Overview and understanding threats
Below are some suggestions for protecting yourself online. They are general - so may or may not apply to you or your organization.
The first step in any plan to protect yourself on the Internet is to talk with your friends, colleagues and allies about what realistic threats face you and your organization.
For example, women working on all issues are more likely than men to receive threats of physical violence accompanied with the publication of personal information (such as home address, name of kids etc.).
Activists working against police brutality may be focused on tactics common to local police departments - such as the use of sting-ray devices that impersonate cell phone towers to intercept and spy on communications.
Activists in the BDS (Boycott, Divestment, and Sanctions) movement may be focused on keeping personal communications and networking information private to avoid providing grounds for a subpoena for a grand jury investigation.
Having a clear idea of the threats facing you will help you decide which steps should be taken.
The second step is to make a plan. Security is an on-going task. Some of the steps below you have may already taken. Be prepared to re-consider what additional steps you need take on a regular basis.
What: Signal is a cell phone app for Android and iPhones that provides end-to-end encryption of text messages.
Why: Signal can replace your standard text message app. It will automatically detect when you are sending to another user on Signal and will send an encrypted message. If the user you are sending to is not on Signal, it will send a normal text message.
Additional Information: Although it is nearly impossible for anyone to access the content of your messages, it is possible to reveal the "meta" data - in other words, who you are communicating with and when.
Full Disk Encryption
What: Encrypting your disk means scrambling the contents of your computer in a way that can only be de-crypted with a password.
Why: Just because you have to login to your computer or phone does not mean the data on your computer is safe. It is possible to remove the hard drive and copy everything. That means: all the email messages you have downloaded, any passwords you have saved in your browser (if you are not using a master password - particularly a problem with cell phones), any files, including ones saved on file sharing services like Nextcloud or Drop Box, etc.
What: Account management means ensuring that the logins to sensitive resources are kept as secure as possible. That means both keeping track of your passwords (ideally using a password manager - which provides a secure place to store a different, long password for every site that you visit) and also ensuring that user accounts are disabled or removed as new staff and volunteers leave the organization.
Why: The more logins that work, the greater the chance that one will be compromised. Ensuring that unused logins are removed helps keep things more secure. In addition, if you use the same password for every site and that site is compromised, then attackers can use your password to access your information on other sites. This happens regularly. Also, if your passwords are easy to remember, you are more likely to have our accounts compromised. This is one of the most common ways people's personal information is compromised.
- Organizations: Designate one person as the account manager - every time someone leaves the organization, their job is to ensure their logins no longer work. This person can also be charge of maintaining a password manager. If you need to share your passwords with other staff people, then using KeePassX is the way to go. There is one master password shared by staff and with that password you can lookup the other passwords in use. This option also works for individuals. In both cases, you will need to access the password database every time you need a password. Typically, the password database is shared via a network share or via Nextcloud or another file sharing service.
- Individuals: Although KeePassX is a perfectly good tool for individuals, you can also use simpler and more light weight approaches. For example, if you enable a master password in Firefox and your disk is encrypted, you can let Firefox remember your passwords in the browser. You may want to install password generator plugin so you can generate a new and secure password for each site. If you use multiple devices and they are all running Firefox, then you can sync your passwords between devices. Mozilla (the maker of Firefox) stores this data encrypted so not even they can figure out your passwords.
- Lastpass: both organizations and individuals might also consider Lastpass. Lastpass is corporate, proprietary software, which we typically don't recommend because it threatens the movement by creating a dependency on software and infrastructure we cannot audit or trust. However, Lastpass has the advantage of supporting both computers and mobile phones, creating a convenience factor that is useful and in some cases outweighs the disadvantages. If having both computer and mobile support means you can't use either of the other options, then Lastpass is certainly better than no password manager.
Upgrade and Update
What: This resource is not actually a "thing" you can download and install, but a practice. All your devices (desktop computer, laptop computer, iPhone, Android phone) AND your web site (if you are running Drupal or Wordpress) is running software. All software always has bugs and vulnerabilities - and most software has fixes for these problems, but the fixes will only protect you if you click "Yes" to run the upgrade.
Why: At best, if someone takes advantage of out-of-date software that runs some part of your organization, they will install some kind of advertising software that sends spam or displays ads making your computer slow and requiring hours of work to properly fix. At worse, it will be a political attacks that seeks to expose sensitive data or embarrass your organization, hurting your reputation and trust with your network.
- Pick a schedule to upgrade your computer. It could be everyday or once a week. Always shutdown (and install updates if there are any) on this schedule.
- Always update your phone when prompted.
- Ensure that someone (either on staff or a consultant or a volunteer) is upgrading your web site on a regular basis.
There is a trade-off with all security steps you employ, including this one. Whenever you upgrade your computer, you run the risk of something breaking, preventing you from getting your work done. Keep that in mind when choosing when you run updates (not before a big deadline), but don't let that fear prevent you from running the upgrades!
What: Nextcloud is a file, calendar and contacts sharing service. Like Drop Box, it allows you to share a folder on your computer or your phone that is synchronized with anyone you want. Like Google Docs, it allows you to edit your documents via the web. And, it provides an alternative to backing up your phone contacts and calendar items to Google or Apple.
Why: Google, Drop Box and other corporate providers are corporate, centralized services whose primary concern is profit. They are vulnerable to legal requests for turning over data, and can terminate your account at any time. Nextcloud is free software, designed to be federated (many different Nextcloud sites can share with each other) and can be run by people you know and trust. Additionally, all Android and iPhones, by default, copy all of your contacts and calendar items to Google and Apple servers.
How: If you are a May First/People Link member, no more steps are needed. Simply go to: https://share.mayfirst.org/ and get started. Additional documentation is available on the May First/People Link support page. If you are not a May First/People Link member, or you want to install your own version of the software, visit the Nextcloud web site for more information on how to install it or to lookup other providers.
What: PowerBase is a web-based database designed for organizers, based on the free and open source software CiviCRM, that collects all of your data together in one place.
Why: As organizers we have a responsibility to protect the data we collect, especially if we are organizing in communities that are increasingly vulnerable to state violence, like immigrants and people of color. Is our data safe in corporate databases like NationBuilder, whose CEO celebrates Donald Trump's use of the service? PowerBase is hosted by PTP and May First/People Link with a history of fighting government subpoenas and not just supporting, but actively participating in our movements.