Digital security 101 for protesters

Your phone is a powerful tool against authority. Its communications networks can give a group of protesters a level of situational awareness that would astonish a group of Marines 20 years ago. Its cameras and sensors and ability to store its data safe(er) in the cloud can hold police to a level of accountability that is unprecedented in human history.

Your phone is also a weapon that can be turned against you. It knows everything about you. It knows where you are and when, and who you communicate with. It also has access to your Google or iCloud account, which probably holds the keys to every other account you have, as well as most of your deepest darkest secrets. It knows if you're worried about that lump on your testicle or in your breast. It knows if you've been emailing your ex behind your current paramour's back. Whatever you've been doing or thinking or wondering on the internet -- your phone knows.

So obviously you don't want some random cop rifling through your phone (read: the unfiltered contents of your second brain) on a whim, just because you got arrested on a trumped-up public nuisance misdemeanor. If you're going to DC the weekend of Trump's inauguration, you wow, really don't want that to happen if you get arrested by a National Guard who is under the command of the Department of Homeland Security. If you stand against the status quo, the alphabet soup agencies are your enemy. They should be considered as such in your threat model.

So let's talk about keeping your phone secure. This guide is going to be mostly focused on Android, because that's what I have and know. iOS has most of the same features though. I'll try to at least point you in the right direction for each one.

Step 1: Screen locks

9c97 Screenshot_20170115-114723.png
Your phone needs one of these. Slide to unlock is for prey animals.

The first, easiest, and most fundamental step is just to have a screen lock. You should have a decently strong PIN or password protecting your phone. This is just a good idea in general, because if you drop your phone at the movie theater, you also don't want a thief rifling through your second brain. Do you bank online? Then somebody with your phone and half a brain could probably get into your bank account without too much trouble. Think about that.

Biometrics (Fingerprints? Maybe. Faces? No.)

A lot of phones have biometric unlocking features these days. They're super convenient, I know. I'm borderline paranoid, and day-to-day I even use the fingerprint reader on my phone to bypass the PIN, because my PIN is long and a pain to type in.

By all means, use your fingerprint reader. It's convenient as hell. There are a few things to take into consideration though.

If you wind up in court, or under duress by the police, you cannot be compelled to give up a PIN or password. You can invoke the 5th amendment, and that's pretty much that. You can, however, legally be compelled to unlock a phone with your fingerprint. The police will then just hold you down and physically force you to put your finger on the reader so they can get in.

So, if you use your fingerprint reader, be prepared to power your phone off if you're about to get arrested. On both Android and iOS biometrics don't work for the first sign-in upon booting. Fresh out of a reboot Android won't even show notifications for text messages on the lockscreen until you actually enter the PIN or password. So powering off your phone locks it in a fashion that leaves you able to plead the 5th if asked to unlock it.

For similar reasons, you shouldn't use face unlocking if your phone supports it. Obviously you don't want the police to be able to unlock your phone just by holding it in front of you.

Be careful with Smart Lock

Android has a feature called "Smart Lock," that will bypass your screen lock under certain circumstances. It can unlock without a password or PIN when you're at home, or when you're connected to particular devices. I personally use it, but carefully. Mine only unlocks from my truck's Bluetooth stereo -- because even with my phone mounted to the dashboard, typing in a PIN while driving is unsafe. Paranoid or not, I don't want to crash and die trying to skip a song or look at my GPS.

If you have Smart Lock turned on, make sure not to take anything that smart unlocks your phone with you to a protest. You don't want to get arrested, and have the cops able to access your phone freely just because you're also wearing a smartwatch that disables your phone's screen lock when they get close together.

Step 2: Whole-device encryption

df78 Screenshot_20170115-112939.png
A screenshot from a Nexus 5X, showing that Encryption is not turned on.

Modern Android and iOS devices both contain systems that allow strong encryption of where they store all your data. Without these a motivated (and not even especially skilled) person could just open up your phone and connect a computer directly to the storage chip, rendering your screen lock entirely moot.

How exactly these systems work isn't really important to you, but suffice to say that they work very well. A relatively new iOS device -- and most relatively new Android devices -- has well designed security and will thwart all but the very most elite and motivated of adversaries. If you just turn on encryption your phone's physical security is about as bulletproof as is possible.

It might be on by default

ee66 Screenshot_20170115-112955.png
A screenshot from my Pixel, showing that Encryption is turned on.

If you have a brand new iPhone, Nexus, or Pixel phone, encryption is turned on by default. As long as you didn't turn it off during the initial setup when you bought the phone, you're probably done! I think a lot of Samsungs are also encrypted by default.

How to know for sure

Open up your phone's system settings and look for settings that use the word "encryption." In Android it's under "Security" then under a header called "Encryption."

iOS users can learn how to turn on encryption from this guide to encrypting your iPhone published by the EFF.

Stay tuned for part two

This was really just the bare minimum. I've put it out separately from more advanced topics in part for ease of digestion, and in part to get it out the door right now. I've got a lot of friends and comrades who are going to be in the streets in the next few weeks. I especially want to help keep the ones going to DC for Trump's inauguration safe in the best way I know how.

Part two is going to cover some more advanced (and scarier) attacks your devices might come under at a protest. If you think you might not read that part, remember one thing: Just turn off WiFi and Bluetooth while you're at a protest. No good can possibly come from having them on. That alone will keep you safe from the most common threats.

Stay tuned this week for part two. In it I'll tackle protecting all of your devices against outside electronic threats. We'll cover VPNs, some basic opsec strategies, and how to identify and protect yourself against network-level attacks like honeypot WiFi hotspots and "dirtbox" cell site simulators. I also want to cover good password habits and password managers. There might actually need to be three parts by the time I finish this whole information dump.

Part two posted

UPDATE: part two is now available: Protester digital security 101: part 2