Teresa Shook awoke Nov. 9 to a new reality. The previous night, Republican Donald Trump had staged the biggest political upset of the young century.
Defying the collective wisdom of pollsters and pundits, the former reality TV star had defeated former Secretary of State Hillary Clinton to become the next president of the United States.
Shook, a grandmother living in Hawaii, had opposed Trump throughout the campaign and felt an immediate need to make her voice heard on the national stage. She logged on to Facebook and invited 40 of her friends to join her in a
protest in Washington, D.C., the day after Trump’s inauguration.
Her invitation quickly went viral.
Merging with a handful of similar events, Shook’s planned demonstration, dubbed the Women’s March on Washington, became a focal point of the emerging post-election anti-Trump movement. Within weeks, over 200,000 people had indicated they would be joining Shook in protesting the new administration. Smaller regional chapters of the group had sprung up in all 50 states to help coordinate the action taking place in the nation’s capital and stage their own concurrent local marches.
While Facebook RSVPs are about as loose as commitments can get in 2016, the event’s rapid spread is an indication of how Trump’s electoral victory has spurred a fresh wave of American activism. People across the country, many of whom never had previously considered marching in a demonstration, let alone organizing one, have become activists.
For those just beginning their efforts to foment political change, Ahmed Mansoor has a crucial piece of advice: To be both safe and effective, thinking deeply about one’s own cybersecurity practices is essential.
Mansoor has been a prominent figure fighting for human rights in the United Arab Emirates for over a decade, starting when an online discussion forum he frequented was shut down by government officials and its owner was arrested.
“I started defending freedom of expression because I believe that basic right … (is what) all other rights are really built on,” he said in an interview over Skype.
Emirati human rights activist Ahmed Mansoor.Credit: Courtesy of Ahmed Mansoor
Mansoor has spent years protesting his government’s systematic silencing of journalists and pro-democracy activists. He helped create a discussion board on which Emiratis could freely and anonymously discuss controversial opinions, a rarity in the conservative UAE.
“Nobody else was allowing that level of freedom of people to talk,” Mansoor boasted. “They were deleting them. They were suppressing them. They were blocking users who talked about these red lines,” which ran the gamut from the political to the religious.
In response to the 2011 Arab Spring uprisings across the Middle East, the UAE enacted a spate of political reforms, which Mansoor said didn’t go nearly far enough. He helped circulate a petition calling for universal suffrage for UAE citizens. The petition attracted a massive level of attention and resulted in Mansoor’s arrest on the charge of insulting government officials.
While he ultimately was pardoned after spending eight months in prison, Mansoor never stopped being the subject of government scrutiny. In the years since, he’s been under constant surveillance.
A telecommunications engineer by training, Mansoor has been dubbed the “Million Dollar Dissident” because of the great lengths to which authorities in the UAE have gone to monitor his electronic communications.
A single piece of spyware sent to Mansoor, which he identified and then rerouted to researchers at the University of Toronto for analysis, was packed with features taking advantage of three previously undiscovered flaws in the security of Apple’s iPhone. Based on the private sale of information about a similar vulnerability made public last year, the spyware used against Mansoor may have cost $1 million to construct.
Why is Mansoor such a target?
“It’s obvious that my activities are annoying the authorities here, as they don’t want human rights violations to be revealed. I’m probably the most active and outspoken human rights defender in UAE, with good reach to the international human rights organizations, international media, U.N. and so on,” he said, noting he’s won international awards for his activism.
Despite his vigilance, Mansoor has had his electronic devices compromised and his online accounts hacked. He’s been physically assaulted and once saw the $140,000 end-of-service benefit he received from his telecom company job after his arrest and subsequent termination mysteriously disappear from his bank account. It’s enough to make someone legitimately paranoid.
Unsurprisingly, Mansoor is incredibly careful about how he manages his digital privacy, which he sees as a cornerstone of his activism.
“This is extremely important because … it could jeopardize your ability help people. It would hinder your efforts to communicate with victims,” he said. “Not only that, it might also identify them as targets and subject them to reprisal from the authorities.”
“It may also cause you to be convicted using one of those open-ended terminologies or clauses in laws,” he added, recalling his own experiences in the UAE, “due to any type of peaceful communication with human rights organizations or media to raise (awareness of) these kinds of human rights violations. They would consider them either acts that are harming the national security or destroying the image of the country.”
What follows is a cybersecurity guide for activists. Compiled with advice from technologists who build these tools to activists such as Mansoor who use them, these strategies can be used by people on either side of the political aisle, by organizers and journalists alike.
Most of the tips are straightforward and require little specialized technical knowledge. Complexity can trip up people and delay important communications. Journalist Glenn Greenwald’s initial inability to set up email encryption, which can be tricky for technical neophytes, nearly derailed former National Security Agency contractor Edward Snowden’s attempts to leak him stolen documents exposing the U.S. government’s omnipresent electronic surveillance dragnet.
For the tools in this guide, if you can use Gmail or Facebook, none of these suggestions should be especially taxing. Nor are any of these individual suggestions, or even all of them taken together, a panacea. Using any electronic device will always come with some risks, no matter how careful you are about cybersecurity.
But, this is, at the very least, a good start.
Model the threat
As a senior researcher for Citizen Lab at the University of Toronto’s Munk School of Global Affairs, John Scott-Railton specializes in understanding cyberattacks that target the secure communications of activists and civil society organizations. The most difficult part of developing a plan for someone to keep his or her communications safe, he explained, is to understand that the precise threat each individual faces is a little different – meaning that there is no one-size-fits-all solution.
Scott-Railton suggests people sketch out a model of potential threats to the security of their data. While a number of helpful guides for threat modeling exist online, he noted, “the basic thought process is: What do I have that needs to be protected, who is likely to be interested in it, and what kind of resources are they likely to have?”
“For example, if I’m working at a think tank in the United States, perhaps I’m not particularly concerned that my own government is going to see my work as repressive,” Scott-Railton continued, “but perhaps my work is misaligned with the foreign policy objectives of another government and hackers are going to target my email.”
In the 15 years that Citizen Lab has been analyzing cyberattacks against activists across the globe, the group has noticed a correlation between periods of contentious politics within a country and increases in the number of cyberattacks of all stripes.
Coming off the most contentious U.S. election in decades, in which a hacking campaign allegedly directed against one political party for the benefit of the other may have swung the contest’s ultimate outcome, Scott-Railton predicted more groups with political axes to grind will discover the power of hacking and disclosing sensitive information.
Understanding precisely what unique threats someone faces gives a person a framework for how to expend his or her limited time and resources. In the absence of that framework, there’s a tendency for people to adopt what Scott-Railton calls “digital security yo-yo dieting,” which means taking needlessly extensive digital security precautions for a particular situation and quickly abandoning them after finding they are too much of hassle for everyday use.
Use Signal for text messages
In the weeks since Trump’s electoral victory, downloads of the encrypted messaging app Signal have spiked by 400 percent, according to the company’s internal metrics. That rapid increase is due to the combination of the encrypted messaging app’s ease of use and widely respected reputation – the app counts NSA leaker Snowden as one of its many vocal fans.
I use Signal every day. #notesforFBI (Spoiler: they already know) https://t.co/KNy0xppsN0
— Edward Snowden (@Snowden) November 2, 2015
A free-to-use, open-source project of San Francisco-based Open Whisper Systems, Signal is a replacement for a smartphone’s text messaging client. When someone with Signal sends a message to someone without the application, it shows up as a standard SMS text message. When both sides of a conversation are using the app, messages are fully encrypted end to end, meaning the content of the messages is scrambled into gibberish that can be decoded only by the users on either end.
The encryption techniques developed for Signal are open source, meaning the code powering the app can be viewed by anyone interested in combing through it and looking for bugs, which is typically a sign to others in the cybersecurity community that an organization is serious about making its product as transparent as possible.
The company also has worked with platforms such as WhatsApp and Facebook, which have incorporated Signal’s technology into their own encrypted messaging systems.
Signal’s instant messaging function in action. Courtesy of Open Whisper Systems.
People have an “intuition that when they send someone a message, the only people who can read that message are themselves and the intended recipient,” said Open Whisper Systems co-founder Moxie Marlinspike. “When that turns out not to be true, people are always very upset – whether they’re Sony executives or celebrities or politicians or journalists, or ordinary people like myself. The idea is that end-to-end encryption is the only thing that can bring that intuition into line with reality.”
Signal also allows users to make fully encrypted voice calls, as long as the person on the other end of the line is also using Signal. Phone calls made through Signal, much like its messaging feature, can’t be meaningfully intercepted by third parties.
Turn on two-factor authentication
At its most fundamental, two-factor authentication is the idea that employing multiple methods to verify a user’s identity is better than one. The most common form of two-factor authentication involves requiring a user to enter a password to access his or her account on an online service and then sending the user an email or text message with a code that must be entered for secondary verification.
Two-factor authentication makes it significantly more difficult for an attacker to compromise an account. If a potential hacker discovers the password to someone’s Gmail account, with two-factor enabled, the hacker won’t be able to access it unless he or she is also in physical possession of that person’s smartphone.
Turning on two-factor for Facebook involves going to the security section of the settings menu and clicking on “Login Approvals.”
On Twitter, the feature is accessible through the security and privacy tab of Twitter’s settings page; check the box labeled “Login verification.”
For all Google applications linked under any single account, turning on two-factor can be accomplished by clicking the “Get Started” button on its 2-Step Verification page.
The website Two Factor Auth allows people to look up how to enable two-factor on most popular online services that offer the feature.
Yet, as Mansoor can attest, two-factor authentication could introduce its own security vulnerabilities.
In fall 2014, Mansoor received a pair of suspicious text messages sent to his phone in quick succession. The first was the verification sent by Google when someone tries to log in to a Gmail account from an unfamiliar device. The second was a notification that Mansoor’s Gmail password had been changed. His Gmail account had been compromised. A Hotmail address linked to that Gmail account also was breached, as was Mansoor’s Twitter account, which was attached to his Hotmail account.
What happened, Mansoor believes, is government snoops had access to the cellular network and were able to intercept Google’s text messages to his phone. They simply found his email address, asked to have the password reset, grabbed the text message before it arrived on his mobile device, logged into this account and reset the password.
The solution, Mansoor advised, is to use Google’s proprietary app, called Google Authenticator, which allows users to employ two-factor authentication entirely within its fully encrypted ecosystem without passing any potentially sensitive information via unencrypted text message. Once the app is downloaded, it can be linked to individual Google accounts here.
Use a mud-puddle test to make judgments about online services
In her 2014 book “Dragnet Nation,” journalist Julia Angwin describes a quick and dirty test to determine the security of online services – the mud-puddle test.
“Imagine you drop your device in a mud puddle, slip in the mud, and crack your head so that you forget your password to access your data,” she writes. “Now, can you get your data back from the service you were using? If the answer is yes, then you have left a data trail. … If you are using a service that lets you recover your lost password, then the service has access to your data.”
It isn’t just that services that let users recover lost passwords are more vulnerable, it’s that they’re also susceptible to being forced to turn over user data to government officials.
Earlier this year, a Reuters report revealed that Yahoo had developed software to search all incoming messages on its email and provide the content to intelligence and law enforcement officials. In a statement, the company responded to the allegations with the explanation, “Yahoo is a law abiding company, and complies with the laws of the United States.”
Yahoo had no choice but to comply with the government’s order to turn over user data without notifying the individuals being watched. When Yahoo seriously attempted to fight U.S. officials over data collection in 2008, it faced a daily fine that began at $250,000 and doubled each week. In less than eight months of defying the federal government, Yahoo would have been forced to pay more money than exists in the world.
There is, however, another option. While companies may be compelled to provide user data to government officials, they don’t have to build their systems in a manner in which they can access that data in the first place. If an online service doesn’t have the ability to reset someone’s password, it also doesn’t have the ability to turn over that data to government monitors without the user’s knowledge or consent.
Signal, for example, designed its system so that when a federal grand jury issued a subpoena earlier this year to produce information related to two phone numbers, one with a Signal account and one without, the only information Open Whisper Systems was able to provide was when the account was created and the last time it connected to Signal’s servers. Even as it fully complied with law enforcement demands, Signal was able to completely protect the privacy of its users.
This security can come with a price, though: losing the data on your account when you lose your password, which happens to even the most tech-savvy people. After leaking a trove of government secrets to the media and fleeing to Russia, former NSA contractor Edward Snowden had an account with the now-defunct encrypted email service Lavabit. At one point, Snowden forgot his password and, because Lavabit administrators had designed the system to lock themselves out of user accounts, the best they could do was restore the account from scratch – losing all of Snowden’s data.
Use Semaphor for collaboration
For people in different locations working toward a common goal in close-knit teams, collaboration tools such as Slack and HipChat are hard to beat. However, when the privacy-obsessed developers at SpiderOak – a Kansas City, Missouri-based company behind Semaphor, a Snowden-approved encrypted cloud backup service – looked at the collaboration market, they didn’t see anything that could pass Angwin’s mud-puddle test. So they built their own system.
Semaphor allows teams of users to share files and create private chat rooms that are encrypted individually. Not only is SpiderOak unable to see the content of each chat room, but an attacker installing malware that would give that person total control of a user’s device would be able to access only the chat rooms of which that user was a part, rather than every communication the team had over the service. In addition, Semaphor uses a “web of trust” matrix to give users added confidence that the people with whom they’re chatting really are who they say they are.
Semaphor’s chat function in action.
Credit: Open Whisper Systems
While Semaphor was still in development, SpiderOak President Mike McCamon traveled to the San Francisco Bay Area to meet with different activist groups because he saw activism as an important use case for the software.
“One of the things that I had never thought of until I was meeting with some of these people was they were pointing out to me that they didn’t have a way to organize themselves in the private way online. They could do file sharing or they could do chat or they could (do) direct messaging,” but they didn’t have a tool that had all of those functionalities in one place, McCamon recalled. “They were very excited and gave me the inspiration to keep moving the Semaphor project forward.”
Prepare smartphones before going to a protest
There is likely no more intimate record of someone’s daily activities than the one contained inside his or her smartphone. For activists looking to protect their data, maintaining physical control of their devices is crucial. Participating in a demonstration, where mass arrests or detentions are a looming threat, could potentially result in authorities confiscating the phones of people taken into custody.
While there could be an impulse to avoid bringing smartphones to protests, mobile devices are essential to have on hand during demonstrations for both coordination and documentation. In this case, the middle ground is bringing a phone but taking steps to lock it down beforehand.
Demonstrators in a 2014 Hong Kong protest holding up their phones.
Courtesy of Citobun/Wikimedia Commons
The most important thing is to ensure smartphones have their lock screens enabled, which require users know the password before they can gain access to the device.
For iPhones, the passcode can be turned on by going to the touch ID and passcode tab in the settings menu and clicking the “Turn Passcode On” button.
For Android devices, screen lock options are available in the security section of the settings menu.
As the digital rights group the Electronic Frontier Foundation advised in a recent blog post, protesters should disable the feature that allows their phone to be unlocked with a single fingerprint.
“A police officer can physically force you to unlock your device with your fingerprint,” writes security engineer and technologist William Budington. “And as a legal matter, while the state of the law is in flux, there is currently less protection against compelled fingerprint unlocking than compelled password disclosure. You can always add your fingerprint back to the device after you’ve left the protest.”
For extra protection, protesters should consider disconnecting their phones from cloud-based information storage services. Someone who confiscates a protester device would need that person’s password to access his or her accounts with email providers or group collaboration tools.
Also important is encrypting all data on a phone so it is unreadable unless the user has the password or PIN code to legitimately unlock the device. Newer iPhones, and many higher-end Android phones running more recent operating systems, encrypt their hard drives by default. To turn on encryption for other Android devices, go to the security tab in the settings menu and select “encrypt phone.”
Learn to spot phishing attacks
Why are phishing attacks among the most commonly used tools in a cyberattacker’s arsenal? Because phishing, which uses a misleading email or text message to trick a target into downloading malware to give an attacker access to the target’s device, works like a charm. A recent study by the cybersecurity firm Duo Security found that it takes, on average, about 25 minutes for a coordinated phishing campaign targeted at employees of a specific company to compromise at least one computer.
Phishing attacks often are the most difficult to defend against because they’re aimed at what’s typically the weakest part of any cybersecurity system: the human operating the device. When hackers gained access to the personal email account of Hillary Clinton campaign chairman John Podesta and provided its contents to the radical transparency group WikiLeaks in an effort to sabotage Clinton’s presidential campaign, their route into Podesta’s account may have been a phishing attack.
Having been the target of ceaseless phishing attacks over the better part of a decade, Emirati dissident Mansoor has developed a framework for determining whether he should click on a link or open an email attachment.
“On the email side, it’s about if I know the person or not. Do I know this email or not? Was it a trusted person or not? Is this email an expected email or is it not? Is this the type of email I usually receive from this individual or not?” he said. “I become more suspicious about links within the emails and attachments within the email. If I do not expect an email with an attachment, the likelihood that I will open it will be less than otherwise, unless I examine them. If they are from an unknown source, I will not open them and send them for examination first. If they are from a known email, but I am not expecting an attachment or an email like this, I would suspect it, too, and probably send it for examination.”
Mansoor added that he is often sent phishing attempts via his widely followed Twitter account.
“On Twitter, I’ll open a tweet (sent to me), but I won’t open the link. I open the account (that sent me the message) and see what kind of account it is. I try to understand if it’s a general spam kind of message targeting lots of different users with these kind of tweets or is it only being sent to me?” he said. “If the tweet doesn’t give useful information or any confirmation that I think would add value to me, I just ignore it. I don’t click on the link. I try to make a common-sense check on the account itself and the type of information posted there. Is it really useful for me? Am I losing anything if I don’t click on it or if I don’t open it?”
No matter the sender, Mansoor has a policy of not opening files emailed with the Windows .exe extension, which indicates that opening the file runs a program that has the potential to install malware on his system.
Everyone is in this together
Any cybersecurity regimen that’s entirely focused at the individual level has a fundamental weakness, said Scott-Railton, the Citizen Lab researcher.
“Security is a group phenomenon rather than an individual thing,” he said. “Most people work in groups, organize in groups and are targeted in groups.”
As more electronic data is stored in cloud services instead of saved on the hard drive of an individual device, it’s increasingly likely that a hole in one user’s security could compromise an entire organization. What’s needed, Scott-Railton insists, is the building of a sort of digital herd immunity, in which everyone needs to be protected in order for anyone to be protected.
For scrappy, upstart activist groups that often are strapped for both time and cash, spreading good cybersecurity practices at the organizational level can be tricky, which is why taking the requisite care to protect each member’s electronic data is something that needs to be baked in the DNA of every activist group.
“Digital security is hard for people to go it solo, and it’s hard for people within organizations to go it solo without taking an organizational view about how to improve it,” Scott-Railton said.
“Organizations need to work with other organizations that are in a position to help them conceptualize digital security. … Activist groups and civil society organizations need to look to their funds for help with identifying resources. Funders and charities need to think about this as a serious component of their funding. … The place that we need to move towards is a place of thinking about security as a community issue and an organizational issue.”
This story was edited by Fernando Diaz and copy edited by Nadia Wynter and Nikki Frick.
Aaron Sankin can be reached at email@example.com. Follow him on Twitter: @ASankin.