Defend Dissent
GLENCORA BORRADAILE
Publication and ongoing maintenance of this textbook is possible due to grant support from Oregon State
University Ecampus.
Privacy (open.oregonstate.education/privacy)
This book was produced with Pressbooks (https://pressbooks.com) and rendered with Prince.
Contents
Acknowledgments
What Is Encryption?
Password Cracking
What Is Metadata?
In Context: Disruptj20
Part 2: Digital Suppression of Social Movements (in the US)
Modes of Suppression
Surveillance Adversaries
Surveillance Strategies
Surveillance Tactics
Physical Attacks
Remote Attacks
Authentication
Versioning
Acknowledgments
I thank Michele Gretes for codeveloping CS175 and the Civil Liberties Defense Center’s digital security
trainings with me and helping with drafts of this book. I thank the Civil Liberties Defense Center for
creating space for educating activists on digital security.
Introduction: Why Digital Security?
In the summer of 2013, Edward Snowden shook the world with a trove of disclosed documents from
the National Security Agency (NSA), Central Intelligence Agency (CIA), and a host of other global
three-letter agencies. For more than a year, there were weekly (if not daily) revelations of just how
extensive these agencies’ digital information-gathering capabilities were, particularly those of the
United States. It felt as though the NSA was able to get any information that went through internet
or phone networks that wasn’t encrypted plus some information that was weakly encrypted and
some more information that wasn’t encrypted on corporate servers. That feeling is close to the truth.
At the time, I had been engaged in environmental activism and was aware of how social movements
had historically suffered from state repression that was made possible through spying. The sheer
extent of the information that the NSA and CIA were able to gather meant that suppression efforts
by the State could be that much easier and more effective. The more information the State knows
about your activities, the easier it is for it to interfere with your goals.
So I was worried. Could we combat climate change when the odds were stacked against all the
groups working to do so? What about systemic racism? Did we have any hope?
Not long after the Snowden revelations, I partnered with the Civil Liberties Defense Center (CLDC), a
nonprofit that provides legal support to social movements that “seek to dismantle the political and
economic structures at the root of social inequality and environmental destruction.” The CLDC gives
know-your-(legal)-rights trainings to social movement participants, emphasizing how to protect and
invoke one’s First and Fourth Amendment rights: the right to free speech and the right to be free from unreasonable searches and seizures. These rights are eroded by mass surveillance. This is quite clear for Fourth Amendment rights; for First Amendment rights, legal scholars often point to the chilling effect: citizens restrict their speech if they know they are being surveilled. To complement the CLDC’s legal
trainings, I started regularly holding digital security trainings for activists centered on the premise
that encryption is the only way to protect your First and Fourth Amendment rights in the modern
world of mass surveillance. This book has grown out of these educational efforts.
It isn’t enough to download a “secure” app. First, what does “secure” even mean? Security is a
complex, subjective, and multifaceted concept. While perfect freedom from risk is usually out of
reach, especially when digital technologies are involved, strong relative protections are possible.
Evaluating or at least explaining (and convincing a group of people to take advantage of) the relative protections of an app requires some understanding of cryptography and of what information is at risk (and with what likelihood) when using a given app or digital service.
Our trainings scratch the surface of the information that I would like to impart. Social movement
As might be gathered from the references to the First and Fourth Amendments, this book is rooted
in the political arena of the United States. While much of the book will be relevant outside of the US,
we recommend that anyone applying this knowledge in other countries seek additional advice.
The scope of this book is deliberately limited, for three reasons:

1. I want this book to be accessible to any curious person. Going into further details in
cryptography would require some college-level mathematics. I also believe that one doesn’t
need to understand specific cryptographic protocols to make reasoned digital security
recommendations—one can lean on cybersecurity experts for that.
2. The state of mass surveillance and the apps that are available to counter surveillance are
constantly changing. As I put the finishing touches on this book, I am resisting the urge to
include the latest news on State surveillance capabilities.
3. I want the book to be short enough to read in a weekend.
This is a basic introduction to cryptography: enough to understand what information is protected, what is not, and why. Some interesting concepts (such as forward secrecy and
blockchains) are left out because I felt that these advanced topics might overwhelm my intended
audience. However, the curious reader, after reading part 1, should be able to appreciate, say, the
Wikipedia articles on more advanced topics like forward secrecy and blockchains.
When describing cryptographic protocols, most people refer to a cast of characters: Alice sends
a message to Bob, and Eve might be eavesdropping on their communications. The companion
course for this book focuses on civil rights–era social movements—particularly Black liberation—so this book uses a different cast of characters:
1. Assata Shakur was a member of the Black Liberation Army and the Black Panther Party (in the
early 1970s), was targeted by the FBI (as described in the chapter “Mechanisms of Social
Movement Suppression”), and is still a political refugee in Cuba.
2. Bobby Seale is a cofounder of the civil rights–era Black Panther Party and was also subject to
surveillance and harassment by the FBI.
3. J. Edgar Hoover was the first director of the FBI and has been deemed responsible for the surveillance and repressive efforts of the FBI. We occasionally refer to Edgar as “the Man” where appropriate (i.e.,
in the chapter “The Man in the Middle,” where a man-in-the-middle attack is standard
cryptographic terminology).
While the remainder of the book is likely to require significant updates in the coming years, part 1 is
likely to stand the test of time.
In part 2, we cover two topics:

1. How social movements have historically been suppressed in the US (and where surveillance plays a role) in the chapter “Mechanisms of Social Movement Suppression”
2. What surveillance and other digital threats are in use in the US in the chapter “Digital Threats to Social Movements”

In this part, we use “the State” to refer to any constellation of governmental and nongovernmental organizations that represents established power structures with the resources and motivation to deploy a wide range of suppressive strategies and sophisticated technical measures against social movements.
We keep this part deliberately short so that we can move on to the last part, which is more
empowering. In part 2, we pick illustrative examples to give an overview of how mechanisms of
social movement suppression are used and what types of surveillance and other digital threats are
in play. The chapter “Digital Threats to Social Movements,” in particular, will never be up to date, as
new threats and capabilities are constantly being developed and deployed. We hope that anyone
who reads this part quickly follows up with the last part.
Part 3 is intended to be empowering. Starting with threat analysis (which is country and context
dependent), we quickly move into classes of tools to protect your information. I say classes of tools rather than specific tools because specific tools can come and go as the projects supporting them change.
• What Is Encryption?
• Mechanisms of Social Movement Suppression
What Is Encryption?

In this chapter, you will learn:
1. The basic elements of encryption: the plaintext, the ciphertext, the cipher (or encryption protocol),
and the cryptographic key
2. How some classic encryption methods work
3. Ways that encryption can be broken
4. An unbreakable cipher
Let’s start with the basics—think “pen and paper encryption”—before moving on to more complex
encryption methods made possible by computers.
Encryption is the process of scrambling a message so that it can only be unscrambled (and read) by
the intended parties. The method by which you scramble the original message, or plaintext, is called
the cipher or encryption protocol. In almost all cases, the cipher is not intended to be kept secret.
The scrambled, unreadable, encrypted message is called the ciphertext and can be safely shared.
Most ciphers require an additional piece of information called a cryptographic key to encrypt and
decrypt (scramble and unscramble) messages.
Consider one of the earliest and simplest ciphers: the Caesar cipher. Here, each letter in the message is shifted by an agreed-upon number of letters in the alphabet. For example, you might encrypt a plaintext by shifting each letter in the message forward by three places in the alphabet, so that A becomes D , B becomes E , and so on, with Z wrapping around to the start of the alphabet to become C . To decrypt the resulting ciphertext, the recipient would do the reverse, shifting each letter in the message
backward three places in the alphabet, so Z becomes W and A wraps around through the end of
the alphabet to become X . For the recipient to be able to decrypt the message (quickly), they would
have to know the key to the cipher. For the Caesar cipher, this is the number of places that each
letter is shifted in the alphabet; in this example, it is the number 3 . A Caesar cipher key can also be
represented by a letter of the alphabet corresponding to the result of the translation from A . For
example, a shift of 3 would be the key D , a shift of 23 would be the key Z , and the shift of zero (the
identity shift) would be the key A .
Let’s review the terms. In this example, to apply the cipher (or encryption protocol), one must
simply follow these instructions: “To encrypt, shift each letter in the plaintext message forward in
the alphabet by n letters. To decrypt, shift each letter in the message ciphertext backward in the
alphabet by n letters.” The key is the amount of the shift, n.
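To make the mechanics concrete, here is a minimal Python sketch of a Caesar cipher. The shift of 3 matches the example above; the plaintext is an arbitrary illustrative choice, not an example from this chapter.

import string

ALPHABET = string.ascii_uppercase

def caesar(text, shift):
    # Shift each letter forward by `shift` places; leave anything else alone.
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

ciphertext = caesar("RETREAT AT DAWN", 3)    # encrypt with the key D (a shift of 3)
print(ciphertext)                            # UHWUHDW DW GDZQ
print(caesar(ciphertext, -3))                # decrypt: shift backward by 3

Decrypting is just shifting in the opposite direction, which is why anyone who knows the key can unscramble the message—and why an adversary can simply try all twenty-five nontrivial shifts.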
Of course, the Caesar cipher is not a strong cipher, and you certainly shouldn’t trust it to keep your
plans secret. All an adversary would need to do to break (or crack) your secret code (ciphertext) is
to try every possible backward shift through the alphabet. There are not many possibilities, so this
wouldn’t take long: since the key A makes the ciphertext equal the plaintext, there are only twenty-
five possible keys. Such an attack is called a brute-force attack, in which an adversary attempts to
decipher an encrypted message by trying every possible key. This attack is feasible in the case of the
Caesar cipher because there are very few possible keys.
The Vigenère cipher is a set of Caesar ciphers, each with its own key. Typically the key is given as a word: each letter of the key word acts as a Caesar cipher key, indicating the letter that A is shifted to. This is easiest to see with an example. Suppose you wish to encrypt a plaintext with the three-letter key ACT . Then
• Encrypt the first letter of the plaintext, the fourth, the seventh, and so on with a Caesar cipher that maps A to A (a shift of zero, or a Caesar cipher with the key A or 0 ).
• Encrypt the second letter, the fifth, the eighth, and so on with a Caesar cipher that maps A to C (a Caesar cipher using the key C or 2 ).
• Encrypt the third letter, the sixth, the ninth, and so on with a Caesar cipher that maps A to T (a Caesar cipher using the key T or 19 ), as the code sketch below illustrates.
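Here is a minimal Python sketch of the Vigenère cipher with the key ACT used above; the plaintext is an arbitrary stand-in chosen for illustration.

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def vigenere(text, key, decrypt=False):
    # Each letter of the key word selects a Caesar shift; the key only
    # advances on letters, so spaces pass through unchanged.
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            shift = ALPHABET.index(key[i % len(key)])
            if decrypt:
                shift = -shift
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)

c = vigenere("RESIST EVERYWHERE", "ACT")
print(c)                                   # RGLIUM EXXRAPHGKE
print(vigenere(c, "ACT", decrypt=True))    # RESIST EVERYWHERE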
To break this cipher, suppose your adversary knows the length of your key: your adversary would try to decrypt the ciphertext with every possible key of that length (in this case, every three-letter sequence, not just English words). In this example, that would require at most 25 × 26 × 26 =
16,900 attempts, which is more than could be easily attempted by hand but is trivially done by a
computer. If your adversary doesn’t know the length of your key, then they would have to try many
more possible keys (as many as 25 + 25 × 26 + 25 × 26 × 26 + … ) to apply this brute-force
method to break the encryption. Notice that the longer your key is, the more difficult brute-force
methods are—and the harder an adversary must work to break the encryption.
A Vigenère cipher—whose key is a sequence of randomly selected letters and is at least as long as
the message plaintext—makes possible a cipher known as the onetime pad. Historically, the key
itself would be written on a pad of paper and distributed among communicating parties. To encrypt,
a Vigenère cipher is applied to the plaintext, where each letter in the onetime pad is used only once
before proceeding to the next letter and so on. Decryption relies on possession of this onetime pad,
and the starting position in the key. It is impossible to break this cipher without the key—that is,
it is impossible to guess the key and crack the ciphertext, even with unlimited time and resources.
This is because a ciphertext of a given length could correspond to any plaintext of the same length.
For example, without knowledge of the random key, the onetime pad-encrypted ciphertext SOU
DUCYFUK RXL HQKPJ could (with equal probability) correspond to either the plaintext ALL ANIMALS
ARE EQUAL or FEW ANIMALS ARE HAPPY . Without the key, there is no way to know what the intended
(plaintext) message is! Omitting spaces between words or encrypting the spaces between words
(using a twenty-seven-letter alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZ_ , where _ is a space) would
make it far more difficult to guess even the set of possible plaintext messages.
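A minimal Python sketch makes this ambiguity concrete: given the ciphertext above, you can compute a pad that "decrypts" it to either candidate plaintext, so the ciphertext alone cannot tell you which was sent.

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def pad_for(plaintext, ciphertext):
    # Recover the onetime pad that would turn this plaintext into this ciphertext.
    pad = []
    for p, c in zip(plaintext, ciphertext):
        if p == " ":
            pad.append(" ")
        else:
            pad.append(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(p)) % 26])
    return "".join(pad)

ciphertext = "SOU DUCYFUK RXL HQKPJ"
print(pad_for("ALL ANIMALS ARE EQUAL", ciphertext))   # one possible pad
print(pad_for("FEW ANIMALS ARE HAPPY", ciphertext))   # a different, equally valid pad

Both pads are equally likely if the pad was chosen at random, so an adversary has no way to prefer one reading over the other.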
Of course, the onetime pad has the practical problem of how to exchange the key (the onetime
pad itself), which is as long as the message, or as long as the total length of all possible future
messages. Despite that, it has been used historically, with groups sharing a onetime pad in person
and then sending messages over insecure channels. In the late 1980s, the African National Congress
(ANC), at the time fighting apartheid in South Africa, used onetime pads to encrypt messages
between foreign supporters and in-country operatives. The onetime pads (the keys) were physically
transported by a trusted air steward who worked the Amsterdam-to-Johannesburg route.
Incidentally, the ANC also computerized the encryption and decryption, making it possible to
translate encrypted messages into tonal sequences transmitted over a phone connection and
recorded to—or received from—an answering machine, allowing for asynchronous communication.
• Modern Cryptography
External Resources
• Jenkin, Tim. “Talking with Vula: The Story of the Secret Underground Communications Network of
Operation Vula.” Mayibuye: Journal of the African National Congress, October 1995.
Modern Cryptography
We recommend that you read the chapter “What Is Encryption?” before reading this chapter.
Modern cryptography is not something you do by hand. Computers do it for you, and the details of
the algorithms they employ are beyond the scope of this book. However, there are certain principles
that will help you better understand and evaluate modern digital security tools.
Modern cryptographic protocols are designed to force an adversary (not in possession of the
cryptographic key) to spend (close to) as much time as it would take to try every possible key
to break the code. Recall that trying every possible key is known as a brute-force attack. The
parameters of a given protocol are chosen so that this amount of time is impractical. Usually, the
most important parameter is the length of the key. Just as with the classic Vigenère cipher, longer
keys mean that more possible keys must be explored in order to guess the correct key. As time
goes by and computer processing becomes faster and more powerful, often longer keys are required
to guarantee that a brute-force attack would be infeasible. For this reason, many cryptographic
protocols will mention the key size in terms of the number of bits it takes to represent the key.
Computers represent information, including cryptographic keys, in binary—using just 0s and 1s.
Just like the numbers 0 through 9 represent the digits of a decimal number, the numbers 0 and 1
represent the bits of a binary number. How many three-digit decimal numbers are there? 10 × 10 × 10 = 10³ = 1000—that is, the numbers 0 through 999. Likewise, there are 2 × 2 × 2 × 2 = 2⁴ = 16 four-bit binary numbers.
As an example, the AES cryptographic protocol may be referred to as AES-128 or AES-256 when using the protocol with 128-bit or 256-bit encryption keys, respectively. In AES-128, there are 2¹²⁸ = 340282366920938463463374607431768211456 possible keys. In AES-256, there are 2²⁵⁶ = 115792089237316195423570985008687907853269984665640564039457584007913129639936 possible keys. Trying every possible key—or even a small fraction of all possible keys—for AES-256 is computationally infeasible, even given the computational power of nation-states such as the United States.
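For a sense of scale, the following Python sketch counts these keys and estimates the time a brute-force attack would take; the guess rate of one trillion keys per second is a generous, purely illustrative assumption.

guesses_per_second = 10**12              # assumed rate: one trillion keys per second
seconds_per_year = 60 * 60 * 24 * 365

for bits in (128, 256):
    keys = 2**bits
    years = keys / guesses_per_second / seconds_per_year
    print(f"AES-{bits}: {keys} possible keys, about {years:.1e} years to try them all")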
Since as early as the nineteenth century, mathematicians have held as a standard that cryptographic
schemes should be secure even if the method being used is not secret. This is based on the following
principle: If security requires keeping the method secret, then one risks all messages that have ever
been encrypted or ever will be encrypted with that method being revealed if the method is ever
uncovered. On the other hand, if your method only requires keeping the key secret, then one only
risks those messages that have been encrypted with that particular key being revealed if the key is
compromised.
In fact, the more transparency around a cryptographic method, the more you can trust the security
of the method. To understand this, consider how an encryption program (or any computer program,
in fact) is created. It starts with an algorithm as to how to perform the encryption. A programmer
turns this algorithm into a source computer code. A computer compiles this source code into the
program or app that runs on your computer or phone.
From algorithm to source code to compiled source code
A good computer programmer should be able to translate from an algorithm (1) to source code
(2) and back. A security professional would be able to evaluate the security of a cryptographic
protocol based on the algorithm but should also evaluate the source code to be certain of its faithful
implementation (that there are no mistakes or bugs, whether intentional or not). However, as a user,
you would only have access to the compiled program (3). Unfortunately, given only the compiled code, it is effectively impossible to re-create the original source code.
So unless the source code is available, no one can be certain that the security claims of an app
are true. On the other hand, having just the compiled program is enough for a hacker to try to
break the security of the app. Many software projects make their source code available to the public:
such software is called open-source software and includes many well-known projects, security and
otherwise, such as Signal, Firefox, and Linux. The alternative is closed-source software, which is popular
among projects that aim to monetize their product through sales of proprietary software, such as
Safari, Internet Explorer, Windows, and Mac OS. While it is possible to evaluate the security of closed-
source software (e.g., through private audits), it is much more difficult to maintain this on an ongoing
basis. Open-source projects are open to scrutiny by anyone, giving every opportunity for security (or
other) problems to be discovered.
Since the encryption method is typically public in modern cryptographic protocols, you achieve security by protecting your encryption key. What this looks like in practice depends on where the key resides. In the case of Signal, a secure instant messaging app, the encryption key is a file on your phone, so protecting the key amounts to protecting your phone. In the case of a password manager that syncs your
passwords to the cloud, the key that encrypts the file storing all your passwords is derived from or
protected by the password that you use to log into your password manager.
End-to-end encryption involves scrambling a message so that it can only be read by the endpoints
of a conversation. But here’s where the confusion comes in: What are the endpoints? Are they just
you and your friends? Or is the server an endpoint too? It depends on the application. As an example,
https (which secures communications between you and the servers hosting the web pages you
visit) is encrypted so that only you and the server can decrypt the content of the web pages. Signal
encrypts messages so that only you and your friend that you are messaging can read them. In
both cases, only the people or entities that need to know the information are able to decrypt the
information. This is the heart of end-to-end encryption.
Assata (left) is trying to get a message (Ursula K. Le Guin’s The Dispossessed) to Bobby (right) over
the internet.
But the ghost of mean old J. Edgar Hoover haunts the infrastructure. This Man in the middle is able to intercept, read, and change any unprotected message sent between our two friends. (Edgar could also just read and send the message along unaltered.) To make matters worse, saying
that an app uses “encryption” (without being specific about who holds the keys) doesn’t guarantee
that messages remain private and authentic. For example, if a server between the two comrades is
managing the encryption keys, anyone with access to the server could read and modify all messages
between them. However, if Assata and Bobby are encrypting their messages with a key that only they hold, then Edgar won’t be able to read a message and won’t be able to replace it with one that can be decrypted with that key.
Encryption stops the Man in the Middle from being able to change the message
How do you know whether an application uses end-to-end encryption? The best indication is that
there is some way to verify encryption keys—Signal makes this easy with safety numbers. We will
describe this in more detail in the chapter “Authenticity through Cryptographic Signing.”
Another way to reduce exposure to a malicious interloper is through peer-to-peer messaging, where
it is said that there is “no server” in between managing your messages or contacts. Even this can be
a bit misleading, however: there is a tremendous amount of internet infrastructure in between you
and your friends; it’s just invisible to most users and apps. As described above, this infrastructure is
precisely what the State exploits to conduct undetectable, suspicionless mass surveillance.
Possibly the first modern encryption techniques were used during World War II. Predating modern
computers, the protocols were supported by sophisticated mechanical devices. Most notable among
these is the Enigma machine used by Nazi Germany. The Enigma is an electromechanical device
that allowed you to set a particular key, type in the plaintext, and get the ciphertext output. With the
same key, typing in the ciphertext would output the original plaintext.
Enigma machine, courtesy of Greg Goebel
The key is the order of the rotors and their initial positions (pictured above). Standard
operation required using a new key every day. The keys were listed by day in handbooks distributed
to operators of Enigma machines—these are essentially onetime pads of keys. Incidentally, these
were printed with water-soluble ink, allowing quick destruction of the key book when at risk of falling
into enemy hands.
Much effort went into breaking Enigma-encrypted messages. Several machines were captured
during World War II, but even in possession of the machine, decrypting messages was nearly
infeasible (as with truly modern ciphers whose methods are public). Alan Turing, one of the founders
of computer science as a discipline, worked at the secretive Bletchley Park, the central site for
British code breakers during World War II. Turing designed the bombe, a type of computer specially
designed for deciphering Enigma messages. The bombe was not enough. (In fact, decrypting
Enigma messages without a key is incredibly challenging even with modern computation
capabilities; at least one famous Enigma message intercepted during the war remains encrypted
to this day.) However, the bombe in combination with the fact that most early morning messages
contained weather reports or the phrase Keine besonderen Ereignisse (“nothing to report”) did allow
the Allies to break Enigma-enciphered messages regularly.
Turing’s work during the war has been estimated to have shortened the war by more than two years.
However, his work remained unacknowledged throughout his life, since work at Bletchley Park was
classified, and in fact, he was criticized for not contributing to the war effort. More tragically, as a gay
man, he was persecuted by his own government to the point of being charged with a crime in 1952.
Found guilty of homosexual acts, he was given the choice of chemical castration or imprisonment.
Choosing the former, he only lived another two years, reportedly ending his own life by cyanide
poisoning.
External Resources
• Caraco, Jean-Claude, Rémi Géraud-Stewart, and David Naccache. “Kerckhoffs’ Legacy.” 2020.
Exchanging Keys for Encryption
We recommend that you read the chapter “Modern Cryptography” before reading this chapter.
Eavesdropping on communications through the internet can be done at many points: the Wi-Fi
hotspot you’re directly connected to, your internet service provider, the server hosting the web pages
you visit, national gateways, and the vast array of routers and switches in between.
First consider a physical example, illustrated below. Suppose Assata wants to send Bobby a package.
She puts it in a strong box with a large clasp that can take multiple locks (1). She puts a lock on the
box, but Bobby doesn’t have a key to the lock. Assata mails the box to Bobby, who cannot open it
(and neither can anyone else while the box is in transit). Bobby puts his own lock on the box (2), a
lock that Assata doesn’t have the key to. When Assata receives the box, she removes her lock and
sends the box back to Bobby (3). Now Bobby can open the box because it is only secured with his
lock (4). The box cannot be opened in transit—an eavesdropper would have to break Assata’s lock,
Bobby’s lock, or both.
This illustrates that it is possible to send something securely without meeting first to exchange
(agree on) a key. However, we aren’t about to start physically mailing lockboxes in order to exchange
encryption keys. What we need is a mathematical version of this that we can use for digital
communications.
Let’s see how we would do this without physical boxes and locks. Suppose you have an encryption
protocol where you can encrypt any text (as we always expect), that you can apply multiple times for
layers of encryption (as we also always expect), and that you can encrypt and decrypt the layers in
any order you wish and end up with the same result. A mathematical operation satisfying this last
property is said to be commutative. (All the encryption protocols we describe in the chapter “What
Is Encryption?” are commutative.) Let’s see this with an example, using the Vigenère cipher.
Suppose Assata wants to send Bobby the message

AT ONE TIME IN THE WORLD THERE WERE WOODS THAT NO ONE OWNED

She encrypts it with a Vigenère cipher and her key ( ALDO ) to get the ciphertext

AE RBE ELAE TQ HHP ZCRWG HHPUS WPUS WZRRS EKOT YR CNP RKNPG

and sends the result to Bobby. Bobby doesn’t have the key! But Bobby encrypts this ciphertext with a Vigenère cipher and key LEOPOLD to get the doubly encrypted text

LI FQS POLI HF VSS KGFLU SKAYG LDFV HDFGG PNZX MG QYS COBEU

and sends the result back to Assata. Assata “decrypts” the message from Bobby with her key ( ALDO )
to get (the still encrypted message)
LX CCS ELXI WC HSH HSFAR EKPVS LSCH HSCSG EKLX BD CYH ZABTR
and sends the result to Bobby. Finally, Bobby decrypts this with his key ( LEOPOLD ) and gets the
message that Assata wanted to send Bobby in the first place:
AT ONE TIME IN THE WORLD THERE WERE WOODS THAT NO ONE OWNED
Note that, in this example, Assata did not share her key ( ALDO ) with anyone, and Bobby did not share
his key ( LEOPOLD ) with anyone either. Because the Vigenère cipher is commutative, it did not matter
that the message was encrypted with Assata’s key, then encrypted with Bobby’s key, then decrypted
with Assata’s key, and finally decrypted with Bobby’s key. All that matters is that the message was
encrypted and decrypted once with each key. Any eavesdropper would only see one of the three
intermediate ciphertexts.
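Here is a minimal Python sketch of this exchange using the keys ALDO and LEOPOLD from the example; because the Vigenère cipher is commutative, removing the layers in a different order than they were applied still recovers the message.

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def vigenere(text, key, decrypt=False):
    # A compact Vigenère cipher: the key advances only on letters.
    out, i = [], 0
    for ch in text:
        if ch in ALPHABET:
            shift = ALPHABET.index(key[i % len(key)]) * (-1 if decrypt else 1)
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)

message = "AT ONE TIME IN THE WORLD THERE WERE WOODS THAT NO ONE OWNED"
step1 = vigenere(message, "ALDO")                 # Assata adds her layer
step2 = vigenere(step1, "LEOPOLD")                # Bobby adds his layer
step3 = vigenere(step2, "ALDO", decrypt=True)     # Assata removes her layer
step4 = vigenere(step3, "LEOPOLD", decrypt=True)  # Bobby removes his layer
print(step1)                                      # AE RBE ELAE TQ HHP ZCRWG ...
print(step4 == message)                           # True

Neither key ever travels with the message; the exchange works only because applying and removing the layers in any order gives the same result. (The Vigenère cipher itself is far too weak for real use; it stands in here only to illustrate commutativity.)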
In modern cryptographic systems, rather than sending the entire message back and forth with
different layers in this way, one has an initial exchange, much like in the above examples, to settle on
a key to use for the intended communication. You could imagine that Assata, rather than sending
the message AT ONE TIME IN THE WORLD . . . , sent an encryption key to use for a longer
communication. We will describe the mathematical basis for key exchange as it is used by almost all
modern communication, called the Diffie-Hellman key exchange.
First, let’s see how this is done with paints instead of mathematics (illustrated below). We will assume
that if you mix two colors of paint together, you can’t unmix them; specifically, even if you know what
one of the two colors was, you can’t figure out what color was mixed with it to get the resulting
mixed color.
Assata and Bobby start by agreeing on one paint color (in this example, yellow) and an amount,
say 10 mL (1). They can do this over an insecure communication channel and should assume that
an eavesdropper will know what the color and amount are too. Then Assata picks a color (in this
case, rusty orange) and keeps it secret (2). She mixes 10 mL of yellow with 10 mL of rusty orange to
get a coralish color (3). She sends this to Bobby over the insecure channel, understanding that an
eavesdropper will see it. Bobby does the same thing, with his own secret color (4).
Now to the paint sample received from Bobby (5): Assata mixes in 10 mL of her secret color (6),
resulting in a dark purple (7). Bobby does the same thing. Assata’s unpleasant brown–dark purple
is obtained from a mix of 10 mL each of yellow, her secret color, and Bobby’s secret color. Bobby’s
resulting paint mix is obtained from a mix of 10 mL of yellow, his secret color, and Assata’s secret
color. So Bobby also ends up with the same unpleasant brown–dark purple (8)! Can the
eavesdropper create the dark purple? The eavesdropper sees yellow (1), the mix of yellow and
Assata’s secret color (3), and the mix of yellow and Bobby’s secret color (5). But to create the
unpleasant brown, the eavesdropper would have to unmix in order to obtain Assata’s or Bobby’s
secret colors, which they can’t do.
Let’s revisit this process mathematically. We do so with a commutative mathematical operation that
is hard or impossible to reverse. A mathematical operation or function that is hard to reverse is called
a one-way function. Let’s represent our mathematical operation with the symbol ☆—that is, a ☆ b =
c for some numbers a, b, and c. Commutative means that a ☆ b = b ☆ a. That ☆ is one way means
that if you know b and c, you cannot easily figure out what a is. In practice, one should only be able
to figure out what a is by a brute-force (or close to brute-force) attack: by trying every possibility for
a. You may think of ☆ as the multiplication sign (which is commutative but is not one way). (For
those mathematically inclined, ☆ can be modular exponentiation for real implementations of Diffie-
Hellman.)
Illustrated below, Assata and Bobby agree on a number p, which is public (1). Assata chooses a
secret number a (2), computes p ☆ a (3), and sends the result to Bobby. Since ☆ is one way, an
eavesdropper will know p and p ☆ a but will not be able to (easily) determine a. Bobby chooses a
secret number b (4), computes p ☆ b, and sends the result to Assata (5). An eavesdropper knows p ☆
b but not b. Assata computes (p ☆ b) ☆ a (7), using the message from Bobby (5) and her own secret
number (6). Bobby computes (p ☆ a) ☆ b (8), using the message from Assata (3) and his own secret
number (4). Since ☆ is commutative, (p ☆ b) ☆ a = (p ☆ a) ☆ b, and so Assata and Bobby now have
computed a common number. Since the eavesdropper only knows p ☆ a, p ☆ b, and p, and since
☆ is one way, the eavesdropper has no efficient means of computing Assata and Bobby’s shared
common number: it is secret to Assata and Bobby. Assata and Bobby can use this shared number as
their cryptographic key.
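Here is a minimal Python sketch of a Diffie-Hellman key exchange, with modular exponentiation playing the role of ☆; the book's single public number corresponds to the pair (g, p) below, and the tiny prime and secret numbers are illustrative only—real implementations use very large, carefully chosen values.

# "p ☆ x" corresponds to computing g**x mod p.
p, g = 23, 5                   # tiny illustrative prime and generator (far too small for real use)
a = 6                          # Assata's secret number
b = 15                         # Bobby's secret number

A = pow(g, a, p)               # what Assata sends (an eavesdropper sees this)
B = pow(g, b, p)               # what Bobby sends (an eavesdropper sees this too)

key_assata = pow(B, a, p)      # (g**b)**a mod p
key_bobby = pow(A, b, p)       # (g**a)**b mod p
print(A, B)                    # 8 19
print(key_assata, key_bobby)   # 2 2 -- the same shared secret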
Diffie-Hellman key exchange is used all over the place as a means of agreeing on a cryptographic
key. It is used as the basis for most forms of encrypted communications that you will encounter.
Most notably, it forms the basis of key exchange when you connect to a website via https. When
you visit a website, the URL will either start with http:// or https://. In the former case, none of your
communications with the server of the website are encrypted. In the latter, communications are
encrypted, and the key used to encrypt those communications is generated using Diffie-Hellman
key exchange.
Remember that the first thing that Assata and Bobby do is agree on a number p that forms the
basis of their key exchange. This number is public, but we assumed that our mathematical operation ☆ is one way—that it cannot feasibly be reversed. In practice, reversing it is merely extremely expensive, and much of that expense can be paid in advance for a particular value of p: an adversary willing to invest enormous precomputation against one value of p can then cheaply break any key exchange that uses that value. However, in 2015, researchers showed that 18 percent of the top one million https domains use the
same value of p. Two other communication protocols that depend on Diffie-Hellman key exchange
are SSH (secure shell) and VPN (virtual private network). The same researchers showed that 26
percent of SSH servers and 66 percent of VPN servers used the same value of p in their Diffie-
Hellman key exchange. This means that a powerful adversary would have little trouble breaking the
encryption.
While the Diffie-Hellman protocol is strong and reliable, this highlights that those who implement
the protocols need to do so with care to ensure that they are in fact secure.
External Resources
• Adrian, David, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex
Halderman, Nadia Heninger, et al. “Imperfect Forward Secrecy: How Diffie-Hellman Fails in
Practice.” In Proceedings of the 22nd ACM SIGSAC Conference on Computer and
Communications Security, 5–17. Denver: ACM, 2015.
Cryptographic Hash
We recommend that you read the chapter “Modern Cryptography” before reading this chapter.
A hash function is any (computer) function that transforms data of arbitrary size (e.g., a name, a
document, a computer program) into data of fixed size (e.g., a three-digit number, a sixteen-bit
number). The output of a hash function is called the digest, fingerprint, hash value, or hash (of the
input message).
A cryptographic hash function has the following properties that make it useful for cryptographic applications:

1. The same input message always produces the same hash.
2. It is infeasible to recover the input message from its hash.
3. It is infeasible to find two different input messages that produce the same hash.
4. A small change to the input message produces a large, unpredictable change in the hash.
The first two of these properties are similar to most encryption protocols. If you encrypt the same
message on two different occasions, you would expect the same result, assuming you are using
the same encryption key. Given only the ciphertext, it should be infeasible to generate the plaintext
(without the decryption key). However, encryption allows you to go backward, from ciphertext to
plaintext, using the decryption key. Hash functions are inherently one way: there is no key to go
backward. That the result is sometimes called a digest or a fingerprint is a useful analogy: while the
output of a cryptographic hash function does not encode all the information of the input message
(in the way that a ciphertext does), it encodes enough information that you can use it to identify the
input (relying on properties 1 and 3) and that this is very difficult to fake (property 2).
We will see applications of cryptographic hash functions in the chapters “The Man in the Middle,”
“Passwords,” and “Public-Key Cryptography,” but let’s look at a simple use here, known as a
commitment scheme.
Assata and Bobby are both trying to solve a difficult math problem. Assata gets the answer (S) first
and wants to prove to Bobby that she has the answer before he has solved it without leaking the
solution to him. So Assata takes a cryptographic hash of the solution S, hash(S), and gives Bobby
hash(S). Since the hash is cryptographic, Bobby can’t learn S from hash(S) (property 2). When Bobby
eventually solves the problem, finding S for himself, he can compute hash(S) and check that the
result is the same as what Assata gave him. By properties 1 and 3, Bobby knows that Assata’s input
to the hash function must be the same as his input to the hash function, thus proving that Assata
solved the problem first. (Property 4 was not used here, but without this property, if Assata got a
solution that was close to correct but not quite, the two outputs might be very similar, and a cursory
comparison may not uncover that they are different.)
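A minimal Python sketch of this commitment scheme, using SHA-256 from Python's standard library; the "solution" strings are placeholders.

import hashlib

def commit(solution):
    # Publish this digest now; reveal the solution itself later.
    return hashlib.sha256(solution.encode()).hexdigest()

assata_commitment = commit("the answer is 42")           # placeholder solution
# ...later, Bobby solves the problem himself and checks:
print(commit("the answer is 42") == assata_commitment)   # True: same input, same hash
print(commit("the answer is 41") == assata_commitment)   # False: a different input

In practice, the committed value is usually combined with a long random value before hashing so that an easily guessed solution cannot be brute-forced from the digest.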
There are many different cryptographic hash functions in use today, but describing them in detail is
beyond the scope of this book. However, to give you a sense of what they might look like, we give an
example that satisfies some, but not all, of the properties that cryptographic hash functions have.
The example hash function is called chunked XOR . Exclusive or ( XOR ) is a function that, when given a
pair of inputs, outputs true (or 1) if the inputs are different and false otherwise. So, for example, apple
XOR banana = 1 , apple XOR apple = 0 , 0 XOR 1 = 1 , 1 XOR 1 = 0 . We can take a chain of
XOR s on binary numbers (0s and 1s) and get a meaningful answer: 1 XOR 1 XOR 0 = 0 , 1 XOR 1
XOR 0 XOR 1 = 1 . For a sequence of binary numbers, XOR returns 1 if there are an odd number of
1s in the chain and 0 otherwise.
Chunked XOR operates on a binary input. (If your input is not binary, you could represent it in binary
first, the same way a computer would.) We group the input into chunks equal to the size of the
output of the hash function—for example, groups of eight bits. We line the chunks up vertically, and
then XOR the contents of each column, as illustrated below:
input:   00111011 11101101 00101000 00101011 01011000 11001110

chunked: 00111011
         11101101
         00101000
         00101011
         01011000
         11001110

hash:    01000011
This is a hash function in that no matter what the length of the input, the output will always have
the same length (eight in this example). You should be able to see that chunked XOR satisfies the
first property of cryptographic hash functions. However, it fails on the remaining properties. It is easy to create an input message (but not necessarily your desired input message) with a given output hash—for example, the desired hash value itself, followed by 11111111 11111111 (two chunks that cancel each other out), is an input with that hash. For the same reason, you could create multiple messages having the same output hash by appending a pair of identical chunks to any message. Finally, changing a single bit of the input message will change only a single bit of the output hash.
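A minimal Python sketch of chunked XOR that reproduces the example above and demonstrates the weakness just described: appending two identical chunks leaves the hash unchanged.

def chunked_xor(bits, chunk_size=8):
    # Assumes the input is a string of 0s and 1s whose length is a multiple of chunk_size.
    digest = [0] * chunk_size
    for start in range(0, len(bits), chunk_size):
        for i, bit in enumerate(bits[start:start + chunk_size]):
            digest[i] ^= int(bit)
    return "".join(str(b) for b in digest)

message = "001110111110110100101000001010110101100011001110"
print(chunked_xor(message))                            # 01000011
print(chunked_xor(message + "11111111" + "11111111"))  # still 01000011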
In 2008, a US district judge ruled that if the US government wants to cryptographically hash your
private data, then they need a warrant first. The case in question had a special agent of the
Pennsylvania Office of the Attorney General copy the hard drive of a suspect’s computer. The special
agent computed a cryptographic hash of the copy (so that it could be later compared to the original
to prove that they did not tamper with it, relying on properties 1 and 3). The agent then used a
forensic tool that computed a cryptographic hash of each individual file (including deleted but not
yet overwritten files) on the copied hard drive and compared these hashes to hashes of files in a
database of contraband files. The agent found three matches between hashes of files on the hard
drive and hashes of contraband files. By properties 1 and 3, this means that the hard drive contains
at least three illegal files. The judge on the case determined this practice (of hashing the files and
comparing them to known hashes) to constitute a search of the hard drive, violating the accused’s
Fourth Amendment rights to protection from illegal searches and seizures. As a result, the evidence
could not be used at trial.
We should disclose the particulars of the case, which involves the possession of child pornography.
While we would never defend the right of possession (or the creation or distribution) of child
pornography, it is important to imagine how a power (in this case, that of determining the existence of particular files on a computer) could be used in ways that you would not want it to be used. Music
that a friend shared with you? Images of oil spills? Images of #blacklivesmatter protests? Earth First!
Journal articles?
• Passwords
• The Man in the Middle
• Authenticity through Cryptographic Signing
External Resources
• United States of America v. Robert Ellsworth CRIST, III, Defendant. Criminal Action No. 1:07-cr-211.
627 F.Supp.2d 575 (2008).
The Man in the Middle
We recommend that you read the chapters “Exchanging Keys for Encryption” and “Cryptographic
Hash” before reading this chapter.
In the chapter “Exchanging Keys for Encryption,” you learned how two people can agree on a
cryptographic key, even if they have not met. While this is a robust method, it suffers from the
limitation that on the internet, it is difficult to be sure that you are communicating with the person
or entity you are trying to communicate with, be that a friend you are instant messaging or emailing
or the server that you are trying to load a web page from. We will first show how an eavesdropper
can intercept your communications with our lockbox example from the chapter “Exchanging Keys
for Encryption” and then show how this plays out in a Diffie-Hellman key exchange. These
interceptions of communications are called attacks.
Recall that Assata was able to send Bobby a secure package by sending a lockbox back and forth
three times: once with her lock on it, once with Bobby’s lock on it, and finally with her lock removed
and only Bobby’s lock on it. However, how does she know it is actually Bobby who receives the
package? And how does she know that it is Bobby’s lock on the box when it is sent back to her?
Illustrated below, suppose Edgar intercepts the lockbox from Assata to Bobby with Assata’s lock on
it (1). Edgar could send the lockbox back to Assata with his own lock on it (2). Unless Assata is able to
tell the difference between a lock from Edgar and a lock from Bobby, Assata would assume that the
lock is Bobby’s lock, remove her lock, and send the package on to Bobby (3). If Edgar intercepts the
package again, he can now open the box and examine the contents of the package, since it only has his own lock on it.
An impersonation attack
In the situation as described, Bobby never received a package at all. Edgar could go further though
(illustrated below). Edgar could, after opening the lockbox from Assata (4), choose to send it along
to Bobby, using a mirror image of the same three-exchange method, so that Bobby thinks he is
receiving a locked box from Assata (5–8).
If Edgar passes along Assata’s original message (just inspecting the message for himself), then we
call this a passive man-in-the-middle attack. If Edgar substitutes the package with a completely
different package, we call it an active man-in-the-middle attack. In either case, Edgar would need
to intercept all packages between Bobby and Assata, as the packages will be addressed to Bobby or
Assata, not Edgar.
These types of attacks are called man-in-the-middle attacks because Edgar is the man in the middle
of Assata and Bobby’s communication. (In the case of J. Edgar Hoover, quite literally “the man.”)
Let’s see how this plays out in the Diffie-Hellman key exchange, using the notation we introduced in
the chapter “Exchanging Keys for Encryption.” Recall that in order for Assata and Bobby to generate
a key, they first agree on a number p. Assata picks a number a, computes p ☆ a, and sends the result to Bobby; Bobby picks a number b, computes p ☆ b, and sends the result to Assata; each can then compute the shared key (p ☆ a) ☆ b = (p ☆ b) ☆ a.
Suppose, though, that Edgar is able to intercept Assata’s and Bobby’s communications. Then Edgar
can do one Diffie-Hellman key exchange with Assata and another Diffie-Hellman key exchange with
Bobby, illustrated below. Assata will think that she is doing a Diffie-Hellman key exchange with Bobby, when really she is exchanging keys with Edgar, resulting in the beigeish key p ☆ a ☆ e. Bobby will think that he is doing a Diffie-Hellman key exchange with Assata, when really he is exchanging keys with Edgar, resulting in the blueish key p ☆ b ☆ e. In the end, Assata and Edgar have a shared key
(left), and Edgar and Bobby have a shared key (right). But Assata and Bobby think that they have a
shared key with each other.
A man-in-the-middle attack against the Diffie-Hellman key exchange
When Assata and Bobby start using what they think is their shared key, Edgar will have to keep
up the ruse in order to not be discovered. You see, Assata will encrypt a message with the key she
has. If this message makes it to Bobby, Bobby won’t be able to decrypt the message because he
doesn’t have the same key! What Edgar needs to do is intercept the encrypted message and decrypt
it with the key he shares with Assata. Edgar now has two choices. Edgar could simply read the
message, encrypt it with the key he shares with Bobby, and then send it to Bobby. This would be a
passive man-in-the-middle attack: Edgar is reading the messages between Assata and Bobby that
Assata and Bobby think no one else can read. Edgar’s other option is to change the message from Assata before re-encrypting it with the key he shares with Bobby and passing it along—an active man-in-the-middle attack.
If Assata and Bobby, after a Diffie-Hellman key exchange, can reliably compare their keys and see
that they are the same, they can be assured that any eavesdropper has not mounted a man-in-the-
middle attack and can only see their encrypted communications. As a reminder, this is because the
parts of the Diffie-Hellman key exchange that an eavesdropper sees do not allow them to create
the hidden parts of the keys that Assata and Bobby each select (a and b in the above figure). Indeed,
the most basic way to spot a man-in-the-middle attack is for Assata and Bobby to compare their
keys.
If Assata and Bobby try to compare their keys, can’t Edgar manipulate the communication to make
it seem like their keys are indeed the same?
Of course! Then Assata and Bobby should compare their keys over a different communication
channel. For example, if they were originally communicating over the internet, then they should
compare keys over the phone. The assumption is that it would be much harder for Edgar to intercept
Assata’s and Bobby’s communications over all the different communication channels that could be
used to compare keys. Ideally, Assata and Bobby would meet in person to compare keys. Either way,
this is called an out-of-band comparison: the band refers to the communication channel, and keys
should be compared outside of the band of communication that the keys are exchanged through.
But wait, if Assata and Bobby have another means of communicating, then why don’t they just
exchange keys the old-fashioned way, without any fancy math to worry about?
Well, cryptographic keys, for modern cryptographic methods, are very long—hundreds or thousands
of characters long. It can be cumbersome to do a manual exchange of keys. If a designer of a
method for secure communications wanted to automate the exchange of keys over a different
communication channel, that designer would have to specify that second communication channel,
making the whole secure communications system cumbersome to use. (Imagine having to make a
phone call in order to visit a website.) Edgar would also then know what channel the keys are being
exchanged on and could play the man in the middle on that channel.
But isn’t manually comparing a key that is hundreds or thousands of characters long also cumbersome?

Absolutely. So instead of comparing the entire key, Assata and Bobby compare the cryptographic hash of their keys.
You may recall that a cryptographic hash is sometimes called a fingerprint, and so we call the
process of comparing the cryptographic hash of keys fingerprinting. Various communication apps
may use different terminology for this, including safety numbers, verification, and authentication.
In-Band Fingerprinting
There are two methods to compare keys in band that are not commonly used but are clever and are
variations on the out-of-band fingerprinting we described above.
The first relies on the use of a weak password. If Assata and Bobby both know something, like the
name of Assata’s first pet or the street Bobby grew up on (say “Goldman”), that their presumed
adversary doesn’t know, Assata and Bobby can use this as a weak password. Assata combines her
key with the weak password (“Goldman”) and computes the cryptographic hash of the result. Bobby
does the same thing with his key. Assata and Bobby then compare the result in band (i.e., over the
communication channel in which they are already communicating). Because of the properties of the
cryptographic hash, Assata and Bobby will only have the same result if they have the same key and
the same password:
Fingerprinting
If Edgar is playing the man in the middle, then Edgar shares a key with Assata and a different key
with Bobby. Edgar would have to risk passing along Assata’s hash or would have to guess the weak
password to be able to compute a result that is the same as what Assata computes and the same as
what Bobby computes (as in the figure below). The password does not need to be strong because
only a small number of incorrect guesses (e.g., “panther”) would be tolerated between Assata and
Bobby before they assume the man is in the middle: a brute-force attack by Edgar to guess the
password is not feasible.
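A minimal Python sketch of this weak-password method, assuming each party combines their copy of the key with the shared secret word and hashes the result with SHA-256; the key values are placeholders.

import hashlib

def check_value(key, weak_password):
    # Each side hashes their copy of the key together with the shared secret word.
    return hashlib.sha256((key + weak_password).encode()).hexdigest()

# No man in the middle: Assata and Bobby hold the same key and the same password.
print(check_value("3A6F19C2", "Goldman") == check_value("3A6F19C2", "Goldman"))  # True

# Man in the middle: Assata and Bobby actually hold different keys,
# and Edgar does not know the weak password.
print(check_value("3A6F19C2", "Goldman") == check_value("B85D02E7", "Goldman"))  # False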
The second method is used for key comparison in voice and video calls. Here, Assata hashes her key
into two human-readable words (instead of a string of numbers and characters as we have seen).
Bobby does the same thing. If Assata and Bobby have the same key (i.e., there is no man in the
middle), then they will have the same set of words. Assata reads the first word, and Bobby reads the
second word, so each can compare the result of the hash. If Edgar is in the middle, Assata and Bobby
would have different pairs of words. Edgar would have to synthesize Assata’s and Bobby’s voices (and
possibly videos) to speak the words that Edgar shares with Assata and Bobby in order for Edgar’s
ruse to continue.
If a method of secure communication does not provide the ability to compare (fingerprint) keys,
then there is little benefit to using end-to-end encryption. Man-in-the-middle attacks can be
automated in our global surveillance system, so if a man-in-the-middle attack cannot be spotted (by
fingerprinting), then it might as well be carried out by default. However, if fingerprinting is made
possible, then the man risks being uncovered, particularly if the attacks are automated and widely
carried out. Not everyone needs to go through the process of fingerprinting: as long as some users do, the widespread deployment of men in the middle is deterred.
Of course, for users at risk of targeted surveillance, fingerprinting is essential to the security of their
communications.
Many people know that the internet is heavily censored in China by the Great Firewall of China.
Starting in mid-January 2013, parts of GitHub, a site primarily used to host computer programming
code but that can also be used to share more general information, were blocked in China. By
January 21, 2013, the entire domain was blocked. However, given GitHub’s central role in software development and business, and the importance of this sector to the Chinese economy, the public backlash led to GitHub being unblocked by January 23, 2013. On January 25, a petition on
WhiteHouse.gov was started asking for those involved in building the Great Firewall of China to be
denied entry into the United States. The petition linked to a GitHub page, created the same day,
listing Chinese individuals accused of contributing to China’s censorship infrastructure. The next
day, reports appeared in social media of a man-in-the-middle attack of users accessing GitHub,
showing that the equivalent of the fingerprint check for accessing a website via https was failing.
The Chinese government had learned that they could not block GitHub, and since GitHub supports
https, the Great Firewall could not block accesses to particular pages within GitHub (e.g., based on
keyword matches), since https encrypts that information from an eavesdropper. The next option
is a man-in-the-middle attack. Any users who ignored warning signs of the attacks would be at
risk of their government knowing what pages they were accessing or possibly editing. The Chinese
government is the presumptive deployer of widespread man-in-the-middle attacks between users
in China and other major internet services, such as Outlook, Apple’s iCloud, and Google.
China isn’t alone in launching man-in-the-middle attacks. Similar attacks have been caught in Syria
and Iran too.
Passwords
We recommend that you read the chapter “Cryptographic Hash” before reading this chapter.
In this chapter, you will learn:

1. When “password protected” means something is encrypted and when it does not
2. How passwords are defeated
3. What password practices you can use to minimize the risk of your passwords being compromised
4. How encryption keys can be generated from passwords
All passwords are used to control access. Account passwords are used to grant access to an online
account, for example. Rarely, though, is the information in that account encrypted with a key that
you control, and it is likely that your information is not encrypted at all. That is, the information
is usually readable by the provider (e.g., Google, Dropbox). Other passwords are used to unlock an
encrypted file or document, and we will refer to these as encryption passwords. The use of an
account password is like telling a bouncer your name and having that name be matched on a list
of approved guests, whereas the use of an encryption password is more like using a key to unlock
a safe. In the first case, it is up to the bouncer (a metaphor for your online account provider) to give
you access. In the latter case, the safe represents the ciphertext, and the contents of the safe are the
plaintext—gaining access to the plaintext is impossible (or at least impractical) without the key or
password. (In fact, encryption keys are in some cases generated from the password, as we describe
below.)
That said, even though your information is not encrypted with an account password, you should
still minimize the people who could have access to your information. But to understand why we
recommend the password practices we do, it helps to understand how passwords can be
compromised.
Password Cracking
Passwords can be compromised or cracked one at a time or as a whole batch, as in all the passwords
for all the accounts on a given system. Passwords are hot commodities. Since people frequently use
the same password for many accounts and “popular” (a.k.a. terrible) passwords are used by many
people ( 123456 , password , qwerty , admin , welcome , to name a few real examples),
discovering passwords used for one service can result in an account compromise for a different
service and possibly for a different person.
To crack one password, an adversary could make guesses via the same means that you use to enter your password—for example, via a website. This is relatively easy for the website operator to help protect
against—for example, by locking an account after a few incorrect password entries or forcing delays
after entering the password to slow down repeated guesses. Another way the account provider can
help is by allowing for two-factor authentication. This is where, in addition to entering a password to
access an account, you must also enter an authentication code that is delivered to you via text, via
an app on your smartphone, or to a physical authentication key (such as a YubiKey). To compromise
your account, an adversary would need your password as well as your device that receives the
authentication code.
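To give a concrete sense of how app-based authentication codes work, here is a minimal Python sketch of the time-based one-time password (TOTP) scheme that most authenticator apps implement. The secret shown is a made-up example; a real secret is shared between the provider and your app when you enable two-factor authentication.
    import base64, hashlib, hmac, struct, time

    def totp(secret_base32, digits=6, period=30):
        # The shared secret is typically given to you as a base32 string (or QR code).
        key = base64.b32decode(secret_base32, casefold=True)
        # The "message" is just the number of 30-second periods elapsed since 1970.
        counter = struct.pack(">Q", int(time.time()) // period)
        digest = hmac.new(key, counter, hashlib.sha1).digest()
        # Standard dynamic truncation (RFC 4226) turns the digest into a short code.
        offset = digest[-1] & 0x0F
        code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
        return str(code).zfill(digits)

    print(totp("JBSWY3DPEHPK3PXP"))  # example secret; prints a 6-digit code that changes every 30 seconds
Because the code depends on both the shared secret and the current time, an adversary who has only your password cannot produce it.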
An adversary could also physically access the device (your phone or computer) on which you enter
your password. More likely—and as is regularly reported in the news—the server on which your
password is stored is compromised or hacked. In this case, it won't just be your username and
password that are compromised; everyone who has an account on that system will be at risk. Although
an adversary who has gained access to a database of passwords on the server will likely have access
to your account information too, as we alluded to above, the point of the hack might be to gain
access not to the hacked service but to another service entirely.
A responsible web service provider won’t store your password in plaintext on their server but will
store a cryptographic hash of your password. To uncover a password (or all passwords), an adversary
computes the cryptographic hash of a guessed password and compares this to the database of
stolen passwords. In practice, password-cracking tools (e.g., John the Ripper) use three techniques:
1. Dictionary attacks: trying dictionary words, common variations of dictionary words (e.g.,
pa55w0rd, fr33d0m), and previously cracked passwords
2. Brute force: trying all possible combinations of letters, numbers, and symbols (for practical
reasons, this method only works for relatively short passwords)
3. Precomputed hashes: comparing against a table of cryptographic hashes of possible
passwords that are computed ahead of time
A user can foil the first two techniques by using good password practices (described below). A
service provider can make password cracking less practical by using a cryptographic hash function
that is slow to compute or uses a lot of memory. This wouldn’t be noticeable for a single password
(such as would be done when you log in) but would slow the computation of the hashes during
cracking.
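The following minimal Python sketch shows the core of a dictionary attack against a database of stolen password hashes. The username, password, and word list are made up, and a fast, unsalted hash (SHA-256) is used only for illustration; as noted above, a responsible provider would use a slow, salted hash.
    import hashlib

    # A toy "stolen" database mapping usernames to unsalted SHA-256 password hashes.
    stolen = {"assata": hashlib.sha256(b"fr33d0m").hexdigest()}

    # A toy word list; real cracking tools use lists with millions of entries.
    wordlist = ["123456", "password", "qwerty", "admin", "welcome", "fr33d0m"]

    for username, stored_hash in stolen.items():
        for guess in wordlist:
            if hashlib.sha256(guess.encode()).hexdigest() == stored_hash:
                print(f"{username}: password is {guess!r}")
                break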
A service provider can further foil the use of precomputed hashes if they add a long random
sequence of characters (salt) to your password when you log in. This salt can be stored in plaintext
with your username, so an adversary would have this information too but would not have had the
salt when the precomputed table of hashes was prepared. Additionally, if two users have the same
password, because their salt will be different, the cryptographic hash of their passwords with the
corresponding salts will be different. This forces an attacker to uncover each password individually.
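Here is a minimal Python sketch of salted password hashing as just described. The password is made up, and SHA-256 stands in for the slow, memory-hard functions a real service should use; the point is only that the salt is random, stored in plaintext, and mixed into the hash.
    import hashlib, hmac, secrets

    def hash_password(password):
        salt = secrets.token_hex(16)  # random salt, stored in plaintext next to the hash
        digest = hashlib.sha256((salt + password).encode()).hexdigest()
        return salt, digest

    def check_password(password, salt, digest):
        candidate = hashlib.sha256((salt + password).encode()).hexdigest()
        return hmac.compare_digest(candidate, digest)

    salt, digest = hash_password("fr33d0m")
    print(check_password("fr33d0m", salt, digest))   # True
    print(check_password("password", salt, digest))  # False
Because each user gets a different salt, a precomputed table of hashes is useless, and identical passwords no longer produce identical hashes.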
For all of this, you are trusting the online service provider to responsibly store and protect your user
information, including your hashed password, if they have even hashed it. The rest is up to you.
To guard against the methods deployed in password cracking, your passwords should be sufficiently
long (to prevent brute-force attacks), be uncommon (to prevent dictionary attacks), and not be
reused (so if one of your accounts gets compromised, all your accounts aren’t compromised).
To accomplish this, use a password manager to generate and store all the passwords that you
don’t need to manually type in. The password manager should be able to generate strong random
passwords for you such as bdY,Fsc_7&*Q+cFP. This is great for a password that you never have to
type in—that is, a password that the password manager will input for you.
For passwords that you will necessarily need to type in (e.g., a password you enter on your phone, the
password you protect your password manager with, the password you use to encrypt or unlock your
computer), use a diceware password, a.k.a. a passphrase, a.k.a. a random sequence of words such as
remake.catfight.dwelled.lantern.unmasking.postnasal
You can generate this password manually using dice and a word list. Many password managers will
also generate such passwords, although you probably won’t need many of these.
Note that the two above examples of passwords are randomly generated. This is important because
even if you think your password is awesome and strong, if you came up with it with your brain, then
someone else’s brain probably also came up with it, and so it is susceptible to dictionary attacks.
[Figure: XKCD password strength]
In some cases, passwords are used to unlock an encrypted file or device. An encryption key in this
case is in fact generated from a password or passphrase using a key derivation function, which
is, essentially, a cryptographic hash function. The input to the cryptographic hash function is your
password, and the output is the cryptographic key. Why would this work? Let’s revisit the properties
of cryptographic hash functions:
1. Regardless of the length of the input, the output is always the same size. So no matter how
short (and weak!) your password is, you will get a cryptographic key of the right size. (But a
short and weak password is susceptible to the password-cracking methods we discussed
above.)
2. The same input always results in the same output. So your password will always generate
the corresponding cryptographic key you need.
3. It is infeasible to generate the input from the output. So if someone manages to get your
key, at least they won’t be able to re-create your password.
4. It is infeasible to find two different inputs that result in the same output. So someone
trying to crack your password would be unlikely to even find some other password that
results in the same cryptographic key as yours.
5. A small change to the input changes the output so extensively that the new hash value
appears uncorrelated with the old hash value. Well, this property isn’t as useful for
cryptographic key generation…
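Here is a minimal Python sketch of key derivation, using PBKDF2 from the standard library (one common key derivation function; others, such as scrypt and Argon2, are also widely used). The passphrase and salt are made up; the output is a fixed-size key suitable for a symmetric cipher.
    import hashlib, secrets

    passphrase = b"remake.catfight.dwelled.lantern.unmasking.postnasal"
    salt = secrets.token_bytes(16)

    # Repeatedly hash the passphrase (and salt) to derive a 256-bit key.
    # The high iteration count deliberately slows down password guessing.
    key = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 600_000, dklen=32)
    print(key.hex())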
In 2016, longtime activist DeRay Mckesson had his Twitter account and two email addresses
compromised in a targeted attack despite having two-factor authentication set up. His adversary
got control of his phone number by calling Verizon and requesting a new SIM card, knowing
enough about Mckesson to convince Verizon to do so. Once the adversary had access to Mckesson's
phone number, they were able to receive password-reset codes to change his passwords and gain
access to his accounts. It is a reminder that no security measure will be perfect, and for those who
are subject to targeted attacks (in this case, Mckesson was targeted for his support of Black Lives
Matter), extra vigilance is necessary. Here, the fact that access to Mckesson’s phone number could
be used to force a password reset reduced account protections from two-factor to one factor: only
phone access separated an adversary from Mckesson’s account rather than a password plus phone
access.
External Resources
• Dreyfuss, Emily. “@Deray’s Twitter Hack Reminds Us Even Two-Factor Isn’t Enough.” Wired, June
10, 2016.
• Wikipedia. “John the Ripper.” December 29, 2020.
• TeamPassword. “Top 50 Worst Passwords of 2019.” December 18, 2019.
Public-Key Cryptography
We recommend that you read the chapter “Exchanging Keys for Encryption” before reading this
chapter.
Encryption protocols can be classified into two major types. In symmetric-key cryptography, the
key used to decrypt a message is the same as (or easy to transform from) the key used to encrypt
the message. This is the case for the basic ciphers (Caesar, Vigenère, and the onetime pad) that
we described in the chapter “What Is Encryption?” (There are, of course, modern symmetric-key
ciphers that are used—for example, to encrypt the data on your phone or computer.) As we saw,
these protocols are challenging to use for communication because you need to first find some way
to privately share the key with your communication partner. Diffie-Hellman key exchange gave a
method for two people to generate a shared key (that can be used in a symmetric-key encryption
protocol) while only communicating over an insecure channel (such as the internet).
In public-key cryptography (also called asymmetric-key cryptography), each person instead has a pair
of keys, a public key and a private key, generated so that:
1. It is infeasible to generate the private key from the public key: the keys must be generated
together.
2. A message that is encrypted by the public key can only be (feasibly) decrypted with the
corresponding private key.
Suppose Bobby wants to send Assata an encrypted message. Assata creates a private-key/public-
key pair and sends Bobby her public key (over an insecure channel). Bobby uses the public key to
create the ciphertext and sends the ciphertext to Assata. The ciphertext can only be decrypted using
Assata’s private key. Even though anyone may have Assata’s public key, the only thing that can be
done with the public key is encrypt messages that can only be decrypted using Assata’s private key.
Security is therefore achieved by keeping the private key private: secret and secure.
[Figure: Generating public and private keys and sharing a public key, encrypting with a public key, and decrypting with a private key]
In this model, anyone can, in fact, publish their public key. For example, Assata could publish her
public key online so that anyone wishing to send Assata an encrypted message could encrypt that
message with her public key first. Likewise, Bobby could create his own pair of public and private
keys and publish his public key online so that others could send him encrypted messages that only
Bobby could decrypt with his (securely stored) private key.
Let’s revisit Diffie-Hellman key exchange through the lens of symmetric and public-key
cryptography. Recall that Assata and Bobby agree (publicly/insecurely) on a number p. Assata picks a
(secret) number a and computes p ☆ a to send (publicly/insecurely) to Bobby. One could thus view a
as Assata’s private key, p ☆ a as Assata’s public key, and this scheme as part of a public-key protocol.
But Bobby picks his own secret number b and combines it with Assata’s public key to get p ☆ a ☆
b. Likewise, Assata combines Bobby’s “public key” p ☆ b with her own private key to get p ☆ b ☆
a. Since p ☆ a ☆ b = p ☆ b ☆ a, Assata and Bobby have a common key to use for encryption, and
they use the same key for decryption. In this way, this is part of a symmetric-key protocol. For these
reasons, the Diffie-Hellman key exchange lies somewhere between public-key and symmetric-key
cryptography.
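One common instantiation of Diffie-Hellman uses modular exponentiation, where the chapter's p ☆ a corresponds to raising a public base to the power a, modulo a public prime. The Python sketch below uses tiny numbers so the arithmetic is visible; real implementations use primes thousands of bits long, and the specific numbers here are illustrative only.
    import secrets

    p = 23  # publicly agreed prime (insecurely small, for illustration)
    g = 5   # publicly agreed base

    a = secrets.randbelow(p - 2) + 1  # Assata's secret number
    b = secrets.randbelow(p - 2) + 1  # Bobby's secret number

    A = pow(g, a, p)  # Assata's public value ("p ☆ a")
    B = pow(g, b, p)  # Bobby's public value  ("p ☆ b")

    # Each combines the other's public value with their own secret number.
    shared_assata = pow(B, a, p)  # ("p ☆ b") ☆ a
    shared_bobby = pow(A, b, p)   # ("p ☆ a") ☆ b
    assert shared_assata == shared_bobby
    print(shared_assata)  # the key they now share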
Combining Public-Key and Symmetric-Key Cryptography
In practice (in part because public-key encryption is much slower than symmetric-key encryption),
public keys are generally used to encrypt a symmetric key for a given
(communication) session. Suppose Bobby wishes to send Assata an encrypted message. Bobby
generates a symmetric encryption key and encrypts the message with the symmetric key using
a symmetric cipher. He then encrypts the symmetric key using Assata’s public key. He sends the
encrypted message and the encrypted key to Assata:
[Figure: Combining symmetric and public-key cryptography—encrypting]
Assata decrypts the encrypted key using her private key and then uses the result to decrypt the
encrypted message:
[Figure: Combining symmetric and public-key cryptography—decrypting]
Since the public key is only used to encrypt keys (which are typically random-looking strings),
methods of breaking the encryption that rely on patterns in human-language phrases do not apply,
so the same public key can safely be used over a long period (the public key does not “age”). An
added benefit is that if one message is successfully decrypted, that does not
help in breaking the encryption of a different message, since each message is encrypted with a
different key.
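Here is a minimal Python sketch of this hybrid scheme, assuming the third-party cryptography package (pip install cryptography) is available. It is only an illustration of the idea; real tools such as PGP add further protections around the same structure.
    from cryptography.fernet import Fernet
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import rsa, padding

    # Assata generates her key pair and publishes the public key.
    assata_private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    assata_public = assata_private.public_key()

    # Bobby encrypts his message with a fresh symmetric (session) key...
    session_key = Fernet.generate_key()
    ciphertext = Fernet(session_key).encrypt(b"Meet at the library at noon.")

    # ...and encrypts that session key with Assata's public key.
    oaep = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                        algorithm=hashes.SHA256(), label=None)
    encrypted_key = assata_public.encrypt(session_key, oaep)

    # Assata recovers the session key with her private key, then reads the message.
    recovered_key = assata_private.decrypt(encrypted_key, oaep)
    print(Fernet(recovered_key).decrypt(ciphertext))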
Phil Zimmermann, a longtime antinuclear activist, created PGP in 1991 so similarly inclined people
might securely use bulletin-board services (BBSes, the Reddit of the 1980s) and securely store
messages. He developed PGP as an open-source project, and no license was required for its
noncommercial use. Posting it initially to a newsgroup that specialized in grassroots political
organizations, mainly in the peace movement, PGP made its way to a newsgroup used to distribute
source code and quickly found its way outside the United States. Users and supporters included
dissidents in totalitarian countries, civil libertarians, and cypherpunks. However, at the time,
cryptosystems using keys larger than forty bits were considered munitions within the definition
of the US export regulations. PGP was initially designed to support 128-bit keys. In February 1993,
Zimmermann became the formal target of a criminal investigation by the US government for
“munitions export without a license.” Zimmermann challenged this by publishing the entire source
code of PGP in a book, which was distributed and sold widely. Anybody wishing to build their own
copy of PGP could cut off the covers, separate the pages, and scan them using an OCR program,
creating a set of source code text files. While the export of munitions (guns, bombs, planes, and
software) was (and remains) restricted, the export of books is protected by the First Amendment.
After several years, the investigation of Zimmermann was closed without filing criminal charges
against him or anyone else.
US export regulations regarding cryptography remain in force but were liberalized substantially
throughout the late 1990s. PGP encryption no longer meets the definition of a nonexportable
weapon.
What to Learn Next
• Authenticity through Cryptographic Signing
External Resources
• Electronic Frontier Foundation. “A Deep Dive on End-to-End Encryption: How Do Public Key
Encryption Systems Work?” Surveillance Self-Defense, September 29, 2014.
• Zimmermann, Phil. “Why I Wrote PGP.” 1999.
Authenticity through Cryptographic
Signing
We recommend that you read the chapters “Cryptographic Hash” and “Public-Key Cryptography”
before reading this chapter.
Public-key cryptographic systems can often be used to provide authenticity. In PGP, this is enabled
by the complementary nature of the public and private keys. When a key pair is generated, two cryptographic
keys are created, and either can be used as the public key; the choice as to which is the public key is
really just an arbitrary assignment. That is, either key can be used for encryption as long as the other
one is used for decryption (and the one used for decryption is kept private to provide security).
Once you have assigned one cryptographic key as the public key and the other cryptographic key
as the private key, you could still choose to encrypt a message with your private key. However, then
anyone with your public key could decrypt the message. If you make your public key, well, public,
then anyone could decrypt your message, and so this would defeat the purpose of using encryption
to achieve message privacy.
However, this should illustrate to you that the only person who could have encrypted a message that
can be decrypted with your public key is you, the person with your private key. Encrypting a message
with your private key provides the digital equivalent of a signature and is called cryptographic
signing. In fact, cryptographic signing provides two properties of authenticity:
1. Verification of the author: only someone holding your private key could have produced the signature.
2. Verification of the content: the message was not altered after it was signed.
The second property comes from the fact that a tamperer would have to alter the ciphertext (the
signature) so that it still decrypts, with your public key, to something consistent with the altered
message, which is infeasible without your private key.
These properties are only meaningful if you are the only one who controls your private key, since
anyone who gains control of your private key could cryptographically sign their own altered text.
In practice, rather than encrypting the entire message, one would encrypt a cryptographic hash
(a.k.a. digest or fingerprint) of the message for the purpose of cryptographic signing. This is done for
efficiency reasons. Let’s consider the protocol for Assata signing a message and Bobby verifying the
signature, as illustrated in the following text.
Assata takes a cryptographic hash of her message and encrypts the result with her private key,
creating a signature, which she can attach to the message:
[Figure: Creating a signature]
Bobby takes the signature and decrypts it using Assata’s public key, giving the hash that is the same
as what Assata generated. He then takes his own cryptographic hash of the message and compares
the result to the decrypted hash he received from Assata:
[Figure: Cryptographic hash functions are infeasible to counterfeit]
Recall that cryptographic hash functions are infeasible to counterfeit. So if the two hashes that
Bobby generates (one directly from Assata's message and one from Assata's signature) are the
same, then we know two things: the signature was created with Assata's private key (so, presumably,
by Assata), and the message was not altered after Assata signed it.
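A minimal Python sketch of signing and verification, assuming the third-party cryptography package. The library hashes the message internally, so the hash-then-encrypt steps described above happen inside sign() and verify(); the message text is made up.
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import rsa, padding

    assata_private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    assata_public = assata_private.public_key()  # shared with Bobby (and verified!)

    message = b"Nothing to report this quarter."
    pss = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)

    signature = assata_private.sign(message, pss, hashes.SHA256())  # Assata signs

    try:  # Bobby verifies the signature against the message he received
        assata_public.verify(signature, message, pss, hashes.SHA256())
        print("Signature valid: the message is authentic and unaltered.")
    except InvalidSignature:
        print("Signature invalid: the message was altered or not signed by this key.")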
Note that Edgar, in a man-in-the-middle attack, could simply remove the signature. So for
cryptographic signing to be effective, you need to agree to use cryptographic signing all the time.
Modern end-to-end encrypted messaging apps generally have signing built in by default, though
this is often invisible to the average user.
As in our example above, cryptographic signing can provide authenticity to messages in a similar
way that traditional handwritten signatures and wax seals did. However, you can cryptographically
sign more than just messages (such as emails).
Verifying Software
Perhaps the most explicit and common use of cryptographic signatures is for verifying software,
even if you aren’t aware of it. Software such as apps will only do what their developers want and say
they will do if they haven’t been tampered with on the way from the developer to your computer or
phone. Responsible developers will sign their products in the same way as we described signing for
messages. A program or app is really just a computer file (or set of files), which is just a sequence
of characters or a type of message. If a developer has signed their software using public-key
cryptography, a careful user can check the signature by getting the developer’s public key and
performing the validation illustrated above. (The developer should provide their public key via a
channel different from the one you downloaded the software from. This would allow an out-of-band
comparison as described in the chapter “The Man in the Middle”—the public key, which you use for
validation, is out of band from the message or software download.)
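In practice, your operating system or app store usually performs this check for you. A simpler manual variant, sketched below in Python, is to compare a downloaded file against a checksum the developer publishes out of band; a bare checksum is weaker than a cryptographic signature, but the verification idea is the same. The filename and expected digest here are made up.
    import hashlib

    expected = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"  # published by the developer

    digest = hashlib.sha256()
    with open("installer.tar.gz", "rb") as f:          # the file you downloaded
        for chunk in iter(lambda: f.read(8192), b""):  # hash it in chunks
            digest.update(chunk)

    print("OK" if digest.hexdigest() == expected else "MISMATCH: do not install")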
To trust Assata’s public key, Bobby should really verify her public key by checking the fingerprint of
the key, as we have described. Otherwise, Edgar, the interloper, could furnish Bobby with a public key
that he holds the corresponding private key for. But if Bobby has verified that Assata's public key is
genuine, that verification can be extended to others, as in the following scenario.
Suppose Cleaver wants to send Assata an encrypted message and wants to be sure that Edgar is not
going to play the man in the middle. But Cleaver does not have a secondary channel through which
to verify Assata’s public key. However, Cleaver has received and verified Bobby’s public key. So Bobby
can send Assata’s public key to Cleaver with his signature. If Cleaver trusts Bobby and has verified his
public key, then Cleaver can verify his signature on Assata’s public key and trust that Assata’s public
key is genuine.
This is the basis of the web of trust. Rather than directly verifying fingerprints of keys, you can do so
indirectly, as long as there is a path of trust between you and your desired correspondent.
Warrant Canaries
Warrant canaries or canary statements inform users that the provider has not, by the published
date, been subject to legal or other processes that might put users at risk, such as data breaches,
releasing encryption keys, or providing back doors into the system. If the statement is not updated
according to a published schedule, users can infer that there has been a problem that may put
their past or future data at risk. Riseup.net, for example, maintains a quarterly canary statement
that is cryptographically signed so that you can ensure its authenticity—that is, that the people at
riseup.net wrote the statement. They include a link to a news article dated on the day of release in
their statement to give evidence that the statement was not published before the day of release.
The use of warrant canaries began as a way to circumvent gag orders in the US that accompany
some legal processes in which the US government can force someone to withhold speech. On the
other hand, the US government can rarely force someone to say something (particularly that isn’t
true) and so could not compel a provider to keep up a canary statement that falsely claims nothing
has happened.
The term originates from the use of canaries in coal mines to detect poisonous gases: if the canary
dies, get to clean air quickly!
What to Learn Next
• Metadata
Metadata
In this chapter, you will learn:
1. What metadata is
2. What metadata can reveal
3. Why metadata is difficult to protect
What Is Metadata?
Metadata is all the information about the data but not the data itself and is best illustrated with a
few examples.
1. For a phone call, the metadata will include the phone numbers involved, the start time of the
call, and the length of the call. For cell phone calls, the metadata will likely include the location
of your phone (the GPS coordinates), the cell tower that you are connected to, and even the
type of phone you are using. Metadata of phone calls would not include the audio transmission
itself—this would be the “data.” The historical use of recording phone-call metadata is for the
purposes of billing.
2. Most modern digital photographs include information about the time and place the photo was
taken, the type of camera used, and its settings. In this case, the photo itself is the data. Many
websites, such as Facebook, Twitter, and Instagram, remove this metadata for your privacy
when you upload a photo or video. Others do not, such as Google, Flickr, and YouTube. (A sketch of
how to inspect this metadata yourself appears after this list.)
3. Almost all modern color printers print a forensic code on each page, a practice adopted at the
request of the US government to printer manufacturers over fears of their use in money
counterfeiting. In this case, the printed sheet (less the forensic code) would be the data, and the
information encoded by the forensic code would be the metadata. The forensic code, which
may or may not be visible to the human eye, has been known to include the day and time the
sheet was printed and the serial number of the printer used.
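Returning to the second example (photo metadata), the following Python sketch reads a photo's embedded EXIF metadata, assuming the third-party Pillow package (pip install Pillow) is installed. The filename is made up; run it on one of your own photos to see what your camera records.
    from PIL import Image
    from PIL.ExifTags import TAGS

    with Image.open("photo.jpg") as img:
        exif = img.getexif()

    for tag_id, value in exif.items():
        name = TAGS.get(tag_id, tag_id)  # e.g., DateTime, Make, Model
        print(f"{name}: {value}")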
The first disclosure by Edward Snowden revealed that the NSA was collecting all the metadata
of calls made by Verizon customers, forcing a conversation about metadata into the public
consciousness. A debate on what privacy was being invaded by this practice ensued. Earlier that
year, the Associated Press fought back against the collection of metadata obtained by subpoena
from the Justice Department, saying, “These records potentially reveal communications with
confidential sources across all of the newsgathering activities undertaken by the AP during a two-
month period, provide a road map to AP’s newsgathering operations, and disclose information
about AP’s activities and operations that the government has no conceivable right to know.” A
court opinion noted that, from GPS data gathered through such metadata collection, one “can deduce
whether he is a weekly churchgoer, a heavy drinker, a regular at the gym, an unfaithful husband, an
outpatient receiving medical treatment, an associate of particular individuals or political groups.”
In an internal document, the NSA has referred to metadata as being one of the agency’s “most useful
tools.”
When you visit a website, information is being sent between your computer and the server of the
website through the internet. At a basic level, a message is sent from your computer to the server
requesting the contents of the website, and then the contents of the website are sent from the
server to your computer. The information being sent over the internet is often referred to as traffic,
and any message being sent will actually be broken up into many shorter messages or packets. Each
packet has three main parts:
1. The header includes the internet address of the sender and the receiver (e.g., your computer
and the website’s server) and a description of the type of data that is being sent (e.g., HTML).
2. The data is the content of the message (e.g., the content of the web page or part of the web
page).
3. The trailer indicates the end of the packet and provides proof that the packet has not been
corrupted in transit (using a hash function).
The metadata is composed of the header and the trailer. The header is difficult to protect or conceal
because it indicates where a packet should be sent. Just like sending a letter, an address is needed
for delivery. Your internet address, or IP address, is related to your physical location; in fact, often your
physical location can be determined from your IP address.
This description applies to any information that is sent over the internet—email, video streaming,
VOIP calls, and instant messages included.
In May 2017, Reality Winner disclosed NSA documents reporting on Russian interference in the
2016 US presidential election. Her arrest, days before the story was published, prompted much
speculation around how she was so quickly identified as the whistleblower, with many people
pointing the blame at the Intercept for its handling of the story. Reality Winner had
anonymously mailed a color printout of the documents to the Intercept. In standard journalistic
fashion, the Intercept sent a photograph of the documents to the NSA for verification. The same
photograph was redacted and made public in their reporting. Shortly after the publication of the
story, several people pointed out that printer forensic code was visible in the photo and determined
the day and time the document was printed and the serial number of the printer. While it is possible
that the FBI could have identified Reality Winner from this information (to best protect its source,
the Intercept should have redacted the forensic code from the photo), it is more likely that she
was outed by logs of file accesses on her work computer.
What to Learn Next
• Anonymous Routing
External Resources
• CNN. “AP Blasts Feds for Phone Records Search.” May 14, 2013.
• Electronic Frontier Foundation. “Justice Department Subpoena of AP Journalists Shows Need to
Protect Calling Records.” May 13, 2013.
• Electronic Frontier Foundation. “Secret Code in Color Printers Lets Government Track You.”
October 16, 2005.
• Snowden Archive—the SIDtoday Files. “The Rewards of Metadata.” Intercept, January 23, 2004.
• New Yorker. “The Metadata Program in Eleven Documents.” December 31, 2013.
• Intercept. “Top-Secret NSA Report Details Russian Hacking Effort Days before 2016 Election.” June
5, 2017.
• Atlantic. “The Mysterious Printer Code That Could Have Led the FBI to Reality Winner.” June 6,
2017.
Anonymous Routing
We recommend that you read the chapters “Exchanging Keys for Encryption” and “Metadata” before
reading this chapter.
Your IP address is just one piece of metadata that is necessary in order to get information to your
computer. When browsing the web, though, a lot of other metadata, while not strictly necessary, is
transmitted to “maximize your browsing experience.” This information includes details such as what
browser plug-ins you use, your time zone, and your screen size and can be used as a unique identifier
across IP addresses that you use to connect to the internet.
Who has access to all this metadata that can be used to identify you? Without encryption, such as
using https, any eavesdropper would have access to this metadata as well as the content of your
communications. Encryption will protect some metadata from your ISP and eavesdroppers (such
as which browser you are using) but not your IP address and not the web domains you are visiting.
And the servers of the websites you are visiting will have access to your metadata as well as any
content.
But since metadata is used to get information to you, is there any way to protect this metadata, and
who could you protect it from? We describe two ways to anonymize your web browsing.
Virtual private network (VPN) technology began as a means to extend a local network (such as
a university’s or company’s network) to remote locations (such as off-campus housing and home
offices) so that no matter where you were, you could access the same resources as you would if you
were on the local networks (such as library and software subscriptions). While connected to a VPN,
a web page host will see the IP address of the local network the VPN is extending as your address
rather than the IP address of your home. For this reason, VPN use has become popular for anonymizing your
location.
A VPN operates as a (hopefully benign) middle man (illustrated below). Rather than sending all her
web requests directly, Assata sends all her web requests to her VPN, the VPN fetches her request
from the internet for her, and then the VPN sends the results back to Assata. The specifics of how this
is done vary between different VPN services, but generally, the communications between you and
the VPN are encrypted. The protective quality of a VPN relies on many other people also connecting
to that VPN. An eavesdropper looking at communications to and from the VPN will be able to
identify the individuals connecting to the VPN and the web requests the VPN is fetching but ideally
will be unable to match those web requests with the corresponding users because there are too
many simultaneous requests in and out of the VPN.
[Figure: Virtual private networks]
Of course, the VPN provider knows all your internet behavior, and with their cooperation, an
adversary would too: you are trusting your VPN provider with that information. However, your ISP
(without using a VPN) has access to the same information: you are putting the same trust in your
VPN provider as you must in your ISP. The difference is that your ISP does not conceal your IP address
from destination servers on the internet, while a VPN does. Some increased privacy risk, however,
comes with using the same VPN across many connection locations (e.g., home, work, coffee shop),
giving a single entity (that VPN) a more complete view of your internet use than available to the ISP
at each location.
The Onion Router, or Tor, is a means of accessing the internet anonymously while sidestepping
trust issues and gets its name from using layers of encryption (like the layers of an onion). Rather
than using one middle man with whom you trust all your information, you use (at least) three
intermediaries, chosen at random from a selection of thousands of volunteer servers (illustrated
below). Traffic through this path of intermediaries is encrypted so that the first (entry) node only
knows that you are accessing the internet via Tor, the second (relay) node only knows that someone
is accessing something on the internet via Tor (but not who specifically or what specifically), and the
last (exit) node only knows that a certain web page (for example) is being requested by a Tor user
(but not which Tor user).
[Figure: Tor]
The way this is done is by Diffie-Hellman key exchanges first with the entry node, then with the
relay node, and finally with the exit node as follows (and illustrated below). (1) Assata establishes a
cryptographic key that she shares with the entry node (which we will call the entry key, in red). This
establishes an encrypted communication channel between Assata and the entry node. (2) Assata
uses this encrypted channel to communicate with the relay node via the entry node. The traffic
between the entry and relay nodes is not encrypted, but Assata uses the channel via the entry node
to establish a cryptographic key that Assata shares with the relay node (the relay key, in blue). All that
the relay node knows is that it is setting up a shared key with some Tor user but not the identity of
that Tor user. (3) This process is repeated to establish an encryption key that Assata shares with the
exit node (the exit key, in green). (4) This creates a sequence of keys (red, blue, green) that allow for
encryption between Assata and the entry, relay, and exit nodes, respectively.
For Assata to send a request to disruptj20.org, she encrypts the request, addressed to disruptj20.org,
with the green key and addresses this to the exit node; she wraps this in a message addressed to
the relay node and encrypts this with the blue key; she wraps this in a message addressed to the
entry node and encrypts this with the red key. The message is then sent to the entry node. The first layer of
encryption is removed by the entry node (with the red key that the entry node shares with Assata),
revealing a message addressed to the relay node. The second layer of encryption is removed by the
relay node (with the blue key that the relay node shares with Assata), revealing a message addressed
to the exit node. The third layer of encryption is removed by the exit node (with the green key that
the exit node shares with Assata), revealing a message addressed to disruptj20.org, which the exit
node forwards along. This is illustrated below (1).
For disruptj20.org to send information back to Assata, the web server sends the information back to
the exit node. The exit node encrypts with the green key and sends it to the relay node. The relay
node encrypts with the blue key and sends it to the entry node. The entry node encrypts with the
red key and sends it to Assata. Assata can remove all three layers of encryption because she has all
the necessary keys. This is illustrated below (2).
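The following Python sketch illustrates just the layering idea, using three symmetric keys and the third-party cryptography package. Real Tor uses different primitives and builds its circuits hop by hop; this is only a conceptual illustration of wrapping and peeling the layers.
    from cryptography.fernet import Fernet

    # Keys Assata shares with the entry, relay, and exit nodes (red, blue, green).
    entry_key, relay_key, exit_key = (Fernet.generate_key() for _ in range(3))

    request = b"GET https://disruptj20.org/"

    # Assata wraps the request: innermost layer for the exit node, outermost for the entry node.
    onion = Fernet(entry_key).encrypt(Fernet(relay_key).encrypt(Fernet(exit_key).encrypt(request)))

    # Each node peels exactly one layer with the key it shares with Assata.
    after_entry = Fernet(entry_key).decrypt(onion)
    after_relay = Fernet(relay_key).decrypt(after_entry)
    after_exit = Fernet(exit_key).decrypt(after_relay)
    print(after_exit)  # the exit node sees the request, but not who sent it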
In order to re-create your path through the Tor network and therefore your web request, your
adversary would need to control all three nodes that you select as your entry, relay, and exit nodes.
Even an adversary who controls 80 percent of the Tor network would only have about a 50 percent
chance (0.8 × 0.8 × 0.8 ≈ 0.51) of controlling all three nodes that you select. Since there are thousands of Tor nodes (that anyone
can volunteer to operate), this is unlikely.
An alternate attack that an adversary could take would be a confirmation attack. In this scenario,
the adversary is trying to prove that you have visited a particular web service. If they can access your
web traffic (e.g., through your ISP) and the web traffic of the target web service (through legal or
extralegal means), then your adversary may be able to match your use of Tor with the web
service's incoming Tor traffic based on timing. This type of correlation was used in the case against Jeremy
Hammond, convicted for hacking activities conducted by the activist collective Anonymous.
Other attacks have been made on Tor too, but the Tor project is very responsive to improving their
technology and security. We discuss obstacles to anonymous browsing below; pitfalls a user
may run into, as well as best practices for accessing the web anonymously, are covered in the chapter
“Protecting Your Identity.”
Many people in countries where censorship of the internet is common, such as China and Iran,
use VPNs and Tor to access the uncensored web. On the other hand, evidence of VPN traffic can
be gleaned from the metadata of internet communications, and governments can use this to
block all such communications, as has been done in China and Syria in their censorship efforts.
Other countries, such as Iran, are known for blocking access to specific VPN providers that are not
sanctioned by the government.
Tor as a whole can be blocked from use (e.g., by a government), since Tor nodes are publicly listed.
This is done by simply blocking all traffic addressed to the Tor nodes. This is overcome by the use
of bridges, a set of Tor nodes that are not publicly listed, which you use in lieu of a publicly listed
entry node. To get access to a small set of bridge nodes, you need to email the Tor project from one
of a restricted set of email providers (e.g., Google, Riseup, or Yahoo) to request them. Tor can also be blocked by
packet inspection—that is, by looking at the metadata of the communications (as with VPN traffic).
The Tor project makes this process challenging by using methods of obfuscating Tor internet traffic
so that it doesn’t look like Tor traffic.
VPNs and Tor are also used to gain access to particular sites that might not be available in your
jurisdiction because of a choice made by the web host. This is common for many media platforms such as
Hulu and Netflix. To this end, companies will often block access to content from known VPN service
providers or from Tor exit nodes.
In Context: Disruptj20
On January 20, 2017, mass protests erupted around the inauguration of the forty-fifth president
of the United States. Much of the organizing for those events was coordinated on the website
disruptj20.org. In August 2017, it came to light that the US Department of Justice had issued a
warrant to the disruptj20.org web host DreamHost requesting, among other items, “all HTTP request
and error logs,” which would include the IP addresses of all individuals, purported to be 1.3 million
people, who visited the website, along with which subpages they visited, how often they did so, and
any text a visitor may have typed into the web page.
Of course, anonymous browsing technologies would have protected the IP addresses of visitors to
that site.
External Resources
• The Great Firewall of China, which tracks which sites are censored in China and how often they
are blocked.
• Search Warrant to DreamHost, August 2017.
PART 2: DIGITAL SUPPRESSION OF
SOCIAL MOVEMENTS (IN THE US)
Before reading this chapter, it’s a good idea to (re)read the introductory chapter “Why Digital
Security?” and recall that our primary focus in this book is US social movements.
The US has a long history of interference, including on its own soil in the form of suppressing
the efforts of social movements and, in particular, liberatory and leftist social movements. Labor
organizing, independence, civil rights, and environmental movements have all been subject to
opposition by the US government, often at the behest of or in cooperation with large corporations.
In trying to grapple with the risks associated with a social movement not attending to digital
security, it is helpful to look at how the State has interfered with social movements in the past.
This history can be overwhelming, and it can be tempting to dismiss this as something that has
happened in the past but that is not happening now. Going through this history can also lead to
defeatism, especially in light of the additional digitally enhanced tools that the State can employ
against an adversary (perceived or actual).
However, since we should not condemn ourselves to repeat mistakes of the past, we need to attend
to enough history to learn appropriate lessons so that our movements may be successful moving
forward. In order to do so without turning this into a history textbook, we draw on the scholarship of
Jules Boykoff, who categorized the ways in which the US has messed with social movements in the
twentieth century. Boykoff enumerated twelve modes of suppression, which we compress to seven
in this presentation.
Understanding these historical modes will allow us to predict how digital surveillance could support
or enhance those modes, as we will discuss in the chapter “Digital Threats to Social Movements.”
But more importantly, we will be able to see how encryption and attending to digital hygiene can
help protect our movements against these modes of suppression.
Modes of Suppression
These are seven ways in which the US has suppressed and continues to suppress social movements,
each with a few examples of its use. Unfortunately, these examples are far from exhaustive.
1. Direct Violence
Beatings, bombings, shootings, and other forms of violence are carried out by the State or other
institutions or nodes of power against dissident citizens.
This may be the result of the policing of large groups (such as when the Ohio Army National
Guard fired at students during an antiwar protest at Kent State University, killing four people and
injuring nine others) or targeted assassinations (such as in the FBI-organized night-raid shooting
of Black Panther Party leader Fred Hampton). To risk an understatement, these actions discourage
participation in social movements for fear of life and limb.
2. The Legal System
The legal system allows for harassment arrests, public prosecutions and hearings, and extraordinary
laws that are used to interfere with individuals in biased fashions. The State arrests activists for minor
charges that are often false and sometimes based on obscure statutes that have remained on the
books, buried and dormant but nevertheless providing vessels for selective legal persecution. Public
prosecutions and hearings can land dissidents in jail or consume their resources in legal proceedings
that sidetrack their activism and demobilize their movements. Current supporters and potential
allies are discouraged from putting forth dissident views. Prosecution and hearings publicized in
the mass media reverberate outward into the public sphere. Another form of legal suppression, the
State promulgates and enforces exceptional laws and rules to tie up activists in the criminal justice
labyrinth. This is the legal system being used to squelch dissent.
Controversial stop-and-frisk programs allow police officers to briefly detain and at times search
people without probable cause. Free-speech zones greatly limit the time, place, and manner of
protests. Those arrested at First Amendment–protected protests on the inauguration of Donald
Trump faced public prosecutions that were unlikely to ever reach a conviction. And certain crimes,
such as arson or the destruction of property, are elevated to terrorism when they are accompanied
by a political motive and allow for the State to greatly increase the punishment doled out. Other laws
serve similar ends.
3. Employment Deprivation
One’s political beliefs can result in threats to or actual loss of employment due to one’s political
beliefs or activities. Some dissidents are not hired in the first place because of their political beliefs.
This is typically carried out by employers, though the State can have a powerful direct or indirect
influence.
Recently, we have seen university professors forced out of their jobs or having job offers revoked,
as with Steven Salaita, whose offer of employment as a professor of American Indian studies was
withdrawn following university donors’ objections to a series of Tweets critical of Israel and Zionism.
For several years (but since struck down by a federal court), government contractors in Texas were
required to sign a pledge to not participate in the pro-Palestinian Boycott, Divestment, and Sanction
movement or else they would have their contracts canceled; this resulted in the firing of an
American citizen of Palestinian descent who worked as a school speech pathologist and refused to
sign the statement.
4. Conspicuous Surveillance
Conspicuous surveillance aims primarily not to collect information (which is best done
surreptitiously) but to intimidate. This is intended to result in a chilling effect, in which individuals
guard their speech and action out of fear of reprisal. It may drive away those engaged in activism
or make it difficult to encourage new activists. Although the chilling effect has been deemed
unconstitutional, it is difficult to prove harm in a court (as required), so it is a safe means of
suppression (from the perspective of the surveiller).
The FBI has a long history of “knock and talks” or simply visiting the houses of dissidents and activists
(and those of their families and employers) to “have a chat” in order to let people know that they are
being watched.
5. Covert Surveillance
Surveillance might be concentrated or focused, as with the use of spies, targeted wiretaps, and
subpoenas or warrants for data; the use of infiltrators (covert agents who become members of the
target group); or the use of informants (existing group members who are paid or threatened in
order to extract information). Surveillance might also be diffused, such as the accumulation, storage,
and analysis of individual and group information that is obtained through internet monitoring, mail
openings, and other mass-surveillance techniques.
6. Deception
Snitch jacketing is when a person (often an infiltrator) intentionally generates suspicion that an
authentic activist is a State informant or otherwise maliciously present in a social movement group.
Infiltrators or informants who are in place to encourage violence or illegal activities or tactics (rather
than simply report on activities) are known as agent provocateurs and do so in order to legally entrap
or discredit the group. False propaganda is the use of fabricated documents that are designed
to create schisms or undermine solidarity between activist organizations. These controversial,
offending, and sometimes vicious documents are meant to foment dissension within and between
groups.
FBI infiltrators have acted as agent provocateurs by leading targets down a path to illegal activity
that they would not otherwise have followed. Mohamed Mohamud was an Oregon State University
student who was contacted by an undercover FBI agent who over a period of five months suggested
and provided the means to bomb the lighting of the Portland Christmas tree on November 26, 2010.
The bomb was a fake, but Mohamud was sentenced to thirty years of imprisonment.
Eric McDavid spent nearly nine years in prison for conspiring to damage corporate and government
property after a paid FBI informant acted as an agent provocateur, encouraging McDavid’s group
to engage in property destruction and providing them with bomb-making information, money to
buy the raw materials needed, transportation, and a cabin to work in. McDavid’s conviction was
overturned due to the FBI failing to disclose potentially exculpatory evidence to the defense.
7. Mass Media Manipulation
There are two major types of mass media manipulation: (1) story implantation, whereby the State
makes use of friendly press contacts who publish government-generated articles verbatim or with
minor adjustments, and (2) strong-arming, whereby the State intimidates journalists or editors
to withhold unwanted information from reaching publication. In addition, mass media
deprecation portrays dissidents as ridiculous, bizarre, dangerous, or otherwise out of step with the
mainstream.
Following the invasion of Iraq after 9/11, antiwar sentiment was consistently downplayed through
underreporting. As just one example, the September 2006 antiwar protests that saw more than two
hundred thousand people take to the streets across the US were reported by the Oregonian in this
way: A one-hundred-thousand-strong antiwar protest in Washington, DC, was reported on page
10, along with an article on a Portland protest. The article estimated one hundred people at the
protest, even though aerial evidence pointed to over three thousand. A counterdemonstration to the
Washington, DC, antiwar protest was covered on page 2 with a larger photo and longer text, even
though only four hundred people attended.
This resource would be lacking if we didn’t talk about censorship and other interference with
information technology. It is an additional mode of suppression with particular relevance to the
Information Age that dovetails with deception and mass media influence, wherein access to the
internet or related infrastructure is blocked or otherwise denied to social movements—for example,
cutting off internet or mobile network access during a protest, censoring certain sites or types of
internet traffic, or shutting down a social movement group’s website.
Boykoff does not include this in his catalog of suppression, since its use within the US by the US
government is not widespread, largely due to the country's constitutional protections. However, its use is widespread
around the globe. Governments have been known to cut off internet access at the country level
(such as the week-long total shutdown of the internet in Iran as a means to suppress protests)
or limit access to certain sources (such as the Great Firewall of China blocking Google, Facebook,
Twitter, and Wikipedia). US companies also participate in this, complying with foreign censorship:
Zoom (a web conferencing service) shut down the accounts of three activists who had planned online
events to commemorate the Tiananmen Square massacre, at the behest of the Chinese government.
In Context: COINTELPRO
From the 1950s through the 1970s, the FBI conducted a set of secret, domestic counterintelligence
activities, which became known as COINTELPRO, under the leadership of FBI director J. Edgar
Hoover. Originating with US government anticommunist programs during the Red Scare,
COINTELPRO was exposed through the theft of boxes full of sensitive FBI paperwork obtained
through a burglary in 1971 by the Citizens’ Commission to Investigate the FBI, the members of
which only went public in the wake of Edward Snowden's disclosures, with remaining COINTELPRO
documents coming to light through Freedom of Information Act (FOIA) requests. The commission’s
leak resulted in the formation of the US Senate’s Church Committee in 1975, which castigated the FBI
for the “domestic intelligence activities [that] have invaded individual privacy and violated the rights
of lawful assembly and political expression” and ultimately shut down COINTELPRO. The Church
Committee prefaced their admonishment this way:
We have seen segments of our Government, in their attitudes and action, adopt tactics
unworthy of a democracy, and occasionally reminiscent of totalitarian regimes. We have
seen a consistent pattern in which programs initiated with limited goals, such as preventing
criminal violence or identifying foreign spies, were expanded to what witnesses
characterized as “vacuum cleaners,” sweeping in information about lawful activities of
American citizens. The tendency of intelligence activities to expand beyond their initial
scope is a theme which runs through every aspect of our investigative findings. Intelligence
collection programs naturally generate ever-increasing demands for new data. And once
intelligence has been collected, there are strong pressures to use it against the target.
All the following modes of suppression were used by the FBI or its partners as part of
COINTELPRO or against COINTELPRO targets:
1. Direct violence
The murder of Fred Hampton mentioned above was a joint operation of the FBI and Chicago Police
Department. Fred Hampton was the chairman of the Black Panther Party, a revolutionary socialist
political organization of the late 1960s through 1970s that aimed to protect Black Americans and
provide social programs (such as free breakfast and health clinics). The Black Panther Party (BPP)
was labeled as a “Black nationalist hate group” by the FBI for inclusion as a COINTELPRO target.
Hampton’s assassination was supported by other modes of suppression, including the following:
• Covert surveillance. A paid FBI infiltrator provided intelligence that made the raid leading to
Hampton’s murder possible.
• Deception. The same infiltrator created an atmosphere of distrust and suspicion within the
Black Panther Party.
2. The legal system
Communist and Black Panther Party member and COINTELPRO target Angela Davis was charged
with “aggravated kidnapping and first-degree murder” in the death of a judge in California who
was kidnapped and killed during a melee with police, even though Davis was not on the scene.
California held that the guns used by the kidnappers were owned by Davis, and California law considers “all
persons concerned in the commission of a crime, whether they directly commit the act constituting
the offense . . . , principals in any crime so committed.” Davis could not be found at the time and
was listed by J. Edgar Hoover on the FBI’s “Ten Most Wanted Fugitives” list. Months later, Davis was
apprehended and spent sixteen months in prison awaiting a trial in which she was found not guilty.
3. Employment deprivation
Prior to Davis’s battle with the legal system, she was fired from her job as a philosophy professor
at UCLA for her Communist Party membership in her first year of employment in 1969, calling her
unsuitable to teach in the California system. The firing was at the request of then California governor
Ronald Reagan, who pointed to a 1949 law outlawing the hiring of Communists in the University of
California. This highlights the lingering Red Scare era or McCarthyism that ran through the 1940s
and 1950s. The FBI supported the demonization of communism through a predecessor program to
COINTELPRO: COMINFIL (Communist Infiltration) probed and tracked the activities of labor, social
justice, and racial equality movements.
4. Conspicuous surveillance
Among the first round of FBI documents to come to light about COINTELPRO was a memo
called “New Left Notes.” The New Left refers to a broad political movement of the 1960s
and 1970s, groups of which campaigned on social issues such as civil, political, women’s, gay, and
abortion rights. In discussing how to deal with “New Left problems,” the FBI Philadelphia field office
memo says, “There was a pretty general consensus that more interviews with these subjects and
hangers-on are in order for plenty of reasons, chief of which are it will enhance the paranoia endemic
in these circles and will further serve to get the point across [that] there is an FBI Agent behind every
mailbox. In addition, some will be overcome by the overwhelming personalities of the contacting
agent and volunteer to tell all—perhaps on a continuing basis.”
5. Covert surveillance
The Church Committee report enumerated covert surveillance that “was not only vastly excessive
in breadth . . . but also often conducted by illegal or improper means.” Notably, both the CIA and FBI
had “mail-opening programs” that indiscriminately opened and photocopied letters mailed in the
US on a vast scale: nearly a quarter of a million by the CIA between 1953 and 1973 and another 130,000
by the FBI from 1940 to 1966. Further, both the CIA and the FBI lied about the continuation of these
programs to President Nixon.
6. Deception
The FBI often sent fake letters or flyers in order to drive wedges between otherwise aligned groups.
One example was a cartoon drawn by FBI operatives as a forgery of movement participants,
intended to incite violence between the Black nationalist groups Organization Us (coestablished
by Maulana Karenga) and the Black Panther Party (with prominent members Huey Newton, David
Hilliard, Bobby Seale, John Huggins, and Bunchy Carter). The cartoon depicts BPP members being
knocked off by Karenga. The FBI later claimed success in the deaths of two BPP members at the
hands of Organization Us gunmen.
7. Mass media manipulation
Manipulation of the mass media was an explicit tenet of the FBI's COINTELPRO against the New
Left. According to the Church Committee, “Much of the Bureau’s propaganda efforts involved giving
information to ‘friendly’ media sources who could be relied upon not to reveal the Bureau’s interests.
The Crime Records Division of the Bureau was responsible for public relations, including all
headquarters contacts with the media. In the course of its work (most of which had nothing to do
with COINTELPRO), the Division assembled a list of ‘friendly’ news media sources—those who wrote
pro-Bureau stories. Field offices also had ‘confidential sources’ (unpaid Bureau informants) in the
media, and were able to ensure their cooperation.”
External Resources
• Boykoff, Jules. Beyond Bullets: The Suppression of Dissent in the United States. Oakland, CA: AK
Press, 2007.
• Wikipedia. “2019 Internet Blackout in Iran.” December 18, 2020.
Digital Threats to Social Movements
We recommend that you read the chapters “What Is Encryption?” and “Metadata.” After reading this
section, be sure to read the chapter “Defending against Surveillance and Suppression.”
Social movements challenging powerful individuals, organizations, and social structures face a
broad range of surveillance risks. Specific threats vary widely in technical sophistication, likelihood,
and potential for harm. Threat modeling is a process whereby an organization or individual
considers their range of adversaries, estimates the likelihood of their various data and devices falling
victim to attack, and finally considers the damage done if attacks were to succeed. (And then they
work to protect the data that is most at risk and that would be the most damaging to lose or have
accessed.)
We think about surveillance in the following order to inform how to protect oneself:
• Who is your adversary? Is it a neighborhood Nazi who is taking revenge on you for your Black
Lives Matter lawn sign? Is it an oil corporation that is fighting your antipipeline activism? Is it
the US government trying to prevent you from whistleblowing? By understanding who your
adversary is, you can surmise their resources and capabilities.
• Is your adversary going after you in particular, are they trying to discover who you are, or are
they collecting a lot of information in the hopes of getting your information? What surveillance
strategy are they likely to employ? This will help you understand what type of data and where
your data may be at risk.
• What particular surveillance tactics will your adversary employ to get that desired data? This
will help you understand how to protect that data.
We examine surveillance risks starting with the adversary because it is strategic to do so. No one can
achieve perfect digital security, but one can be smart about where to spend one’s effort in protecting
oneself against surveillance. In an actual threat-modeling discussion within an organization or social
movement, who potential adversaries are is often more readily apparent than how such adversaries might act.
Surveillance Adversaries
We generally think of adversaries in terms of what resources they have available to them. For the
purposes of this book, we will limit ourselves to three adversary categories:
Nation-states have access to the most resources in a way that may make it seem like their
surveillance capabilities are limitless. Even so, they are unlikely to be able to break strong
encryption. Here, we think of the National Security Agency (NSA) as the entity with access to the
most sophisticated surveillance capabilities. The disclosures by Edward Snowden in 2013 give the
most comprehensive window into nation-state-level capabilities and are searchable in the Snowden
Surveillance Archive.
Large corporations and local law enforcement are often heavily resourced and share information
with each other but don’t necessarily have access to the capabilities of nation-states. However, the
use of technology to aid in surveillance is widespread among law enforcement agencies in the US,
as illustrated below in this screenshot from Electronic Frontier Foundation’s Atlas of Surveillance.
[Figure: Atlas of police surveillance technologies]
Individuals have the least resources but might know you personally and so be able to more
effectively use social engineering to obtain your data.
Note that techniques available to lower-resourced adversaries are also available to higher-resourced
adversaries. As an example, corporations and law enforcement also employ informants and infiltrators.
So while these categories are not sharply defined, they can act as a starting point for understanding
the risks and focusing on your adversaries’ most likely strategies and your most likely weaknesses.
Surveillance Strategies
There are two broad strategies of surveillance: mass surveillance and targeted surveillance.
Mass surveillance collects information about whole populations. This can be done with the purpose
of trying to better understand that population. For example, the collection and analysis of health-
related data can help identify and monitor emerging outbreaks of illnesses. Mass surveillance may
also be used as a strategy to identify individuals of interest within the surveilled population. For
example, video feeds from security cameras can be used to identify those who engaged in property
damage. Or mass surveillance may garner information about a particular individual. For example,
information collected from the mass deployment of license-plate cameras can be used to track the
movements of that particular individual.
Targeted surveillance only collects information about an individual or a small group of individuals.
For example, wiretapping intercepts the communications of a particular individual. Targeted
surveillance allows for a requirement of prior suspicion and can (conceivably) be controlled—for
example, law enforcement obtaining a warrant based on probable cause before intercepting
someone’s mail.
Historically, there was a clearer divide between targeted and mass surveillance. However, in the
digital age, many tactics of targeted surveillance can be deployed on a mass scale, as we will discuss
further. In addition to this classic division of surveillance strategies, we draw attention to a bigger
strategy that is unique to the digital age.
Collect-it-all may simply be viewed as mass surveillance on steroids but goes far beyond what may
have historically been viewed as mass surveillance. Where mass surveillance may encompass things
like security cameras, the monitoring of bank transactions, and the scanning of emails, collect-it-all
aims to vacuum up any information that is digitized. Collect-it-all goes further: for any information
that isn’t online or available (e.g., video from truly closed-circuit security cameras), it digitizes it and
then collects it. Collect-it-all is infamously attributed to General Keith Alexander, former director
of the NSA, whose mass-surveillance strategies were born in post-9/11 Iraq and were described as
follows: “Rather than look for a single needle in the haystack, his approach was, ‘Let’s collect the
whole haystack. Collect it all, tag it, store it… And whatever it is you want, you go searching for it.’” This is the essence of the collect-it-all strategy.
[Figure: Adversaries and their surveillance strategies]
Surveillance Tactics
To go over all the surveillance tactics that are available to adversaries at all levels would fill an
encyclopedia. Here we illustrate a few examples of surveillance programs and tactics that support
the surveillance strategies above. We illustrate these programs (below) according to the minimum
level of sophistication required to use the tactic and the number of people whose information would
be collected via these means.
We start with what most people probably think of when they think of mass surveillance: the
interception and possible recording of vast amounts of communications. Many mass interception
programs were uncovered as part of Edward Snowden’s disclosures in 2013. STORMBREW,
FAIRVIEW, and BLARNEY are three such programs through which the NSA collects data in transit
by partnering with telecommunications companies and getting access to data passing through
submarine data cables. This allows for the collection of any unencrypted content and all associated
metadata while it is in transit from origin to destination. However, these programs cannot see
content that is typically encrypted in transit, such as email or files in cloud storage. The PRISM
program is a partnership of the NSA with various internet companies (such as Google, Microsoft,
and Facebook, as illustrated below) to allow NSA access to data held on company servers. That is,
if the information was encrypted in transit and so not collectible via STORMBREW, FAIRVIEW, and BLARNEY, it may still be accessible from the companies’ servers through PRISM.
[Figure: PRISM Collection, National Security Agency]
Once you have a whole lot of surveillance data, what do you do with it? Surely the man will not be
able to find my tiny little needle in that massive haystack. This is where data mining, from basic
search to (creepy) predictive machine-learning models, comes in to make vast amounts of mass-
surveillance data (including from disparate sources) useful to powerful adversaries.
The most basic functionality is the ability to search—that is, given a large amount of data, retrieving
the data of interest, such as that related to a particular person. XKEYSCORE acts as a Google-type
search for the NSA’s mass-surveillance data stores. While the functionality is basic, the sheer amount
of information it has access to (including that from the NSA programs highlighted above) places
XKEYSCORE (and any related program) as accessible to only the most powerful adversary.
On the other hand, Dataminr searches publicly available data (such as social media posts) to uncover
and provide details of emerging crises (such as COVID-19 updates and George Floyd protests) to
their customers, which include newsrooms, police departments, and governments, through both
automated (software) and manual (human analysis) means. Dataminr and other social
media–monitoring platforms, of which there are dozens if not hundreds, have come under fire for enabling police surveillance of protesters and activists.
Going further, Palantir is one of many policing platforms that supposedly predict where policing is
needed, be that a street intersection, a neighborhood, or an individual. In reality, these platforms do
little but reinforce racist norms. Predictive policing platforms use current police data as the starting
point and tend to send police to locations that police have been in the past. However, communities
of color and impoverished neighborhoods are notably overpoliced, so predictive models will simply
send police to these areas again, whether or not that is where crimes are being committed.
Going further still, EMBERS (Early Model Based Event Recognition Using Surrogates) has been used
since 2012 to predict “civil unrest events such as protests, strikes, and ‘occupy’ events” in “multiple
regions of the world” by “detect[ing] ongoing organizational activity and generat[ing] warnings
accordingly.” The warnings are entirely automatic and can predict “the when of the protest as well as
where of the protest (down to a city level granularity)” with 9.76 days of lead time on average. It relies
entirely on publicly available data, such as social media posts, news stories, food prices, and currency
exchange rates.
Another surveillance tactic that comes to mind is that of the wiretap. However, the modern
equivalent is a lot easier to enable than the physical wire installed on a communication cable, from
which wiretap gets its name. One modern version is the cell site simulator (CSS), which is a miniature
cell tower (small enough to be mounted on a van). To cell phones in the vicinity, this tower provides
the best signal strength, and so they will connect to it. At the most basic level, a CSS will uncover the
identities of the phones in the area. (Imagine its use at the location of a protest.) Different CSSes have
different capabilities: Some CSSes simply pass on the communications to and from the broader cell
network while gaining access to metadata. In some cases, CSSes are able to downgrade service—for
example, from 3G to GSM—removing in-transit encryption of cell communications with the service
provider and giving access to message content. In other cases, CSSes can block cell communications
by having phones connect to them but not passing information on to the greater cell phone network.
CSSes are fairly commonly held by law enforcement agencies (as illustrated in the map at the start
of this chapter).
Surveillance equipment, including CSSes and high-resolution video, can also be mounted to
surveillance drones or unmanned aerial vehicles (UAVs), which can greatly increase the scope of
surveillance from a few city blocks to a whole city. This is one example where tactics of targeted
surveillance are expanded toward a mass level. Persistent Surveillance Systems has pitched the use
of UAVs to many US police departments. Persistent Surveillance’s UAV uses ultrahigh-resolution cameras that cover over thirty-two square miles in order to track the movements of
individual cars and people, saving a history so that movements can be tracked backward in time.
Attacking Devices
The above tactics attempt to collect data while it is in transit or when it is held in the cloud. A final
place to collect your data is right from your own device (phone or computer). This might happen if
your device is confiscated by the police during a detention or search. We will discuss this more in
the chapter “Protecting Your Devices,” but we highlight some tactics for extracting device-held data
here.
Cellebrite is an Israeli company that specializes in selling tools for extracting data from phones and
other devices, such as their Universal Forensic Extraction Device (UFED), which is small enough to
carry in a briefcase and can extract data quickly from almost any phone. However, this requires
physical control of your device. NSO Group (another Israeli company) sells the ability to remotely
install spyware called Pegasus on some iPhones and Androids that will extract text messages, call
metadata, and passwords, among other data. The NSA has a family of malware (malicious software)
denoted QUANTUM that can either gather data or block data from reaching the target device. But
the NSA is able to install this malicious software on a mass scale with the use of their TURBINE
system, which is able to disguise NSA servers as, for example, Facebook servers and use this as a
means of injecting malware onto the target’s device.
While Pegasus and QUANTUM can be deployed widely, it can be politically dangerous to do so,
as these programs are generally met with public outcry. The more widely an invasive surveillance
technology is deployed, the more likely it is to be discovered, as was the case with Pegasus.
Personalized Harassment
While outside the realm of typical surveillance, personalized harassment should be in mind when
considering digital security risks. Doxxing, phishing, and password sniffing are techniques available
to the lower-resourced adversary but shouldn’t be ignored for that reason. You may wish to revisit
the story of Black Lives Matter activist DeRay Mckesson from the chapter “Passwords,” who had
his Twitter account compromised despite employing two-factor authentication. All his adversary
needed was access to some personal information, which may have been discoverable from public
sources or through personal knowledge.
Password sniffing can be as low tech as looking over your shoulder to see you type in a password
or can involve installing a keystroke logger to record you typing in your password, but this requires
the ability to install a keystroke logger on your device, for which there are methods of varying
degrees of sophistication. Traditional password sniffing captures a password as it passes through the
network, which can be possible if the traffic is not encrypted, and again requires varying degrees of
sophistication but certainly could be deployed by a skilled individual.
In Context: Standing Rock
In 2016, opponents of the construction of the Dakota Access Pipeline (DAPL) set up a protest
encampment at the confluence of the Missouri and Cannonball Rivers, under which the proposed
oil pipeline was set to be built. The pipeline threatened the quality of the drinking water in the
area, which included many Native American communities, including the Standing Rock Indian
Reservation. Eventually the protest encampment would grow to thousands of people and was in
place for ten months.
Energy Transfer Partners, the company building DAPL, employs a private security force, which, a few
months into the protest encampment, unleashed attack dogs on the protesters. In addition, Energy
Transfer Partners very quickly hired TigerSwan to aid in their suppression of the protest movement.
TigerSwan is a private mercenary company that got its start in Afghanistan as a US government
contractor during the war on terror. As such, TigerSwan employs military-style counterterrorism
tactics and referred to the Native American protesters and others who supported them as
insurgents, comparing them (explicitly) to the jihadist fighters against whom TigerSwan got its
start. TigerSwan’s surveillance included social media monitoring, aerial video recording, radio
eavesdropping, and the use of infiltrators and informants.
Eventually local, regional, and federal law enforcement would be called in, with TigerSwan providing
situation reports to state and local law enforcement and remaining in regular communication with the FBI, the
US Department of Homeland Security, the US Justice Department, the US Marshals Service, and the
Bureau of Indian Affairs. While many (but not all) of the tactics employed by TigerSwan would be
illegal for government law enforcement to adopt, the State is able to skirt this by receiving updates
from private companies. This is common practice in many areas in law enforcement, with police
departments buying privately held data that would violate the Fourth Amendment if the data was
collected directly by the State.
The public-private partnership between state law enforcement agencies, Energy Transfer Partners,
and TigerSwan was instrumental in bringing an end to the protest encampment, with the State
eventually violently removing protesters through the use of tear gas, concussion grenades, and
water cannons (in below-freezing weather), resulting in approximately three hundred injured
protesters (including one woman who nearly lost an arm).
While the encampment ended and the pipeline eventually was built, continued opposition
eventually led to a court ruling that the pipeline must be shut down and emptied of oil in order to
complete a new environmental impact review.
It is important to remember that even though mass surveillance collects information about almost
everyone, the harm it causes is differential. Certain groups are surveilled more heavily, or surveillance
information about certain groups is used disproportionately. Examples of groups in the US that are
disproportionately harmed by State and corporate surveillance are Muslim Americans, Black and
African Americans, Native Americans, and social movement participants, as we discussed in the
chapter “Mechanisms of Social Movement Suppression.”
We encourage you, after this rather dismal account of all the ways your data can be swept up, to
immediately start reading the chapter “Defending against Surveillance and Suppression.”
External Resources
• Canadian Journalists for Free Expression. “Snowden Surveillance Archive.” Accessed February 9,
2021.
• Electronic Frontier Foundation. “Atlas of Surveillance.” Accessed February 9, 2021.
• Department of Homeland Security. “Fusion Centers.” Accessed February 9, 2021.
• Google. “Transparency Report.” Accessed February 9, 2021.
• Nakashima, Ellen, and Joby Warrick. “For NSA Chief, Terrorist Threat Drives Passion to ‘Collect It
All.’” Washington Post, July 14, 2013.
• Greenwald, Glenn. No Place to Hide: Edward Snowden, the NSA and the Surveillance State.
London: Hamish Hamilton, 2015.
• N, Yomna. “Gotta Catch ’Em All: Understanding How IMSI-Catchers Exploit Cell Networks.”
Electronic Frontier Foundation, June 28, 2019.
• Stanley, Jay. “ACLU Lawsuit over Baltimore Spy Planes Sets Up Historic Surveillance Battle.”
American Civil Liberties Union, April 9, 2020.
• Biddle, Sam. “Police Surveilled George Floyd Protests with Help from Twitter-Affiliated Startup
Dataminr.” Intercept, July 9, 2020.
• Ahmed, Maha. “Aided by Palantir, the LAPD Uses Predictive Policing to Monitor Specific People
and Neighborhoods.” Intercept, May 11, 2018.
• Muthiah, Sathappan, Anil Vullikanti, Achla Marathe, Kristen Summers, Graham Katz, Andy Doyle,
Jaime Arredondo, et al. “EMBERS at 4 Years: Experiences Operating an Open Source Indicators
Forecasting System.” In Proceedings of the 22nd ACM SIGKDD International Conference on
Knowledge Discovery and Data Mining—KDD ’16, 205–14. San Francisco: ACM, 2016.
• Boot, Max. “Opinion: An Israeli Tech Firm Is Selling Spy Software to Dictators, Betraying the
Country’s Ideals.” Washington Post, December 5, 2018.
• Intercept. “Oil and Water.” 2016–17.
• Fortin, Jacey, and Lisa Friedman. “Dakota Access Pipeline to Shut Down Pending Review, Federal
Judge Rules.” New York Times, July 6, 2020.
Defending against Surveillance and Suppression
We recommend that you read the chapters “Mechanisms of Social Movement Suppression” and
“Digital Threats to Social Movements” before reading this chapter.
You may hear that there is no such thing as perfect digital security, and we agree. The surveillance
capabilities of a well-resourced adversary are nearly limitless, and those that we described in “Digital
Threats to Social Movements” barely scratch the surface. However, not all risks are equal, not all
surveillance tools are equally likely to be used, and there is a lot that an individual and a group can
do to reduce the threats due to surveillance.
In this model, surveillance capabilities refers to your opponent’s level of resources, as discussed in
the chapter “Digital Threats to Social Movements.” Suppression risk refers to the ways in which your
opponent may try to undermine you, as discussed in the chapter “Mechanisms of Social Movement
Suppression.”
It is important to keep in mind that surveillance supports suppression both indirectly and directly.
Many of the examples we gave in the chapter “Mechanisms of Social Movement Suppression” were
indeed supported by surveillance:
• The direct violence meted out on Black Panther Party leader Fred Hampton through a police raid guided by an FBI informant’s detailed floor plan of Hampton’s apartment
We can reduce digital security threats by decreasing surveillance capabilities or suppression risk or
by increasing the effort required to obtain one’s data.
Most activists have little immediate control over surveillance capabilities. However, there are a
number of laudable efforts to regulate surveillance with some success, such as the banning of face
recognition and CSS in certain jurisdictions. But unless your social movement work is aimed at trying
to ban or limit surveillance, going down this route would take you away from your goals.
Likewise, activists have little control over suppression risk. You could minimize the risk of suppression
by reducing the threat to your opponent, but then you would be succumbing to the chilling effect.
That leaves us with increasing the effort required to obtain your data, which is the focus of the
remainder of this book. While protecting all data is important (the more your opponent knows about
you, the better they can undermine you), we encourage putting any additional effort in protecting
your data toward the most protective strategies. So to guide that effort, you should keep in mind the
surveillance capabilities of your opponents and their likely modes of suppressing your efforts. To this
end, focus on protecting data that
1. would be most damaging in your opponent’s hands, given their likely modes of suppression, and
2. is most at risk, given your opponent’s surveillance capabilities and where that data is held or transmitted.
Understanding point 1 requires a deep understanding of the efforts and opponents of a given
social movement. To consider point 2, we need to understand where your data is (described below)
and how to protect it (which will be discussed in the remaining chapters of this book).
We take different protective strategies depending on where data is vulnerable. Your information
becomes data when it is put on a device (e.g., a cell phone or laptop) and then may be transmitted
through the internet via service providers. We distinguish here between websites where you may be
browsing and cloud providers where your data may be held (from Google to Facebook).
In the remaining chapters, we discuss how to protect where your data is. In the chapter “Security
Culture,” we discuss how to decide whether your information becomes data (when you have control
over it) and whether to store your data in the cloud—that is, whether you want your data to transmit
to third-party servers at all. In the chapter “Protecting Your Devices,” we discuss how to protect data that
is held on devices that you have control over (e.g., your laptop and cell phone). In the chapter
“Protecting Your Communications,” we discuss how to protect your data while it transmits from you
to your destination, be that a website, cloud provider, or another person. In the chapter “Protecting
Your Remote Data,” we discuss how to protect data that is held in the cloud if you have made the
decision to do so.
We then discuss how to protect your identity—that is, how to be anonymous or pseudonymous
online and break through censorship—in the chapter “Protecting Your Identity.” Finally, we discuss
how to select digital security tools in the conclusion and give the principles we use for our
recommendations.
In the years leading up to 2013, Edward Snowden collected data from his workplaces (mostly NSA
subcontractors) that he had access to in his role as a systems administrator. Snowden’s leaks of
troves of classified material illustrated just how advanced and broadly deployed the surveillance
tactics of many of the world’s most powerful governments were. However, in order to make these
disclosures, Snowden was up against a powerful adversary: the National Security Agency itself.
Snowden was unlikely to achieve long-term anonymity—his aim was to keep his behaviors (collecting information) and his goal (whistleblowing) unknown for long enough to leak the information
to journalists, who would responsibly report on it, and hopefully long enough to get to a safe haven,
where he could live in freedom. It took months for Snowden to set up an encrypted communications
channel with Glenn Greenwald (a journalist known for fearless, deep reporting), this being in the
days before “plug-and-play” end-to-end encrypted messaging apps. But once the reporting on
Snowden’s disclosures started, he knew his identity would be discovered and unmasked himself.
Snowden didn’t end up where he had hoped (Latin America). His US passport was canceled during
his flight from Hong Kong (where he shared the leaked documents with Glenn Greenwald) to Russia, preventing
him from further air travel. Snowden was able to claim asylum in Russia.
However, Snowden was very successful in his whistleblowing: the reporting lasted for years afterward and prompted numerous changes to how we communicate. Encryption is more commonly available
now, so much so that many people don’t even know when their conversations are end-to-end
encrypted.
Security Culture
We recommend that you read the chapter “Defending against Surveillance and Suppression” before
reading this chapter.
Social movements aware of the history of informant-driven suppression by State and private
adversaries have developed what is termed security culture. This term refers to information-sharing
agreements and other group practices intended to minimize the negative impacts of infiltration,
surveillance, and other suppressive threats to the group, its work, its membership, and broader social
movements; that is, security here means something much broader than digital security. The term
culture indicates an aspiration for security principles and practices to become reflexive and intuitive.
The ideal security culture helps a group to safely and easily communicate and bring in new members
(if desired) while avoiding excessive paranoia or cumbersome procedures and policies.
Although perspectives and practices on security culture vary widely, there are some important and widespread principles you should adhere to. Let’s explore some of these elements in detail and how they relate to digital security.
Need to Know: Minimize Information Sharing and Digitizing
The first principle of keeping secrets is to minimize the number of people who must be trusted to
keep them. Of course there is a spectrum of information sensitivity, from public announcements to
open meetings, from in-development press releases to specific places and times of direct actions.
Deciding what information needs to be protected and being careful to protect it is only part of the
picture; people also need to accept that they won’t have access to sensitive information unless they
need it to do their work.
From a digital security perspective, this also means deciding what information becomes digitized.
(Do you really need a Google Doc listing all the people who plan on attending a protest? Do you really
need to post identifiable photos of people who showed up? Do you need those posts to be public
and geolocated?) Limiting the amount and extent of information sharing dovetails with good digital
security practices because no platform or means of communication can be considered perfectly
secure.
Before taking specific digital security measures (such as using possibly complicated end-to-end
encrypted technology), consider what information needs to be stored, be shared, or even exist in a
digital format—perhaps (absent a global pandemic) we should be meeting and discussing our ideas
in person as much as possible. Keep in mind that any digital information is extremely easy to copy,
and so even strong encryption can only protect information to the extent that every human with
access to it can be trusted. Not even a perfectly designed secure app or digital platform can stop
information from being compromised by an infiltrator or defector within a group.
Get to know the people that you work with so that you can trust them with whatever risks you
decide to take together. But when you decide to digitize information, you are potentially welcoming
more “people” (well, corporations and the State) into your organizing circle. If your group uses, for
example, Gmail for communications among group members, then Google also has all those emails,
and those emails can be easily subpoenaed by the State. So you should be ready to trust any entity that has access to your unencrypted data, whether that entity is a human with whom you interact,
your internet service provider, your cloud storage provider, or your email provider.
Social movements in the past have been crushed by gossip and rumors, with the State using our
human weaknesses to engage in gossip and rumors to its advantage, as we discussed in the chapter
“Mechanisms of Social Movement Suppression”: the use of snitch jacketing, agent provocateurs, and
false propaganda as tactics of deception depend on social movement participants believing the
source and repeating information.
For digital security, we can aim to authenticate the source of information. This is particularly
important online, where one can more easily pretend to be someone one isn’t, either through low-
tech means (such as fake accounts or stealing an account) or high-tech means (such as redirecting
network traffic). We will discuss authenticating digital sources in the chapter “Protecting Your
Communications” and the conclusion, “Selecting Digital Security Tools.”
But a very basic consideration is one’s use of social media, where gossip and rumors abound and
where the details of our personal lives make infiltration unnecessary to get to know what your
weaknesses might be. Social media platforms should only be used to publicly distribute information,
and conversations there should never be considered private.
These protective actions have the potential to protect you from social media monitoring, subpoenas
and search warrants, and doxxing.
Leading up to the 2008 Republican National Convention in Saint Paul, Minnesota, different social
movements came together around the opposition to the Republican Party’s support of the war in
Iraq. The coalition of protest groups adopted the following principles ahead of the convention in
order to make space for different groups’ views and strategies and to keep the risks facing one group from affecting another:
1. Our solidarity will be based on respect for a diversity of tactics and the plans of other
groups.
2. The actions and tactics used will be organized to maintain a separation of time or
space.
3. Any debates or criticisms will stay internal to the movement, avoiding any public or
media denunciations of fellow activists and events.
4. We oppose any state repression of dissent, including surveillance, infiltration,
disruption and violence. We agree not to assist law enforcement actions against
activists and others.
These rules have become known as the “Saint Paul Principles” and have been adopted by many
coalitions of groups in the years since. The principles elevate notions of security culture from an
intragroup level to an intergroup level. They are designed to help different groups come together if
they have the same ultimate aim but may disagree on how to get there, and to increase the likelihood that the overarching movement will be successful in its agreed-upon aim.
Protecting Your Devices
We recommend that you read the chapters “Passwords” and “Digital Threats to Social Movements”
before reading this chapter.
The amount of data you keep on your phone and laptop is staggering. Contacts, emails, photos,
documents, calendars, tax returns, banking details, and, in the case of a smartphone, often a detailed
history of your location for as long as you’ve had that phone. A lot of this data you will also share
with your cloud storage providers (i.e., Apple, Google, Dropbox), but that is the focus of the chapter
“Protecting Your Remote Data.” Here we focus on protecting the data that you keep with you on your
laptops and cell phones from a remote or physical attack.
Physical Attacks
By a physical attack, we mean that your adversary would first gain physical access to your device
through loss, theft, or confiscation. You may lose your phone at an inopportune moment that places
it in the hands of an adversary rather than a Good Samaritan, or your adversary may steal your
phone. More likely your phone may be confiscated while crossing a border or during an arrest, either
planned or unplanned.
Those who were swept up in the mass arrests during the protests of the presidential inauguration on
January 20, 2017 (J20), had their phones confiscated and subject to search by a tool from the Israeli
company Cellebrite, which extracts all information on a device (phone or computer) and all remote
accounts that device has access to (e.g., Google, Facebook, Dropbox). In the article “How to Protect
Yourself from the Snitch in Your Pocket,” one J20 defendant described the eight thousand pages
of data that a Cellebrite tool extracted from his confiscated cell phone; he received this information
from his lawyer as they prepared for his defense.
A detective testifying at a J20 trial noted that among the phones that had encryption enabled, he
was only able to access basic device information and not the contents of the phone storage. iPhones
and Android devices that are running up-to-date operating systems have encryption enabled by
default, while Apple and Microsoft computers need to have this enabled. Encrypting your device is
not, however, a panacea. The encryption that protects your device is only as strong as the password
protecting it.
For phones and some laptops, one can often choose between a typed passphrase or biometric input
(such as a fingerprint). A fingerprint is more convenient than a typed password. For the purposes
of encryption, your fingerprint will be paired with a passphrase (which should be as strong as
you can manage). However, if your device is confiscated by law enforcement, your fingerprint may
be compelled from you. So when the risk of device confiscation is high, one should still consider
removing the ability to biometrically unlock your device.
There are additional protections against physical interference that one might consider. A privacy
screen can obscure an eavesdropper from seeing the passwords (and anything else) you type.
Faraday bags can prevent your phone from transmitting or receiving information; among other
things, this can prevent your phone from recording location information. The ability to remotely wipe
your phone is provided by major cell phone manufacturers, and while it may relinquish control over
your device to the same corporations that may share your information with your adversaries (as we
discuss in the chapter “Protecting Your Remote Data”), it may be a useful tool in certain situations.
Remote Attacks
By a remote attack, we mean that an adversary would access the data on your phone or laptop
through an internet or data connection. There are companies that design and sell the ability to infect
your device (usually focusing on smartphones) with malware that would allow their customer (your
adversary, be it a corporate or state agent) to gain remote access to some or all your information.
For example, Citizen Lab uncovered wide and varied use of the spyware Pegasus created and sold by
another Israeli company, NSO Group. Coupled with some social engineering to convince the target
to click on a link, the spyware grants the ability to turn on and record from the phone’s camera
and microphone, record calls and text messages (even those providing end-to-end encryption), log
GPS locations, and send all this information back to the target’s adversary. Citizen Lab reported
that Pegasus attempts were made against Ahmed Mansoor, a human rights defender based in the
United Arab Emirates, and twenty-two individuals in Mexico ranging from politicians campaigning
against government corruption to scientists advocating for a state tax on sugary drinks.
Remote attacks, such as those sold by NSO Group, rely on flaws in computer software known as zero-
days. Such flaws are unknown to the software provider (e.g., Apple or Microsoft). Until they are known
(which happens on “day zero”), there is no chance that the software provider could have fixed or
patched the vulnerability, and so there is no chance that a victim could protect themself. Computer
security is often a cat-and-mouse game. The products of malware and spyware creators (such as
NSO Group) are only good so long as the targets (or more accurately, companies like Apple, Google,
and Microsoft) don’t know about the malware being deployed. As soon as they do, they fix their
products so that the malware is no longer effective.
But these product fixes only work if the target (you) updates their device. So the lesson here is
to install all security updates as soon as they are available. Unfortunately, smartphones do not
receive security updates indefinitely, with particular devices (e.g., Nokia 5.3) only being supported by
an operating system (e.g., Android) for a few years. You can check if an Apple or Android phone is
receiving security updates through the settings.
Many malware products require phishing for installation on the target’s device: convincing the
target to click on a link or opening a file (in either an email or a text message). So the second thing
you can do is be wary of what you click on. Do you know the sender? Are you expecting something
from the sender? Does anything seem, well, fishy? In fact, it was vigilance that led Ahmed Mansoor
to avoid spyware infection: he sent the phishing text along to Citizen Lab, which led to their reporting
on the abuse of spyware from NSO Group.
Finally, be wary of the apps you install and what permissions you grant them. Does a flashlight app
need access to your contacts and camera? Do you really need to install that game created by an unknown developer?
In September 2020, it came to light that the Department of Homeland Security was “extracting
information from protestors’ phones” during the extended protests in the summer of 2020 in
Portland, Oregon. Purportedly using a novel cell phone cloning method, the government was able
to intercept communications to the phones of protestors. While this is disturbing and likely illegal,
the details of the attack remained classified. However, we can try to infer likely methods of attack
and likely protective practices.
If the cloning method requires a physical attack, most likely the compromised phones are those that
were confiscated in prior arrests during the summer. However, this limits the surveillance potential
to only the phones of arrestees and allows them either to no longer trust their phones or to factory
reset their phones to remove possible malware.
On the other hand, if the cloning method can be done remotely, this greatly expands the number of
phones that might be compromised and has no signaling event.
In either case, the use of in-transit and end-to-end encryption would still protect phone
communications (but perhaps not metadata), as you can learn about in the chapter “Protecting Your
Communications.”
External Resources
• Earth First! The Journal of Ecological Resistance. “How to Protect Yourself from the Snitch in Your
Pocket.” Winter 2017–18. (A digital version of the article is available at protestarchive.org)
• Marczak, Bill, and John Scott-Railton. “The Million Dollar Dissident: NSO Group’s iPhone Zero-Days Used against a UAE Human Rights Defender.” Citizen Lab, August 24, 2016.
Protecting Your Communications
We recommend that you read the chapters “The Man in the Middle,” “Passwords,” and “Digital
Threats to Social Movements” before reading this chapter.
The best way to protect your online communications is through encryption. But not all encryption is
equally protective. We will focus on the concepts that distinguish between the degrees of protection.
Encrypted or Not
The most basic version of encrypted communications is in-transit encryption, where your
information is encrypted between your computer and a server. In the context of browsing the web,
this is the best you can do to protect the content (but not the metadata) of your communications
from an adversary. Most web browsers indicate whether your browsing is encrypted by the URL, as
illustrated below.
[Figure: Browser address bar with HTTP (not encrypted) and HTTPS (encrypted)]
In the top example, the information is transmitted unencrypted. The full URL in this case is
http://whenisgood.net, where http indicates accessing a web page without encryption. This
browser (Firefox) emphasizes this point with a struck-through lock. In the bottom example, the
information is encrypted: https indicates accessing a web page with encryption, and the s stands
for “secure.” The keys used for this encryption are exchanged between your computer and the
whenisgood servers using the Diffie-Hellman key exchange, as described in the chapter
“Exchanging Keys for Encryption.”
Using http, every entity on the path between you and the website pictured below can access the
content of your web browsing (such as the pictures being loaded and any information you might
type into a web form). Further, anyone snooping on the communications between the entities on
these paths (such as between Comcast’s network and the internet backbone) may also have access
to your browsing content. We qualify this with may because the communications between two
entities on this path may be encrypted. For example, the communications between a cell phone and
a cell tower are encrypted in most cases.
By contrast, when you use https, only you and the website (technically, the servers that are hosting
the website) have access to the content of your browsing. We specify content here because certain
metadata would still be known by entities on the path between you and the website, such as the
basic URL of the website, the amount of time you spend browsing the website, and the amount of
information you are downloading from the website.
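As a rough illustration of which pieces of a URL fall into which category, here is a sketch using Python's standard urllib module; the URL itself is hypothetical. Under https, an on-path observer can generally still learn the hostname (along with timing and data volumes) but not the path, the query, or the page content.
from urllib.parse import urlsplit

parts = urlsplit("https://example.org/donate?amount=50")  # hypothetical URL
print(parts.scheme)    # "https": content is encrypted in transit
print(parts.hostname)  # "example.org": typically still visible to on-path observers
print(parts.path)      # "/donate": hidden from on-path observers under https
print(parts.query)     # "amount=50": also hidden under https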
In-Transit Encryption
When we communicate with another person by email, instant messaging, or video chat, those communications are typically routed through the servers of a communication provider—say, Assata sending a message to Bobby.
We call this in-transit encryption because the content is encrypted while it is in transit between
Assata and the communication provider and between the communication provider and Bobby.
The in-transit encryption keys are generated separately for each part of the path between Assata
and Bobby, pictured below. The provider (center) performs a Diffie-Hellman key exchange with
Assata, generating a shared key, and performs a separate Diffie-Hellman key exchange with Bobby,
generating a different shared key. When Assata sends a message to Bobby through the provider,
the message is first encrypted with the key Assata shares with the provider, and then the message
is transmitted to the provider. The provider decrypts the message with the key that Assata and the
provider share. Then the provider re-encrypts the message with the key that the provider shares with
Bobby before transmitting the encrypted message to Bobby. Bobby can then decrypt the message.
Therefore, the message only exists in a decrypted state on Assata’s and Bobby’s devices and the
provider’s servers; the message is encrypted when it is in transit between these entities.
[Figure: In-transit encryption]
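A minimal sketch of this relay pattern, assuming the third-party Python cryptography package and using its Fernet symmetric encryption to stand in for the two keys negotiated with the provider (a simplification of the Diffie-Hellman exchanges described above):
from cryptography.fernet import Fernet

key_assata_provider = Fernet(Fernet.generate_key())  # key shared by Assata and the provider
key_provider_bobby = Fernet(Fernet.generate_key())   # key shared by the provider and Bobby

ciphertext_in = key_assata_provider.encrypt(b"meet at noon")        # Assata -> provider
plaintext_at_provider = key_assata_provider.decrypt(ciphertext_in)  # the provider can read this!
ciphertext_out = key_provider_bobby.encrypt(plaintext_at_provider)  # provider -> Bobby
print(key_provider_bobby.decrypt(ciphertext_out))                   # b"meet at noon"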
While in-transit encryption protects your communications from many potential adversaries (such
as your internet service provider, the Wi-Fi hotspot, or a snoop along the communication channels),
the communication provider still has access to all that information. Even if the provider is not a
direct adversary, they may share that information with an adversary (such as through a subpoena
or warrant). End-to-end encryption (E2EE) will protect your communications from even the
communication provider.
For E2EE (pictured below), Assata and Bobby exchange keys (using a Diffie-Hellman key exchange or
a similar procedure). While their communications are routed through the communication provider,
so long as the provider isn’t mounting a man-in-the-middle attack, the communications through
the provider are encrypted with a key that only Bobby and Assata have access to. That is, the
message only exists in a decrypted state on Assata’s and Bobby’s devices. Assata’s and Bobby’s
devices are the endpoints of the communication (hence end-to-end encryption).
[Figure: End-to-end encryption]
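A matching sketch of the end-to-end case, under the same assumptions: the key exists only on Assata's and Bobby's devices, and the provider merely relays ciphertext it cannot decrypt.
from cryptography.fernet import Fernet

shared_key = Fernet(Fernet.generate_key())        # held only by Assata and Bobby
ciphertext = shared_key.encrypt(b"meet at noon")  # encrypted on Assata's device
relayed = ciphertext                              # the provider only ever sees this token
print(shared_key.decrypt(relayed))                # decrypted on Bobby's device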
Authentication
While E2EE is the gold standard, there are further considerations. As mentioned above, end-to-end
encryption is only established if the communication provider (or another third-party member) does
not mount a man-in-the-middle attack starting at the time of key exchange. However, as we covered
in the chapter “The Man in the Middle,” if Assata and Bobby verify their keys through independent
channels, they can determine whether or not a man-in-the-middle attack has occurred and so
whether their communications are truly end-to-end encrypted.
While many apps or services claiming E2EE provide the ability to verify keys, many do not, leaving little basis for trusting their claims of E2EE. Further, for those E2EE apps that do provide the ability
to verify keys, most operate on a Trust on First Use (TOFU) basis. That is, communications may
begin without verifying keys first. However, while actually doing key verification is the only way to
guarantee E2EE, the existence of the ability to verify keys is protective against automated man-in-
the-middle attacks, as even a small fraction of users verifying keys would catch widespread man-in-
the-middle attacks.
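Key verification usually comes down to comparing fingerprints: short digests of the public keys that Assata and Bobby read to each other over an independent channel (in person, or over a phone or video call). Below is a minimal sketch of computing such a digest, assuming each person can export the public key bytes their app claims to be using for the other; the key bytes shown are placeholders.
import hashlib

def fingerprint(public_key_bytes: bytes) -> str:
    # A short, human-comparable digest of a public key.
    digest = hashlib.sha256(public_key_bytes).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))

# If the fingerprints each party computes and reads aloud do not match,
# a man in the middle may have substituted their own key.
print(fingerprint(b"bobby-public-key-bytes-as-exported-by-the-app"))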
And, of course, E2EE only protects the communication between devices—it does not protect the data once it reaches either endpoint device, which is why protecting your devices still matters.
There are many apps and services for video chatting between two or more people, with varying
degrees of security. Here are three illustrative examples:
• Wire provides the gold standard of E2EE. Each user has an account that can be accessed from
multiple devices (e.g., laptop and smartphone). There is a public key for each device that is used
to establish an encryption key for a session (e.g., a video call), and the fingerprints of these keys
can be compared to verify true E2EE. Wire allows E2EE video calls for groups of up to twelve
users.
• Zoom allows video calls for much larger groups and does provide E2EE in that a video stream is
encrypted and decrypted by the users with the same key. However, this key is established and
distributed by the Zoom servers. Since Zoom has access to the encryption key, this cannot be
considered true E2EE. Further, there is no mechanism for users to verify the encryption keys. As
of summer 2020, Zoom had a proposal for establishing keys for true E2EE, but it has not yet
implemented it.
• Jitsi Meet also provides large-group video conferencing, but only using in-transit encryption.
However, Jitsi Meet is available to be hosted on any server (including your own, if you are so
inclined). There is an instance of Jitsi Meet hosted by May First, a nonprofit that provides
technical solutions to social movements and is a trusted third party to many groups. Even
though May First has access to these communications, some would prefer to trust May First
over a profit-driven solution such as Zoom.
Protecting Your Remote Data
We recommend that you read the chapter “Protecting Your Communications” before reading this
chapter.
The cloud is ubiquitous. Since the early 2000s, data is increasingly stored not exclusively (or at all) on
your own device but on the servers of the companies that manage your device or operating system
or whose services you subscribe to. If that data is not encrypted with a key that you control, that data
is at risk for compromise.
Accessing your remote or cloud data or storage is similar to accessing a web page, as pictured below.
In most models of accessing cloud storage, the information is protected by in-transit encryption,
which would protect your data from potential adversaries along the path from your device to your
cloud storage provider’s servers (pictured below).
However, as discussed in the chapter “Digital Threats to Social Movements,” data that is stored
remotely (and is not encrypted) is accessible by government adversaries by subpoena or warrant or
may simply be shared with third parties. Unfortunately, even if we avoid the most explicit forms of
remote data (such as what is offered by Dropbox or Google Drive), many of our devices encourage
the remote backup of all our data (such as Apple devices to the iCloud), in some cases making it
very difficult to avoid (as for Android devices to a Google account). This can include a potential wealth of sensitive information: contacts, photos, messages, documents, and location history.
There are many choices for cloud storage. In the following list, we describe a few options that
illustrate the breadth of options, from not encrypted and not trusted, to not encrypted but trusted,
to encrypted.
• Google will happily store all your information (email, files, contact information, device backups)
for free. Of course, they extract value from this by using your data, but they can’t do so if that
data is encrypted with a key that only you control (and so it isn’t). As we saw in the chapter
“Digital Threats to Social Movements,” Google returns data in response to roughly 80 percent of
subpoena requests.
• The software ownCloud provides Box- or Dropbox-style cloud storage but, like Google’s
products, only uses in-transit encryption. (An enterprise version of ownCloud does provide
some end-to-end encrypted file storage and sharing.) However, ownCloud, like the video-
conferencing app Jitsi Meet, is available to be hosted on any server (including your own). Also,
like Jitsi Meet, there is an instance of ownCloud hosted by May First, a service provider that is
trusted by many. Even though May First has access to your stored data, some would prefer to
trust May First over Google.
• CryptPad is a collaborative editing platform that offers an end-to-end encrypted alternative to
Google Docs. Documents are accessed by a link that includes the key for decrypting the
document, but that key appears after a # in the URL—for example, https://cryptpad.fr/
pad/#/2/pad/edit/bpsky2zF5La8sZ_i-6r_cTj9fPL+ . The part of the URL after the # is known
as a fragment identifier and is not transmitted to the server but is only used within the
browser—in this case, to decrypt a given pad. Since the encryption key is part of the URL, one
must take care in sharing such a link (i.e., only share this link over an encrypted channel, such as
Signal).
• Keybase has a number of features including an end-to-end encrypted storage system akin to
ownCloud or Dropbox. Unlike CryptPad, Keybase offers stand-alone apps (rather than operating
in a browser) and handles the management of keys.
Protecting Your Identity
We recommend that you read the chapters “Public-Key Cryptography” and “Anonymous Routing”
before reading this chapter.
In the chapter “Anonymous Routing,” we compared and contrasted virtual private networks (VPNs)
and Tor as two methods for disguising one’s metadata online. This can help one achieve anonymity
or pseudonymity, but this is difficult to do over the long term. In this chapter, we will focus on skills
for using Tor, but these lessons also apply to using a VPN. One needs to additionally remember,
though, that when using a VPN, the VPN provider knows who you are and the metadata of your
internet communications (and the content, if it isn’t encrypted). While we will focus on using Tor via
the Tor Browser, know that there are other applications (such as secure-messaging applications or
whole operating systems) that route internet requests through the Tor network.
Before we describe different ways to use Tor, let us consider the difference between anonymity and
pseudonymity. These terms are used in different ways in different contexts, and we restrict our use
here to online communications and behavior.
Anonymity refers to being without a name or, more generally, without any identifier that could link
to you. If you visit a website anonymously today and the same website anonymously tomorrow, the
website should not even be able to tell that it was the same person both times. All the website should
know is that “someone visited me anonymously yesterday” and “someone visited me anonymously
today.”
Pseudonymity refers to using a false name, with few or no people knowing your true identity. For
example, Samuel Clemens published under the pseudonym Mark Twain, but of course his publisher knew his true identity.
Tor can be used to hide information about your identity (such as your physical location) and achieve
anonymity and pseudonymity. For the novice user, Tor is accessed using the Tor Browser or Tor-
compatible apps. For a more advanced user, non-web-browser communications can be routed
through Tor by using an operating system (such as Tails or Whonix) that routes all your internet traffic through Tor.
Using the Tor Browser as you do any other browser, including accessing emails or social media
usernames that are linked to you, will conceal your physical location from those accounts. Each time
you open a new Tor Browser tab or window and after a certain delay, Tor will route your web requests
via a new location. However, many email and social media platforms will flag your account activity
as suspicious if it is being accessed from different locations, as it will appear to be when accessing
through Tor. So while it is possible to use Tor all the time and for everything, it may not be practical.
If you are able to navigate these difficulties, you will still need to be smart to consistently hide your physical location by avoiding behaviors that reveal it.
Achieving Anonymity
Using Tor can help you achieve anonymity. However, you will need to restrict your behavior to
ensure you don’t leak information that could break your anonymity. To that end, in order to maintain
anonymity, you need to avoid certain behaviors during your anonymous session, in addition to those for hiding your physical location.
Achieving Pseudonymity
If you create a pseudonym that is unrelated to your true identity in order to, for example, post press
releases or participate in forums, Tor can help ensure that your pseudonym stays unrelated to your
true identity. However, to keep your real and pseudonymous identity separate, you need to avoid the
following behaviors:
• Accessing different pseudonymous (or your pseudonymous and real) identities in the same
session, as this can link these identities
• Accessing a pseudonymous account even once outside of Tor
• Using two-factor authentication with a phone (as your phone, even if it is a “burner,” can reveal
your physical location)
• Posting media with revealing metadata (such as location); see the sketch below for one way to check a photo before posting
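As one way to check a photo for revealing metadata before posting it, here is a sketch assuming the third-party Pillow imaging library is installed; the filename is a placeholder.
from PIL import Image, ExifTags

exif = Image.open("protest-photo.jpg").getexif()  # hypothetical filename
tag_names = {ExifTags.TAGS.get(tag_id, str(tag_id)) for tag_id in exif}
if "GPSInfo" in tag_names:
    print("Warning: this photo embeds GPS location data.")
if "DateTime" in tag_names:
    print("Note: this photo embeds a timestamp.")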
Note that the longer you attempt to maintain a pseudonymous identity, the more opportunity you
give yourself to make a mistake. In addition to the mistakes above, your writing style can be used to
identify you using stylometry. The more examples of your writing style that are available (under both
your real and pseudonymous identity), the easier it would be to identify you.
Tor Warnings
There are some additional things to be aware of when accessing the internet via Tor.
As with any protective technology, nothing is perfect. If an adversary (Edgar) is able to watch Assata’s
connection to the Tor network as well as her connection leaving the Tor network (to Bobby’s website),
Edgar will be able to determine that Assata is visiting Bobby’s website. This is called an end-to-end
timing attack or correlation attack.
If you attempt to use applications not designed for Tor over the Tor network, they may leak
identifying information, such as screen resolution or a unique set of settings you may have.
Finally, when using Tor, keep in mind it only provides anonymity—for privacy, you need to be
accessing web pages using end-to-end encryption via https (though unfortunately not all websites
support this).
The tools you use to protect yourself online are only useful if they are the real thing. In 2019, it was
discovered that a false version of the Tor Browser was being promoted by people interested in (and
successfully) stealing Bitcoin. They made the malicious “Tor Browser” available through incorrect
domains like tor-browser[.]org and torproect[.]org (instead of the authentic domain, torproject.org).
To protect yourself from such mistakes as downloading from the wrong site or to protect yourself
from a man-in-the-middle attack that supplies you with a malicious app, apps such as the Tor
Browser make it possible for you to check the signature of a download, as we discussed in the
chapter “Public-Key Cryptography.”
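What that check might look like in practice is sketched below in Python, assuming GnuPG is installed, the Tor Project's signing key has already been obtained and checked through a trustworthy channel, and the file names are placeholders for whatever was actually downloaded.
import subprocess

# Verify a detached OpenPGP signature (.asc) against the downloaded installer.
result = subprocess.run(
    ["gpg", "--verify", "tor-browser-installer.asc", "tor-browser-installer"],
    capture_output=True,
    text=True,
)
print(result.stderr)  # gpg prints its verification report to stderr
print("Signature OK" if result.returncode == 0 else "Verification FAILED")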
External Resources
• Hancock, Alexis. “Phony HTTPS Everywhere Extension Used in Fake Tor Browser.” Electronic
Frontier Foundation, October 31, 2019.
• Tails. Accessed February 9, 2021.
• Tor Project. “Tor Project: Overview.” Accessed February 9, 2021.
• Whonix. “Tips on Remaining Anonymous.” December 26, 2020.
• Whonix. “Whonix: Software That Can Anonymize Everything You Do Online.” Accessed February 9,
2021.
Selecting Digital Security Tools
There are many different digital security tools from which to choose. Decisions about which to use
can be overwhelming. When we recommend a tool, we try to pick one so that we can minimize our
trust in its providers. The required criteria listed below are selected with this in mind. We include
additional technical criteria that would be nice to meet but aren’t as essential. Finally, there are
some nontechnical criteria that technology providers offer that can help when making decisions
among the myriad of choices.
Rarely will a tool be perfect, as we will illustrate with examples. Part of the selection process is finding
the tool that is right for the group that will use it. This might result in compromises, even on the
required criteria. And note that not every criterion is applicable to every tool. For example, the Tor
Browser provides the ability to anonymously browse the internet, but on its own, it does not aim to
provide end-to-end encryption, so the first set of criteria doesn’t apply.
Finally, choose a tool carefully and test it out before asking a lot of people to adopt it. There is a social
cost to asking people to use something new or change their practices, and you want to minimize
how often this happens.
Required Criteria
1. End-to-end encryption (as described in the chapter “Protecting Your Communications”) allows
us to follow the security culture principle of minimizing the number of trusted parties. End-to-
end encryption allows you to keep your data from the tool provider (but not necessarily the
metadata). Implementing end-to-end encryption is our number-one criterion for protecting
your communications.
Additional Criteria
1. A digital security tool should be cross-platform and otherwise widely accessible. By “cross-
platform,” we mean that it would be (ideally and if applicable) able to run on Linux, Mac, and
Windows operating systems as well as Android and iOS smartphones. Further, tools should play
well with screen readers and other accessibility measures. Compromises on this should not be
taken lightly. Perhaps at the moment, everyone in your group has Android devices, and so
using an Android-only communication tool might be OK—for now. But what if in the future,
someone wants to join the group who doesn’t have an Android phone (or any smartphone)?
2. Security audits are when a (responsible and respected) third party evaluates the security of a
given tool by looking at its code and server practices. For some tools, this is an unreasonable
ask. For example, Whonix, an anonymity- and security-focused operating system based on
Linux, has not undergone a security audit. But no operating system has undergone a complete
security audit.
Nontechnical Criteria
1. The financial model of a provider can impact the ability to access a tool (if you need to pay for
access), the long-term stability of the tool (what happens if they run out of money?), and the
motivations of the provider (are they monetizing your data or metadata?). Choices range from
free, to freemium (pay for more services), to pay to play.
If a tool is free to use, one should ask why. Is it run by a large company that can monetize even
the metadata (such as Facebook having access to contact networks of WhatsApp)? Or is it
running on donations and grants?
2. If a tool is movement oriented, this can be either positive or negative. As discussed at the end
of the chapter “Protecting Your Communications,” an unencrypted video-conferencing option
through movement-oriented May First was more trustworthy than through Zoom, which has
been known to engage in censorship and data sharing with authorities. On the other hand, a
VPN option through movement-oriented Riseup might draw more attention from authorities than a
more widely used VPN, where you can hide among a larger crowd of users.
3. Provider transparency can help build trust. Most major companies publish transparency
reports, as discussed in the chapter “Defending against Surveillance and Suppression.” In many
cases, these only underscore how much the companies are willing to share the data they hold with your
opponents. Another option is the warrant canary, which we discussed in the chapter
“Authenticity through Cryptographic Signing.”
There are a number of guides and resources that we recommend for further study; they delve into
more detail for particular users or particular aspects of digital security:
• Digital Defenders Partnership. “Digital First Aid Kit.” Accessed February 9, 2021.
• Electronic Frontier Foundation. “Security Education Companion.” Accessed February 9, 2021.
• Electronic Frontier Foundation. “Surveillance Self-Defense.” Accessed February 9, 2021.
• Tactical Technology Collective. “The Holistic Security Manual.” Holistic Security. Accessed February
9, 2021.
• Tactical Technology Collective and Frontline Defenders. “Digital Security Tools and Tactics.”
Security in a Box. Accessed February 9, 2021.
APA (6th)
Online:
Borradaile, G. (2021, March 29). Defend Dissent. Retrieved [Retrieval date e.g. March 30, 2021], from
https://open.oregonstate.education/defenddissent/
MLA (7th)
Online:
Borradaile, Glencora. “Defend Dissent.” 29 Mar. 2021. Web. [Retrieval date e.g. 30 Mar. 2021].
Chicago
Print:
Borradaile, Glencora. Defend Dissent. Corvallis, OR: Oregon State University, 2021.
If you find an error in this text, please fill out the form at bit.ly/33cz3Q1
Version 1.0: MM/DD/YYYY