Digital Security Tips for Protesters

The EFF has useful advice for protesters.

Full-disk encryption ensures that the files across your entire device are encrypted. This is a form of encryption that protects data at rest, as compared to in-transit encryption, which protects data that is transferred over the Internet. Full-disk encryption protects everything from your local database of text messages to the passwords you have stored in your browser. This is useful in case your device is confiscated by police, but also protects you in situations where the device is lost or stolen. Protest situations are often unpredictable, so losing your phone is a distinct possibility.

Recent versions of Android and iOS require full-disk encryption capabilities to be built into devices. These should be protected by a strong password: 8-12 random characters that are nonetheless easy to remember and type in when you unlock your device. If devices are not protected by a strong password, the encryption may be easier to break using a brute force attack. Recent editions of the iPhone have employed specialized hardware to protect against this type of attack, but a complex password is still advisable.

In the past, iOS and Android used the same password to both boot your phone and to unlock it. Recently, both iOS and Android introduced a mechanism to allow you to unlock your device with your fingerprint. This is a convenient way to ensure that you enjoy the benefits of full-disk encryption without sacrificing convenience. However, in protest situations we suggest you turn this functionality off. A police officer can physically force you to unlock your device with your fingerprint. And as a legal matter, while the state of the law is in flux, there is currently less protection against compelled fingerprint unlocking than compelled password disclosure. You can always add your fingerprint back to the device after you’ve left the protest.

Signal is an app available on both iOS and Android that offers strong encryption to protect both text messages and voice calls. This type of protection is called end-to-end encryption, which secures your communications in transit (as discussed in tip #1). Other apps, such as WhatsApp, have implemented underlying cryptography. But we believe Signal is the better option because it implements best practices for secure messaging.

In addition to encrypting one-to-one communication, Signal enables encrypted group chats. The app also recently added the functionality of having messages disappear anywhere from 10 seconds to a week after they are first read. In contrast to some other services like Snapchat, these ephemeral messages will never be stored on any server, and are removed from your device after disappearing.

Recently, a grand jury in the Eastern District of Virginia issued a subpoena to Open Whisper Systems, the maintainers of Signal. Because of the architecture of Signal, which limits the user metadata stored on the company’s servers, the only data they were able to provide was “the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service.”

Automated License Plate Reader Systems (ALPRs) automatically record the license plates of cars driving through an area, along with the exact time, date, and location they were encountered. This technology is often used by law enforcement, or employed by private companies such as Vigilant and MVTrac who then share license plate data with law enforcement and other entities. Amassed in huge databases, this data is retained for an unknown period of time. These companies have lobbied and litigated vigorously against statutes that would ban the private collection of license plate data or otherwise regulate ALPRs. Effectively, your location can be tracked over time by your driving habits, with very few legal limits in place as to how this data can be collected and accessed.

Consider using alternative means of transportation if you would prefer that your movements and associations remain private.