
Infosec 101 for Activists

219 comments · February 4, 2025

joecool1029

Hesitant to recommend proton since they can't stay out of politics, I don't think mullvad has any similar slipups: https://theintercept.com/2025/01/28/proton-mail-andy-yen-tru...

janmo

As I pointed out they also route all of their traffic through Cloudflare. They also have been caught red-handed logging the IP of an activist despite having previously advertised that they didn't keep any logs. Now they are using misleading terms such as "privacy by default" which according to them means that by default they won't log you but that they can be "forced" to log a user if a law enforcement agency asks them to do so...

Sources: https://therecord.media/protonmail-forced-to-collect-an-acti... https://x.com/andyyen/status/1884907496705339544

LWIRVoltage

Not sure why you didn't mention that the law ruled heavily in favor of Protonmail as a result of that massive fight between Protonmail and the authorities after that happened (they had to comply while fighting back). So as a result, they now have legal law BACKING for privacy even more and cannot be compelled like that again.

When they got that court order that wanted them to retain logs, they challenged it immediately, and the ruling came down, and they won.

They can no longer be compelled to cooperate in cases of crimes in other countries that match crimes in Swiss laws, as happened here, and this happened because they fought back. It just took time for the ruling to come down.

https://www.msn.com/en-us/money/other/protonmail-wins-privac...

https://protonmail.com/blog/court-strengthens-email-privacy/

So they are in a good position on that aspect -most countries aren't as solid legally.

logifail

> by default they won't log you but that they can be "forced" to log a user if a law enforcement agency asks them to do so

Not wishing to be negative, but how (or more specifically for how long) can any provider refuse to cooperate with law enforcement/the legal system?

Terretta

> how (or more specifically for how long) can any provider refuse to cooperate with law enforcement/the legal system

That's a good question.

https://en.wikipedia.org/wiki/Apple–FBI_encryption_dispute

As a result of this, Apple released a series of tools such as iCloud Advanced Security where they don't even have the keys (but this causes user support issues; users can now "lose everything" with no recourse, which is why this isn't on by default; most users' "threat model" is more risk from deleting themselves accidentally than of nation state disclosure), along with the new feature that a phone not being actively used turns itself off, and a few more things.

// See also: https://www.wired.com/story/the-time-tim-cook-stood-his-grou... or https://archive.is/fvAqN

janmo

The ones that don't end up shut down, in legal trouble or in jail.

See Lavabit, Tor Mail, Telegram, EncroChat, Sky ECC and others.

mvieira38

Yup. Unless you're providing a truly zero-access encrypted service such as chat (e.g. Signal), there truly is no way of avoiding it while staying afloat as a private company. It seems people don't understand that email, which is Proton's bread and butter, CAN'T be fully anonymous and private in relation to the provider unless the provider severely limits functionality by only allowing PGP.

fulafel

Framing the question a bit differently could help: The aim should be to engineer the system so that you don't (and can't) have access to the information, so you minimize vulnerability to legal attacks.

A strawman mod to protonmail could be to mandate the use of a VPN

cma

Asking them to is different than a warrant, they are free to refuse without one.


akimbostrawman

Service has to follow the law more breaking news at 11....they even before this have always advocated to use a VPN or Tor if your threat model is law enforcement.

ozzyanirim

Proton is still very much worth recommending, you can ignore the noise. The article you linked was debunked in this article which provides overwhelming evidence pointing to the org being liberal: https://www.reddit.com/r/Anarchism/comments/1id5v21/does_pro...

Not that it matters though, since I assume all of us here know how encryption works.

throwfgtpwd234

Proton also suffers from a pathology similar to the LavaBit problem. Better off using some other email service that doesn't insist on keeping GPG keys on its servers and using something like Mega instead.

b8

Proton has complied with legal orders and implemented JS to target a user. Mullvad is nice.

akimbostrawman

Nice FUD. They don't need to "implement JS" to get simple connection logs.

akimbostrawman

While I agree they should be "neutral" that is a hilarious and desperate attempt of a hit-piece while ignoring the valid criticism.

I guess that is to be expected by msm, good promo for proton imo.

mastazi

More resources on this topic:

Activist or Protester? by EFF's Surveillance Self Defense https://ssd.eff.org/playlist/activist-or-protester

The Protester's Guide to Smartphone Security by Privacy Guides https://www.privacyguides.org/articles/2025/01/23/activists-...

frontalier

eff's a good source for most people on most occasions

for everything else read material from anarchists. ex: https://opsec.riotmedicine.net/downloads#mobile-phone-securi...

neilv

Step 1: Determine your threat model.

Step 2: Realize that none of these measures are adequate for that threat model, in the current environment. (For pretty much any threat model.)

Step 3: Realize that some of these measures draw attention to yourself, however.

aendruk

> Realize that some of these measures draw attention to yourself

This makes a good case for using them all the rest of the time. If you’re in a relatively safe position you can help to normalize privacy to provide cover for those who need it now, and perhaps for yourself should you need it in the future.

fsflover

Please stop with the security nihilism: https://news.ycombinator.com/item?id=27897975

See also: https://qubes-os.org (my daily driver OS).

neilv

I think people should know what they're getting into.

Articles of the formula "Want to be an activist or journalist, resisting powerful tyrants? Just install these apps, to be safe!" can be misleading.

mexicocitinluez

wut?

How is removing biometric auth going to draw attention to yourself? Also, would love to know why this isn't an adequate measure for security.

dylan604

"realize some" was the comment. you're now assuming that biometric auth is part of that "some". assuming can get you into trouble. if biometric auth does not bring attention to yourself, that does not negate the validity of the comment.

people just need to calm down with the "gotcha" comments

mexicocitinluez

> Realize that none of these measures are adequate for that threat model,

Just take the fucking L and move on. Christ.

wayathr0w

Some of the crowd here is already aware of the issues with these recommendations, so let's take things up a level.

https://www.notrace.how/ / http://i4pd4zpyhrojnyx5l3d2siauy4almteocqow4bp2lqxyocrfy6pry...

https://www.anarsec.guide/

Peacefulz

Thanks! This looks like some interesting reading.

tptacek

One of the first things you can do with any of these kinds of lists is to see if they recommend Firefox over Chrome. It's an excellent shibboleth, because Firefox codes (rhetorically) profoundly more activist- and privacy-friendly than Chrome does, but Chrome has much more sophisticated and better tested runtime protections. Firefox seems like it would be the better recommendation, but if what you care about is not being easily (==cheaply) targeted by exploits, it's not.

ziddoap

The majority of activists aren't going to be targeted by a 0-day. Most probably won't even be purposefully, directly targeted. They're more likely to have their data given/sold to the government as part of a larger batch (geo-fence, etc.). I would not recommend a Google product with that considered.

The activists that are legitimately, specifically targeted should probably be past the "101" series of infosec and not be using either without significant other considerations and protections.

tptacek

My new line when people rebut this is just to ask: did the guide we're talking about lay this out, so that people could make up their own mind about whether their organization was likely to be targeted by federal law enforcement agencies, which license zero-day vulnerabilities and delivery platforms from 4-5 different providers, or instead by commercial telemetry?

Of course, none of them do, because the premise of that question is alien to them. It requires understanding that Firefox and Chrome have different runtime security postures, and to talk about that you have to be willing to push through a fogbank of people ideologically opposed to the idea that Chrome could be, at a technical level, better.

ziddoap

Your original comment sounded like (how I read it, at least) you think Chrome should be the default recommend in this (and similar) guides. Full stop, end of story.

This comment sounds like you think guides should be more nuanced regarding the specific threat model that is trying to be mitigated.

I agree with the second one.

jrm4

This is not smart. It's entirely reasonable that Chrome may be better on top of its exploit game; but this absolutely pales in comparison to the threat of universal surveillance that Google hits us with frequently. Shouts to the heroes on the inside, but what did I just hear about an AI removal pledge?

palmotea

>> One of the first things you can do with any of these kinds of lists is to see if they recommend Firefox over Chrome. It's an excellent shibboleth, because Firefox codes (rhetorically) profoundly more activist- and privacy- friendly than Chrome does, but Chrome has much more sophisticated and better tested runtime protections. Firefox seems like it would be the better recommendation, but if what you care about is not being easily (==cheaply) targeted by exploits, it's not.

> This is not smart. It's entirely reasonable that Chrome may be better on top of its exploit game; but this absolutely pales in comparison to the threat of universal surveillance that Google hits us with frequently.

So the smart thing is to use Chromium, then?

jrm4

I still doubt it? It's a marathon, not a sprint; I still trust Firefox more.

tptacek

See, this is what I'm talking about. If you're trying to protect activists from threats, protect them from threats. Making a political statement about commercial surveillance isn't doing that. A lot of these guides are LARPs.

How about this: if you feel strongly about commercial ad surveillance vs. susceptibility to drive-by RCE exploits loaded off web pages, look to see if the "infosec for activist" guides you're reading at least offer their readership the choice of risks. Does this one? (Rhetorical, obvs.)

franga2000

Commercial surveillance enables government surveillance. If an app constantly sends my location to a corporation by default, a government-level adversary can just demand it from that corporation, no need to burn a 0-day on me.

simpaticoder

>commercial ad surveillance vs. susceptibility to drive-by RCE exploits loaded off web pages

Is Firefox more susceptible to RCE exploits?


WA

Does the same apply for Chromium or does Chrome specifically have better runtime protection than Chromium? Why not mention Chromium?

tptacek

You lose auto-update, right? The only concern I have off the top of my head.

aborsy

Given that Google has vast resources, someone with no background in security should still be able to infer that Chrome is likely to be more secure.

On this topic, I wonder if Chrome’s safe browsing notably improves the user’s security?

It sends the user's private data to Google for scanning. The trade-off has to be worth it.

tptacek

This is another part of what I mean: people on message boards read these things as message board arguments, oblivious to the fact that the whole point of these guides, if they're for real, is to communicate with people who are making absolutely none of these inferences.

Dem0ngo

The point isn't that Firefox is less exploitable; it's that it has less blatant tracking than alternatives like Chrome. If you're an activist I'd imagine that exploits are a scary thought, but the more direct threat is the tracking we (un)knowingly succumb to every day.

idlewords

If your threat model is tracking, then worry about carrying around the 24/7 tracking device more than the specific software you run on it.

fsflover

Isn't it the software which is tracking you? You can switch off the cellular connection whenever you need to not be tracked by the towers (if you trust your software, or with a hardware switch on some phones).

ReptileMan

[flagged]

myrmidon

Do you think the blanket-pardon for J6 was ethically justifiable?

To me, a blanket pardon appears very problematic because I firmly believe that the underlying action (violent protest directly aimed at government representatives) was and is still a crime (I think that a group of protestors similarly storming the capitol or white house now would --and should-- not be pardoned either).

The whole thing is even more problematic because it basically directly rewards for loyalty to a person over the country/democratic ideals.

Personally, I have no doubt that a lot of them were honest, well-meaning protestors that caused little harm-- but definitely not all of them.

Commutations done for individual cases would have been much less problematic in my view.

ReptileMan

[flagged]

cma

They've already said they're going to deport pro-Palestine protesters with student visas who attended protests in the past, and are opening up 15,000 units at Guantanamo Bay for other immigrants to avoid US mainland law, along with an offering for units in an El Salvador concentration-camp-like megaprison.

hobs

They literally got pardons for murdering people. Please check your priors.

ekianjo

The only people who died were some of the Jan 6 protestors. Check your priors.

some_furry

That they recommend a VPN and not Tor in their first table immediately makes me suspicious.

https://gist.github.com/joepie91/5a9909939e6ce7d09e29

TheCraiggers

Why? I've personally seen more news articles about Tor users getting de-anonymized than I have VPN users. Purely anecdotal, I know, but the point being Tor is obviously not foolproof, so I am curious why recommending one over the other is apparently enough for you to call the entire article into question.

andrewflnr

Probably because deanonymizing VPN users isn't news.

some_furry

> Why?

Because if I was running SIGINT at the NSA and collaborating with the FBI to arrest activists, the very first thing I would do is start up a bunch of VPN providers that bill themselves as "private" and then log everything aggressively.

The second thing I would do is have useful idiots (i.e., influencers) spread vague anecdotes about Tor users being "de-anonymized" when VPN users are never "anonymized" to begin with. I would make sure these anecdotes never clarify whether it's "Tor users accessing Hidden Services and getting popped by a Firefox exploit" or "network attack that enables traffic correlation" so everyone fills in the blanks and assumes Tor is dangerous, when it isn't, thereby pushing activists to my VPN services.

After all. There is no real enforcement mechanism if a "private" VPN lies.

https://www.theregister.com/2011/09/26/hidemyass_lulzsec_con...

flashman

That's funny because if I was running SIGINT at the NSA I would do all of the above, and also compromise Tor

NoMoreNicksLeft

>Because if I was running SIGINT at the NSA and collaborating with the FBI to arrest activists, the very first thing I would do is start up a bunch of VPN providers that bill themselves as "private" and then log everything aggressively.

Sure. But with a limited budget (of both the financial sort and the effort sort), this just isn't feasible. Who the hell wants to manage not one but twenty seemingly private industry vpn companies? Can they even reach break even status so that it's not a drain on the budget? How long for that? Worse, it entangles their revenue with that of the NSA, making the NSA more vulnerable to the sort of leaks they don't like to have, exposing them to foreign intelligence services and even journalists.

>spread vague anecdotes about Tor users being "de-anonymized" when V

Ulbricht found out the hard way. When you've got every fiber tapped around the world, it becomes trivial to deanonymize Tor users. Granted that it's nearly impossible to climb to the top of the US government's shit list like he did, but if you do manage the feat, they'll know who you are within days.

giantg2

Or you spin up a bunch of Tor nodes to de-anonymize users on that system.

roenxi

> The second thing I would do is have useful idiots (i.e., influencers) spread vague anecdotes

An unfortunate factor at play in these matters (and that I note in the article) is that the intelligence services are known to run the occasional shell company [0]. It seems likely that some privacy-oriented providers are actually intelligence fronts - because if you were running an intelligence collection agency an obvious thing to try would be a privacy-focused email company or something.

If it isn't built on a trustless model it isn't trustworthy.

[0] https://en.wikipedia.org/wiki/Crypto_AG

cherryteastain

I personally don't believe basic measures like turning off location services as suggested by the article will make a difference against a sophisticated adversary like a state actor. We know that modern phones are full of proprietary firmware with Swiss-cheese-tier security which allows for 0-day remote code execution exploits [1]. The operating systems, although better, have also been targeted by RCE exploits [2].

Not to mention even turning a phone off does not guarantee it goes silent. Apple's Find My network works even for turned off devices. Now of course you can turn that feature off, but once the capability to track a turned off device is there, we have to assume that a nation state actor has exploits/backdoors that allow agencies to bypass basic software switches.

You have to assume everything you do on a mobile phone will end up in law enforcement/intelligence agency databases if you're put on a watch list.

[1] https://googleprojectzero.blogspot.com/2023/03/multiple-inte...

[2] https://en.m.wikipedia.org/wiki/Pegasus_(spyware)

ReptileMan

>I personally don't believe basic measures like turning off location services as suggested by the article will make a difference against a sophisticated adversary like a state actor.

The majority of activists are not worth the effort or expense. And for the ones that are worth it, those guides make no difference since they don't harden as much. If you want real security, then the least you must do is have two devices, one used for hotspot only.

mexicocitinluez

> sophisticated adversary

are these sophisticated adversaries in the room with us right now?

Most people are completely missing the point in this thread.

The idea that you'll be arrested by some super secret state actors and not Jim Bob the police dude is absurd.

_joel

Agreed, when they can own the baseband, you're kinda screwed.

edit: my knowledge is clearly out of date.

jorvi

Since the mid-2010s Apple has put every baseband / WiFi / Bluetooth radio either on USB or PCIe with an IOMMU that restricts access to only the pages required for networking and packet management.

I can't speak to when Android started doing this, but I know the common chipsets (Qualcomm, Exynos, Mediatek) also do this.

newscracker

This page says it was last updated a few weeks ago, but the recommendation against iCloud backups seems to have glaring errors and omissions.

> Keys to unlock the phone’s full-disk encryption are also stored in the iCloud backup. This arrangement allows law enforcement to request the backup data from Apple and use the key to unlock the entire phone. It also offers a convenience, where if the user forgets their unlock code, Apple can still recover the device.

This is not true. Even if it were, the advice to activists should in all cases be to enable Advanced Data Protection so that almost everything (except iCloud mail, contacts and calendar) is end-to-end encrypted (including iCloud phone backups). Apple cannot access the data or help in any kind of recovery when Advanced Data Protection is enabled. It is up to the user to set up recovery contacts and a recovery key (and keep this safe).

greenie_beans

great! here are the github issues for the repo so you can make that change: https://github.com/InfosecForActivistsTeam/infosec-activists...

jmbwell

Is it correct that iCloud backups can lead to officials being able to unlock your physical device? That’s not consistent with my understanding of Apple’s circle of trust implementation.

I get that the backups can potentially be compromised, and of course having the backup means having most of what would be on the phone, but I would love to know more about how having a copy of a backup can compromise the physical device via iCloud.

tillulen

How much does a Firefox 0-day cost these days on the grey market compared to a Chrome 0-day with sandbox escape?

mr_mitm

Not sure how reliable this information is [1], but apparently, 200k vs 500k. Another [2] organization states 350k vs 1.5M (including LPE).

[1] https://opzero.ru/en/prices/

[2] https://www.crowdfense.com/exploit-acquisition-program/

Arech

Disproportionately more if you divide it by the user base to get the cost of targeting 1 user when you want them all (and most evildoers want exactly that).

tptacek

No, that's not at all how the market for high-end zero-day vulnerabilities works. It's interesting to see people just make random stuff up from first principles. Actual market participants have talked through this stuff; you can just find out empirically.

tptacek

Drastically less.

FollowingTheDao

Rule 0: DO NOT BRING YOUR PHONE TO PROTESTS.

I cannot stress this enough. We survived protests without them in the past. There will be plenty of professionals filming anything going on.

Coordination needs to be zero tech.

sjducb

This is the right answer. Bring a map and an action camera, maybe a burner dumbphone.

rpgwaiter

Good article, although it stresses the need to have trusted friends to protest with but doesn't explain how to find, make, and keep these friends. To be fair, I've been trying to figure that part out for like 10 years, but it would be cool to have advice in that area as well.

Keep up the good fight!

samothrace

I think the recommendation is to go to events relevant to your interests, actively contribute, and speak to people.