strugee.net

Posts categorized as "privacy"

Surveillance priorities

For several years now I've been really interested in technology policy - things like security, privacy and censorship, and especially how those things relate to both mass surveillance and freedom-respecting software. That's why I follow organizations like Fight for the Future and the EFF, and why I e.g. participated in the movement to stop SOPA and PIPA, the internet censorship bills.

But a week or so ago I had a realization: I'm not interested in surveillance law anymore.

It's clear to me that Congress is completely busted. The 113th Congress came very, very close to being the least productive Congress in modern history. Our current Congress isn't particularly good either, although they are (as far as I know) not as bad as the 113th - but they're still not good enough that I'm confident in their ability to actually, you know, pass laws. Even if we could get Congress to pass laws at all, it's unclear whether we could actually get them to pass laws curtailing mass surveillance. Over and over again we see Congress trying to pass misguided laws that weaken encryption, damage the DNS, and do all sorts of other seriously nasty (and hacky!) things - it just doesn't seem very reasonable to me to assume that they'd change their minds and decide to do (what we think is) the right thing[1].

This is why I'm not interested in surveillance law anymore. I find it to be a waste of time. Instead, I've shifted my focus towards systems that are fundamentally designed to resist surveillance and censorship. That's why I advocate for Signal and why I work on pump.io: because these are both systems designed from the ground up to, among other things, essentially be unaffected by surveillance law. Who cares if Congress passes a law that says they can surveil pump.io users? Congress saying a bunch of words doesn't change the fact that technically speaking, that's quite hard to do. Certainly it's more difficult than surveilling e.g. Facebook.

As Moxie Marlinspike puts it in this talk on PKI's flaws and an alternative system called Convergence:

And, you know, with this legislation that's been coming up recently like COICA and PROTECT IP and this kind of thing, you know - to me the real lesson here isn't whether this passes or not because there's been, you know, some kind of heroic efforts to prevent this legislation from going through. But I think, you know, the thing to take away from this is that they're trying. To pass regulation that messes with this stuff. And maybe one day they'll succeed.

Trying to make Congress do the right thing is, I feel, akin to an endless arms race: they don't seem to be getting the message and it's doubtful that they'll stop in the near- or medium-term future.

A much better solution is this: implement secure-by-default, freedom-respecting, encrypted and/or federated systems, and be done. Forever.

[1]: honestly, I think a big problem with this is that a lot of Congress is old white guys. Emphasis on old. The problem of people in the legal sphere not understanding technology, especially technology relating to security, privacy and encryption, has cropped up before. Consider, for example, the judge who ruled that a Tor user had "no reasonable expectation of privacy" because he literally could not wrap his head around how Tor worked and what the FBI did.


Friendly reminder: protect yourself while protesting

In light of the recent protests against Donald Trump's nomination, I wanted to write up some tips for people going out and protesting on how to protect themselves from retribution, both physical and legal. These guidelines are especially critical given the almost unfettered power the federal government and (through the federal government) local governments have to surveil citizens exercising their constitutional right to free assembly.

This is not a laughing matter: recall that President-elect Trump has repeatedly called for greater surveillance of mosques, indicating that he will have no problem expanding and abusing the power of the federal government's mass surveillance network. In this Guardian article, Thomas Drake (an NSA whistleblower predating Snowden) says it far better than I could:

The electronic infrastructure is fully in place – and ex post facto legalised by Congress and executive orders – and ripe for further abuse under an autocratic, power-obsessed president. History is just not kind here. Trump leans quite autocratic. The temptations to use secret NSA surveillance powers, some still not fully revealed, will present themselves to him as sirens.

So, here are some tips on how to protect yourself while engaging in a political protest:

General guidelines

  • Don't talk to police
  • If possible, leave your phone at home
    • If this isn't possible, leave your phone in Airplane Mode or even better, turn it off. It is not enough to not post anything; you cannot connect to the cell network at all. See IMSI catchers.
    • Use a passcode on your phone - this gives you a better position under the 5th Amendment for resisting a search of your phone
    • If police try to force you to give up the passcode of your phone, they are probably breaking the law
    • Disable fingerprint unlock, as police are legally allowed to force you to unlock the phone via your fingerprint (note: this link is insecure; consider visiting it in Tor Browser)
    • Disable face unlock (or any other form of biometric authentication) since the police may be able to force you to unlock the phone for the same reason they can do this with fingerprint unlock
    • Make sure full-disk encryption is enabled on your phone
      • iPhone users: this is already on if you're using iOS 8 or later
      • Android users: this is often enabled by default, but you should check by going to Settings > Security and looking under "Encryption"
      • Windows Phone users: not available. Leave your phone at home.
  • Do not bring laptops or tablets - the 5th Amendment protections above do not necessarily apply to these devices, so they can be seized and searched even without a warrant
  • Seriously do not talk to the police
  • Use strong encryption for everything you do online
  • Don't post anything on social media about the protest, including photos, checkins, and text, either during or after. (Remember: the protest lasts one night, but metadata lasts forever.)
  • Under the First Amendment you have the right to film police officers but be extremely careful because some police departments are extremely hostile towards this behavior anyway, to the point of physical violence. See the ACLU's guide for more information.

What do do if you're stopped by the police

If you're stopped by the police and they start questioning you, be polite but invoke the Fifth Amendment (i.e. say: "I don't want to answer any questions unless my lawyer is present", and keep saying it if the officer presses you). Ask if you're under arrest. If not, great! The police officer cannot legally detain you and you're free to go - do so calmly and silently.

If you are under arrest, here are the things you should do right away:

  • Say: "under what grounds am I under arrest?" The officer is only allowed to arrest you if they believe you are about to commit or are in the act of committing a crime. (Remember, photographing officers is not a crime; if they say something about this, remind them that it's protected under the First Amendment.)
  • Immediately ask for a laywer. If you don't have one, the government is required to provide you with one.

Then, keep these tips in mind:

  • Stay calm
  • Be polite
  • Don't run
  • Don't lie
  • Do not resist, argue, or be rude, even if you are innocent
  • No matter what the officer asks you or tells you, always say: "I invoke my right to remain silent until I can talk to my lawyer." Do not answer any questions, no matter how innocuous. Your lawyer will tell you to remain silent but it is important that you make it clear you're requesting a lawyer anyway, because it will look better in case you end up in front of a jury.
  • If you do answer questions, you're allowed to stop at any time. But still don't do it in the first place.
  • Under some states, you can be compelled to give your name (but nothing else). Before you leave your house, look up whether your state has this policy. These are sometimes called "Stop and Identify" laws.
  • If possible, write down the details of what's happened.
  • Do not physically resist the officer, even if they're violating your rights. Instead, write down the violation. Then file a written complain later and/or contact a lawyer or your local ACLU.
  • Useful things to write down in this case: the officer's name, their badge and patrol car numbers, the agency the officer is from, contact information for witnesses
  • If you're injured, photograph the injuries
  • You don't have to consent to searches of your person or your car. If you don't, make it very clear that you don't. The officer may pat down your clothes for a weapon, but anything beyond that requires your consent.

The ACLU also provides additional information for non-citizens, people taking photos or videos, young people (e.g. college students) and deaf people.

More resources

A lot of the above is based on the ACLU's excellent "Know Your Rights" booklet. The ACLU also has a page specifically devoted to rights violations at demonstrations and protests.

PRISM Break is a good resource for technology that will help you resist mass surveillance. Signal is on that list and is very, very good and extremely easy to use; it's what I recommend. Keep in mind, however, that following recommendations from PRISM Break is not a substitute for leaving your phone at home.

If you have more resources or tips that should be listed here, contact me (or edit this on GitHub) and I'll be sure to add them.


~