Disclaimer
I am a security educator, but I am not your security educator. It is in your interest to question everything I share with you and adjust accordingly. It is ultimately your responsibility for understanding why you take specific actions or inaction to maintain good defenses. Additionally, using some of the below processes, methods or tools may be illegal in your region. This post is for educational purposes only.
Introduction
You are an intelligent activist, journalist, or legal observer that is aware of the possibility of active or passive surveillance while exercising your non-violent, constitutionally protected (United States) rights. High profile protest events or people engaged with these events will have corporate or government stalkers during and after the event. You know that you need to safeguard your assets during protest events with post-event in mind — the present and future states of your metadata and information in tandem with other attendee’s metadata and information.
Even if you are not in the United States, this post might help you. I have instructed activists that have been or are victims of stalking or physical attacks after attending protest events. Having secure communications while minimizing data linkability is a critical part of defending yourself from people who want to scare you or hurt you.
This post is not about the broad problem of Detecting and Defending Against a Surveillance State. This post is about your need to communicate and coordinate with other activists or publish information online while at a protest event. This post provides meaningful defenses against specific attacks carried out at protests.
Scenarios
The following scenarios will define our risk scope that will be composed of assets, adversaries, threats, and vulnerabilities.
1. Local cellular networks store connection logs of nearby mobile devices and can actively alert local users as a scare tactic.
2. Local law enforcement can “Man in the Middle” every one’s cellular traffic to intercept communications.
3. Federal intelligence agencies and local law enforcement both actively surveil protest attendees and share data and information via Fusion Centers.
Assets:
- Personal safety.
- Personal identification data and information.
- Mobile device identification data and information.
- Mobile device local storage including your contacts database, text messages database, calendar, notes, call records, media files, and social media access and identities.
Adversaries:
- Regular cellular network operators run by AT&T, Verizon, Sprint, and T-Mobile.
- Organizations with records access to regular cellular network operators such as federal agencies and local law enforcement.
- Imitation cellular networks run by federal agencies, local law enforcement, and private entities with money and motive.
- Organizations with records access to imitation cellular networks such as federal agencies, local law enforcement, and private entities.
- Close-proximity federal agents, law enforcement agents, and private entity employees.
Threats:
- Parallel construction.
- Doxing.
- Physical mobile device collection.
- Physical visual and auditory collection.
- Cellular network infrastructure data collection.
- IMSI catcher data collection.
- Cellular network infrastructure mobile device attacks.
- IMSI catcher mobile device attacks.
Vulnerabilities:
- You. People’s faces, for example, are biomarkers (like fingerprints) that are commonly collected data at protest events. Personal actions that you make include those taken at protest events but also before and after events. For instance, how you transport yourself to and from events. Automatic license-plate readers are rampant. Electronic payments such as debit and credit card transactions, mass transit payments, Starbucks cards and gift cards all leave digital traces linkable to your identity.
- Mobile devices via visual identification or physical loss.
- Mobile device network traffic including device networking identifiers, connection metadata, unencrypted communications metadata, or unencrypted content.
- Other people’s mobile devices with information about you.
- Online publications and social media.
Risk Responses
There are certain risks that you have to accept as an activist or journalist while attending a protest. Journalists and legal observers may have greater legal protections for certain things, but they have the same assets, adversaries, threats, and vulnerabilities as activists when engaging in civil protests. Digitally communicating is something that you can’t always give up. Given our above risk scope, the question then becomes: what aspects of your risk scope should you be willing to accept, avoid, or mitigate?
Avoidance
Elimination of the vulnerability that gives rise to a particular risk so that it is avoided altogether. This is the most effective solution, but often not possible […]. Eliminating email to avoid the risk of email-borne viruses is an effective solution but not likely to be a realistic approach in the modern enterprise.
Our focus is to avoid what we can and mitigate or accept the rest.
Action 1: Do not use your personal, mobile devices.
You have a lot of personal information on your Android or iPhone that you should not risk getting lawfully taken, illegally stolen, or damaged. You cannot reasonably allow your personally-identifiable hardware device IDs to get associated with likely-adverse events that are out of your control. Regular, contracted cellular device service accounts are commonly associated with your Social Security Number and/or government issued ID. It is trivial for anyone to link hardware device IDs and phone numbers to you.
Mitigation/Deterrence
Risk mitigation involves the reduction in likelihood or impact of a risk’s exposure. Risk deterrence involves putting into place systems and policies to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated. Most risk management decisions focus on mitigation and deterrence, balancing costs and resources against the level of risk and mitigation that will result.
We have to use a mobile device to communicate because that is the tool that we know how to use and because they are valuable assets.
Action 2: If you’re attending a protest by yourself, an inexpensive, prepaid burner phone might be great start to surveillance self defense. Coupled with the exclusive use of end-to-end encrypted communication tools such as TextSecure, Signal, and RedPhone, you are dramatically increasing the security of your communications.
Action 3: Burner hotspots can provide an important proxy when depending on cellular networks. Similarly, it is possible to use a burner phone with a data plan to be used exclusively as a burner hotspot. When you are part of a coordinated, trusted group of people, burner hotspots allow everyone to share one device ID. Attributing communications to specific people becomes harder which affects the threat of parallel construction. Cellular network data collection cannot easily identify mobile devices that are in “airplane mode” with Wi-Fi turned on.
This threat mitigation action presumes that adversaries do not prey on the 802.11 standard (Wi-Fi). However, intercepting properly hardened Wi-Fi communication is a much harder feat compared to the ease of intercepting legacy telephony communication. Raising the cost of surveillance also lowers the exploitation probability.
Action 4: If you are part of an activist group, cost is a factor, and you know that law enforcement involvement is a low risk, using your personal cell phone in airplane mode behind a burner hotspot is a relative improvement. Backups, transport encryption and storage encryption are paramount in this scenario.
Enabling “airplane mode” on your mobile device is a critical deterrent to baseband processor attacks. Wi-Fi chipsets are not nearly as vulnerable to network exploitation as baseband processors are.
Action 5: This is the combination of Action 1, 2, and 3 and is the ideal action in a group setting. It requires that a group uses both burner hotspots and burner phones to maximize compartmentalization. It is also critical that both burner hotspots and burner phones are properly configured before attending protest events.
Acceptance
Recognizing a risk, identifying it, and then accepting that it is sufficiently unlikely or of such limited impact that corrective controls are not warranted. Risk acceptance must be a conscious choice…and regularly reviewed.
When using a burner hotspot to provide Internet access, there are inherent risks when using Wi-Fi devices. These devices also have hardware IDs, albeit the range needed for detection is much smaller. Additionally, collecting and tracking Wi-Fi device IDs are not nearly as threatening as collecting and tracking cellular network hardware IDs.
People using mobile devices can have photo and video recordings made of them using said devices. This is an inherent problem when attending protest events and is not covered in this post.
Note: “Acceptance,” “Avoidance,” and “Mitigation/Deterrence” quote reference: http://www.pearsonitcertification.com/articles/article.aspx?p=1809117
Planning
It is important to privately meet with protest party members and plan secure communicating prior to events. Here is a list of some questions you might want to ask and solve.
- Do the protest areas have reliable cellular service?
- Are you going to live stream parts or all of the event?
- Are you going to use text communications? Which ones?
- Are you going to use voice communications? Which ones?
- How many people do you need to support with Internet?
- Will everyone in your party be proactively securing their communications in the same way? If not, how do you have to adjust?
- Are you going to share access to your burner hotspots?
- How long will you be participating at an event? Will you have sufficient battery power?
- What is your fallback plan if party members get separated and are not within hotspot range?
- What is your fallback plan in case the cellular networks get shut down?
- What is your fallback plan if your organizers/hotspot carriers get arrested or leave?
- How are you going to responsibly dispose of your burner hotspot after a protest event?
Necessary planning actions
- As of June 2015, Walmart and BestBuy are national suppliers of prepaid hotspot solutions. Verizon sells a $50 hotspot with 1GB or 10GB 30-day plans but are pricey. Do your research to maximize anonymity when buying devices and services, and be aware of your cellular data needs.
- Burner phones do not necessarily need data service, just the ability to receive a text message in order to register with Open Whisper Systems. Once a burner phone is connected to Wi-Fi, TextSecure, Signal, and RedPhone should work flawlessly.
- Do not activate or use cellular service of any burner device from any anchor point.
- Uninstall all mobile apps that do not have an explicit purpose for advancing the protest’s cause. Disable any service or app that cannot be uninstalled for the same reasons.
- Employ strong (long, high-entropy) passphrases on all mobile devices. This includes device access and also Wi-Fi access.
- Enable storage encryption on all applicable devices.
- Enable two-factor authentication on all online social media accounts. Do not bring the 2nd authentication device with you to protest events.
- Use VPN’s or Tor when possible/applicable to mitigate upstream metadata collection.
- Some prepaid cellular service providers might allow you to bring your own hotspot device. If you can procure one pseudonymously, certain manufacturers support external antennas which might support signal stability.
Online social media planning
We know that federal intelligence agencies, local law enforcement agencies, and corporations stalk online social media. If any aspect of your identity is connected to the accounts from which you’ll be publishing information about protest events, you, and maybe your accessible social media contacts, are vulnerable. Disassociating your ID to cellular infrastructure is probably still an invaluable self-defense step, but be aware that attributing your presence to specific protest events can be trivial.
If protecting your identity and your contact’s identity is important to you, you may consider creating anonymous or pseudonymous email accounts and online social media accounts using the Tor Browser or Tails Linux. Do not log into these social media accounts from any non-burner devices because of hardware and network ID linking.
This post does not go into detail about maintaining anonymous or pseudonymous online identities. It also does not include information about responsible photo and video recording with the aim of protecting the identities of other activists.
Please be awesome to other people, be smart, act intelligently, and be careful.
On IMSI-catching detecting
This post does not go into great detail about managing IMSI-catching detecting devices.
I think that carrying network abuse detection tools, if you’re capable of managing them well, could prove to be invaluable for documenting abuse and following up with Freedom of Information Act requests. But someone with a detection tool must know how to use it and how to professionally release information about exactly what is detected.
It seems prudent to carry such a device along with an identical burner device for secure communications. In retrospect, what affects the detector device is likely occurring to the communications device, too, given the nature of IMSI catchers and common cellular networks. Keeping the two device functions separate allows you to easily share the detection device, as evidence, to a qualified examiner, without jeopardizing the private information contained in your secure communications burner device.
Supplemental watching
— Defcon 21 – Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell
— Defcon 18 – Practical Cellphone Spying – Chris Paget
— SS7: Locate. Track. Manipulate. [31c3] by Tobias Engel (SnoopSnitch)
Supplemental reading
— IMSI Catchers: Practical Knowledge for Activists and Thotcon presentation
— StingRay Technology: How Government Tracks Cellular Devices
— Stingrays: The Biggest Technological Threat to Cell Phone Privacy You Don’t Know About
— Telco metadata surveillance: only minimal avoidance with HTTPS and Tor
— TextSecure, RedPhone, and Signal threat modeling
— Create an anonymous TextSecure and RedPhone phone number