Some time ago, a friend of mine sent me this Digital Safety Tips for Organizers: Online Privacy Checklist to look over.
I think it’s great and brings up a lot of important points regarding maintaining online anonymity for organizers. However, I think it can be touched up a bit with some broader knowledge and application when it comes to infosec practices for activists, especially considering the incoming presidential administration following the 2024 general election; who’s to say what tactics will be employed to defeat “the opposition?” In my opinion, it’s important to be over-prepared for these situations.
Some of these suggestions may seem highly technical for the inexperienced individual, and therefore may present a bit of a learning curve. They may also seem like overkill or inconvenient. But I promise you, when it comes to the many ways an individual can be tracked and subsequently doxxed and/or investigated and arrested, it is worth it to take the time to learn and employ these tactics.
Depending on the actions taken by an organization, even if by a decentralized collective of otherwise anonymous individuals, one misstep can mean the end for you, and potentially your comrades, at the hands of law enforcement or an ultra-right-wing lunatic (if you can even tell the difference between the two). Please note that this is not an attempt at fear-mongering, but rather to prepare you.
Because of various skill levels among individuals, if any of these steps prove to be too difficult for you, consider consulting a trusted and technologically-inclined comrade to assist you. Approach the learning process with an open mind, and you’ll solidify a lot of useful knowledge that can be applied in various ways to maintain your online privacy in several avenues of your online life.
As always, assess your threat model and make decisions based on that.
This document covers the technical aspects of operational security. It won't go into detail about correlation attacks, in which your anonymous online activity is cross-referenced with your mobile devices and other online activities (like doing something illegal over Tor and immediately shutting down your computer and going to the mall), or stylometry attacks, which analyze your unique pattern of expression (the way you communicate online). I may make a separate post about those at a later time.
A Concise Online OpSec Guide for Anarchists, Activists and Organizers:
1. Take Stock of Your Online Presence
- Check https://HaveIBeenPwned.com to see if your account credentials have been included in data leaks.
- If you’re running Linux, you can also use a tool called Breach-Parse, which may be a bit more thorough when hunting for your own breached credentials. Instructions for installation and usage can be found at the following link:
- Don’t be a victim of open-source intelligence
- Google yourself and take note of what you find about yourself through these searches. Are your address, phone number, email, etc. appearing in publicly available databases?
- Data Removal Workbook: https://inteltechniques.com/data/workbook.pdf
- Are you using social media and is it necessary that you use social media?
- Think of social media as a database of your personal information and behavior patterns. When it comes to a determined adversary, you can be identified even by the way you casually communicate through written channels, and you could be publishing personally-identifying information without even realizing it.
- Don’t use the same username on more than one account to prevent being tracked across several profiles.
- Be mindful of what can be seen in photos you are publishing on social media.
- Consider the doxx of Eric Clanton, the Berkeley Bike Lock professor, which led to his subsequent arrest.
- If it is necessary that you use social media, keep your personal profiles and activist profiles entirely separate.
- Any profiles you use to report on or talk about activist activities should be used with a pseudonym derived from something that is not personally connected to you. These profiles should only be accessed from behind a truly anonymous VPN like Riseup VPN or, even better, through the Tor network.
2. Secure Your Accounts and Communication
- Use a Password Manager
- I recommend KeePassXC because it is a local database. Use the password generator in the tool to create long (20+ characters of random upper/lowercase letters, numbers, and symbols), unique passwords for your accounts.
- Store the password you use to access your KeePassXC database on a separate storage media in the event that your PC is compromised.
- Do not save passwords in your browser in the event that you are accidentally compromised through it.
- Use a two-factor authentication app like Authy on any and all accounts you can.
- Do not use text message 2FA if it can be helped. Keep in mind that your personal info is publicly available if you haven’t had it removed yet, and that information can be used to target you in an attack called a SIM Swap, which can be used to bypass your 2FA if it is SMS-based.
- Keep all email communications on encrypted email services such as Protonmail
- Consider using PGP to encrypt your emails, which will ensure your emails are only viewable by intended recipients, even if your email has been compromised, and will eliminate the chances of spear-phishing campaigns potentially leveraged against your affinity group/collective/etc.
- Use a throwaway email for quick communications that don’t need to be directly tied to your private persona.
- Guerrilla Mail is a great option for this.
- There are also some great anonymous email services on the Tor network:
- RiseUp (Anarchist created and maintained): vww6ybal4bd7szmgncyruucpgfkqahzddi37ktceo3ah7ngmcopnpyyd.onion
- Mail2Tor – mail2torjgmxgexntbrmhvgluavhj7ouul5yar6ylbvjkxwqf6ixkwyd.onion
- TorBox – torbox36ijlcevujx7mjb4oiusvwgvmue7jfn2cvutwa6kl6to3uyqad.onion
- OnionShare is a great hidden service for anonymously sharing files between individuals or devices.
- Use encrypted messaging apps on your phone and PC
- Signal is a great option, especially now with their username option. But I like Session better because it routes everything through a decentralized network like Tor, and you are identified by a hash instead of a username.
- Cwtch is another great option, as it works the same as Session and gives you an option to lock your profile behind a password.
3. Secure Your Devices
- Encrypt everything
- Use VeraCrypt, which can be used for Full Disk Encryption as well as creating encrypted containers for files, and even hidden containers.
- Ubuntu has a Full Disk Encryption option on initial installation.
- Do not leave your device unattended and unencrypted.
- Make your device tamper-evident.
- Spoof your MAC address:
- ***You can also spoof your hostname with this process***
- You can create a service on Linux that does this automatically on bootup:
- Create a script and make it executable (***run ifconfig to find your wireless interface***):

```bash
sudo nano /usr/local/bin/randomize_mac.sh
```

File:

```bash
#!/bin/bash
# Interface name (change this to your network interface)
INTERFACE="<YOUR WIRELESS INTERFACE>"

# sudo is redundant when systemd runs this as root, but lets you run it by hand.
# Bring the interface down
sudo ip link set dev "$INTERFACE" down
# Randomize the MAC address
sudo macchanger -r "$INTERFACE"
# Bring the interface back up
sudo ip link set dev "$INTERFACE" up
```

Make the script executable:

```bash
sudo chmod +x /usr/local/bin/randomize_mac.sh
```

- Create a service file and enable it:

```bash
sudo nano /etc/systemd/system/randomize_mac.service
```

File:

```ini
# network.target only means the network stack has started, so the interface
# may already be up with its hardware MAC by the time this script runs.
[Unit]
Description=Randomize MAC Address on Boot
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/randomize_mac.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```

Enable the service:

```bash
sudo systemctl enable randomize_mac.service
```
- Stop using Windows
- Using Windows while caring about your digital privacy is like locking the front door because you’re scared someone is coming in through the back door.
- Overwrite Windows with a Linux distro using a bootable USB drive and harden it with this guide: https://theprivacyguide1.github.io/linux_hardening_guide
- Use a VPN
- Use Mullvad and pay for it with Monero.
- set autoconnect, lockdown-mode and multihop to ON
- You can also use Riseup VPN, which is a free logless and login-less VPN created and maintained by anarchists, but it has fewer useful features than Mullvad.
- Disable anything that sends info back to a service or company:
- Data sharing
- Location services
- Error reporting
- Usage statistics
- Use a timezone on your PC that is very far away from where you live because of timestamps.
- Turn off Bluetooth.
- Set your trash to only keep files for one hour
- Set your trash to delete temporary files every hour.
- Keep your username and hostname as generic as possible
- for example: user@linux
- For especially sensitive things, use TailsOS, which is an amnesiac operating system used through a bootable flash drive that leaves no trace on your device.
- Consider having a “burner” device that you only use on public WiFi for your activist activities.
- Use BleachBit to clean up your device if you need to
- Use wipe on Linux devices to render sensitive files unrecoverable when you no longer need them.
- wipe does 34 overwrites on files.
- Use exiftool to remove exif data from your files before you upload them anywhere.
- Use search engines that do not track you:
- Duckduckgo: duckduckgo.com / duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion
- Shoot: shootnnngg4akh7fkjmx5b5omsppt2zaefohzwnwryhy2c6mm3kbx6qd.onion
- Ahmia: juhanurmihxlp77nkq76byazcldy2hlmovfu2epvl5ankdibsot4csyd.onion
- Torch: torchdeedp3i2jigzjdmfpn5ttjhthh5wbmda2rr3jvqjg5p77c54dqd.onion
- Use LibreWolf for clearnet activities, NOT Chrome or Edge or Firefox
- Use browser extensions that block ads and trackers:
- uBlock Origin
- Facebook Container (if you’re using Meta platforms to spread news under your separate activist profile; do NOT use Facebook or Instagram apps on your phone)
- Privacy Badger
- If you are hacking, run any command that connects with another host through torsocks.
- you must have tor installed and tor.service enabled.
- Additional hacking tips:
- Use a long-range wifi card to connect to public WiFi far away or compromised routers.
- You can proxy through VPS or compromised servers.
- If you’re using an Android device, consider using GrapheneOS
- Turn off biometrics on your devices. Newer Androids and iPhones encrypt your device when the screen is locked behind a passcode.
- This is especially important if you need to bring your phone with you to a protest. You don’t want your phone being decrypted by a cop just pointing it at your face.
4. Additional Resources
- Data Removal Workbook: https://inteltechniques.com/data/workbook.pdf
- DIY Data Removal Guide: https://joindeleteme.com/help/diy-free-opt-out-guide/
- AnarSec: https://www.anarsec.guide/ / http://uwb25d43nnzerbozmtviwn7unn7ku226tpsjyhy5n4st5cf3d4mtflqd.onion/
- NoTrace: https://www.notrace.how/ / http://i4pd4zpyhrojnyx5l3d2siauy4almteocqow4bp2lqxyocrfy6prycad.onion/