Slide 1

digital harm reduction: an intro to online privacy floh & cleve perverscité 2016

Slide 2

✴ Introductions (us & you)
✴ Building personas & scenarios
✴ A dive into technology
✴ Solutions (for our personas & scenarios)

Slide 3

harm reduction approach
✴ security vs convenience
✴ priorities
✴ improbable
✴ parallel to physical security

Slide 4

personas: pick one or build your own
✴ There is no universally useful security advice
✴ Preserve some anonymity in this group
✴ Breakout into small groups

Slide 5

example personas: jean-pierre

Jean-Pierre is a teenager going to high school and living at home with his conservative family. He has recently started exploring his sexuality online and in person and thinks he might be gay. He is bullied by his brother and his brother’s tech-savvy friends.

What risks does Jean-Pierre face?

browser history, fb privacy settings, breaking into fb or email, physical phone security, fear of being outed, fake grindr profile, being pranked, check network traffic, forums/porn access

disk encryption, ublock origin, privacy badger, VPNs or Tor, good passwords

Slide 6

example personas: alex

Alex is a porn performer and sex worker. They also go to graduate school part-time. They use mobile apps for communicating with clients. They’ve been harassed by cops on multiple occasions but never arrested or charged. Many of their family, friends, and classmates do not know they are a sex worker. They recently had a bad breakup with someone who is very vindictive.

What risks does Alex face?

phone number to legal name lookup, malicious disclosure to school, grants revoked because of additional income, separating banking info, risks of using the same device for multiple personas, crossing borders, being tracked via gps

using Tor for work, Signal (or WhatsApp, not Telegram), disk encryption (bitlocker or filevault), good passwords (&change them!), review logged in devices in gmail and facebook

Slide 7

example personas: marina

Marina is a trans fashion blogger with a large Youtube, Twitter, Instagram following. She also works at a Big Name Corp where she is not out. Recently, trolls have begun harassing her online, making all kinds of horrible threats that she is not sure are credible.

What risks does Marina face?

bank account info linked to google account, threat of transphobia generally, shitty dynamics at work, linking pseudonym (?) to real life, trolls finding where she works, getting doxxed, accounts getting hacked, physical risk after being doxxed, doxxing leading to toxic work situations, ads if using work computer, culture of putting all your info into the world, and not being able to revoke it later, real name policies, how social media companies deal with harassment

google yourself! (identity management), wayback machine, ad blocker, good passwords, exif removal from photos (gps), separate your identity chains (e.g. which email is your backup for your twitter), if she owns a domain, whois protection
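The “separate your identity chains” and “which email is your backup for your twitter” items above are easiest to reason about as a graph of who can reset whom. As an added example (not part of the workshop material), the block below takes a constructed set of accounts and password-reset fallbacks for a Marina-like persona, computes how many accounts fall if one e-mail or phone number is taken over, and flags the recovery roots that bridge the pseudonymous and real-name identities. The account names, the 555 phone numbers and the function names are all made up for the demo.

```python
"""Which single e-mail or phone number unlocks the rest of your accounts?

Added example for this page (not workshop material).  The accounts below are a
constructed sketch of the Marina persona: public pseudonymous profiles, a
real-name work account and bank, and the e-mails and phone that reset them.
"""
from collections import deque

# account -> the accounts (e-mail or phone) that can reset its password
RECOVERY = {
    "twitter:@marina_style":   ["gmail:marina.fashion"],
    "instagram:marina_style":  ["gmail:marina.fashion"],
    "youtube:MarinaStyle":     ["gmail:marina.fashion"],
    "gmail:marina.fashion":    ["gmail:m.lastname"],   # pseudonym's backup is the real-name mailbox
    "gmail:m.lastname":        ["phone:+1-555-0100"],
    "bigname-corp:m.lastname": ["gmail:m.lastname"],
    "bank:checking":           ["gmail:m.lastname", "phone:+1-555-0100"],
    "phone:+1-555-0100":       [],
}

# which identity each account belongs to
PERSONA = {
    "twitter:@marina_style": "pseudonym", "instagram:marina_style": "pseudonym",
    "youtube:MarinaStyle": "pseudonym", "gmail:marina.fashion": "pseudonym",
    "gmail:m.lastname": "real name", "bigname-corp:m.lastname": "real name",
    "bank:checking": "real name", "phone:+1-555-0100": "real name",
}


def blast_radius(recovery, root):
    """Accounts an attacker who controls `root` can take over through resets, transitively."""
    resets = {}
    for account, fallbacks in recovery.items():
        for fallback in fallbacks:
            resets.setdefault(fallback, []).append(account)
    seen, queue = set(), deque([root])
    while queue:
        current = queue.popleft()
        for nxt in resets.get(current, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def linked_personas(recovery, persona, root):
    """Identities reachable from `root` (including the root's own)."""
    return {persona[a] for a in blast_radius(recovery, root) | {root}}


def crossover_roots(recovery, persona):
    """Roots whose reach spans more than one identity: taking one of these over
    links the pseudonym to the real name."""
    return {a for a in recovery if len(linked_personas(recovery, persona, a)) > 1}


def ranked(recovery):
    """Accounts sorted by how many others fall with them (single points of failure first)."""
    return sorted(recovery, key=lambda a: -len(blast_radius(recovery, a)))


# The fix: give the pseudonym its own recovery chain (constructed second number).
RECOVERY_SEPARATED = {
    **RECOVERY,
    "gmail:marina.fashion": ["phone:+1-555-0199"],
    "phone:+1-555-0199": [],
}
PERSONA_SEPARATED = {**PERSONA, "phone:+1-555-0199": "pseudonym"}

if __name__ == "__main__":
    for a in ranked(RECOVERY):
        print(f"{len(blast_radius(RECOVERY, a)):2d} accounts fall with {a}")
    print("linking roots before:", crossover_roots(RECOVERY, PERSONA))
    print("linking roots after: ", crossover_roots(RECOVERY_SEPARATED, PERSONA_SEPARATED))
```

Run it and the phone number and the real-name Gmail come out on top: either one is enough to reset the pseudonymous accounts and the work login alike. Once the pseudonym gets its own recovery root, no single account reaches both identities.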

Slide 8

example personas Lara is a community worker and activist who works with at-risk youth, who may be undocumented, drug users, or in abusive family situations. She is worried about receiving compromising information from them. What risks does Marina face?

Slide 9

example personas … (some things that didn’t make it in here: organizing demos, criminalization of HIV transmission)

Slide 10

risks: jean-pierre
✴ browser history
✴ fb privacy settings
✴ brother & friends breaking into fb or email
✴ physical phone security
✴ fear of being outed
✴ fake grindr profiles (brother & friends, gangs, even cops in places where being gay is illegal)
✴ being pranked
✴ brother & friends (or parents) check network traffic
✴ discovery of forums/porn access

Slide 11

risks: alex
✴ phone number to legal name lookup
✴ malicious disclosure to school
✴ grants revoked because of additional income
✴ separating banking info
✴ risks of using the same device for multiple personas
✴ crossing borders
✴ location-tracking (GPS, etc)

Slide 12

risks: marina
✴ bank account info linked to google account
✴ threat of transphobia generally
✴ shitty dynamics at work
✴ is she using a pseudonym? risk of linking pseudonym to real life
✴ trolls finding where she works
✴ getting doxxed (address published online)
✴ accounts getting hacked
✴ physical risk after being doxxed
✴ doxxing leading to toxic work situations
✴ targeted ads if using work computer
✴ culture of putting all your info into the world, and not being able to revoke it later
✴ real name policies (e.g. FB)
✴ how social media companies deal with harassment

Slide 13

A dive into the technology…

Slide 14

what happens when you visit a webpage?

Slide 15

what happens when you visit a webpage? (diagram: your traffic passes through your ISP, across “… national borders, literal oceans”, to the hosting provider’s datacenter; example sites nicerecipesite.com, beautifulgayunicorns.com, subversivesite.org)

Slide 16

what happens when you use an app? (same diagram: ISP, “… national borders, literal oceans”, hosting provider datacenter; example apps grindr, tinder, facebook, twitter, pokemon go)

Slide 17

how can someone “hack” you?

Slide 18

how can someone “hack” you? interception

Slide 19

how can someone “hack” you? interception
• wifi
• creepy sysadmin
• stingrays
• request to ISP

Slide 20

how can someone “hack” you? impersonation

Slide 21

how can someone “hack” you? impersonation
• password cracking
• stealing your laptop
• social engineering/password reset

Slide 22

how can someone “hack” you? breach provider

Slide 23

how can someone “hack” you? breach provider
• impersonate sysadmin/dev

Slide 24

how can someone “hack” you? breach provider
• some other dark magic

Slide 25

how can someone “hack” you? ask the provider nicely (law enforcement)

Slide 26

what about metadata? (diagram: the path to the hosting provider datacenter, labelled with the IP addresses 74.59.127.65 and 43.250.192.3)

Slide 27

how can i protect my data?
✴ protect your account (passwords!)
✴ use a trusted provider
✴ encryption
✴ reduce your metadata

Slide 28

can i trust my provider?
✴ values/mission statement
✴ business model
✴ security capacity

Slide 29

types of encryption (diagram: two envelopes)

Slide 30

types of encryption (diagram: three envelopes)

Slide 31

types of encryption (diagram: five envelopes)

Slide 32

transport encryption (https) (diagram: envelopes in transit; the eavesdropper, marked X, sees gibberish)

Slide 33

transport encryption (https) (diagram: one envelope; the eavesdropper, marked X, sees gibberish)

Slide 34

“at rest” encryption (diagram: stored envelope; the eavesdropper, marked X, sees gibberish)

Slide 35

“at rest” encryption (diagram: stored envelope; the eavesdropper, marked X, sees gibberish, unless he can get the key)

Slide 36

“end to end” encryption (diagram: envelopes passing through the provider; the eavesdropper, marked X, sees gibberish)

Slide 37

“end to end” encryption … is not magic (diagram: two envelopes)
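To make the three envelope pictures concrete, here is an added example (written for this page, not code from the workshop) that models who can read a message under transport (https), “at rest” and “end to end” encryption. It uses a deliberately simple HMAC-based toy cipher so that the only thing that matters is which party holds which key; the message, the party names (ISP, provider, thief, friend) and the mode names are all constructed for the demo.

```python
"""Who can read a message under transport, at-rest and end-to-end encryption?

Added example for this page, not code from the workshop.  The cipher is a
deliberately simple HMAC-SHA256 keystream XOR (no authentication); it is here
only to make "who holds which key" concrete, not for real use.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 12
MESSAGE = b"meet me at the cafe at 8"   # constructed sample message


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


def can_read(observed: bytes, keys: list, message: bytes) -> bool:
    """True if `observed` is the message in the clear, or one of `keys` opens it
    (trying up to two layers, e.g. end-to-end wrapped inside transport)."""
    candidates = [observed]
    for _ in range(2):
        candidates += [decrypt(k, c) for k in keys for c in list(candidates)]
    return message in candidates


def simulate(mode: str) -> dict:
    """Parties: 'isp' (sees the wire), 'provider' (runs the server and its disk),
    'thief' (walked off with the provider's disk), 'friend' (the recipient).

    mode: 'https'                -> transport encryption only
          'https+rest'           -> plus disk encryption at the provider
          'https+rest+stolenkey' -> same, but the thief also got the disk key
          'e2e'                  -> end-to-end encryption carried over https
    """
    transport_key = secrets.token_bytes(32)  # shared by you and the provider (a TLS session)
    storage_key = secrets.token_bytes(32)    # held by the provider only (disk encryption)
    e2e_key = secrets.token_bytes(32)        # shared by you and your friend only

    inner = encrypt(e2e_key, MESSAGE) if mode == "e2e" else MESSAGE
    on_wire = encrypt(transport_key, inner)          # what the ISP (or creepy wifi) sees
    at_provider = decrypt(transport_key, on_wire)    # the provider removes the transport layer
    on_disk = encrypt(storage_key, at_provider) if mode.startswith("https+rest") else at_provider
    delivered = at_provider                          # forwarded to the friend over its own https hop

    keys = {
        "isp": [],
        "provider": [transport_key, storage_key],
        "thief": [storage_key] if mode == "https+rest+stolenkey" else [],
        "friend": [e2e_key],
    }
    observed = {"isp": on_wire, "provider": on_disk, "thief": on_disk, "friend": delivered}
    return {party: can_read(observed[party], keys[party], MESSAGE) for party in keys}


if __name__ == "__main__":
    for mode in ("https", "https+rest", "https+rest+stolenkey", "e2e"):
        print(f"{mode:22s}", simulate(mode))
```

The output lines up with the slides: with https alone the ISP sees gibberish but the provider (and anyone who takes its disk) reads everything; at-rest encryption shuts the thief out until he gets the key; only end to end leaves the provider itself with gibberish, and even then the friend’s device, the endpoint, still holds the plaintext, which is the “not magic” part.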

Slide 38

tools & solutions reviewing the scenarios

Slide 39

password tips
✴ do not reuse — especially for important accounts
✴ make it long — words can be easier than symbols, especially on mobile
✴ make it random (no 1337 substitutions of your favourite book — if you think it’s a clever strategy, it probably isn’t!)
✴ try a generator: random.org, https://passphrases.peerio.com, Diceware
✴ password managers: keepassX (free), 1password ()
✴ two-factor authentication where available (e.g. google/gmail)
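An added example (not the slides’ own material, nor the Diceware or peerio generator) showing the “long, random, use a generator” advice in working form: a Diceware-style passphrase generator plus the entropy arithmetic behind “words can be easier than symbols”. The word list embedded here is a small constructed stand-in for the real Diceware list of 7776 words, and all function names are mine.

```python
"""Diceware-style passphrases and the entropy arithmetic behind "make it long".

Added example for this page; not the Diceware or peerio generator.  The word
list below is a small constructed stand-in: the real Diceware list has
7776 = 6**5 words, one per five-dice roll, giving about 12.9 bits per word.
"""
import math
import secrets

SAMPLE_WORDS = """
anchor basil cactus dahlia ember falcon garlic harbor iguana jasper kelp lemon
marble nectar oasis pepper quartz raven saddle thistle umber velvet walnut xenon
yonder zephyr acorn bison cedar dingo elk fjord gecko hazel ivory juniper koala
lotus mango nutmeg otter pine quail ruby sage tulip urchin vapor willow yak zinc
""".split()

DICEWARE_SIZE = 6 ** 5  # 7776


def passphrase(words, n_words=6, sep="-"):
    """Pick n_words uniformly with the OS CSPRNG (secrets, never random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def roll_dice(n=5):
    """Five physical-dice rolls, simulated with secrets.randbelow."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def diceware_index(rolls):
    """Map five rolls (each 1..6) to a position 0..7775 in a Diceware list."""
    if len(rolls) != 5 or any(r < 1 or r > 6 for r in rolls):
        raise ValueError("need exactly five rolls in 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def word_from_dice(words, rolls):
    """Look up a word by dice roll; only meaningful with a full 7776-word list."""
    if len(words) != DICEWARE_SIZE:
        raise ValueError("dice lookup needs a full 7776-word list")
    return words[diceware_index(rolls)]


def passphrase_entropy_bits(wordlist_size, n_words):
    return n_words * math.log2(wordlist_size)


def password_entropy_bits(alphabet_size, length):
    """Entropy of a *uniformly random* password; a 1337-ified book title has far less."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, wordlist_size):
    """How many random words it takes to reach a given entropy target."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def brute_force_years(bits, guesses_per_second):
    """Worst-case time to try every password of the given entropy."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("sample (tiny list, demo only):", passphrase(SAMPLE_WORDS))
    print("bits per word, sample list:    %.1f" % math.log2(len(SAMPLE_WORDS)))
    print("6 Diceware words:              %.1f bits" % passphrase_entropy_bits(DICEWARE_SIZE, 6))
    print("10 random printable chars:     %.1f bits" % password_entropy_bits(94, 10))
    print("words to match that:          ", words_needed(password_entropy_bits(94, 10), DICEWARE_SIZE))
```

Six words from the full list give about 77.5 bits, more than ten truly random printable characters (about 65.5 bits), and they are far easier to type on a phone. The arithmetic only holds if the words are chosen by dice or a CSPRNG; a sentence you made up yourself does not get these numbers.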

Slide 40

harm reduction: jean-pierre
✴ good passwords!!!!
✴ disk encryption (bitlocker for windows — howto, filevault for mac — howto)
✴ phone disk encryption (default on latest ios, has to be set up on android)
✴ (auto-)locking phone and computer
✴ adblocker (e.g. ublock) & privacy badger to protect against malware and unwanted ads
✴ https everywhere to prevent some traffic sniffing (domain can still be seen, and some sites don’t have HTTPS)
✴ anonymize connection to prevent traffic sniffing
✴ Tor (free, trusted, but slow for video)
✴ VPNs (you have to put your faith in it, but fast. There are many; look for those that don’t keep logs of your activity, e.g. tunnelbear, PIA)

Slide 41

harm reduction: alex
✴ use Tor for sex work (e.g. posting ads), maybe separate computer with always-on Tor connection (but not a burner phone because that is HARD and not that useful)
✴ Signal (or WhatsApp, not Telegram) for communicating with clients
✴ disk encryption
✴ phone disk encryption, locking phone when crossing borders
✴ good passwords (& change them if worried ex might have them!)
✴ review logged in devices in gmail and facebook

Slide 42

harm reduction: marina
✴ identity management:
✴ google yourself / doxx yourself — name, old usernames, other identifying data
✴ use the wayback machine to find sites you thought didn’t exist anymore
✴ if she owns a domain, make sure the registrar has whois anonymization (otherwise your address is easy to look up)
✴ adblocker to prevent unwanted ads on work computer
✴ antivirus / being careful with attachments
✴ good passwords (esp. for sensitive accounts)
✴ remove exif from photos (gps coordinates — guide)
✴ separate identities (don’t link work email to youtube)
✴ don’t use the same email as password reset backup for all your accounts! (single point of failure)
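The “remove exif from photos” bullet, as an added example rather than the guide the slide links to: a pure-Python JPEG metadata stripper that drops the APP1 segment (Exif, which is where the GPS tags live, and XMP) together with APP2 (ICC), APP13 (Photoshop/IPTC) and COM (comment) segments, while copying the image data through untouched. The sample JPEG bytes are constructed inside the block (a minimal marker skeleton, not a real photo), and the function names are mine; the marker values are the standard JPEG ones.

```python
"""Strip Exif (incl. GPS), XMP, ICC, IPTC and comment segments from a JPEG.

Added example for this page, not the guide the slide links to.  Works on the
JPEG container only: header segments before SOS are inspected, the
entropy-coded image data is copied through untouched.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP2, APP13, COM = 0xE0, 0xE1, 0xE2, 0xED, 0xFE
STANDALONE = {0x01, SOI, EOI, *range(0xD0, 0xD8)}   # TEM, SOI, EOI, RST0..7: no length field
DROP = frozenset({APP1, APP2, APP13, COM})           # Exif/XMP, ICC profile, Photoshop/IPTC, comment


def _iter_segments(jpeg: bytes):
    """Yield (marker, start, end) for each segment after SOI, stopping at SOS."""
    pos = 2
    while pos + 1 < len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while jpeg[pos + 1] == 0xFF:     # 0xFF fill bytes may precede a marker
            pos += 1
        marker = jpeg[pos + 1]
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])   # length includes its own 2 bytes
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:
            return
        pos = end


def segment_markers(jpeg: bytes) -> list:
    """Marker bytes of the header segments, in order, up to and including SOS."""
    return [marker for marker, _, _ in _iter_segments(jpeg)]


def has_exif(jpeg: bytes) -> bool:
    return any(m == APP1 and jpeg[s + 4:s + 10] == b"Exif\x00\x00"
               for m, s, _ in _iter_segments(jpeg))


def strip_metadata(jpeg: bytes, drop=DROP) -> bytes:
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _iter_segments(jpeg):
        if marker == SOS:
            out += jpeg[start:]        # SOS header plus all image data through EOI
            return bytes(out)
        if marker not in drop:
            out += jpeg[start:end]
    return bytes(out)                  # truncated file with no SOS: return what was kept


def strip_file(src: str, dst: str) -> None:
    """Write a metadata-free copy of `src` to `dst`."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(strip_metadata(data))


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG skeleton (not a real photo): JFIF header, an Exif
# segment standing in for one carrying GPS tags, a comment, then SOS + fake data.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00II*\x00\x08\x00\x00\x00" + b"\x00" * 16)
    + _segment(COM, b"shot on my phone at home")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\xff\x00\x78"      # entropy-coded data (0xFF 0x00 is a stuffed byte, not a marker)
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", [hex(m) for m in segment_markers(SAMPLE_JPEG)], "exif:", has_exif(SAMPLE_JPEG))
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("after: ", [hex(m) for m in segment_markers(cleaned)], "exif:", has_exif(cleaned))
```

Two caveats worth knowing before relying on this: it only handles JPEG (PNG, HEIC and video files carry location data in other containers), and the platform you upload to may re-add or keep its own copy of the metadata, so strip before the file ever leaves the device.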

Slide 43

resources
✴ RiseUp.Net, Communications Security https://help.riseup.net/en/security
✴ Hygiene in the digital public square: https://hygiene.digitalpublicsquare.com/ (especially the Identity section!)
✴ EFF, Surveillance Self Defense https://ssd.eff.org/
✴ Tactical Tech, Security in a Box https://securityinabox.org/en
✴ Freedom of the Press Foundation, Encryption Works https://github.com/freedomofpress/encryption-works/blob/master/encryption_works.md
✴ Tactical Tech, Gender and Security https://gendersec.tacticaltech.org/wiki/index.php/Main_Page