After the election, individuals took to the streets across the country to express their outrage and disappointment at the result of the U.S. presidential election. Many protesters may not be aware of the unfortunate fact that exercising their First Amendment rights may open themselves up to certain risks. Those engaging in peaceful protest may be subject to search or arrest, have their movements and associations mapped, or otherwise become targets of surveillance and repression. It is important that in a democracy citizens exercise their right to peaceably assemble, and demonstrators should be aware of a few precautions they can take to keep themselves and their data safe. Here we present 10 security tips for protesting in the digital age.
Full-disk encryption ensures that the files across your entire device are encrypted. This is a form of encryption that protects data at rest, as compared to in-transit encryption, which protects data that is transferred over the Internet. Full-disk encryption protects everything from your local database of text messages to the passwords you have stored in your browser. This is useful in case your device is confiscated by police, but also protects you in situations where the device is lost or stolen. Protest situations are often unpredictable, so losing your phone is distinct possibility.
Recent versions of Android and iOS require full-disk encryption capabilities to be built into devices. These should be protected by a strong password: 8-12 random characters that are nonetheless easy to remember and type in when you unlock your device. If devices are not protected by a strong password, the encryption may be easier to break using a brute force attack. Recent editions of the iPhone have employed specialized hardware to protect against this type of attack, but a complex password is still advisable.
In the past, iOS and Android used the same password to both boot your phone and to unlock it. Recently, both iOS and Android introduced a mechanism to allow you to unlock your device with your fingerprint. This is a convenient way to ensure that you enjoy the benefits of full-disk encryption without sacrificing convenience. However, in protest situations we suggest you turn this functionality off. A police officer can physically force you to unlock your device with your fingerprint. And as a legal matter, while the state of the law is in flux, there is currently less protection against compelled fingerprint unlocking than compelled password disclosure. You can always add your fingerprint back to the device after you’ve left the protest.
In iOS, you can disable this by going into Settings -> Touch ID & Passcode
and removing each of the fingerprints in this menu.
In Android, disabling this feature may depend on your device manufacturer. For Nexus devices, go into Settings -> Security -> Nexus Imprint
and delete the fingerprints from this menu.
Catching that perfect shot is something you want to be ready for, and powerful images can help bolster the cause. If you've chosen a strong password, entering it into the device takes precious time, and you risk the moment passing before you're able to take the shot. Luckily, newer versions of iOS and Android allow you to take photos and videos without unlocking your device, giving you the time to capture the moment.
With Android Nexus devices, double-press the power button.
At the iOS lock screen, you can swipe to the left.
Signal is an app available on both iOS and Android that offers strong encryption to protect both text messages and voice calls. This type of protection is called end-to-end encryption, which secures your communications in transit (as discussed in tip #1). Other apps, such as WhatsApp, have implemented underlying cryptography. But we believe Signal is the better option because it implements best practices for secure messaging.
In addition to encrypting one-to-one communication, Signal enables encrypted group chats. The app also recently added the functionality of having messages disappear anywhere from 10 seconds to a week after they are first read. In contrast to some other services like SnapChat, these ephemeral messages will never be stored on any server, and are removed from your device after disappearing.
Recently, a grand jury in the Eastern District of Virginia issued a subpoena to Open Whisper Systems, the maintainers of Signal. Because of the architecture of Signal, which limits the user metadata stored on the company’s servers, the only data they were able to provide was "the date and time a user registered with Signal and the last date of a user's connectivity to the Signal service."
Know your rights when attending protests with our SSD module on the topic: https://ssd.eff.org/en/module/attending-protests-united-states
If you're really concerned about the data stored on your device, don't bring it at all and pick up a prepaid mobile phone. These lower-end devices can be purchased along with a SIM card at most large retail stores, and current federal regulation does not require you to show your ID (but your state may). Let your friends know your temporary number, and use this to coordinate activities. Remember that the location of mobile devices can be determined by the cell towers they connect to, so if you don't want your identity known, turn off your prepaid device before going home or anywhere that might lead to your identity. Using GPS should be safe, since GPS is a receiver and does not transmit any information, but your device may store your coordinates. For this reason, we suggest you turn off location services. When you're done with the phone, it can be safely recycled or discarded from a location that is not linked to you. Keep in mind that if you carry both your regular device and a prepaid one with you, the location of these devices can be correlated as a way to compromise your anonymity.
Take precautions to limit the possible costs that can be incurred by the loss of a device. Backing up your data regularly and storing that backup in a safe place can save you a headache later on.
Automated License Plate Reader Systems (ALPRs) automatically record the license plates of cars driving through an area, along with the exact time, date, and location they were encountered. This technology is often used by law enforcement, or employed by private companies such as Vigilant and MVTrac who then share license plate data with law enforcement and other entities. Amassed in huge databases, this data is retained for an unknown period of time. These companies have lobbied and litigated vigorously against statutes that would ban the private collection of license plate data or otherwise regulate ALPRs. Effectively, your location can be tracked over time by your driving habits, with very few legal limits in place as to how this data can be collected and accessed.
Consider using alternative means of transportation if you would prefer that your movements and associations remain private.
Read more in our Street Level Surveillance guide on ALPRs.
Airplane mode ensures that your device will not be transmitting for the duration of your time at the protest, and prevents your location from being tracked. Unfortunately, this also means that you won't be able to message or call your friends, so plan accordingly. You may want to select a nearby meet-up spot where you and your friends can rendez-vous if you get separated. You may also want to turn off location services (as discussed in tip #6).
Facebook and Twitter provide a large user base for you to promote your cause, but these popular social media platforms also carry risks. Viewing an event page, commenting on the event, and stating your intention to attend are all actions viewable by law enforcement if the pages and posts are public, and sometimes even if the pages aren't (subject to a court order). For actions that require a more cautious approach, consider forming a group chat via Signal as described above.
Update 11/17: In tip #3, changed "swipe to the right" to "swipe to the left" for iOS.
https://www.eff.org/deeplinks/2016/11/digital-security-tips-for-protesters