<img src="/assets/img/blog/web-security.jpg", class="center-element" alt="web security">
Security for Activists and Organizers
Working from home, socially distanced from our colleagues and friends, has resulted in more and more of our sensitive, personal, and private conversations and information being shared via the World Wide Web. So we at Colab thought now would be a great time to review some basics on how to stay secure while browsing and talking on the web. We have a series of simple suggestions that even non-technical folks can use to keep their private data private.
Before we get into tangible suggestions, there is a fundamental idea that we need to cover. Security experts call it "Threat Modeling," and it basically means that the strategies to prevent a nosy friend from reading your text messages are very different than the strategies you use to prevent a malicious hacker from accessing your bank account.
In order to be secure, you have to think about who you want to protect yourself against and how they might attack you. For example, I've been watching a lot of spy shows lately, and the characters are always using disposable phones and wearing ballcaps to hide their faces. But for most of us, those actions are not just inconvenient -- they're unnecessary. We're not the subject of an international manhunt, so it doesn't matter if a store security camera snaps a photo of our face.
You also need to think what information you want to protect, how sensitive it is, and why someone might want access to it. If 100,000 facebook messages were leaked, your conversation about sushi restaurants is only one of many. Even if an attacker found the chat, there is not much for them to do with the information. Your privacy was violated, but no additional damage can be done. The threat level is pretty low. On the other hand, if 100,000 home addresses of black activists are leaked they have a very real and serious security threat to worry about.
Now, on to the practical suggestions!
Enable HTTPS Everywhere
Accessing a website is a little like sending a letter. You write a letter to https://colab.coop asking to see our website, and then we write you one back with the site. But much like in the real world, that letter doesn't go straight from you to Colab. It gets passed from postal worker to postal worker (i.e. computer to computer) until it finally reaches its destination. For example, when I navigate to https://colab.coop my letter passes through 10-20 other computers along the way.
HTTPS (the first part of the URL above) is like sealing your letter with a big wax seal. When the other person gets it, if the seal is still intact, they know no one else read the letter or changed its contents along the way. They know the letter came directly from you. And while it's still possible someone might break the seal and forge a new one, it's pretty unlikely.
Most sites have HTTPS enabled by default, but not all. HTTPS Everywhere is a simple plugin that enables it everywhere it can be, so your browsing is secure.
Use a Password Manager
By now, most of us know the basic suggestions about passwords: they need to be long, and have numbers, capital letters, lowercase letters and special characters. What you might not also know is that most security experts also recommend using a unique password for every website.
So how are you supposed to memorize all those long, complex, unique passwords? Have a password manager do it for you! A good password manager will store and generate new passwords for you, and many even integrate with your browser so they can autofill credentials for you. My personal favorite is 1Password, which even has team functionality so you can securely manage login information for your whole organization.
Use Signal for End-to-End Encryption
Remember before when we were talking about how the internet is like mailing a letter? Well with email and text messages, you're mailing your letter without closing the envelope. Anyone who can get access to the letter can read everything in it.
If you're using Gmail as your email service, that means Google has access to everything you and your recipient say to each other. Now, Google is going to secure that information so that no one else can read it, but that won't prevent them from using it themselves to send you targeted advertising. Cell phones are even easier to hack then email, and modern surveillance equipment called Stingrays can easily intercept "the content of unencrypted phone call and text messages."
Now, going back to our conversation on Threat Modeling, the chance that someone is intercepting your text messages is tiny. But it's still possible, so you should always assume that someone might be able to read your emails and text messages, and never use them to send sensitive information like SSNs or credit card information. Instead, use a platform that offers "end-to-end encryption," a step up from regular HTTPS. Signal is a great choice, and it offers video, voice, and text chat.
For more information on this topic, please attend CoLab’s webinar, Web Security for Activists and Organizers this Thursday, July 9, at 11am EDT. Special guest Michael Loadenthal will discuss his experience as an anarchist activist dealing with political repression in online spaces. Registration is free and all are welcome!