On Friday I attended a free workshop at SLU Law hosted by the National Lawyers Guild – St. Louis Chapter and the Electronic Frontier Foundation titled Surveillance Self-Defense 101: A CLE Workshop for Lawyers, Students & Activists. It was a pretty cool event and I learned a lot about not only how to keep oneself secure when it comes to surveillance, but also some of the issues and concerns activists and lawyers face when working with complex technology and law.
Here are a few of my notes. These are a bit ramble-ly, but I hope useful for anyone who couldn’t attend or a refresher for those that did.
Three rules of security.
1. No such thing as total security – just shades of more or less secure
2. We didn’t ‘go dark’. We were dark for many years, until folks started using technology they thought was secure, but wasn’t. Our ‘going dark’ is just returning to a state prior. Encryption, as a form of security, is one way we ‘go back’.
Security vs convince vs money – if you have more money you can pay someone to make something that is convenient AND secure. Less money often means less security at the cost of convince.
Https was an example that was secure, but not convenient and it cost money. Newer programs help to make the net secure, convent, and inexpensive.
3. Think about security as understanding your weakest link in a circle of security. You can have secure independent systems, but the weakest tool/service/avenue can undo all of that.
You might not have anything to hide, but those you work for (clients) or with (peers) might. Making yourself vulnerable puts them at risk. you can become the weakest link.
“Threat Models” can be grouped into three general types – personal, political, legal.
Personal – how our personal life is interacting with the world. Using personal email addresses for affairs(!) or political activism. Overlapping your personal and other areas of your life puts your assets at risk!
Again, look back to the weakest link. Who might be acting against you? What might they do if they can connect your personal life with your activist/professional/legal, etc.?
Example: Twitter accounts – influential accounts like FEMA, could have a higher threat model than say an individual, given that access to their account could cause serious damage – like a large-spread panic (Emergency flood warning for New York City!)
Assets – what do you have to protect? Rosters, client lists, strategy documents, SSN of family, medical history, finances, etc.
Federal government can’t keep the addresses of CIA agents secret – for 6 months the Chinese government infiltrated the portion of the government in charge of personnel records.
What we know of the NSA is only the tip of the iceberg – what Snowden revealed 3 years ago is only a small part of their capabilities.
Subversion (especially with minorities) by governments of communities (threats or promises (green cards)).
Not just federal, but local as well. Stingray devices – we only knew because someone who was being prosecuted found references in court documents. License plate readers and intersection light cameras as other venues of surveillance.
The fight against surveillance is at multiple levels (just like the focus – dragnet, targeted, on the street)
Street – cameras on street corners – fight with a local ordinance
Alderpeople have a discretionary budget where these street cameras are coming from!
Local – police department license plate readers – fight with laws, protest
Federal – ??? [I was sucked into an interesting story and didn’t take good notes here.]
Facial recognition does a poor job on darker skinned people – resulting in more false positives! Look for research this summer coming from Georgetown.
[We then broke into small groups and talked about our threat levels and assets]
These are questions to ask yourself when determining your threat models for the various tools, software, services, hardware, you use and the data and information contained within.
- What are your assets?
- What do you need to protect?
- What are in your communications?
- What are the threats to those assets?
- Who would want it?
- How bad would that be (if they got access)?
- How badly do they want it?
- How high on the dial do you need to wrap your security?
Signal for Mobile messaging – encryption from end-to-end. Can be your default txt app on Android.
- Also, how to encrypt your hard drive on Apple computers: https://support.apple.com/en-us/HT204837
[I was able to ask a question to the hosts.]
Media, both fictional like TV shows and movies, and uh, factual like news reporting often poorly conveys the nuance of technology – especially around hacking, encryption, privacy etc.
What recommendations do you have in combating this skewed interpretations of reality?
[The answer was to advocate knowledge to people you work with, help educate others, and keep learning and sharing your knowledge.]