Operational Security at Protests for Aspiring Activists

Discussions spiked recently over how student activists can best protect themselves after it was revealed that the Director of Community Safety Gary Granger went against Reed’s policy by disclosing the address of Jacob Hoopes, a Reed alumnus, to authorities, who was subsequently arrested on July 25 in connection with the June 14 protest outside of the Portland ICE building. In response, some students and alumni are pulling their information from the alumni database in IRIS, which is the central Reed information system. While this sends a message to the administration, it ultimately does very little to protect your information from disclosure to outside law enforcement, and it severely hampers preservation of institutional knowledge by making it much harder for future students to contact alumni. Ace Lackey, producer for the Center for Life Beyond Reed's Burn Your Draft podcast, said, "If [students] really want to contact you [as an alumnus] for some reason, and either you only had your Reed email linked to your Handshake, and that has been culled because [you've] graduated, or they don't have any other contact info for you, that's the point at which they can check the directory."

When you go to change your IRIS information privacy settings, you are informed that the information is still visible to some staff and faculty even after deletion. This style of extensive logging is common for liability and security reasons, and Reed can always be compelled to disclose your information if the government has a subpoena or arrest warrant against you. That begs the question: what can you do to keep yourself safe while exercising your rights?

1. Shut the fuck up! Don't talk to cops about anything. Don’t talk to them about yourself, your friends, or your family, even if you didn't do anything illegal. You have the right to remain silent, and exercising that right cannot be held against you in court. If you talk to the cops, they may argue that you chose to waive this right.

2. Have a threat model: make a set of assumptions about who you're trying to stop, what you're trying to stop them from doing, and how you expect them to go about it. Your operational security (opsec) plan is not useful without defining its scope. For example, you're not going to stop the government from shooting an ICBM at you, but you can prevent being visually identifiable from protest camera footage. When you ask "is this measure overkill?", the threat model provides answers.

3. Make sure you and everyone involved is okay with the expected level of risk. Have a plan in case the risk goes above people's tolerance. That plan should include objective criteria; it should be immediately clear whether risk tolerances have been exceeded or not.

4. Don't be visually identifiable. Cover your face and any tattoos or other identifiable features. Ideally, wear an outfit that you have not been photographed in and don't wear elsewhere. Bring a change of clothes for when you leave.

5. Plan your communication according to your threat model. Leaving your phone at home is ideal, but if you're not familiar with the area, then being without instant communication and navigation could be more of a risk to you than having your phone on your person. Using end-to-end encrypted messaging services such as Signal is the best policy for communication. Services that claim to be end-to-end encrypted, but are not open source, offer no security guarantees. iMessage and WhatsApp make this claim, but ultimately provide no supporting documentation.

6. If you're bringing your phone, disable biometrics (face ID and fingerprint), Bluetooth, and WiFi. Police are allowed to force you to open your phone using biometrics, but are not allowed to make you hand over your password. Bluetooth and WiFi are used for precise location tracking, and can divulge your location much more precisely than cell tower tracking. You may want to consider putting it in a Faraday bag to block wireless signals. If you do so, consider discussing criteria with any other people involved for when you will take your phones back out to coordinate communication.

7. Be mindful of any photos you take. Don't take identifiable photos of other people at protests without consent, and definitely don't post them online. Scrub metadata from any photos you take. Metadata is information stored in your photos that can include the device used to take them, the time and date of the photo, the camera settings used, and the location of the photo. A quick and dirty way to scrub metadata is to screenshot the photo and then share the screenshot. Otherwise, removing metadata can be done manually or with free editing tools.

The security risks posed by bringing your phone to a protest are multi-faceted, and require more discussion than a single list item. The most obvious risk is location tracking. Your phone's general location, down to approximately a quarter mile, can be tracked by cell tower triangulation. Since the Carpenter v. United States court ruling in 2018, obtaining this data requires a search warrant, except in cases of emergency or national security. Your phone's location can also be tracked more precisely via Bluetooth and WiFi, to a precision of less than five meters. This location data is usually called "precise location." Apps with access to Bluetooth or WiFi, but not access to precise location, are capable of re-deriving precise location information based on the wireless data.

On iOS, clicking the Bluetooth icon in the control center changes it from blue to white, and says "disconnecting from Bluetooth devices." This does not disable Bluetooth beaconing for Find My iPhone. To fully disable Bluetooth, you must flip the switch in your settings. Additionally, newer iPhones can send Find My beacons while shut down. If you hold the power and volume buttons down on your phone, and below the power off slider it says, "iPhone Findable After Power Off," it's capable of continuing to send these beacons. You can click on that text, and it will prompt you with a pop up to temporarily turn off the finding feature. This will disable it until the next time you power your phone on.

The other risk posed by your phone is confiscation. If you are arrested, your phone may be confiscated and searched. If authorities gain access to your phone, they may be able to read your end-to-end encrypted messages because they are decrypted on-device. Some phones allow you to set additional restrictions and password protections on a per-device basis, which would be beneficial to enable for your communications apps and photo apps. The police cannot compel you to hand over your password, but as previously mentioned, they can compel you to hand over your biometrics. Even if they don't have your passcode or biometrics, there are companies such as Cellebrite that sell phone forensics devices. These devices exploit unpatched security vulnerabilities to bypass security measures on your phone. They're not always successful, and you can decrease the likelihood of forensics devices breaking into your phone by keeping your operating system up to date.

In short, it’s important to have a threat model, know the risks you’re taking, and take proportionate steps to mitigate those risks. Don’t be visually identifiable, do your best not to be digitally identifiable, and be mindful of who and where you photograph.