July 15, 2020

Protest: A Security Nightmare

We are OSINT-surgency. We compile and analyze data that is public through the eyes of the adversary, for the purpose of helping insurgents analyze, reflect on, and harden their security.

During a recent protest in a small town we have observed terrible security practices that we would like to point out.

In general, we do not think that protests are a good use of comrades’ time and energy. We think that engaging in protests exhausts activists by corralling them into prescribed march routes and coaxing them into a sense of having ‘accomplished something’ while in reality they have only strengthened the state by providing data about the strategies and risk profiles of activists as well as practice responding to them. We do not feel that this increases activists’ freedom or political power. We are not necessarily opposed to spur-of-the-moment participation in actions as opportunities arise, but we think there are important factors to take into consideration:

Assessing the Terrain

Differences in the location, population, number of participants, fervor of the moment, political climate, all provide differences in opportunities for actions. Whether or not an action will benefit those involved or increase their freedom and political power depends on the situation and the context. A large and raucous protest in a large urban area such as New York City or Hong Kong provides different opportunities for action than a small protest related to a small demographic group in a small town with a largely-forward-facing activist scene and a large police force. It is crucial to be sensitive to this context when planning and engaging in actions.

The Risk of Metadata

A lot of the risks that activists open themselves up to when participating in actions are not immediately obvious. Law enforcement cares just as much about mapping the social networks of activists as it does about catching individuals directly engaged in illegal activities. This allows them to narrow their attention to a reasonable subset of potential actors when word of an upcoming event surfaces or when responding to an event. When an outsider appears on the scene, it is easy to target this individual specifically and is in fact highly valuable to do so. Capturing an outsider enables law enforcement to map their social networks with the new network. This provides invaluable data to law enforcement and strengthens their knowledge of activist social networks and actions.

The security breaches we’ve seen include but are not limited to the following:

** Getting arrested
No one plans to get arrested. However, engaging in activities that might lead to arrest is particularly problematic when the terrain involves a small scene with mostly front-facing activists in a small march that was publicly organized. Behaviors such as vandalism may make sense in the middle of a large protest full of rioters setting things on fire. It makes less sense in a small protest organized by identifiable actors. This makes it easy to target individuals engaged in illegal activity and begin mapping their social networks.

In this particular case, the arrest resulted in releasing someone’s deadname to the public which was previously unknown even to some who were close to this person. This increases the attack surface of everyone affiliated with the deadnamed person because now everyone has knowledge about the person’s identity, their past actions and risk profile, and their past social affiliations and networks. This information can and will be spread by the public and can even be spread unintentionally by friends, which can intentionally and unintentionally incriminate people.

Continuing to discuss and spread information about the deadnamed person and their history is also harmful. Information about past and future actions should always be on a strict “need-to-know” basis and should not be discussed by anyone who isn’t directly and currently involved with an action. The reason for this is that people can *unwittingly* share incriminating information such as social network metadata and current and past affiliation with the person involved.

Do not assume that using disappearing messages provides cover to spread this information. There is no good reason to disseminate information about an individual’s past identity, activities, and social affiliations, nor to speculate about whether these actions are good or bad, worthy or unworthy. Spreading this information among social networks increases the information that people might unwittingly share in the future. If it’s in your head you can share it. If it’s not in your head, you can’t.

** Posting photos of the action without obscuring people’s faces
Never post photos of people involved in actions without obscuring their identities. This puts everyone at risk in many ways, some of which aren’t immediately obvious: for example, providing further facial recognition data on an individual who was previously not connected with their current name and location, and their social affiliations which were previously unconnected with photo evidence that is now available on the internet. In this particular case, even if the person posting the uncensored photos did obscure the faces of the participants in the photos, the social media account used contains clear, unobscured photos of the ‘organizers’ and their social affiliations. This means that simply knowing the social networks of the organizers is enough to narrow down the participants’ identities, which are often forward-facing in other places on the internet.

** Debating the specifics about the event on social media
When someone on social media asks stupid questions about the organizers or participants of an event in which illegal activities occur, responding vaguely with details about the structure of the organization or details about the people involved, or refusals to ‘out your friends’ can all unwittingly reveal information about the existing social affiliations of yourself and others, such as that (1) ‘the organizers’ are people in your social network, (2) the organizers are involved in illegal activities, and (3) you are friends with people who are engaged in illegal activities. It is best not to get involved in online debates about the specifics of actions themselves and the people involved, or at least to consider the unintended implications of what you might be spreading on the internet.

** Changing your behavior when ‘engaging in radical activity’
Suggestions that people should drop out of Signal threads, delete threads, or turn off devices before ‘engaging in radical activity’ are simply bad suggestions. If it is the case that the metadata on your device, such as who you are talking with and when, or your location and your activities and habits, is being used to identify your potential involvement in sensitive actions, then a dramatic change in that activity is just as incriminating as a direct connection with the activity itself. It is better to let your metadata paint a picture that nothing about your behavior is suspicious or has changed, for example by leaving your phone on and at home.

** Choreographing the march on social media
In 2008 during a Pittsburgh G20 protest march, an individual who was similarly choreographing the march via Twitter was [[https://www.democracynow.org/2009/10/6/twitter_crackdown_nyc_activist_ar… by the police]]. Today there is simply no excuse to publicly link a social media account with several uncensored photos of several participating individuals with real-time participation in an event which resulted in allegedly illegal activities.

** Associating public space with the group who engaged in these activities on social media
Do not post to social media that a locally-known, public-facing activist space has been ‘taken over’ by the people who organized an action in which allegedly illegal acts occurred, especially not immediately after the action has concluded. When you associate the space with people who are allegedly engaged in illegal activities you put the space at risk of greater suspicion and surveillance.

** Recommendations
At a minimum, all documentation of events by those spearheading said events should cease. By doing so, you allow the adversary to connect public and obscured identities, therefore making their maps of unrest more robust. Should activists continue to adopt the strategy of protest, let public-facing figures and uninvolved bystanders spread visibility of the event. All illegal action is not recommended. The recurrence of the same people at actions combined with small numbers makes new people and illegal action stick out to your adversary. Finally, when data on a comrade is released, it is suggested that comrades do not continually rehash it. Doing so increases the attack surface of everyone involved and the probability that this information might be spread accidentally, which increases the chances an adversary will use that information for their own ends.

** Conclusion
We hope that our comrades will continue to build strong security culture as they develop their tactics and increase their capacity for building joy and freedom. We’d like to recommend some readings about security culture for activists:

https://www.sproutdistro.com/2011/10/07/new-zine-what-is-security-culture
https://neighborhoodanarchists.org/security-culture
https://ruckus.org/training-manuals/security-tips-resources
https://archive.org/details/LondonCallingACellphoneAndInternetSecurityPr…
https://mutualaiddisasterreliefsite.files.wordpress.com/2017/04/security…

OSINT-surgency

This report is free to dissect, detourn and distribute.
