four is to conduct an in-depth analysis of which OPSEC countermeasures are appropriate to protect which pieces of information. Decide on the cost-benefit ratio of each countermeasure. You want to ensure that your security measures are strong and adequate, but ideally, they should not hamper the mission itself. Determine which factors are most important and make a judgement call about your course of action.
Step 5: Apply your OPSEC countermeasures
The final step is to put the plan into action. Implement your chosen action controls, countermeasures, or counter analysis methods.
Once the operation is complete, or on an ongoing basis, you should also reassess effectiveness. Conduct research, analyze any mistakes you have made, and plan for the ramifications of these mistakes. Then improve your techniques and repeat the process.
Creating a “security culture”
Operational security does not make sense for everyone. It is designed to protect groups of people engaged in high-risk activities. Therefore, OPSEC is not a hobby or something to be practiced occasionally. The OPSEC procedure should be habitual and regular, because it only takes a short period of inattention to accidentally disclose information that can have dangerous consequences.
The lessons in this article need to be combined with general activist “security culture” and basic forensic countermeasures (a topic I will cover in another article) to protect us from threats.
It is important that we begin to shift our culture of activism towards revolutionary confrontation. This requires a serious shift in attitude. We need to look at ourselves as warriors in a life-and-death war for the future of the planet. OPSEC provides us with a procedure for increasing our safety and reminds us to treat this struggle as seriously as it really is.
—
Max Wilbert is a third-generation organizer who grew up in Seattle’s post-WTO anti-globalization and undoing racism movement, and works with Deep Green Resistance. He is the author of two books.
We live in a surveillance state. As the Edward Snowden leaks and subsequent reporting have shown, government and private military corporations regularly target political dissidents for intelligence gathering. This information is used to undermine social movements, foment internecine conflict, discover weaknesses, and get individuals thrown in jail for their justified resistance work.
As the idea of the panopticon describes, surveillance creates a culture of self-censorship. There aren’t enough people at security agencies to monitor everything, all of the time. Almost all of the data that is collected is never read or analyzed. In general, specific targeting of an individual for surveillance is the biggest threat. However, because people don’t understand the surveillance and how to defeat it, they subconsciously stop themselves from even considering serious resistance. In this way, they become self-defeating.
Surveillance functions primarily by creating a culture of paranoia through which the people begin to police themselves.
This is a guide to avoiding some of the most dangerous forms of location tracking. This information is meant to demystify tracking so that you can take easy, practical steps to mitigating the worst impacts. Activists and revolutionaries of all sorts may find this information helpful and should incorporate these practices into daily life, whether or not you are involved in any illegal action, as part of security culture.
About modern surveillance
We are likely all familiar with the extent of surveillance conducted by the NSA in the United States and other agencies such as the GCHQ in Britain. These organizations engage in mass data collection on a global scale, recording and storing every cell phone call, text message, email, social media comment, and other form of data they can get their hands on.
Our best defenses against this surveillance network are encryption, face-to-face networking and communication, and building legitimate communities of trust based on robust security culture.
Capitalism has expanded surveillance to every person. Data collection has long been big business, but the internet and smartphones have created a bonanza in data collection. Corporations regularly collect, share, buy, and sell information including your:
Home address
Workplace
Location tracking data
Businesses you frequent
Political affiliations
Hobbies
Family and relationship connections
Purchasing habits
And much more
Much of this information is available on the open marketplace. For example, it was recently reported that many police departments are purchasing location records from cell phone companies such as Verizon that show a record of every tower a given cell phone has connected to. Purchasing this information from a corporation allows police to bypass the need to obtain a warrant—just one example of how corporations and the state collaborate to protect capitalism and the status quo.
Forms of location tracking
There are two main types of location tracking we are going to look at in this article: cell tower tracking and GPS geolocation.
Cell phone tracking
Whenever a cell phone connects to a cell tower, a unique device ID number is transmitted to the service provider. For most people, their cell phone is connected directly to their identity because they pay a monthly fee, signed up using their real name, and so on. Therefore, any time you connect to a cell network, your location is logged.
The more cell towers are located in your area, the more exact your location may be pinpointed. This same form of tracking applies to smartphones, older cell phones, as well as tablets, computers, cars, and other devices that connect to cell networks. This data can be aggregated over time to form a detailed picture of your movements and connections.
GPS tracking
Many handheld GPS units are “receiver only” units, meaning they can only tell you where you are located. They don’t actually send data to GPS satellites, they only passively receive data. However, this is not the case with all GPS devices.
For example, essentially every new car that is sold today includes built-in GPS geolocation beacons. These are designed to help you recover a stolen car, or call for roadside assistance in remote areas.
Additionally, many smartphones track GPS location data and store that information. The next time you connect to a WiFi or cell phone network, that data is uploaded and shared to external services. GPS tracking can easily reveal your exact location to within 10 feet.
Defeating location tracking
So how do we stop these forms of location tracking from being effective? There are five main techniques we can use, all of which are simple and low-tech.
(a) Don’t carry a cell phone. It’s almost a blasphemy in our modern world, but this is the safest way for activists and revolutionaries to operate.
(b) Use “burner” phones. A “burner” is a prepaid cell phone that can be purchased using cash at big-box stores like Wal-Mart. In the USA, only two phones may be purchased per person, per day. If it is bought with cash and activated using the Tor network, a burner phone cannot typically be linked to your identity.
WORD OF CAUTION: rumor has it that the NSA and other agencies run sophisticated voice identification algorithms via their mass surveillance networks. If you are in a maximum-security situation, you may need to use a voice scrambler, only use text messages, or take other precautions. Also note that burners are meant to be used for a short period of time, then discarded.
(c) Remove the cell phone battery. Cell phones cannot track your location if they are powered off. However, it is believed that spy agencies have the technical capability to remotely turn on cell phones for use as surveillance devices. To defeat this, remove the battery completely. This is only possible with some phones, which brings us to method number four.
(d) Use a faraday bag. A faraday bag (sometimes called a “signal blocking bag”) is made of special materials that block radio waves (WiFi, cell networks, NFC, and Bluetooth all are radio waves). These bags can be purchased for less than $50, and will block all signals while your phones or devices are inside. These bags are often used by cops, for example, to prevent remote wiping of devices in evidence storage. If you are ever arrested with digital devices, you may notice the cops place them in faraday bags.
WORD OF CAUTION: Modern smartphones include multiple sensors including a compass and accelerometer. There have been proof-of-concept experiments showing that a smartphone inside a faraday bag can still track your location by using these sensors in a form of dead reckoning. In high-security situations where you may be targeted individually, this is a real consideration.
(e) Don’t buy any modern car that includes GPS. Note that almost all rental cars contain GPS tracking devices as well. Any time a person is traveling for a serious action, it is safest to use an older vehicle. If you may be under surveillance, it is best to use a vehicle that is not directly connected to you or to the movement.
Conclusion
There are caveats here. I am not a technical expert, I am merely a revolutionary who is highly concerned about mass surveillance. Methods of location tracking are always evolving. And there are many methods.
This article doesn’t, for example, discuss the simple method of placing a GPS tracker on a car. These small magnetic devices can be purchased on the private market and attached to the bottom of any vehicle.
However, these basic principles can be applied across a wide range of scenarios, with some modification, to greatly increase your privacy and security.
Editor’s note: republished under a Creative Commons License, this article is “A handful of digital security things that most of us should do almost all of the time,” in the words of the author. We offer it here as a resource for activists who wish to communicate securely, to protect their groups and allies against digital infiltration or monitoring.
This is not intended as a comprehensive security guide. Nor is it a privacy guide. There are many security guides online. It is not intended for people who think they are currently hacked. Or who are trying to remain anonymous. Or hide their browsing or e-mail traffic. Suspect you are currently under attack? Have a look at the last section of the document.
Why: Two step verification is a great way to increase the security of your account. In its simplest form, it works by sending you an SMS with a code after you have entered your password. You need this code in order to log in.
Time commitment: 5-10 minutes
This means that even if someone has stolen your password, they won’t be able to access your account.
Here are some directions for setting up 2 step verification on your different accounts:
For a more comprehensive list of all services offering 2 Step Authentication, click here
2 Step to the Next Level
Getting SMSes every time can be cumbersome. Before you throw up your hands with frustration, you should know that there are apps that make the process easier. They also make it much more secure. The most widely used is the Google Authenticator.
If you are seriously concerned about security, there is an even more robust option: Security Keys. These small USB dongles give you all the benefits of 2 Step authentication, but can’t be hacked. They don’t cost much, and are a dramatic improvement.
Why: when your phone is encrypted only you or someone who has your password can access the data on the device. It is fully effective only when the device is turned off.
Time commitment: 5 minutes to set up, 20-60 minutes of time for your phone to do its thing.
The neat thing is that your iPhone is encrypted by default. It would be cool if Androids did this, right? But for it to ‘count’ you should use a strong password, rather than a simple pin. A guide on encryption of your iPhone
Note: Encryption is not available on iPhones older than 3GS
*Reminder: If the phone is hacked this doesn’t solve the problem since a hacker can already look at your data*
Talk and Text With Some Privacy
Why: when your communications are properly encrypted, only someone with access to a side of the conversation (like your phone, or your friend’s phone) can listen in.
Reminder: If the phone is hacked this doesn’t solve the problem since a hacker can already read everything
Time commitment: 2-5 minutes to download and verify the app to your number.
Note: This app provides secure SMS-like messaging and calls over data. This option requires a data plan to work, and it does not hide the fact that you are making these communications!
Signal is great, and easy to use. It is a drop-in replacement for existing call and messaging features, as long as you have good data service! But there are many other tools that have other features, advantages, and quirks. Including a few, like WhatsApp, that use the same encryption protocol as Signal. You may find it hard to move all your contacts over to Signal, but easier to get everyone to agree to use WhatsApp. So, what to do?
To sort through it all the Electronic Frontier Foundation (EFF) has done a great job assembling information about the security and privacy policies of many different chat apps. Have a look here. Note: As of January 2017 EFF is re-developing the Secure Messaging Scorecard. Check back often for the new version.
We all hate updates. But they go a long way towards keeping you safe. If you find updating as painful as everyone else, you might consider Secunia PSI, which manages updates for you. There is a free version available for Windows only here that will take *some of the pain out*.
Drive Encryption
You should encrypt your personal and professional laptops and computers. This means that when they are turned off your data can’t be accessed without your password, or a lot of work. This doesn’t work as well when the device is in Sleep or Hibernation mode.
Time commitment: 5-10 minutes to set up. Then a restart. Then a wait (sometimes you can do other things) while your computer encrypts. Plug in laptops before getting started.
Windows
Some Windows versions support BitLocker encryption. Many don’t. Here is a guide to BitLocker (the guide link addresses some cases where your version does not support it). Have a look at VeraCrypt if your Windows does not have BitLocker.
Mac OS
All recent Mac computers support encryption using a built-in feature called FileVault. Here is a guide to FileVault
Secure Communication
There are a lot of things to consider before choosing a secure communications solution for your computer. I encourage you to consult some more systematic resources like the many security guides online to make a selection.
That said, Signal Private Messenger has an excellent Chrome Extension that you can use to message securely from your desktop.
This new tool, made by Google, will check where you enter your Gmail password and warn you if you are being tricked by a website into entering your password in the wrong place. It is available as a Chrome extension.
Gmail and the Outlook Web App both have a fantastic feature: you can preview attachments without opening them on your machine. If you discipline yourself to do this regularly you will make it a lot harder for someone to hack your machine.
Spot A Malicious Message
Why: A very, very common route into computers is via emails and messages containing malicious attachments and links. Those links can deliver viruses that undo all of your other security measures.
These messages are based around trying to trick you into performing some behavior. These work with things like:
FEAR Making you afraid (oh no, I need to change my password!)
URGENCY Making you worried that something is urgent
CURIOSITY Making you curious (what is this e-mail about? I will click the link..)
ENTICED Enticing you (important message about a political issue)
These messages can be very sophisticated. Sometimes they also come by SMS or by messages on Skype, WhatsApp etc.
Came to a different inbox where you can’t preview it? Forward it to your Gmail or Outlook and preview it there
If it doesn’t preview or the content looks suspicious, consider Step 2.
Double Check a Link
Don’t click the link! Instead right-click it, copy the link and paste it into your browser or somewhere else if it is long. Look at it before hitting the enter key.
First, look at the name of the website, especially the part right before “.com,” or whatever the “.ending” is.
Is the name spelled correctly? Does it match the page you want to visit?
For example: “https://google.secure-mymil.com” is not a Google website! It is secure-mymil.com, which could be fake. Now look at https://mail.google.com, which is genuine. See the difference? The correct website name, “google.com,” is right before the “.ending.”
If the website name looks right, check for the “S” in “HTTPS://” at the beginning.
The “S” stands for “Secure” and means that your connection is being encrypted
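The checks described above can be written as a short script. This is an added example, not part of the original guide: the function name check_link, the list of expected sites and the 0.8 similarity threshold are assumptions, and it goes slightly beyond the text by also handling a "user@" prefix in the address and non-ASCII look-alike names.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption for this example: the sites you actually expect to sign in to.
EXPECTED_SITES = ("google.com", "outlook.com")


def check_link(url, expected_sites=EXPECTED_SITES):
    """Return (verdict, reason); verdict is "ok" or "suspicious"."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased; drops any "user@" prefix and port
    except ValueError:
        return "suspicious", "address cannot be parsed"
    if parts.scheme != "https":
        return "suspicious", "no HTTPS at the beginning"
    if not host:
        return "suspicious", "no website name in the address"
    host = host.rstrip(".")
    labels = host.split(".")

    # Look-alike letters: non-ASCII names or their encoded "xn--" form.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "suspicious", "non-ASCII characters in website name"

    # Genuine: the expected name sits right before the ending.
    for site in expected_sites:
        if host == site or host.endswith("." + site):
            return "ok", f"{site} is right before the ending"

    # Naive "name + ending": the last two labels. Multi-part endings such as
    # .co.uk need the Public Suffix List, which this example does not use.
    tail = ".".join(labels[-2:])
    for site in expected_sites:
        brand = site.split(".")[0]
        if brand in labels[:-2]:
            return "suspicious", f"'{brand}' is only a prefix; the site is {tail}"
        if SequenceMatcher(None, tail, site).ratio() >= 0.8:
            return "suspicious", f"{tail} looks like a misspelling of {site}"
    return "suspicious", f"{tail} is not a site you expected"


# Constructed sample links; the first two are the examples from the text.
SAMPLES = [
    "https://google.secure-mymil.com",
    "https://mail.google.com",
    "http://mail.google.com",
    "https://gooogle.com/login",
    "https://mail.google.com@secure-mymil.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, reason = check_link(link)
        print(f"{verdict:10} {link}  ({reason})")
```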
Step 2: Six Second Detective
Upload a suspicious file to www.virustotal.com to get an answer. Go to the website and upload the file.
Privacy Tip: files submitted to VirusTotal are available to security researchers. Make sure you don’t submit sensitive things.
Step 3: I’m now convinced this is bad.
If you are working with an organization, this would be a great time to contact your IT staff. Make sure not to delete the message before contacting them!
Finally, you can always share with researchers like Citizen Lab (where I work). We can be reached at info[at]citizenlab.org.
FAQ
Hey, this was really simplistic!
Yes! This document doesn’t even mention e-mail encryption. And it doesn’t give a lot of explanation for *why* you should do these things.
You can’t really do digital security without first carefully assessing your risk, then being systematic in how you address it. The objective of this document is simply to lay out things that, on balance, help. If you want something systematic there are lots of resources. Here is a curated list of online security guides. Here is another. I can’t vouch for all of the linked resources.
TigerSwan is one of several security firms under investigation for its work guarding the Dakota Access pipeline in North Dakota, potentially without a permit. Besides this recent work on the Standing Rock Sioux protests in North Dakota, this company has offices in Iraq and Afghanistan and is run by a special forces Army veteran.
Law enforcement and private security at the North Dakota pipeline protests have faced criticism for maintaining a militarized presence in the area. The American Civil Liberties Union (ACLU) and National Lawyer’s Guild have filed multiple open records requests to learn more about the extent of this militarization, and over 133,000 citizens have signed a petition calling for the U.S. Department of Justice to intervene and quell the backlash.
The Federal Aviation Administration has also implemented a no-fly zone, which bars anyone but law enforcement from flying within a 4-mile radius and 3500 feet above the ground in the protest area. Dallas Goldtooth, an organizer on the scenes in North Dakota with the Indigenous Environmental Network, said on Facebook that “DAPL private security planes and choppers were flying all day” within the designated no-fly zone.
Donnell Hushka, the designated public information officer for the North Dakota Tactical Operation Center, which is tasked with overseeing the no-fly zone, did not respond to repeated queries about designated private entities allowed to fly in no-fly zone airspace.
What is TigerSwan?
TigerSwan has offices in Iraq, Afghanistan, Jordan, Saudi Arabia, India, and Latin America and has headquarters in North Carolina. In the past year, TigerSwan won two U.S. Department of State contracts worth over $7 million to operate in Afghanistan, according to USASpending.gov.
TigerSwan, however, claims on its website that the contract is worth $25 million, and said in a press release that the State Department contract called for the company to “monitor, assess, and advise current and future nation building and stability initiatives in Afghanistan.” Since 2008, TigerSwan has won about $57.7 million worth of U.S. government contracts and subcontracts for security services.
Company founder and CEO James Reese, a veteran of the elite Army Delta Force, served as the “lead advisor for Special Operations to the Director of the CIA for planning, operations and integration for the invasion of Afghanistan and Operation Enduring Freedom” in Iraq, according to his company biography. Army Delta partakes in mostly covert and high-stakes missions and is part of the U.S. Joint Special Operations Command (JSOC), the latter well known for killing Osama Bin Laden.
One of TigerSwan’s advisory board members, Charles Pittman, has direct ties to the oil and gas industry. Pittman “served as President of Amoco Egypt Oil Company, Amoco Eurasia Petroleum Company, and Regional President BP Amoco plc. (covering the Middle East, the Caspian Sea region, Egypt, and India),” according to his company biography.
“It is sad, but not surprising, that this firm has ties to the US interventions in Afghanistan and Iraq,” Medea Benjamin, co-founder of the women-led peace group CODEPINK and the co-founder of the human rights group Global Exchange, told DeSmog. “It is another terrifying example of how our violent interventions abroad come home to haunt us in the form of repression and violation of our civil rights.”
The North Dakota Bureau of Criminal Investigation and the Private Investigation and Security Board are also conducting parallel investigations to the one recently completed by Morton County. TigerSwan did not comment on questions posed about their contract.