
Candace Williams

Head of Community Operations by day. Poet by night (and subway ride). Forever @TeacherC.

Nov 10, 2016 (11 min read)

A 70-Day Web Security Action Plan for Artists and Activists Under Siege

Roberto Montes (@RobertoGMontes), 6:13 AM, 10 Nov 2016:

Keep your art public
& your communication encrypted
Stay safe I love you all

We have 70 days until Donald Trump takes office. It's imperative that folks under siege (POC, LGBTQ+, Indigenous folks, immigrants, Muslims, folks with disabilities, etc.), especially artists and activists, take steps to protect their data and privacy online.

Micah Lee (@micahflee), 9:10 PM, 8 Nov 2016:

So it looks like Donald Trump is about to be in charge of the most invasive, and barely accountable, intelligence agency in the world

I'm not an information security or legal expert. These are just suggestions. This list is not exhaustive, nor is it the only way to secure your data.

Web security is like a tree. A young tree can be snapped by a fist. As trees grow layers and roots, they require knowledge, equipment, and energy to cut down. I'm trying to help you add layers of security to your daily routines. I don't like the words "secure" or "safe" because nothing fits into those categories. The only thing we can do is become safer and more secure. Each bullet point is a layer, a step another person or agency has to take to access and trade your information. I've tried to choose the layers that have the highest return on your investment in time and money. Think about your situation and resources and create your own action plan.

I'll be updating this article with edits as I find out new information and better ways to do things. If you have any ideas or edits, please ping me or comment.

I want to identify key assumptions that underlie this article:

Taking a small, first step lowers your mental barriers.

Changing workflows is hard and takes practice. Go at your own pace and be easy on yourself.

COINTELPRO (and similar programs) didn't just happen. It's been happening and will ramp up.

Government and non-governmental bodies already have you on their radar: they know you disagree with some element of the status quo and that you're a person under siege (black, POC, Muslim, queer, a person with physical or intellectual disabilities, a recent immigrant, indigenous, etc.).

Many of your private communications are sitting on the email accounts and devices of your friends and family.

Surveillance capitalism is dangerous. We don't know the implications of how tech companies extract value from their customers' data. Most people don't understand what corporations like Facebook and Google know about them, how the data is used/bought/traded/aggregated/sold/deployed, and whether corporations have already handed over information to government groups. Lack of transparency + colonialism/capitalism + technological supremacy = STRANGER DANGER.

Candace Williams (@TeacherC):

Hitler's partnership with @IBM should remind us that surveillance capitalism and the fascist surveillance state go hand in hand.

Privilege alert: I have the privilege to spend time thinking about this and drop money on a credit card for some of the costs associated with purchasing VPN access, physical safes, and tech services. This article is just a quick brain dump. The next step is for us to organize and help those who don't have the same level of privilege. Remember to secure your own oxygen mask before helping your neighbor.

LAST UPDATE: 11/24/16 at 11:30 am EST (29k views since 11/10)

November

John Rogers (@jonrog1):

Hey, no joke, and I'm paraphrasing smarter people. If you plan on opposing Trump:
Get Tor.
Get Signal.
Get a VPN
2FA on your emails.

The first steps

Withdraw $10 to $40 of cash from your bank.

Buy a Starbucks gift card with the cash.

Use the gift card to purchase 1 month to 1 year of VPN access on https://www.privateinternetaccess.com (or a comparable service of your choosing. Ask around or read online reviews. Make sure the service doesn't keep logs of your activity). Keep in mind: it's better to purchase VPN with a credit/debit card than to purchase none at all. Furthermore, this is just a small layer and it's still possible to figure out which VPN service you're using.

Download and start to use Tor as your primary browser. Be sure to follow the instructions and security warnings here: https://www.torproject.org/download/download-easy.html.en#warning

Since it's impossible to follow all of the warnings and there are limitations to Tor, it's a good idea to also use a VPN. If you don't use a VPN, using Tor + Chrome/Firefox with the HTTPS Everywhere extension is a good start.

Download Signal on your phone and encourage all folks you communicate with privately to use it as well. Use it instead of iMessage, SMS, WhatsApp, Facebook Message, etc. You can also make calls. The desktop version can be used in lieu of Skype, Slack, etc.

Enable two-factor authentication on all email, financial, and other services.
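For readers who want to see what the "second factor" in an authenticator app actually is, here is an added example (not code from the article or from any app or provider it mentions): a standard-library Python implementation of HOTP (RFC 4226) and time-based TOTP (RFC 6238), the algorithm behind the 6-digit codes that Google Authenticator and similar apps display. It shows both sides: the code a phone derives from a shared secret and the clock, and the check a server should perform (constant-time comparison, a small drift window, and refusal to accept a code twice). The secret `RFC_TEST_SECRET` is the public test vector from the RFCs and is only there so the output can be checked against them; the account name and issuer are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30  # time-step length used by common authenticator apps

# Shared secret from the RFC 4226 / RFC 6238 test vectors. It is public and
# only here so the output can be checked against the RFCs; never reuse it.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, int(unix_time) // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, unix_time: float, window: int = 1,
                last_counter: int = -1, digits: int = 6) -> Optional[int]:
    """Server-side check of a submitted code.

    Accepts the current step and `window` steps either side (clock drift),
    compares in constant time, and refuses any step at or before
    `last_counter` so a code captured in transit cannot be replayed.
    Returns the matched step (the caller stores it as the new last_counter)
    or None on failure."""
    if len(code) != digits or not code.isdigit():
        return None
    current = int(unix_time) // STEP_SECONDS
    for delta in range(-window, window + 1):
        candidate = current + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// key URI, the format encoded in authenticator-app QR codes."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits=6&period={STEP_SECONDS}")


if __name__ == "__main__":
    # Enrolment: a fresh 160-bit secret per account, shown to the user once.
    # "artist@example.org" / "ExampleMail" are placeholders.
    new_secret = secrets.token_bytes(20)
    print(provisioning_uri(new_secret, "artist@example.org", "ExampleMail"))
    now = time.time()
    code = totp(new_secret, now)
    print("current code:", code)
    matched = verify_totp(new_secret, code, now)
    print("verified at step", matched)
    # The same code a second time is rejected thanks to last_counter.
    print("replay accepted?",
          verify_totp(new_secret, code, now, last_counter=matched) is not None)
```

The security of the scheme rests entirely on the shared secret, which is why the QR code shown at enrolment should be treated like a password: anyone who photographs it can generate the same codes. The `last_counter` bookkeeping matters because a code is valid for the whole 30-second step (plus the drift window), long enough for a phished or shoulder-surfed code to be reused if the server does not remember what it already accepted.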

Do an info security audit: begin to brainstorm how you use social media, email, mobile devices, and cloud storage. How do you use these services? Which communications need to be moved to secure channels? Are sensitive documents saved in the cloud? Can you quit Facebook, Twitter, Google, and Amazon altogether?

Choose strong and distinct passphrases. The Intercept has a handy guide here: https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/

@AllBetzAreOff recommends using a non-cloud-based password manager to generate and secure your passwords. More info here: https://securityinabox.org/en/guide/keepassx/windows

It's important to turn on software auto-updates so you're protected from known software vulnerabilities. (Thanks to Dan Sullivan, Ph.D. for this advice! Check out his excellent comment for more information.)

Encrypt your mobile devices. iPhones are automatically encrypted, but many use access codes that are inadequate. Reset your code to a long, random string of numbers (make sure you write this down while you're committing it to memory). Android users can enable encryption in the Settings app.

Encrypt your computer using BitLocker (Windows) or FileVault (Mac).
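The passphrase and phone-access-code items above both come down to one number: how many guesses an attacker needs. As an added example (not code from the article or from the Intercept guide it links), this Python script generates Diceware-style passphrases and long numeric codes with the operating system's cryptographic random source, and computes the entropy of common secret formats so the difference between a 6-digit PIN and a 6-word passphrase is concrete. `SAMPLE_WORDS` is a constructed 32-word toy list so the script runs offline; a real Diceware list (the EFF long list, for instance) has 7776 words, which is the size used for the entropy figures. Function names are my own.

```python
import math
import secrets

# Constructed toy word list so the demo runs offline. A real Diceware list
# has 7776 words (one per roll of five dice); use one of those in practice.
SAMPLE_WORDS = [
    "acorn", "banjo", "cactus", "dolphin", "ember", "falcon", "glacier", "harbor",
    "igloo", "jungle", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
    "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "anchor", "bramble", "copper", "dagger", "elbow", "fossil",
]
DICEWARE_LIST_SIZE = 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret of `length` symbols each drawn uniformly at random
    from `alphabet_size` choices. Only valid for genuinely random picks;
    a memorable phrase you made up yourself has far less."""
    return length * math.log2(alphabet_size)


def diceware_passphrase(words, n_words: int = 6, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG (secrets), never random.choice, so the
    entropy figure above actually holds."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def random_numeric_code(n_digits: int = 10) -> str:
    """Long random digit string, e.g. for a phone access code."""
    return "".join(secrets.choice("0123456789") for _ in range(n_digits))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an attacker trying candidates in turn; on average
    half of the keyspace is searched before the right one turns up."""
    return (2 ** bits) / 2 / guesses_per_second


def strength_table(guesses_per_second: float = 1e9) -> dict:
    """Entropy and expected crack time for common secret formats at a given
    guess rate. 1e9/s is a rough offline figure (a stolen encrypted backup);
    a phone that rate-limits passcode attempts allows only a few per second."""
    formats = {
        "4-digit PIN": (10, 4),
        "6-digit PIN": (10, 6),
        "10-digit random code": (10, 10),
        "8 random lowercase letters": (26, 8),
        "4-word Diceware passphrase": (DICEWARE_LIST_SIZE, 4),
        "6-word Diceware passphrase": (DICEWARE_LIST_SIZE, 6),
    }
    return {
        name: (round(entropy_bits(size, n), 1),
               expected_crack_seconds(entropy_bits(size, n), guesses_per_second))
        for name, (size, n) in formats.items()
    }


if __name__ == "__main__":
    print("passphrase:", diceware_passphrase(SAMPLE_WORDS))
    print("phone code:", random_numeric_code())
    for name, (bits, seconds) in strength_table().items():
        print(f"{name:30s} {bits:6.1f} bits  ~{seconds / 3.15e7:.3g} years at 1e9 guesses/s")
```

Run it and the table makes the article's point: any PIN of a handful of digits falls instantly to an offline attack, so a short code only protects a phone as long as the device's own lockout and hardware protections hold, while a six-word passphrase from a real list (about 77 bits) stays out of reach for millions of years at a billion guesses per second. The same arithmetic is why a password manager generating long random strings beats anything you can invent.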

December

If you have (or want) a website, database, or app, join an encrypted hosting service like MayFirst.

Purchase a physical safe (like the SentrySafe SFW123DSB) for your important documents, hard drives/USB keys, and artwork. You can split this cost with folks who live nearby. If your artwork is larger than a common household safe, and you're interested in chatting, ping me. We need to brainstorm how to help artists under siege keep their art safe from destruction. Research the safe to make sure electronics won't oxidize, or buy Silica Gel Dehumidifier Desiccant packets/special sleeves.

Purchase a hard drive that can store your digital files. Encrypt it.
In the future, consider purchasing multiple drives and keeping
your most valuable information in multiple places. If you bought a
safe, keep your hard drive there. You should also prepare for a
time when Internet access or your information stored online is
completely unavailable to you.

Audit your cloud storage. Where are your files stored? What kind of information is stored? Where's the most sensitive information?

Begin to break your dependence on cloud storage (when possible): iPhoto, Google Photos, Google Drive, DropBox, etc. Structure your filesystems in ways that are easy to navigate without Google's search capabilities.

See if you can minimize your use of Chrome/Firefox/Safari/etc. by the end of the month. Dennis Cahillane says:

Yeah, I don't recommend using a Firefox add-on you install yourself. I recommend downloading the Tor Browser bundle directly from the Tor Project here (https://www.torproject.org/download/download). Using the Tor Browser bundle is easy for non-technical users, but you will quickly become frustrated by its limitations. When you aren't using Tor, I recommend Firefox or Chrome with the following add-ons: HTTPS Everywhere, uBlock Origin.

Download all of your files to your computer + external hard drive. This might take a while, so you can do a batch a day. Start with the most sensitive information. (This is just a start. There are ways to have access to encrypted cloud storage; I think folks can consider this after the New Year, after they've done the initial transfer and have broken their dependence on easy-to-use cloud services.)

If you'd like, choose an activist email provider you'll use instead of Gmail (or a service like ProtonMail). You'll also need to loop in your friends and family. Jamie McClelland, Co-Founder of MayFirst/PeopleLink, says:

Using Gmail is definitely a bad idea. Under Obama we had a huge expansion in the federal government spying infrastructure and they definitely target the big corporate providers, either by compromising them or simply sending them a subpoena. And now all of that will belong to Trump.

For email, stick with activist providers. And *everyone* has to do it. If you are having a group conversation and just one person is on Gmail, then everything goes to Gmail.

If everyone is on MF/PL, then it never leaves our servers and it is far more difficult to intercept. If some people are on Riseup and some are on MF/PL it's also good, since MF/PL and Riseup will encrypt messages between servers.

However, even with all of these protections, I would advise against relying on email for anything sensitive.

If you haven't already, I would suggest replacing whatever program you use to send SMS messages with Signal (https://whispersystems.org/). It's on both iPhone and Android. It's easy to use and it's very secure.

I would also suggest using Jabber (see the MF/PL page here: https://support.mayfirst.org/wiki/how-to/jabber).

Both Signal and Jabber work on your phone and provide much better encryption and privacy than email ever will.

A note about email: Dan Sullivan, Ph.D. left a relevant criticism of activist email accounts in the comments:

Also, infosec is largely a battle of technical skills and resources. Google has
more of both than any email or other cloud provider I know of. I use Gmail
with two factor authentication and will stick with it. Sure, an agency may
get a warrant for emails at Google but there is less chance of successfully
hacking the Google infrastructure to get those emails than hacking another
provider with fewer resources.

I respond:

Email seems impossible to secure. I'm already starting to drift away from email as my primary means of communication. Although I might use an end-to-end encrypted service, PGP, etc., 95% of my contacts do not have access to this technology. So the question is: where do I want my unencrypted emails and metadata to sit? Who do I trust more, Google or activist groups? Although activist groups draw attention to themselves, I trust Riseup and MayFirst's track record of resisting subpoenas from US grand juries, US agencies, and many other governments/legal systems around the world. Because of the identity and ideologies of dissident artists, the government already knows we're activists. I'd rather collaborate with groups that have been working on this issue for quite some time. I'm also leery of surveillance capitalism because it goes hand in hand with the surveillance state. COINTELPRO and other surveillance projects that impacted POC-led movements are in the back of my mind as I make these decisions. Google has the money and the know-how but they don't give a shit about me or my struggle. They aren't going to go to the mattresses for me. I don't like the demographic and psychometric data providers like Google and Facebook gather (and the lack of transparency for how that information is used). I'm a dissident artist who is willing to spend the effort to divest as much as I can and become a contributing member in political tech groups.

Here's a short clip of a training I gave at Eyebeam about email encryption.

January

Share what you've learned from this process. Help other artists start to shore up their security. If you're the only person who uses Signal or an activist email account, it'll be of no use to you.

To level-up the security of your email, start using PGP. Better yet, have a PGP party where you and your closest friends, family, and coworkers install GPG Tools and create keys together. matt mitchell has an excellent (draft of a) guide for how to spin up PGP without installing an email provider: https://docs.google.com/document/d/1Zn62XjVRkt6_nvtgUvWO4WLo4VTQ3WQ98WKc5gkPb8w/edit

Organize: collaborate with others and explore group action (collecting money for folks who can't afford services, purchasing secure storage units for large works, creating personal libraries of books and information that could be targeted, etc.). Try to find groups like matt mitchell's CryptoHarlem security parties: https://twitter.com/cryptoharlem

If your information is sufficiently backed up, consider next steps (i.e., deleting it from the cloud).

Consider using Tails. @ciakraa of @hackblossom explains it well in their EXCELLENT DIY Guide to Feminist Cybersecurity:

There are a countless number of situations where Tails could be an invaluable tool for your privacy. Activists looking to organize in spite of government surveillance can use Tails to effectively communicate. People being tracked by predatory abusers can use Tails to access the internet without risking their physical location or data. Someone that wants to utilize public computers or internet networks can do so while still having their privacy protected. Any time you want to be maximally private in your activity and your data, Tails is an incredible tool to have at your disposal!

Known next steps and questions

How can organizers use PGP to avoid infiltration? (I have 9 Keybase invites. Ping me if you'd like one.)

Candace Williams (@TeacherC):

I just used @KeybaseIO + @GPGTools + these tutorials to get started with pgp on my Mac notes.jerzygangi.com/the-best-pgp-t

How can we make encrypted online storage easy to use for folks who don't have IT/DevOps/tech experience?

What tools do folks under siege need to build to get away from using Google, Twitter, Facebook, Amazon, and other services?

Should our banking habits change (credit cards, online banking, cryptocurrency, etc.)?

Communities and organizations

Mr. Rogers once said that when he was a little boy and a national tragedy happened, his mom told him, "Look for helpers. There are always helpers." Within 6 hours of posting this, kind security experts contacted me and wanted to help you be safer on the web. Once you've secured your oxygen mask, I hope you'll do the same for your family, friends, and collaborators. Here are communities you can join:

MayFirst/People Link: https://mayfirst.org/en/index.html

May First/People Link engages in building movements by advancing the strategic use and collective control of technology for local struggles, global transformation, and emancipation without borders. Flowing from that mission, our organization redefines the concept of Internet Service Provider in a collective and collaborative way. Like any democratic membership organization, we gather together each year to evaluate the past year's experiences, plan the coming year's work and elect a Leadership Committee to apply what we've decided. Like a co-op, we pay dues, buy equipment and then we all use that equipment as we need to for websites, email, email lists, and just about everything else we do on the Internet. As a movement organization, we participate in (and often lead) campaigns, struggles, coalitions and networks of left, progressive and social justice organizations in the U.S., Mexico and internationally.

Riseup: https://riseup.net/

Riseup provides online communication tools for people and groups working on liberatory social change. We are a project to create democratic alternatives and practice self-determination by controlling our own secure means of communications.

11/24/16: A note about Riseup: cryptic tweets and an out-of-date canary mean Riseup might have been compromised. If you're using Riseup, you should: A. Donate to them and B. Decide if you'll keep using the service or migrate to another until the canary is updated. There are arguments for waiting it out and arguments for backing up data and using another provider until the canary has been updated. Check out the article below for more information.

@c4ssdotorg: Riseup's Canary Has Died https://t.co/3DUbf5fcI6

CryptoParty NYC: https://www.cryptoparty.in

With a CryptoParty you create an environment where people from different backgrounds come together and learn from each other. Hence you might want to include people of different age, gender, heritage and expertise.

Doors open, people arrive, find a seat and socialize. A short intro officially opens the event and then it's off to the tables. Each table covers a topic and people decide what they'd like to learn or teach.

People will be more comfortable given enough time for socializing. They will be more likely to ask questions then. But it also takes an environment where they feel comfortable socializing. Setting the scene is your task.

CryptoHarlem: https://twitter.com/cryptoharlem

Palante Technology Cooperative: http://palantetech.coop/

Palante Technology Cooperative works to help progressive nonprofit organizations move forward with the aid of technology. We come to this work with technical expertise, a deep understanding of the particular needs of community organizations, and a long-standing commitment to working for social justice.

Resources

Things to Know About Web Security Before Trump's Inauguration: A Harm Reductionist Guide
https://medium.com/@kappklot/things-to-know-about-web-security-before-trumps-inauguration-a-harm-reductionist-guide-c365a5ddbcb8

How to encrypt your entire life in less than an hour
https://medium.freecodecamp.com/tor-signal-and-beyond-a-law-abiding-citizens-guide-to-privacy-1a593f2104c3#.jn58hhi4k

Oh shit! What should I do before January? (a guide written with LGBTQ+ folks in mind)
https://docs.google.com/document/d/1QjiJi4YBbmdnWyTdKDb-IgLvTjYKWx3WqNirAkGMQV8/edit#heading=h.ln4kek81khwg

Activists' Guide to Archiving Video
https://archiving.witness.org/archive-guide/

How to Leak to the Intercept
https://theintercept.com/2015/01/28/how-to-leak-to-the-intercept/

A DIY Guide to Feminist Cybersecurity
https://tech.safehubcollective.org/cybersecurity/

Resources: What You Can Do Right Now
http://entropymag.org/resources-what-you-can-do-right-now/

Encrypt your Laptop Like You Mean It
https://theintercept.com/2015/04/27/encrypting-laptop-like-mean/

Surveillance Self-Defense Against the Trump Administration
https://theintercept.com/2016/11/12/surveillance-self-defense-against-the-trump-administration/

The Electronic Frontier Foundation's security starter pack
https://ssd.eff.org/en/playlist/want-security-starter-pack
