InfoSec Dos and Don’ts For Leftist Organizers
This text was written as part of the LSC Pamphlet Program. It reflects only the opinions of the author(s) and not the consensus of the Libertarian Socialist Caucus.
Author’s Note: This pamphlet is an amalgamation of many guides, sources and opinions of friends, comrades, and co-workers. This should be considered an opinionated guide for general purpose, as each individual's threat model, means to protect themselves, and knowledge will vary.
Last updated May 2019
This is a general-purpose guide targeted at leftist journalists, activists, and organizers in the United States. The tools and behaviors that you should consider is based on what is called a “threat model”[1] in the security community. Threat modeling is a process in which an individual (or group) evaluates perceived vulnerabilities from the attacker’s point of view.
There are four main things to consider:
- Who is most likely to target you?
- What they want?
- What you can do about it?
- What is at stake if you fail?
This guide will not protect you from a dedicated state actor, such as the FBI or the NSA, but it will force them to at least seek FISA warrants[2] and require them to go through the motions of the basic levels of legal protections that Americans have regarding privacy. The average leftist organizer isn’t trained or equipped to handle the surveillance state’s immense resources. This guide is designed to help give you a baseline level of protection against local police departments, hostile journalists, or fascists.
Most data breaches happen due to poorly configured social media profile privacy settings, reuse of passwords, phishing attacks, malware, or simple theft. This guide hopes to help you harden yourself against those who are most likely to target, intimidate, doxx[3], and harass you because of your political beliefs or organizing activities.
Don't:
- Don’t plug ANYTHING into a USB port (especially airport charging ports) that you didn’t buy and unwrap directly yourself, especially USB drives.
- Don’t use email for anything you wouldn’t want printed on a billboard.
- Don’t store anything sensitive (think about your threat model) in Google Drive or Dropbox (or any type of cloud storage).
- Don’t backup messages to iCloud or Google drive.
- Don't use iCloud keychain.
- Don’t ever reuse or share passwords or PINs.
- Don’t cross the US border with a device containing sensitive information.
- Don’t use thumbprint scanners or facial recognition on your phone.[4]
- Don’t use an Android device, use an iPhone.[5]
- Don’t use your phone number as a two-factor authentication (2FA) method. If it’s the only option, it’s better than nothing, but avoid if possible.[6]
- Don’t say anything over the phone or on VoIP(Skype, Webex, Zoom) that you wouldn’t want recorded.
- Don’t use Facebook (if possible).
Do:
- Use a long (6+ character) PIN for your phone/tablet.
- Use a long passphrase for your laptop / desktops.
- Use a different passphrase for every account. Use a password manager such as 1Password or KeePass to generate and manage these automatically.
- Use an iPhone that is newer than an iPhone 6s, which has a hardware security module.[7]
- Use Gmail. Although it is a domestic product, the Gmail security team regularly deals with nation-state level security intrusions and it is the most secure product available.[8] If you don’t trust Google, ProtonMail is a good alternative.
- Use a hardware 2FA key for logging into Gmail on your phone and use an authenticator (such as Google Authenticator or Authy) when on a mobile device.
- Use 2FA for all accounts if possible. Don’t use SMS or your phone number as a second factor.
- Use Signal to communicate with other people, don’t trust SMS. iMessage is encrypted but Apple holds the keys, so treat anything on iMessage as compromised.
- Consider using an iPad or a Chromebook to open emails with attachments, otherwise try not to use attachments in any way.
- If you must use a Windows laptop, do not use any antivirus other than Windows Defender.
- Use full disk encryption for all devices.
- Use Google Chrome as your browser. Firefox isn't on the same level of security right now.
- Have a dedicated burner phone for crossing the US border (or for any direct actions). Reset to factory settings if possible before crossing the border, otherwise power it down completely. Do not power it on or unlock it until you are clear of the border. See this guide for more information.
- Use what is known as a "USB Condom” for charging your devices when traveling. This could be a cable with the data ports disabled or an actual dongle you can attach to your cable.
- Keep your electronic devices with you at all times. Never leave your computer or phone unattended. Power it off at night or when not in use.
- Don’t use hotel room phones for calls with comrades or journalists. Never meet in a hotel. Assume that anything said within a hotel is recorded.[9]
Other Questions
- This guide seems pretty basic? Why are you making this?
- This guide is for anyone who has just joined a leftist organization and might not understand the threats they may encounter. By utilizing this guide, they may hopefully avoid some basic security missteps. These things won't deter a dedicated adversary (such as the CIA / NSA / FBI) but it will make their job harder.
- What about VPNs?
- A VPN is a good way to watch videos not available in your region but they don't offer any real protection against the government.[10]
- What about Tor?
- It doesn't make any sense to not use antivirus on a Windows computer!
- Modern AV is bloated and potentially a vector for exploitation. Microsoft's Windows Defender is good enough to stop casual attackers.
- I need Facebook to organize! I can't just give it up![13]
- I get it. It's a very powerful tool to connect with others and help plan events, but it's also the FBI's wet dream.[14] Imagine having a list of all the members within an organization, where they live, what they enjoy, who they associate with all at your fingertips? Now take a look at sites such as KeyWiki and realize that almost all of that information was gleaned through Facebook alone.
- How do we share and transmit documents if we can't use Google Drive or Dropbox? How can we do it if we can't use email?
- You can share documents through Signal. You can send 100MB as an attachment that way.
Additional Reading
Surveillance Self-Defense: Tips, Tools, and How-Tos For Safer Online Communications
Privacy for Journalists: Guides
The Motherboard Guide to Not Getting Hacked
Online Security Guide for Journalists
Signal for Beginners
How I learned to stop worrying (mostly) and love my threat model ↩︎
Foreign Intelligence Surveillance Act: Electronic Surveillance ↩︎
Police Can Force You to Use Your Fingerprint to Unlock Your Phone ↩︎
Two-factor via your mobile phone – should you stop using it? ↩︎
Apple and Google harden their smartphones against hackers and governments ↩︎
Hotels have historically been wiretapped and bugged. ↩︎