I hang around people who talk about security and privacy and activists quite a bit. When talking security beyond the typical attackers — people committing identity theft, simple vandals, spammers, etc. — there’s the topic of government surveillance and legal attacks, and privacy as a way to defend political activists against the powers-that-be. I want to talk about this security question in particular.

(Nothing I say here relates to China or Iran or other places with overtly oppressive political systems and without basic legal rights. I don’t think it’s worth trying to generalize that far.)

I’m not sure we are getting this stuff right. I don’t think the political attacks that are imagined are serious risks, and the attacks that are taking place are far less sophisticated than we imagine.

Background

I’m taking these lessons primarily from the experiences of my sister, who along with 7 others is currently facing felony conspiracy charges in Minnesota (felony conspiracy to riot with a dangerous weapon and to commit property damage). These charges are specifically for organizing protests in the lead up to the 2008 RNC convention in St. Paul. It’s only one data point, but in these matters there’s only a handful of cases that inform the discussion.

The city of St. Paul and other local governments received over $50 million for security for the RNC, and some of that money was quickly put into hiring informants to infiltrate organizations, anarchist organizations in particular. My sister, among others, was part of an organization known as the RNC Welcoming Committee. In total three informants were highly involved in the organization, each of them attending literally hundreds of hours of meetings.

The Committee primarily worked on things like promoting the protests against the RNC, acquiring meeting space and internet access for people, finding housing and food for people visiting for the protests, and distributing logistical information like where protests would occur. “Anarchism” means “without rulers”: in line with their anarchist principles they didn’t try to prescribe how people would protest, they felt people should make their own choices about how to protest. The choices people made were widespread, ranging from staying in a “free speech zone” to a few permitted marches, some unpermitted marches, some civil disobedience, some blockading, and in a very small number of cases some people committed property damage. The Welcoming Committee did not advocate any particular kind of protest, they would not be their brother’s keeper, nor did they want to disparage any kind of protest as too timid. Each person should act on their own conscience.

Immediately before the RNC started the 8 were arrested and held for the duration of the convention before being charged and released on bail. Their houses and cars were searched. Nothing interesting was found, though at the time the Sheriff misrepresented things like bike inner tubes as possible slingshot material, or that having paint thinner in the basement, rags in the laundry, and empty bottles in the pantry constituted Molotov cocktail ingredients.

The Evidence

The case has progressed very slowly, but with recent hearings more of the prosecution’s case has been coming out. It’s been over a year and a half and only now are we getting any indication of what the real claims are against the defendants, though the prosecution continues to avoid presenting any real case or plausible complaint. From the hearings we’re also learning something about the form of the investigation. The FBI was closely involved with the case and recruited the most active informant, and the primary investigator was previously with the Secret Service (which somewhat oddly has computer-related duties), and at the time there was a great deal of national attention on the convention. So presumably they had the resources to investigate seriously if they wished to do so.

From the perspective of online security the case is very boring. The defendants have been given all the evidence collected during the investigation (including benign or even helpful evidence). It’s a huge amount of evidence, and hard for them to understand or sort through, but some kinds of investigation aren’t there. No email accounts were subpoenaed. Their computers were all confiscated, and will no doubt be kept until after the trial, but there’s nothing high-tech about that. Some of them had whole-disk encryption, and there is no indication it was broken nor were they even asked to provide passwords. There’s also no evidence of sniffing internet connections, tapping phones, breaking into email… nothing fancy was done. From what we can tell the evidence against them will be primarily from informants’ testimony about open meetings, widely distributed literature, a video posted on YouTube, a password-protected but essentially open wiki (the wiki provider was not subpoenaed, despite things like edit history being potentially interesting).

If they had been any more security-conscious it would have worked against them — it would have been out of line with their ideals and would have made them less effective and transparent in their organizing efforts. The biggest danger now is that they’ll be demonized, that they’ll be judged based on caricatures of their actual beliefs; privacy only makes this worse.

Credit Where Credit Is Due

Perhaps one reason the surveillance was low-tech and subpoenaed evidence is not playing a large part in the case is that it’s just too hard. They used Riseup for many services, which is a set of online services for activists, who take privacy very seriously, log as little as possible, and try to host everything outside of the country so regardless of an activist’s locality it will be a bureaucratic challenge to get access to the servers. Outside of the core group most people acted anonymously, so the prosecution would not be able to follow up on most of what they found anyway. Even if they got all the logs and email from everything the Welcoming Committee touched, I’m not sure they could make use of it. If they could somehow relate all that anonymous information, they’d still have to explain those techniques and convince a jury.

Data mining and other data-driven techniques could be useful if they were trying to attach people who had done anything wrong. You can use surveillance to find the smoking gun, and once you’ve found it you don’t have to justify the techniques you used in the process. But only if there’s a smoking gun. It’s a peculiar situation where the prosecution doesn’t appear to actually believe they did anything demonstrably wrong; I fear they plan a case where they redefine “wrong”.

Privacy

Besides the security issue there’s the privacy issue, and privacy is big on the internet these last few months. One of the oft-claimed benefits of privacy is to allow political dissent. And maybe that makes sense in China, but I don’t know how it relates to the things in the U.S. or Europe. Political beliefs held in private don’t much matter. Complaining about politics in private situations is fine, because it just doesn’t matter. So sure, you are safe from political persecution if your privacy is maintained… but it’s because you are impotent, not because privacy is some part of a political struggle.

This reminds me of a playground sense of privacy. On the playground you might say you like They Might Be Giants and the playground bully says that’s so gay, and you think I shouldn’t have said anything. But it doesn’t really matter how much you reveal in that situation, it doesn’t matter what you say you like — the bully isn’t making a pointed critique on your preferences, they are just trying to hurt you. The only way privacy will help you is if you are so quiet that the bully doesn’t notice you at all and picks on someone else instead. That’s a pathetic stance.

Ramsey County (where the RNC 8 are being charged) is a bully. They decided before the Welcoming Committee even existed that people were going to be arrested, charges were going to be made. The Welcoming Committee stuck their necks out further than anyone else. The problem isn’t that they made themselves vulnerable, the problem is that Sheriff Fletcher is a bully and County Attorney Gaertner is some kind of automaton who doesn’t give a shit about justice.