If you’re planning to exercise your right to assemble, you’ll want to protect your privacy by limiting the information authorities can gather from your phone. Our guide shows you how.
By Max Eddy & Kim Key
When you take the streets to demonstrate your beliefs, it’s important to know your rights, but it’s also important to take steps to secure your phone from theft, loss, and, of course, surveillance.
The options for crowd surveillance are numerous. Stingrays and other IMSI catchers are controversial devices that have been used by local and federal law enforcement. These devices can trick your cell phone into connecting with it, instead of a cell tower, and intercept information (like SMS messages) without you necessarily realizing it. They can also extract identifying information from your phone and track your movements.
Even without fancy devices, law enforcement may be able to obtain information on your movements and activities from your wireless provider.
Intercepting individual messages from hundreds of thousands of people is doable, but it’s not particularly easy and doesn’t really make sense given the circumstances. Any authoritarian government monitoring a massive protest would likely be more interested in intelligence gathering for future investigation. Observers would want to know who is at the event, who they are with, and what information can be extracted to monitor them later.
On the Wi-Fi end of things, specially designed devices can trick your phone into connecting by posing as a friendly Wi-Fi network and your phone, trying to be helpful, may automatically connect. While Stingray and similar devices are tricky pieces of equipment, spoofing a Wi-Fi network is actually pretty easy. It can be as simple as renaming an access point to something common and relying on devices to automatically connect. More elaborate attacks use devices that mimic networks requested by victims’ devices. In fact, I had two such devices sitting on my desk for several years (for entirely legal reasons).
Intelligence agencies may use Wi-Fi attacks like this, but given how easy these devices are to set up and how many out-of-towners will be in the area, coupled with the fact that cell service is going to be bad, it’s a great opportunity for criminals to target easy prey. No matter how tempting, do not connect to Wi-Fi at or near the event, and I highly recommend turning off your Wi-Fi radio while in the general vicinity.
Your physical person can also be tracked, even in a large crowd. Facial recognition technology coupled with AI-powered detection can pick out and track individuals in groups. Aircraft surveillance can monitor the movements of individuals, and track them over time. At recent protests, a Reaper drone was deployed. Previously, the Atlantic reported several years ago that X-Ray vans can be used to scan individuals without their knowledge. It’s a sobering reminder of how complex and advanced some of the technology used around public protests is.
Social media has played a large role in organizing protests and amplifying the messages of demonstrators. However, it comes with some serious problems. For one thing, the information posted to these platforms can also be used as open-source intelligence for anyone trying to track who attends demonstrations. We’ve also seen how disinformation campaigns have sowed dissent and confusion into American life. Just recently, the false claim of a communications blackout in Washington, DC exploded on Twitter. Be sure to investigate information before and during a protest, to be sure you know what’s real.
While we tend to marvel at how cell phones send signals to satellites, phones actually rely on terrestrial antennas that can be overwhelmed when lots of people cram into a relatively small area. At many major events, wireless providers will often bring in mobile cellular infrastructure to try and serve the throngs. I experienced this first hand at President Obama’s inauguration in 2009, where despite the additional antennas, my phone was effectively useless for hours. Even after I walked far from the event, my phone was about as useful as a brick.
With that in mind:
Make arrangements in advance with your friends and visitors to meet at easily found locations that require little knowledge of the area.
Buy, print out, or draw maps of where you intend to be, since data may end up being a scarce commodity even after the protest begins to disperse. You can download maps to your phone for offline use, too.
Have prearranged signals you can use with people you trust. Sending a single emoji that means “we have to go, meet me at the place we planned” is much easier than typing all that information out.
When I tell people that their best defense is just to switch off their phones, they always seem disappointed. But it’s true. The best way to keep from being surveilled is to simply never be on the grid in the first place.
Unfortunately, it may not be practical advice. One of the ways protestors have amplified their message is by sharing photos, videos, and live streams in the moment. Shooting video of police interactions is also enormously powerful. While shutting your phone off will certainly make you harder to track, it may leave you without important tools to protect yourself.
One note on sharing photos and videos from a protest: However well-intentioned, this information could be used to implicate you or others. This isn’t to say people should not use their devices to share and document important events. Just keep it in mind. Consider blotting out or blurring faces when you do share photos.
If you bring a phone, assume that you are going to be surveilled and act accordingly. It’s also prudent to assume that you may be detained by law enforcement and that your phone may be confiscated. It might also get stolen. Either way, once it’s out of your hands, your phone may be unlocked and its contents dumped for future analysis. There are devices available to break into phones and retrieve their contents, but it may be easier for law enforcement to compel you to unlock your phone with biometrics.
Avoid using biometrics. Instead, lock your phone with a secure passcode (that means more than a few digits). If you must use biometrics, use the fingerprint scanner rather than facial recognition and learn how to enable your device’s lockdown mode. This prevents biometric authentication and requires your passcode to be used to unlock the device. On Android, hold the power button and select lockdown. On an iOS device, hold the power button and volume buttons for a few seconds until you see the power off, medical ID, and Emergency SOS screen. Tap cancel and the phone will require your passcode to unlock instead of biometric authentication.
Enable disk encryption. Most Android and Apple devices will do this automatically when you enable a passcode or biometrics but double-check.
Remove unnecessary apps and reinstall them later. Even when not in use, some apps can send and receive data. This can slow down an already spotty connection, and could be used to monitor your activity.
Log out of any apps you won’t need. By default, you usually only need to log in to an app once to use it. That’s a problem if you’re not in control of your phone.
If you back up your phone (and you should), make sure that your backups are secure with a complex, unique password and multi-factor authentication. This may require making changes to your Apple or Google accounts. To help you get started here are our guides to backing up iPhones and Androids.
Use encrypted communications whenever possible. If possible, set your messages to expire after a certain period of time. Note that this will likely require you to have a working data connection. If you cannot use encrypted messaging, send prearranged signals via unsecured means.
Shut off your Wi-Fi radio.
Disable location services until you absolutely need them.
Disable Bluetooth, unless you absolutely need it.
If you don’t need to use your data connection, switch it off, too. Note that this may hamper your ability to use encrypted communications.
If you have the means to do so, consider purchasing a completely different phone for the protest and leaving your personal devices at home. There are many affordable new Android phones available, and many wireless carriers can provide a prepaid service for your device. There are also low-cost plans from smaller carriers. I’ve purchased older Android devices off of eBay (Nexus 5x for a mere $40) and had little trouble using it for basic activities.
If you opt to go this route, you should still secure it as you would your personal device. But because it’s not going to be used for other activities, you can afford to be even more assiduous.
Don’t install any apps that aren’t absolutely essential.
Don’t connect it to any of your cloud services, such as your Google account.
If you must log in to an app to use it, see if you can enable a secondary PIN on the app itself. Signal offers the ability to require a PIN to unlock the app.
Only store the contact information in your Contacts app for people who are absolutely essential. Consider not using their real names in your address book, but something else that you’ll recognize easily.
Whether you’re protesting or just chatting with your family, use encrypted communications whenever possible.
The excellent Signal app for Android and iPhone lets you send encrypted messages to other Signal users. The app and its protocol are open source, so you can trust that it has been carefully examined for potential flaws, and have been endorsed by many security experts. The app looks and works just like your existing messaging client, and on Android can actually serve as a full-on SMS client replacement. You can also use it to make encrypted VoIP calls. For more, check out PCMag’s roundup of Signal tips.
One particularly useful feature of Signal is that your messages can be set to expire. This way, there’s little trace of your previous conversations in the app. Other secure messaging apps have similar features.
Messages sent through WhatsApp use the same Signal technology. You may have an easier time staying in touch using WhatsApp since it’s far more popular than apps like Signal. Do note that WhatsApp is owned by Facebook, which may be a nonstarter for many.
An app that works similarly is Briar. This app uses decentralized, encrypted peer-to-peer communications, and can even function offline using the Wi-Fi or Bluetooth radios on your device. I have not used this service, although it was audited and received praise from Cure53.
If you feel confident with your networking skills, you can self-host a Matrix chat room. These are encrypted and can be shared securely. You can access a Matrix chat through the Riot.im app or web interface, or any number of similar clients. I have only used this service a little, but the option to take total control of your messages is an attractive one.
The iPhone uses end-to-end encryption when sending messages between you and other iPhone users. So, whenever you see the blue bubble around text, you can rest assured that if the message is intercepted it cannot be read. Apple has done a great job securing its mobile devices, to the point that the FBI and US intelligence agencies have complained that it is too powerful. The stuff you’ve heard about the San Bernardino shooter’s phone being cracked is separate from this. Everything I have seen for the last decade or so indicates that Apple’s iPhone-to-iPhone messaging is excellent.
Keep in mind that this isn’t true if you’re messaging a non-iPhone user (the green message bubble people) and that iMessages can be sent as SMS when service is spotty. If you must send unencrypted messages, consider that they may be read by someone besides the intended recipients.
It’s also worth investing in a good VPN service, especially if you are traveling for a protest and plan on using hotel Wi-Fi during your trip. Using a VPN secures your web traffic from anyone snooping on the network you’re using, and can disguise your IP address as well as your true location when using the web. Given the spotty nature of cell service in 2020, and the spotty reliability of mobile VPNs, this may not make sense for use during an actual protest.
If you do decide to use some of these secure services, excellent! You’re taking the first steps to ensure that your life is a little more controlled and safer. But be sure that before you join the protests, you’ve tried out the tools for a few days and actually understand how they work and how to use them. The only thing worse than not being safe is thinking you are when you’re not.
So what’s the big takeaway from all of this? Stay smart, and plan ahead. Know where you’re going to go, make plans, and try to stick to them. Assume that you won’t have cell access and switch your phone off if you are very concerned. Always be wary of Wi-Fi networks, but not just because of Big Brother. Keep your head, and stay safe.