An Activist’s Guide to Personal Cybersecurity and Grassroots Cybersecurity

Index

  1. Why Privacy and Cybersecurity Are Important
  2. Vulnerabilities in DIY Cybersecurity
  3. Brief Glossary of Terms
  4. Security Basics
    • Part A: Physical Security for Devices
    • Part B: Passwords and Password Managers
    • Part C: Encryption
    • Part D: Email, Messaging Applications, and Communication
    • Part E: Mobile Device and Cell Phone Security
    • Part F: Using VPNs and the Tor Browser
    • Part G: File Storage
    • Part H: Operating Systems, Browsers, Hardware, Software
    • Part I: Additional concerns for activists
  5. Additional Resources

1. Why Privacy and Cybersecurity Are Important

Cybersecurity and privacy have become increasingly relevant topics under the new administration, as well as in light of previous experience with direct actions such as the Occupy Wall Street and No DAPL protests. Even if you personally do not have something to hide, the increasing erosion of privacy online puts other people, particularly vulnerable populations, at risk of state and private surveillance. Examples of this include:

  1. The use of Facebook check-ins to potentially monitor the protesters at Standing Rock.
  2. The importance of privacy to those involved in reproductive rights, such as protecting the personal information of abortion providers.

Risks to privacy come from both state and private actors. Some of the most well-known and publicized mass surveillance efforts came to light through leaked information about the National Security Agency’s PRISM and other programs, via documents released by Edward Snowden, alongside the general expansion of government surveillance, even with the sunset of the Patriot Act. Technological capabilities have allegedly been used against protesters; for example, stingray devices were allegedly used at Standing Rock campsites to intercept protesters’ communications, which also caused mobile devices to be drained of power. There are several cases of private corporations, such as AT&T, selling data to law enforcement or providing backdoors to agencies such as the NSA.

You can read more on the history of mass surveillance in the United States here.

Protecting your personal information, devices, and digital communications is important and is the first line of defense. This not only keeps you from harm, but also may protect the information and privacy of organizations and other individuals.

2. Vulnerabilities in DIY Cybersecurity

It is crucial to remember that most security breaches everywhere are caused by human error, negligence, or a physical theft of data. Attacks are generally crude attempts to access your information; an infamous example is the fake link that led to the leak of John Podesta’s emails.

Trust, but verify

It is worth noting that the techniques presented in this guide can be, and often are, used for unscrupulous activities (a lot of people who take this level of security precautions STILL get caught). Most of the time, when people are caught or exposed, it is because of law enforcement activities such as a sting, or because someone they started to trust and let into their network revealed their personal information or identity. In summary, you need to be able to verify who you interact with, both in person and online. While online tools such as social media can be useful in organizing, it is important to be able to trust those with whom you regularly communicate.

While a large portion of cybersecurity consists of encrypting your data and implementing tools such as VPNs, success in protecting your privacy and data also depends on being cautious about who you talk to and what information you provide. Most security breaches come from things like Edward Snowden downloading incriminating data, the FBI using hundreds of clues to narrow down a person’s location, or one big slip-up in a chat. If you intend to do things that might call attention to you, or that an oppressive regime might take issue with, understand that half of your safety relies on technology, but the other half relies on you. If you rely on only one of these, you will probably put at risk your own security as well as others’ data, privacy, or safety.

For example, a student at a college had been leaking information about a private school that he did not like (specifically, technical details on how the school network was set up). He was identified by the IT department and was nearly expelled. They realized who the culprit was because his personal email and the username he was using to post the information to forums were the same. He was technically savvy and cautious with encryption, as well as other precautions, but a non-technical oversight revealed his identity.

Legality: For the most part, all techniques listed are legal, and cost little to no money. Techniques that are not legal in many circumstances will be described as such and are only provided as a warning for folks who may run into these in tutorials or elsewhere.

3. Brief Glossary of Terms

  1. Doxing: To reveal someone’s online persona or real identity / personal info. Can be used by good people or bad.
  2. Encryption: Making data look like gibberish without a key (like a password). This works by using math that is easy to calculate in one direction, but computationally expensive to reverse.
  3. TFA/2FA: Two-Factor Authentication. Basically a second, single-use password for a website. For instance, when you log into Gmail it will text you a single-use 6-digit number to enter with your password.
  4. VPN: Virtual Private Network. A service that hides your computer’s location and identity.

4. Part A: Physical Security for Devices

While software vulnerabilities, the accessibility of data, and communication security are important topics, it is also necessary to be mindful of the physical security of both your computer and mobile devices. In particular, it is important to be mindful of cameras and microphones. You should ALWAYS cover cameras on desktops, laptops, and other devices, as these can be remotely turned on. You also need to be aware that microphones in cameras, computers, and mobile devices can be remotely turned on.

You should never insert a hard-drive or USB stick into your computer without verifying it first, as malware can easily be uploaded to your device. Read more on the Stuxnet virus for an example of this.

Never leave computers or devices unattended, as they can become compromised through physical manipulation. If you can set a limit on the number of password attempts after which your account is automatically locked for a certain amount of time, do it. Additionally, set an automatic inactivity logout, so that your devices will log you out if you do not use them for a set number of minutes. Finally, make sure you are not facing a window, camera, or other people when inputting passwords or accessing sensitive information.