How activists should be thinking about cybersecurity - The Verge clock menu more-arrow no yes

Filed under:

How activists should be thinking about cybersecurity

A Vergecast interview with cybersecurity expert Matt Mitchell

Image: Signal

In this week’s edition of our Vergecast interview series, Verge editor-in-chief Nilay Patel and policy editor Russell Brandom talk with cybersecurity expert and founder of CryptoHarlem Matt Mitchell.

Mitchell has worked with activists in the US to help them better understand the tools technology offers as well as the threats it can impose. On The Vergecast, he discusses not only why activists should be thinking about cybersecurity and data minimization, but how tech is at the forefront of activism today and what attacks they can face from opposition because of it.

Below is a lightly edited excerpt from that conversation.

Nilay Patel: Let’s say you have founded a group. You’re all going to protest [NYC mayor Bill] de Blasio. There's the basic stuff like: don’t send unencrypted emails, move all your stuff to Signal. Are you teaching them how to use Signal, or are you saying what I worry about, which is the massive amount of attack surface area that comes just from using the internet now and buying devices and having that stuff in your life and in your 凯发k8官方旗舰店home?

Matt Mitchell: Yeah, I actually don’t teach them about Signal and stuff like that. I come at them from a “I’m a professional, I’m an expert in this.” I teach them about the capabilities and methods of their adversaries. Like this is what’s going to stop you from moving forward. And this is also where every tool you use has a problem, and it breaks so they can be an educated consumer.

You might tell people, “Hey, use this thing, send these encrypted emails, use Signal and you’re good.” That’s for like a normal, boring person, not for activists. Activists need a different game plan. They need to learn about like, do you have a data retention policy? What data are you creating every day? What’s your exhaustive data, your data footprint, and how quickly do you remove it? Do you delete it?

So that’s a big problem because they usually amass large amounts of data. And I tell them, “Look, this is going to end not with your favorite movie, whether it’s like Hackers or whether it’s Braveheart. This ends with you in a courtroom with a lawyer next to you, and you’re talking about deciding whether that lawyer has a folder worth of evidence that you’re defending against or those cardboard boxes upon cardboard boxes upon pallets of evidence that they’re defending against.” So we’re just talking about when you have your day in court, how can we make sure that your sentence is as low as possible?

Because that’s reality. If you’re an activist today, there is a huge amount of data that is being collected about you that you do not control. And then there’s even more amounts of data that’s being collected about you that you do control. And I just try to get them to get that down to as little as possible.

NP: Give me an example of data that activists don’t control that you help them get into line or manage more efficiently.

Sure, let’s talk about the six people who decide to meet at that Starbucks about your “de Blasio meeting.”

They all had to get there. And we all have phones. Some of us have the fanciest newest iPhone like you, and other people have like some basic Boost Mobile phones. But we all have phones. Those phones are on. Those phones are connecting to cell towers so they can maintain service and the location of those phones. You cannot turn off location services [because] of how your cell phone works.

So you can say, “Oh, I put it in a Faraday bag, wrapped it in foil, put in an Airplane Mode, and I move forward to get to the Starbucks.” But then you passed all kinds of cameras, whether they’re attached to an ATM or whether they were attached to a police box that’s just surveilling that corner or that street or that block and you pass through it. These are pieces of data that you don’t control.

Of course, you don’t want to have a 凯发k8官方旗舰店home assistant in your house, like an Alexa or an Amazon or something like that. You wouldn’t want that in the space. But there’s people around you who have data, and there’s an imprint, an outline that’s missing, and that’s your movements, the pictures, the video, all that data that’s collected. That’s the data that you do not control.

You might be getting junk mail. That means that your address, your name — first and last, whether it’s your actual government or some alias — that’s easily findable. I could search a data broker’s website, or I can pay a data broker to collect and find that information on you. That’s very hard for you to control.

But then there’s the information you do control. That’s the words you say, the words you type. You control that. And where you put them and how you manage them, you can control that.

So when you go to that Starbucks, did you pay with cash or you did you pay with your credit card? Did you pay with your Starbucks app? So it’s about that more holistic viewpoint, not just the basics that we talk about when you’re reading a quick article or things like that — because activism, it’s different from living in this crazy world we all live in.

We’ve all seen The Great Hack. We all understand like “They can see my tweets” or something. This is deeper. It’s another level because you’re actually not just a regular, boring person who has to deal with hackers who just criminally want to take your credit card or just create chaos, or a normal person who has to deal with over-policing or has to deal with ridiculous rules against them because of what law enforcement is able to do or what the city’s able to do or whatever. Data brokers who make an industry out of —especially the United States where we don’t have a lot of privacy protections if you don’t live in California — your data trail and selling and monetizing that. That’s a normal person.

But now you have to deal with that plus it’s compounded with your activism. So it’s about having that deeper conversation, but also explaining that you can win this and it’s a hopeful conversation at the end of the day.

Russell Brandom: This is what’s so interesting about this side of cybersecurity. It feels like 99 percent of the time when people are talking data exhaust, retention, what’s your footprint, it’s in the context of corporate cybersecurity, maintaining the status quo. Whereas the people you’re talking with, they’re really kind of going out there into new territory. And it’s sort of “how do I protect myself once I’m on the other guy’s turf?”

Exactly. It’s completely new territory, and there aren’t a lot of professionals in this area. So the first thing is, people do have an idea what the digital risk and threats are, but they actually don’t understand what’s in the wild — like what’s an actual capability or method of law enforcement or de Blasio or anything like that.

So it’s really just guessing, which is not good. So you want what people say is “an evidence-based approach.” You want to defend against what’s probably likely out there based on past research.

So a lot of my work is reading cases. Whether the cases are about the “worst of the worst” as they say. So there might be people who are in the trade of illegal images or images of child abuse or people who are selling narcotics to folks, things like that.

It’s the same methods that are used to go after those folks or to go after maybe like a terrorist or whatever the bad person of the day is. People are more likely to speak on those methods. Because we all, no matter what your viewpoint is, [agree] this is the enemy and this is criminal behavior. This is bad.

So people tend to get a little bit too much into it, and they’ll share a lot more information than they will if you research what happened to that person with the Greenpeace placard. That case is going to be really tight. It’s going to be a lot of information about how evidence was gathered there.

But it’s the same maybe individual out there, after they’re done catching this person, they’re going to go after catching the Starbucks anti-de Blasio people. So it’s about understanding that.

And it begins with things like, when you read a privacy statement from a company, a normal “I understand, I want to control my data” person might read “How do we sell your data? Or what do we how do we collect your data?” While an activist might read that section that says, “How do we deal with legal requests and government requests for information” — which may or may not be a subpoena or a warrant, it could just be someone saying, “Hey, can we look at that user’s account?”

When I talk to activists, the first thing I tell them is “Every technology that you use has to deal with and has to work with the people who you’re worried about.” Which is mostly someone is going to try to paint you as a horrible person for trying to create positive change. And that usually could be a force that has power, [or] people who are sitting on the seats of power who do not want to be removed from the seat of power, and they enforce the status quo that you’re trying to change.

So those folks are involved in this as well. And they’re going to use these requests to find out more about you and criminalize your behavior and eventually stop what you’re doing. There’s a red carpet that technology companies roll out for these people. And you need to know about it.

So when I talk to folks, the first thing I’ll tell them is like, “Hey, you use Google and everyone uses Google.” So then I’m like, “Look, there’s a website that is Google’s red carpet law enforcement request system, and that’s lers.google.com. Go there. Look at that thing. See what that looks like. That’s when someone just says. “Hey, I want to know what Russell is searching on Tuesday night at 凯发k8官方旗舰店home.” And Twitter has the same thing. Instagram has the same thing. Facebook has it as well. Facebook’s red carpet is Facebook.com/records.

If you have a domain name — that’s like NYPD in the de Blasio case, or maybe it’s the Pakistani Intelligence, it doesn’t matter — if your domain name matches, they just put in your email. It’s on the database of known domains. You’ll get an email that’s like, “Hey, if you want to know how to make requests about a Facebook user’s profile, fill out this form. Tell us what you want, and our legal team will look at it. And depending on where you are and who you are, it depends on whether we’ll push back hard or we might just fulfill the service.”

NP: When you go to the Facebook one, all you have to do is check a box that says “I am an ized law enforcement agent or government employee investigating an emergency, and this is a request.” And then you just check it.

Yeah, but then you have to put in your email. If you’re law enforcement, your email isn’t “@gmail.” But the problem is — maybe — that it doesn’t matter whether you’re day one out of police academy or whether you’re a lieutenant or someone who is on the special caseload who is looking for certain things. So it doesn’t matter who you are. As long as you are law enforcement, you can fill this thing out. So that’s problematic.