Rebel Security GUIDE
Keeping your accounts, devices, and communication secure is about solidarity with your fellow activists. If your accounts are compromised, you may open up others to security vulnerabilities. Remember, when it comes to security, we are only as strong as our weakest member.
For activists on the ground, here are a few tips for securing your phone before heading to a protest:
Consider leaving your phone at home. The best security is no device at all, so consider not bringing your phone or using a "dumb" burner phone with just a few critical contacts instead.
Use a password rather than biometrics to secure your data. Turn off unlocking your phone via fingerprint or facial recognition and instead use a password. While it’s not perfect, it does make it harder for others to unlock your device without your permission.
Encrypt your device. Of course, it’s still possible for others to gain access to your password-protected information, so encrypting your device is another layer of protection in case it is confiscated. For Android, go to “Settings” > “Security & location” > “Advanced” > “Encryption & credentials” > “Encrypt phone.” For iPhone, as long as you have a passcode set up and it says “Data protection is enabled” at the bottom of the “Touch ID & Passcode” page, your information is secure.
Use airplane mode. Our devices record a lot of data while they are turned on. This includes location, which can be used to track you or others around you. Keep your device in airplane mode as long as possible to reduce the amount of information about your and others’ whereabouts.
And lastly, a note about the personal privacy of your fellow activists:
Do not photograph or record activists without permission. Not everyone can protest without repercussions, so do not take photos or videos that clearly show people’s faces without their explicit permission. If you do have a photo that includes a recognizable face, you can use Signal’s blur tool to obscure it. It’s important for us to record and promote protests, but be sure to do so without endangering others.
We also strongly advise all rebels to follow a few basic rules to increase the security of your personal accounts and devices:
Use a password manager to store passwords. LastPass is a free, safe and effective option (but you can consider others as well). Whatever you choose, be sure to install it on all your laptops and phones.
Always use strong, unique passwords. Your password manager can help create and store these for you automatically. If you have to create a password manually, try four random words strung together (this is called a passphrase) and never reuse the same password for different logins.
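The "four random words" advice works because each word is drawn uniformly from a large list, so the guessing effort grows as (list size)^(number of words). The following Python is an added illustration, not part of this guide: it draws words with the OS random generator (the `secrets` module, never `random`) and computes the entropy in bits. The short `SAMPLE_WORDS` list is constructed for the demo only; a real passphrase should come from a large published list such as the EFF long list of 7,776 words, which is an assumption about what you would substitute.

```python
import math
import secrets

# Constructed mini word list for illustration only. Substitute a large
# published list (the EFF long list with 7,776 words is assumed below when
# quoting "real" entropy figures).
SAMPLE_WORDS = [
    "acorn", "banjo", "cactus", "dolphin", "ember", "falcon", "glacier", "harbor",
    "igloo", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words picked uniformly (with replacement) from list_size words.

    Equals log2(list_size ** n_words) = n_words * log2(list_size).
    """
    if list_size < 2 or n_words < 1:
        raise ValueError("need at least two words in the list and one word in the phrase")
    return n_words * math.log2(list_size)


def generate_passphrase(wordlist=SAMPLE_WORDS, n_words: int = 4, sep: str = " ") -> str:
    """Pick n_words with the OS CSPRNG; random.choice is predictable and unsuitable here."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def is_valid_passphrase(phrase: str, wordlist=SAMPLE_WORDS, n_words: int = 4, sep: str = " ") -> bool:
    """True when the phrase is exactly n_words words, all taken from the list."""
    parts = phrase.split(sep)
    return len(parts) == n_words and all(p in wordlist for p in parts)


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"{entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits from this toy list")
    print(f"{entropy_bits(7776, 4):.1f} bits from a 7,776-word list")
```

With a 7,776-word list, four words give about 51.7 bits; five words give about 64.6 bits. The toy list above gives only about 18 bits, which is why list size matters as much as word count.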
Secure your phone and laptop. For your phone, use an alphanumeric password that is at least 6 characters and require a password upon restarting. Your laptop should similarly require a password. If your device allows biometric locks (e.g. unlocking with your face or fingerprint) enable that as well! Note that, as recommended above, passwords are best when protesting in the streets.
Communicate using encrypted apps. Keybase, Signal, and CryptDrive are all encrypted organizing tools, which is why we use them to communicate within Extinction Rebellion. If you use Gmail, consider turning on Google’s Advanced Protection Program, which gives activists an extra layer of security, or else sign up for a free protonmail account.
Use a VPN to hide your location. If you are engaging in anything that could even be remotely considered dangerous, please use a VPN. A VPN allows you to quickly change your IP address (basically your computer’s home address) to anywhere in the world to avoid tracing any online activities to your computer. We recommend using ProtonVPN for its ease of use and as a partner application to protonmail.
Be on the lookout for suspicious emails. These phishing emails can be targeted broadly or may even be designed to specifically target you as an activist. Either way, the goal is to get you to unknowingly reveal passwords or other personal information, so pay special attention to suspicious language, the sender email address, cryptic messages that ask you to take an action (like clicking a link or opening an attachment), and anything with a warning from your email provider.
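The tells listed above (sender address, pressure language, links that do not go where they say) can be checked mechanically. This Python script is an added example, not part of this guide: it parses a raw message with the standard `email` library and reports four indicators: a display name that names a brand the sending domain does not belong to, a Reply-To that quietly redirects answers elsewhere, link text showing one domain while the `href` points to another, and urgency phrases. The sample message, the `BRAND_DOMAINS` table and the `URGENCY_PHRASES` list are all constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration; it is not a real email.
SAMPLE_EMAIL = """\
From: "Google Security" <alerts@g00gle-verify.example>
Reply-To: recover@mailbox.example
To: you@example.org
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<html><body>
<p>Unusual sign-in detected. Verify now or your account will be suspended.</p>
<p><a href="http://accounts-google.example/login">https://accounts.google.com/signin</a></p>
</body></html>
"""

# Assumed brand-to-domain table; a real deployment would maintain its own list.
BRAND_DOMAINS = {"google": ("google.com",), "paypal": ("paypal.com",), "signal": ("signal.org",)}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "verify now")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Domain part of an email address, or hostname of a URL (empty if none)."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value  # bare 'example.com/path' written as link text
    return (urlparse(value).hostname or "").lower()


def _same_org(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw: str) -> list:
    """Return (code, detail) warnings. An empty list means no tell fired, not that the mail is safe."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_host = _host(addr)

    # 1. Display name invokes a brand, but the sending domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and not any(_same_org(from_host, d) for d in domains):
            findings.append(("brand-domain-mismatch", f"'{name}' sent from {from_host}"))

    # 2. Replies are silently redirected to a different domain.
    reply_host = _host(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_host and reply_host != from_host:
        findings.append(("reply-to-mismatch", f"Reply-To {reply_host} != From {from_host}"))

    # 3. Link text shows one domain while the href points somewhere else.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown = _host(text) if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I) else ""
        if shown and shown != _host(href):
            findings.append(("link-text-mismatch", f"text says {shown}, href goes to {_host(href)}"))

    # 4. Pressure language pushing for an immediate action.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for code, detail in phishing_indicators(SAMPLE_EMAIL):
        print(f"{code}: {detail}")
```

Running it on the sample prints all four indicators. Heuristics like these reduce the load on a human reader but never prove a message is safe; the verification step in the guide (contact the person through details you already have) still applies to any message that asks for credentials or money.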
Enable two-factor authentication on all your accounts that support it. Two-factor authentication is another layer of security. It requires someone to have access to both your password AND your phone number in order to compromise your accounts.
Be careful with public wifi. Avoid handling sensitive information while on public wifi or wifi without a password. Unsecured wifi networks allow people to implement “man in the middle attacks,” which make it possible for them to access everything that you’re requesting or sending over the internet while you’re connected.
Protect your data while browsing. Add the uBlock and Privacy Badger plugins to your browser in order to block trackers and tracking cookies while you’re on the internet. As a bonus, they also help web pages load faster since you aren’t downloading all that extra tracking code!
Enable basic controls for public Zoom meetings. If you are organizing an open Zoom meeting (e.g. it’s publicly available on the website or open to non-XR members) practice some basic Zoom security measures to make sure that you aren’t “zoom bombed” during your meeting. Please note, if you are using video to plan anything sensitive or high-security, please use our private video tool Big Blue Button on Mattermost instead of Zoom.
Avoid fraud calls, emails, and links. It’s trivially easy for a bad actor to obscure their caller ID, the URL of a website, or the appearance of a link. If they are asking for money or personal information and something feels off, it probably is. In order to verify the origin of a call or email, find the person’s contact information independently (not from the message itself) and call or email them back to verify the request. We also recommend installing TrueCaller for enhanced caller ID and blocking spam. To verify a website or link, search for it in your web browser instead of following the link provided.
There is no guarantee that any method will keep your information secure, but the steps above are designed to help avoid the most common kinds of cyber threats.
If you ever receive a suspicious email or think your accounts may have been compromised, contact xrnyc-infra@googlegroups.com.