by Robb Ott, Technology and Surveillance in Dystopia Desk

We exist in an era where the state is leveraging surveillance and technology to engage in an intensifying campaign against activists, protestors, and any others who oppose them. Last September, the office of the President signed an executive order declaring “Antifa” a terrorist organization. The fact that Antifa it not an actually existing organization has not stopped White House officials from using the refrain over the past few months. Several activists across different states are currently facing federal charges with the common theme of “conspiracy” or “terrorism” charges being put forth against the defendants. The stakes for standing up for change are higher than ever and the stakes for remaining silent are immense. With cloud and communication services being deeply integrated into the daily lives of most people who do not think twice about using them. Those fighting for change for the better must utilize a higher standard of security than they would otherwise, but is this enough?

Organizers can take steps to be safer. One option is to move away from services that actively surveil their users, such as Google, and move towards encrypted services, such as Signal or Proton Mail, which are allegedly more secure. Google has a long track record of violating the privacy of its users. For one, Google can automatically scan all Gmail and Drive content to feed into their AI models, although users who find the setting can manually opt out. Another piece of evidence includes a recent $68 million dollar settlement. That figure was reached after it was revealed that Google Assistant had been recording conversations of its users without users knowledge or consent.

Texts sent over standard services are highly susceptible to subpoenas from the state. Service providers can make surveillance simple for the authorities by tracing messages back to the person who owns the cellphone. Organizers often treat encrypted messaging services as though they were talismans of protection whose very presence ensures absolute safety. However, in the recent “Stop Cop City” trial, a defendant who provided a Proton mail account for their “Defend Atlanta Forest” contact information, still saw their identity unmasked. Does this mean that the service is inherently flawed? Do we need to stop working digitally entirely and instead pass paper notes written in lemon juice like Cold War spies?

The way forward is neither through absolute reliance on “privacy oriented tech services” nor complete abandonment of them. Instead, we must critically examine how we make use of these systems while recognizing their shortcomings. Even a note written in code, in lemon juice, on flash paper can be incriminating, if it is found by the wrong person.

In the aforementioned Stop Cop City case, the issue was not that the defendant’s Proton Mail account was hacked or that Proton’s administrators rolled over to requests and served their user up on a silver platter. Instead, this person was identified through the credit card they used to pay for their premium account subscription. Proton AG, the Swiss Company behind Proton Mail, was required by Swiss law to hand this information over to the Swiss state and the US government leveraged that compulsion to their advantage. There are many different payment options that could have averted this crisis: cryptocurrency, gift cards purchased with cash, sending cash to Proton directly (they allow this!) or by not signing up for a premium account in the first place! In this case, the encrypted service did not fail, the user’s method of engaging with the service did.

Activists who engage with any supposedly “secure” or “private” tech service need to critically evaluate the context in which they use it. The concept of Threat Analysis, used frequently in the cybersecurity world, can come in handy. One lists the possible negative outcomes, then starts working on imagining how these might be achieved by bad actors (called “threat vectors”), then lists the possible ways that one can mitigate these (”threat mitigations”), before finally deciding whether the risks outweighs the benefits of engaging with the service.

Let’s use activists who use encrypted messaging services to organize as an example. A potentially negative outcome includes messages falling into the hands of the state and subsequently used to prosecute said activist. Some possible threat vectors include, among other things, the phone itself being confiscated by law enforcement, the account being unlocked via biometrics without user consent (which is legal!), storage of app metadata (such as text in a notification) outside the app and accessed later, or the use of malware to circumvent app security. Threat mitigations for the aforementioned vectors might look something like this: not having the phone on one’s person when engaging in activism, avoiding biometric locks (such as FaceID) in favor of secure unique passwords, ensuring app settings are in line with best privacy practices, and regularly performing security updates and rebooting phones. The user can then decide how viable each of these mitigations are and whether they can be reliably implemented. Not all mitigations are practical for all use cases, and that is a perfectly acceptable place to land.

Every activist who utilizes technology as a tool has a responsibility to conduct a proper threat analysis before employing it in their own organizing practices. We cannot treat brands that promise privacy as a panacea on its own. Essentially, organizers should use the master’s tools to tear down the master’s house. But we should not do so overconfidently or without doing our due diligence.