Published on 1st June 2017 by Gabor Szathmari and Glenn Todd. Image by Eiti Kimura

We need to update this page based on testing these tools on the ground. Some tools have worked, some have not.

In the meantime, see the Tools guide – July 2020 by Glenn Todd

This guide was created to strengthen Community organising and to support individual organisers.

Activism consists of efforts to promote, impede, or direct social, political, economic, and/or environmental reform or stasis with the desire to make improvements in society.

Community groups are leveraging digital technologies such as social media and databases, which have led to some big wins, alongside the inspiration of overseas revolutions such as the Arab Spring. Digital technologies enable organisers to reach more people and organise their events more effectively than ever.

This potential also comes with drawbacks. Our systems increase the government’s ability to undermine our work and to target individuals within our systems.

We have had a history of government and corporate informants and agents infiltrating community movements and targeting individuals within these networks to gather intelligence. Our Government has passed laws such as the mandatory data retention scheme to improve its intelligence-gathering capabilities. By applying big-data and data-mining techniques to the retained metadata, it is viable to map the members of an organisation, even if the content of the communication is encrypted.
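To make the metadata point concrete (it comes up again under the Wire/Signal and Semaphor notes below), here is an added example written for this page, not code from the guide’s authors. It takes constructed retention-style records with no message content at all, just sender, recipient and hour, and shows how little is needed to recover who belongs to which group, who the hubs are, and when the group was coordinating:

```python
# Added example for this guide (not the authors' code): shows how retained
# metadata alone (sender, recipient, hour), with no message content, is
# enough to map a group's members. RECORDS below is constructed, not real.
from collections import defaultdict

RECORDS = [  # constructed metadata: (sender, recipient, hour of contact)
    ("alice", "bob", 9), ("bob", "carol", 9), ("carol", "alice", 10),
    ("alice", "dave", 11), ("dave", "bob", 11),
    ("erin", "frank", 14), ("frank", "erin", 15),
    ("grace", "grace_bank", 12),  # unrelated contact, stays isolated
]

def build_graph(records):
    """Undirected contact graph: who has exchanged messages with whom."""
    graph = defaultdict(set)
    for sender, recipient, _hour in records:
        graph[sender].add(recipient)
        graph[recipient].add(sender)
    return graph

def communities(graph):
    """Connected components: each is a cluster of people tied together
    purely by metadata, i.e. the 'network' the guide warns about."""
    seen, groups = set(), []
    for start in sorted(graph):
        if start in seen:
            continue
        stack, group = [start], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            group.add(node)
            stack.extend(graph[node] - seen)
        groups.append(frozenset(group))
    return groups

def most_connected(graph, n=2):
    """Hubs with the most distinct contacts: the accounts most worth protecting."""
    return sorted(graph, key=lambda p: (-len(graph[p]), p))[:n]

def coordination_bursts(records, min_pairs=2):
    """Hours in which several distinct pairs talked: spikes that reveal
    coordination around an event even when every message is encrypted."""
    by_hour = defaultdict(set)
    for sender, recipient, hour in records:
        by_hour[hour].add(frozenset((sender, recipient)))
    return sorted(h for h, pairs in by_hour.items() if len(pairs) >= min_pairs)
```

Run against your own group’s real contact patterns, the same three functions tell you which links and which accounts a metadata-only observer would see, which is the basis for the throwaway-account and Tor advice later in this guide.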

On a federal level, the government is a partner in the massive Echelon spying system and on a local level, WikiLeaks revealed the NSW police spent $2 million on targeted spy/hacking software called FinFisher. (Source SMH, ABC)



Then we have Facebook and Google, who have created the most sophisticated personal profiling engines ever built. Our government relies on the data hoarded on these social networks, as shown in the annual reports published by Facebook and Google themselves (Source CW, FaceBook, Google).

Edward Snowden has given us hope that we can protect ourselves from spying by revealing that security systems such as encryption are working. The Director of National Intelligence (US) claimed that his revelations advanced encryption by seven years. (Source)

Using this Guide

This guide outlines the basic functions used by digital organisers and offers safer alternative tools. These tools must also be used in conjunction with safer general working practices within your groups, also called operational security or #opsec.

Although OPSEC is related to technology, it is a higher-level concept. It is a set of practices for protecting information and the operation of a community group. For a general introduction, read The Grugq’s intro on Opsec-for-hackers.

For more information on security concepts and working more securely with groups, please see the “Digital security for everyone” guide as well as this collection of links to more security resources.

Please note that the safety of tools can change suddenly if new exploits or risks with them are discovered. Also remember that if your device, or that of your friends, has been compromised with a backdoor at the system level, this will also compromise some of these tools.

Backdoors like FinFisher will log your keystrokes, take screenshots or turn on the microphone. Signal will not protect your messages if a backdoor is running on your device. Please use these recommendations in context, with some healthy cynicism and common sense.

Typical collaboration activities to secure:

Communication

Email

Chat

Conference Calls

Documents

Media releases (may include sensitive stuff like dates and locations)

Internal documents

Media, photos, video

Public information such as Leaflets, posters

Databases/CRM

List of participants or interested people and their contact details

Spreadsheets (xls, google)

Newsletter database

Hosted tools: Nationbuilder, Action Network, Mailchimp etc.

Recommended Tools

Disclaimer: The following list attempts to suggest tools and practices based on the typical collaboration activities community groups do. This list does not try to be comprehensive, nor provide 100% protection. The recommendations might contain errors and may get outdated fairly quickly. We suggest you study these tools and be aware of their weaknesses and limitations – and you make the ultimate decision whether these tools can help you in your unique situation or not.

Email

Protonmail

All users must be on Protonmail for it to be secure – encryption only works between Protonmail users

Free option available

Other options: Riseup, Tutanota

A good OPSEC practice is to delete emails from the inbox, sent and draft folders as frequently as possible. Make sure the bin is also emptied. If your email account is compromised, the attacker will not be able to read your sent or received email archive.

Communication – Chat – Conference calls

It is important to know that regular phone conversations or popular VoIP tools like Skype or Google Hangouts have wiretapping capabilities built-in. Authorities can request Microsoft to record and hand over conversations with a warrant.

Wire (preferred), Signal (backup)

They protect the content of the communication – end-to-end encrypted

Metadata will reveal who belongs to the same network of people

Both support video calls

Wire supports group chat

Wire supports group audio calls

Wire also stores the list of people you have ever contacted (Source)

Preferred platform: iOS and Android

Avoid installing the apps on a PC if possible

Make sure you turn disappearing messages on (deleted messages might still be recoverable with forensic analysis)

Other options: Talky (video chat), Jitsi (video, text), Clearchat (chat), Ricochet (chat – operates over Tor thus conceals metadata)

Documents

As a community activist, you need to write documents and collaborate with others to write or review them. Google Docs and similar tools are not encrypted: authorities can request Google to hand over who contributed to a document and what the content of the document is.

CryptPad

This is a secure, end-to-end encrypted document editor. The big difference to Google is the encryption: the server hosting CryptPad cannot peek into the content of the documents.

Threats:

Backdoored computer => check ‘Advanced Security’

Metadata can reveal who contributed to a document (but not the content of the document). Apply the combination of both:

Use the Tor browser, or check ‘Advanced Security’ for Tails

Self-host CryptPad on a server (e.g. rent a VPS server in Switzerland)

Challenge: you need to create and manage an inventory of the secure URLs

Store the URLs in a secure note in a password manager such as 1Password or KeePass

How to send the URLs to each other:

Secure note in a password manager such as 1Password or KeePass

Use Signal or Wire disappearing messages to send URLs back and forth



Filesharing

Dropbox, OneDrive and similar tools are not encrypted: authorities can request the hosting companies to hand over who has accessed a shared file and what the file contains. The Dropbox transparency report reveals the number of warrants presented.

We should use end-to-end encrypted services like Sync, where, although the metadata can still link the collaborators together, the content of the files is safe from prying eyes at the service provider.

For sharing files in an ad-hoc manner:

OnionShare operates over the Tor network, which conceals the metadata related to the file share. It can keep the linkage between the two parties concealed, assuming they are only using Ricochet to communicate with each other over the Internet. Any other method (Signal, PGP) can establish a link between the two parties.

Team collaboration

Slack, Google and similar tools are not encrypted: authorities can request the hosting companies to hand over the user list and the chat logs. Even if you delete a message on Slack, we cannot be sure Slack actually deletes it from their servers or their backups.

Semaphor

Good compromise of security vs usability

Similar to Slack (look and feel)

End-to-end encrypted

Threat: Metadata may reveal the network of people



Matrix Riot – for advanced security

End-to-end encrypted

Self-hosted (requires tech skills)

Crabgrass

You can use a hosted version at Riseup Crabgrass.

Mattermost

CRM

This area is a MASSIVE GAP in secure organising. Read about the issues here. Many organisations are moving to hosted solutions such as Nationbuilder and Mailchimp (just to name two). Current open-source or secure options are seen to be less advanced and user-friendly. Having your data hosted on a private company’s servers allows law enforcement access, and requires you to trust this company’s ethics and ability to secure their system.

Potential applications are:

Email list management

Mailtrain – Self-hosted

Alternatives: Mailman, Sympa

Should be self-hosted somewhere overseas

The servers hosting the email list management software contain the list of all email subscribers. Ideally, all subscribers should use a brand-new email account solely dedicated for receiving emails from the email list.

Computers and Phones

Threats:

Finfisher, Hackingteam

The technical bar of installing a backdoor is very low

Computers as well as smartphones are both affected

Typically distributed and installed through a phishing email or MMS message

The phishing email/MMS either contains a link pointing to a Windows/Mac/Linux/iOS/Android exploit

Or contains a file attachment that downloads and installs the backdoor silently in the background

The content is typically tailored to you (e.g. an Iranian human rights activist receives an email saying that prisoners are tortured in a prison, and is asked to open a .doc file for the details)

If you can, install a Linux VM in VirtualBox and take a snapshot. Open links and attachments within the virtual machine. Once you have finished, power off the VM and restore the snapshot.

Basic computer security

These won’t protect you from FinFisher, but provide some protection from mischievous hackers / casual attackers:

Install Kaspersky anti-malware (paid) – Windows

Has basic anti-keylogger feature

Notifies you if the camera / microphone is turned on

Has ransomware protection

Has basic phishing protection (only protects from cyber criminals, doesn’t protect you from state sponsored phishing!)

Bitdefender, Kaspersky – OSX

Many features are missing

Consider installing additional software:

BlockBlock: alerts if software tries to install a new service that starts automatically after each boot. Malware/backdoors typically do this to survive reboots.

OverSight: alerts if the microphone or camera is turned on.

Other interesting tools:



Turn on two-factor authentication where possible – twofactorauth.org

Turn on disk encryption AND login passwords AND auto-screen lock

Preferred, least painful: buy Windows 10 professional and use Bitlocker => one click install

Open source (Windows, Linux): VeraCrypt

OSX: FileVault

Secure Phone

Threats:

Physical damage is frequent in action

Older phones have lots of vulnerabilities – not recommended

Can be unlocked

Stingrays / IMSI catchers: assume that all regular phone calls are wiretapped

Although unlikely, your web traffic can be intercepted and a backdoor deployed by injecting iOS/Android exploits into your web traffic. This is usually used to hunt down high-profile persons of interest; it’s unlikely you will be targeted with this kind of exploit.

Location data (based on celltower information) is retained for two years as part of the metadata retention scheme

Rely on OPSEC (Operational Security) practices

If possible, leave all your electronic devices home. Don’t use Opal cards and bank cards linked to your name.

Pre-event

(if possible) Buy a new/used phone from eBay and never use it for personal stuff ever

Do factory reset

Buy a SIM card

Activate the SIM card with fake details

Travel SIMs from the airport?

Buy activated SIMs from eBay (may not be an Australian number)

Don’t store numbers in the address book

If you are using Wire instead of regular phone calls:

Create a new throwaway Wire account for the event

Never link your own personal Wire account with the new one

Don’t add any of your friends’ personal Wire accounts

The same goes for Signal



On-event:

Do not use SMS or regular phone calls if possible – they can be sniffed with IMSI catchers on the spot. If your phone starts using the 2G (classic GSM) network, your traffic is very likely being intercepted.

Do not connect to any Wifi access points

Remember, reception may be jammed in critical situations

Post-event:

Never use the Wire account ever again

Throw away SIM card

Factory wipe phone

Your IMEI number will not change. Never reuse the phone again.

New Wire account

May need a working phone number => Buy a VOIP number

Personal smartphone OPSEC

Snowden: smartphones are spying machines

Leave the smartphone home (protests, organiser meetings)

Notes: walkie-talkies are not secure either

You can consider installing video streaming or recording apps on your phone to document what is happening around you.

Periscope, Facebook Live and YouTube Live stream the video immediately to the Internet

Video evidence apps burn things like the GPS coordinates and the time/datestamp onto the video

It’s Your Right to Film the Police. These Apps Can Help (American but we also have the right to film Police)

Collaboration threats

Even if you’re using CryptPad, the computer might be backdoored by the authorities. Live in the 60s again: meet in person instead and use the good old pen-and-paper combo.

Use basic OPSEC hygiene: