With ever more Supreme Court fuckery going on I'd like to help comrades in my local org be better secured against potential breaches.
Ideally I'd like to recommend 1-3 options that meet these needs:
- Easy to use
- Can be used on phones as well as mobile devices
- Doesn't retain any network traffic data
Any ideas on what options we have?
There’s two ways to do this:
The online organizing way is to use a paid vpn to prevent local WiFi attacks and isp snooping, harden all devices and computers that will be used, only use encrypted communications and develop data security practices compatible with the possibility of being jammed up.
You gotta have real knowledge and awareness to pull this off as an individual, or a huge point of trust/failure in one person who does it for you.
If you do all that then the cops will just use metadata and inference to get warrants or just have someone infiltrate you or turn a trusted member.
The other way, the way the bolsheviks used, is to only organize in person and develop a no-trust framework for interacting with your community.
Then the cops will infiltrate or turn members but you have at least prepared for it and expect it.
IDK if we're at this level of need right now. But I want to start people on the path to doing these things as a habit.
I could see our org doing mutual aid to help undocumented immigrants hide, help women cross state lines for abortions, etc. in the near future. I want us to be ready to cover our tracks before we need to.
I’m saying this not to belittle or hurt you, but to make my point clear:
You are not capable of what you’re saying. It is not possible to safely include people in your group while doing what you’re saying.
If that sounds like too much of an assumption, if it sounds like I’m being hyperbolic, think of this completely not yanked from the local headlines amalgamation of cop activities in the surrounding handful of rural counties over the last year:
You’re doing something, an opponent shows up to agitate. There is violence, the police show up. Did everyone leave their phones at home? Does everyone’s phone have biometrics turned off? Is everyone trained to resist interrogation? Has everyone changed login credentials from data breaches? If their phones are Apple, do they have lockdown and advanced data protection turned on? are they not carrying the recovery code on their person? If they’re using an android phone, is it running a trustworthy non manufacturer install? Are they capable of figuring out if an android version is trustworthy? If they’re all in some trustworthy encrypted chat, are they treating it like there’s someone screenshotting?
A vpn wouldn’t help at all if any one of those things were wrong.
Just recently, a peaceful talk about Palestinian resistance was interrupted by Zionists and violence broke out. Are all your people 100% prepared even when it’s a seemingly friendly environment?
Don’t organize online. In person or bust. Don’t take computers with you unless they’re wiped clean except for the bare minimum that is needed to do the job they’re gonna be used for. A phone is a computer.
I understand completely and I am aware that there are levels of security my little org is not going to realistically meet.
For anyone reading this planning more "sensitive" things: loose lips sink ships, and follow the advice above!
My org is what I would consider more of a pipeline for disaffected Democrats to become baby leftists and eventually, maybe, do something cool for the community. As such the threat is more from right-wing activists disrupting events or trying to doxx members, get people fired, etc. So I want folks to start getting the basics locked in now so that if they radicalize more it will be easier going from "I have a password manager and VPN" level secure to "drop the phones in this Faraday bag before entering this meeting".
You're asking the wrong question. VPNs are cool and all, it won't really protect your communication, especially not from a government actor. A VPN can sort of trick a website into thinking you are at a different location and in some ways can mask what you are doing from your ISP. It won't protect you from the government.
What you want is GPG encryption of your communications. GPG can be used in 2 main ways, you can encrypt files/text or you can sign files/text. Each person has a private key and a public key. In the case where you encrypt a message, you would take the public key of the person that you want to receive the message to encrypt the message and then the encrypted message can only be decrypted by the recipients private key. In the case where you sign a message, you use your private key to generate a "signature" string and then other people can take your public key and the signature to confirm that you wrote the message that you signed.
You can set this up with an email client like Thunderbird (equivalent to firefox).
Great points! Would be good to also get everyone on the same e2ee messenger app, like Signal.
https://dessalines.github.io/essays/why_not_signal.html
matrix is almost certainly more secure, although not without its own problems
I wouldn't call matrix more secure. The amount of metadata it leaks can be enough to get you arrested or killed. It's objectively better when communicating with unknown people and better for groups but I'm not sure it's a better replacement for SMS. The CIA funding isn't a nail in the coffin because the US government has a vested interest in keeping operatives safe with non-incriminating technology, such as tor.
fair enough, for sure use case should be considered with this stuff and signal is probably "good enough" for most people who aren't actively planning to overthrow the government/do terrorism or whatever
A lot of VPNs are owned or connected to Israeli intelligence agencies or other assorted shell companies.
Mullvad is your best bet but VPNs don't make you private. In fact they should just be called Virtual LAN networks. Most of your traffic on the clearnet is encrypted already via HTTPS and VPNs only obfuscate your IP address from the website you're connecting to. A lot of the fuckery comes from the nonfree clientside JS code that is executed on a lot of websites that can track you as well as nonfree web browsers.
VPNs won't protect you against bad digital practices.
A much better approach to digital privacy is to make sure that your org can function entirely on free software that respects your freedoms. Example: instead of organizing via Discord, Social Media, etc. you can organize via XMPP or Matrix which can be deployed by your org if needed. Instead of creating documents via M$ Office or Google Docs you can use a office suite like LibreOffice and store everything locally and only share copies when needed. Instead of meeting over Zoom you can meet over Jitsi Meet.
This in my opinion, is far more impressive and worthwhile task than asking your members to pay for a VPN. It actually educates your org on good computing practices rather than security theatre that you'll have to pay into.
There's a big fucking reason why YouTubers can sponsor VPNs but no one seems to be aware of FOSS.
and VPNs only obfuscate your IP address from the website you're connecting to.
If you're in the US, ISPs can legally sell your data since 2017, so another purpose of VPNs is to obfuscate what sites you are visiting from your ISP.
under most cases, they only have this data via DNS. it's encrypted once the actual https request is made - only the destination ip address is available at that point. so encrypting DNS and securing that is probably more important than the protection a VPN provides. if you use a VPN without some form of DNS encryption, you're trading one ISP you don't trust for a second you shouldn't trust but inappropriately are. DNS anonymization is an extra step you can and should take to ensure you're not trusting your DNS provider, either - it works by tunneling encrypted DNS requests through shared, public relays.
what you actually need a VPN for is to mask your ip address to the website you're visiting and to mask the ip address you're visiting from your ISP. these are important considerations but it's useless if you don't first protect DNS, ensure you can't be tracked via cookies/be fingerprinted, and ensure you're only connecting to websites over https.
VPNs are an important and useful tool but they're not the first or best tool for digital hygiene. you have to tackle each layer, one at a time. start at the top and work down the hierarchy.
it's encrypted once the actual https request is made - only the destination ip address is available at that point.
HTTPS includes the domain of the site you're visiting in plaintext, and your ISP will get that information about every request you make unless you're using a VPN/a proxy/Tor, DNS aside.
mullvad
insert spiel about how VPNs are generally pretty overhyped as a privacy tool but if you're in US you want one that's not american owned, mullvad is swedish and does actually have very good protection policies for customer data. https://mullvad.net/de/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised they got raided by swedish authorities and due to their no logging policy the data that was sought after simply didn't exist. you can also pay them in various anonymous ways including cash in a postal envelope lol. also it's only 5 euro
ProtonVPN is okay iirc
Just don't use a free one or the ones being advertised by ytbers
I suggest the high tech of a pencil and a piece of paper. The NSA can't read shit. If they want to spy on you, they have to pay some guy to do it, and that costs money.
If you mail stuff then they have to pay someone to tamper with your mail and it should be kind of easy to tell if that's happened. Use codes. I kinda wonder if the lemon juice thing still works.
Pack rice around packages extremely tightly using clear packaging (tape). Send a photo to the recipient. If it was opened, then the rice orientations won't match the image.
Mullvad.
No US based. Actual decent Swedish protection laws, which is where they’re based. No logging of anything. Accepts cash in the mail anonymously.
Proton or Mullvad.
Proton has the benefit that you can also get their google replacements in the same package.
Though as said, vpns are overhyped for security.
Proton is CIA. It's modern crypto AG
https://encryp.ch/blog/disturbing-facts-about-protonmail/
Also read their blog post about supporting HK. they are a TAIWANESE company and Taiwanese companies do not do this. They do whatever they can to minimize controversy.
I'm not saying they're great or perfect, I'm saying they're one of the better options. The CIA is embedded everywhere, they're basically unavoidable.
m u l l v a d
Mullvad is paid, tho.
ProtonVPN has a free subscription so maybe that would help less tech-savvy comrades dip their toes 🤷🏼♀️ it’s very limited, but might just be what gets them into online privacy. Good luck & be safe out there ☮️
Mullvad fits your criteria. Proton is annoying to use on phones I think but they do have a free VPN.
Really there's very little that a VPN is suitable for over TOR. Probably, if you can't run it over TOR it's not secure over a VPN either.
