Telegram history crash course

Telegram was developed in 2013 by brothers Nicolai and Pavel Durov, Russian entrepreneurs currently in exile after a confrontation with Russian government over the social media platform VK regarding users’ privacy and freedom of speech. Durov brothers founded VK in 2006, but they were later pressured to sell it and leave the company.

The Digital Resistance movement became popular in Russia in 2018 when the government tried to block Telegram due to its high level of privacy and a surge of politically-oriented pseudonymous Telegram channels critical towards the Russian government. Authorities blocked more than 15 million IP addresses including servers operated by Google, Amazon, Microsoft, and Digital Ocean, so many popular websites and apps experienced outages during a few weeks of a standoff. Telegram users, however, received push-notifications with new network settings multiple times per day, so most people were able to use an app without a VPN. Eventually, the Russian government gave up on trying to block Telegram. Other authoritarian governments usually solve this issue by importing China’s surveillance and censorship technologies, but for Russia, I guess, the national security concerns are more important, so they don’t use China’s technologies, therefore Telegram can still be accessed freely from most Russia’s ISPs.

Side note: Internet in Russia is heavily censored, e.g. even LinkedIn is blocked.

Since the start of the Digital Resistance movement, Telegram became very popular in crypto space and in highly oppressed regions such as Russia, Iran, Hong Kong, etc.

Hong Kong Digital Resistance

Reddit: Chinese nationalists are review-bombing a Warframe game because the “Country” settings didn’t list Taiwan and Hong Kong as a part of China

In order to confront the 50 cent army (Chinese state-sponsored trolls) and to spread the word across the world, HK activists started massively signing up for western social media platforms. However, openly criticizing CCP is very dangerous, so most Hongkongers take care of their privacy using the best practices known in the crypto space. Let’s look at those practices:

Use Tor or a VPN (ideally, paid with cryptocurrencies using mixers without any link to user’s ID, or with anonymous debit cards from grocery stores)

or a (ideally, paid with cryptocurrencies using mixers without any link to user’s ID, or with anonymous debit cards from grocery stores) Create an email address using privacy-oriented email providers (e.g., ProtonMail or Tutanota) that will be used only for signing up for social media platforms.

(e.g., ProtonMail or Tutanota) that will be used only for signing up for social media platforms. Do not use this email address for any other communication, because the address should stay secret, so a potential adversary will have to discover an email address, password, and bypass 2FA (if set) in order to break into an account.

If the platform supports different 2FA options, then use two-factor authentication via TOTP (Time-Based One-Time Password) instead of authentication via SMS, because the latter one can be bypassed with a SIM swap attack.

Do not scan a TOTP 2FA QR code, but rather type a secret key manually into your 2FA mobile app, and don’t forget to back up the secret key.

After the registration process on social media platforms is complete, activists hide their email addresses from public in the account settings.

If the platform requires a phone number for registration, then activists use either prepaid SIM cards that are not linked to their IDs, or VoIP and burner-like apps . Ideally, the phone number should be detached from the account after the registration is done in order to protect from a SIM swap attack.

. Ideally, the phone number should be detached from the account after the registration is done in order to protect from a SIM swap attack. Activists use complicated passphrases that consist of multiple random words, e.g. “correct horse battery staple”, which are easier to remember but harder to break than “Carr13Lam777”.

Other tech

Streaming

When recording videos, activists often prefer streaming services to avoid videos being deleted from the phone if the device was lost or confiscated.

AirDrop

Activists often use AirDrop service on iPhones, which allows pseudonymous sharing of important information “on the ground” over Wi-Fi and Bluetooth.

FireChat or Bridgefy

In the absence of an internet connection, activists sometimes use FireChat or Bridgefy messengers to chat with each other using peer-to-peer connection via Wi-Fi and Bluetooth (meshnet). However, Bridgefy requires a phone number for registration.

Private Bin

In some extreme cases activists use a Private Bin service if they are afraid that the message can be intercepted. Here are some interesting use-cases:

Activists create a pastebin with a “burn after read” feature enabled, encrypt it with a password, and then share a link over the suspicious communication channel. If upon opening a link, the bin has already been deleted, then the message has been intercepted by an adversary, so the communication channel is not secure. Side note: a pastebin is deleted after opening a link even if it was not decrypted with a correct password.

Activists share a link to a pastebin and a password for it via two different communication channels to make sure that an adversary won’t be able to access the important information even if he intercepts one of the messages.

When activists temporary don’t have an access to a trusted channel of communication, they encrypt a message using a pre-agreed password and set expiration time (e.g., 10 mins, 1 hour, 1 day). Then they share the link in a group, knowing that only activists with a correct password will be able to decrypt the message. For security reasons passwords are changed periodically and shared face-to-face or via a trusted channel of communication.

Fingertrapp

Whistleblowers use Fingertrapp to clear English-language docs from hidden characters that can identify an employee that leaked the evidence. However, the app currently supports only English, Korean, Russian, and Devanagari.

What3Words

Advanced activists use What3Words to set up a location for a private meeting (e.g. flock lock photocopy), especially if they don’t know each other and will meet for the first time. What3Words has some advantages over other maps:

You don’t need to be physically present at the spot to get the 3 words representing the precise location It’s easy to find a person if you know the exact 3x3m square he will be in It’s essentially just GPS locations but in 3 words which people can easily remember and share You don’t need GPS or internet to get the location if you have the app Don’t need to have the app to get a location if you have an internet connection (i.e. getting locations works through the browser). It’s easier to hide 3 random words into any text to obfuscate the location of the meeting for a conspiracy purpose

On-the-ground

Here are some other ways activists protect their identities during protests.

RFID scanners

People wrap their HK IDs, subway cards or credit cards with an aluminum foil (tinfoil) so adversaries can’t track them by remotely scanning the radio frequency identification chips embedded in the cards.

Burner phone

Ideally, protesters leave their main phones at home and use cheap burner phones when attending events. Many hardcore protesters don’t carry any phones, but rather communicate face-to-face or with walkie-talkie.

Note: secondary phones are also set up according to the best security and privacy practices, otherwise they stand out because they are linked only between members of a group.

Using a phone during a protest

If activists bring their phones to events, then they take extra precautions:

disable GPS, WiFi, Bluetooth, and mobile data

turn on an “airplane” mode when the Internet connection is not required

log out from all social media apps, so adversaries won’t get an access to activist’s accounts if they obtain and unlock his phone

beware of CCTV cameras when checking a phone, because cameras can capture passwords and other sensitive information such as account names, phone numbers, chat logs, etc.

Photos

Take photos without unlocking a phone

Try not to get other protesters’ faces on the photos

Black out or blur faces and other identifying features of all protesters on the captured photos

Delete metadata from the photos (e.g., instead of sharing an original photo, take a screenshot of that photo on a phone, or send an original photo to a desktop and take a screenshot there, or use a special software/app to get rib of the metadata, and only then share the image)

If a phone was lost

Log into social media accounts and other services from another device and revoke all accesses for the lost device to log into these accounts.

Umbrellas

Activists often use umbrellas not only as shields against riot-control weapons, but also to hide their activities from cameras.

Hide face

Protesters hide their faces with all kinds of facial masks, goggles and caps.

Cover body

People can be identified not only with face recognition technologies, but also by specific hairstyle, hair color, shape of ears, tattoos, piercings, freckles, unique cloths, the shoes style, etc. Thus hardcore activists cover all body parts with simple black cloths without brand names.

Change clothes

If there was a specific dress-code (e.g., all black) then many activists change clothes into something brighter before commuting home to avoid being targeted by police or pro-government radical groups.

Cash

Activists use cash to buy protective gear and MTR tickets when commuting to and back from the protests. Many activists take off 1–2 stations before the protest/home, and then walk to the protest/home.

Conclusion

China is exporting censorship and surveillance technologies across the world, while Hongkongers teach us how to use privacy-oriented technologies to protect our freedoms.

“One country, two systems” principle will officially end in 2047, so many of those who will fight for the freedom in 2047 are not even born yet. What values that generation will carry and how much freedoms will Hongkongers have after 3 decades? We don’t know that yet.

But what we know for sure is that Hong Kong has already reached a generation of youth who cares less about academic and financial success, than political freedoms and civil liberties. The new generation is young, bold, tech-savvy and they are protesting from early ages.

If you want to see more candid articles about Hong Kong, crypto, security & privacy, you can share this article, retweet basic privacy tips, or donate crypto.