The Activist’s Guide to Counter-Surveillance

This guide provides a layered defense strategy for activists to protect their privacy, security, and ability to organize against government and municipal surveillance. These are not theoretical concepts; they are practical, actionable steps to create a safer environment for dissent.

---

Layer 1: Individual Digital Defense (The Foundation)

Your personal security is the bedrock of your group’s security. If one person’s digital life is compromised, it can expose the entire network. Treat these steps as mandatory.

Secure Baseline: Your Digital Armor

1. Full-Disk Encryption (FDE): This makes the data on your computer unreadable without your password. If your device is seized, your data remains safe. Modern operating systems (Windows, macOS, Linux) and smartphones have this built-in. Action: Ensure FDE is enabled on all your devices (laptops and phones). It is usually on by default, but verify it in your security settings.

2. Strong Passcodes, Not Biometrics: Your fingerprint or face can be legally compelled by law enforcement in many jurisdictions. A strong passcode cannot.
   • Action: Use a long, unique passcode (at least 12 characters with numbers, symbols, and mixed case) for your phone and computer. Disable fingerprint and face unlock, especially when heading to a protest.
3. Regular Software Updates: Updates aren’t just for new features; they contain critical patches for security vulnerabilities that governments and hackers exploit.
   • Action: Enable automatic updates on all your devices and applications. Don’t delay them.

Communication Security: Speak Freely

1. Signal for All Sensitive Communication: Signal uses end-to-end encryption, meaning only you and the recipient can read your messages. Your telecom provider, the government, and even Signal itself cannot access your content.
   • Action: Mandate Signal for all group chats and sensitive one-on-one conversations. Set messages to disappear by default (e.g., after one week) to minimize your data trail.
2. Verify Safety Numbers: This step ensures you are talking to the right person and not an impostor or a man-in-the-middle attack.
   • How-To: In a Signal chat, tap the person’s name at the top, then “View Safety Number.” Compare this number with your contact in person or through another secure channel (like a video call on Signal). If they match, mark it as verified.

Anonymity: When You Need to Disappear

1. Tor Browser for Research: When researching sensitive topics, Tor hides your IP address, preventing websites and network observers from knowing who you are and where you are connecting from.
   • When to Use: Use Tor for researching opposition groups, accessing blocked websites, or any online activity you don’t want tied to your real identity.
   • Action: Download and use Tor Browser from the official website: torproject.org.
2. Tails OS for High-Stakes Activities: Tails is a complete operating system that runs from a USB stick. It forces all your internet traffic through Tor and leaves no trace on the computer you use it on.
   • When to Use: Use Tails for high-risk tasks like leaking documents to a journalist or communicating as a whistleblower.
   • Action: This is an advanced tool. If your work involves high personal risk, research and learn how to use Tails OS properly.

Mobile Security: Hardening Your Most Vulnerable Device

Your smartphone is a tracking device. For serious activism, you must take serious measures.

• GrapheneOS or CalyxOS: These are privacy-hardened versions of Android that give you granular control over your device, limit tracking, and protect you from sophisticated mobile surveillance.
  • Action: If you are a key organizer or face significant risk, acquiring a Google Pixel phone and installing GrapheneOS or CalyxOS is one of the most powerful defensive steps you can take. This is a primary defense against mobile exploits and location tracking.

---

Layer 2: Group Operational Security (OPSEC)

OPSEC is the practice of protecting your group’s plans and activities. It’s a mindset, not just a tool.

The Need-to-Know Principle

Limit the spread of information. The fewer people who know a detail, the smaller the risk of it being leaked, whether accidentally or through an informant.

• Action: Before sharing any piece of information (who, what, when, where, why), ask yourself: “Does this person absolutely need to know this for the action to succeed?” If the answer is no, don’t share it.

Secure Planning Protocol

How you plan is as important as what you plan. Insecure planning is a gift to your opposition.

• Forbidden Platforms: NEVER plan actions on Facebook (public or private groups), Instagram, Twitter DMs, SMS/text messages, or standard email. These platforms are routinely monitored.
• Secure Methods:
  1. In-Person: The most secure method, provided you can ensure the location is private and attendees have left their phones behind.
  2. Encrypted Group Chats: Use Signal for all digital planning.
  3. Anonymous Documents: Use tools like CryptPad or Etherpad (hosted on a trusted server) for collaborative planning documents instead of Google Docs.

Data Minimization

Don’t create data that can be used against you. If it doesn’t exist, it can’t be stolen, leaked, or subpoenaed.

• Action:
  • No Member Lists: Do not create or store centralized lists of members or supporters.
  • No Meeting Minutes with Names: If you must take notes, focus on action items, not who said what.
  • Purge Data: Regularly delete old chat histories and documents that are no longer needed.

---

Layer 3: Direct Technical Countermeasures

These are active measures to defeat specific surveillance technologies you may encounter.

Countering Stingrays (IMSI-Catchers)

Stingrays are fake cell phone towers used by police to track the phones of everyone in a given area. They are a dragnet surveillance tool.

• Best Defense: The most effective defense is to deny it your signal.
  • Action: When near a protest or sensitive location, turn your phone completely off. If you must have it on for communication, use Airplane Mode whenever you are not actively using it. Wi-Fi and Bluetooth should also be turned off.
• Advanced Defense: GrapheneOS provides enhanced network security controls, including the ability to disable 2G connectivity, which can help mitigate some Stingray attacks.

Countering Facial Recognition

Facial recognition is used to identify protesters from photos and videos, often long after an event.

• Break the Algorithm: Your goal is to obscure the key features algorithms use for identification (eyes, nose, mouth, jawline).
  • Action: Wear effective face coverings. A combination of a well-fitting mask, sunglasses, and a hat/hood is highly effective. Certain makeup patterns (like CV Dazzle) can also work but are less subtle.
• Protect Others: Do not post identifiable photos or videos of other protesters online without their explicit, enthusiastic consent. Blurring faces before posting is a good practice.

Countering Data Brokers & Social Media Scraping

Police purchase data from brokers who scrape your information from social media and other public sources to build a profile on you.

• Action:
  1. Lock Down Profiles: Set all your social media profiles (Facebook, Instagram, Twitter, etc.) to private.
  2. Use Pseudonyms: Where possible, do not use your real name on public-facing accounts.
  3. Review and Prune: Regularly go through your old posts, photos, and friend/follower lists. Remove anything that reveals sensitive personal information or connections. Remove people you don’t know or trust.

---

Layer 4: Legal & Strategic Defense

Technology alone is not enough. Use the law and public pressure as powerful shields and swords.

Using the Law as a Shield

Proactively use existing laws to protect your rights and create costs for surveillance.

• Example - Illinois BIPA (Biometric Information Privacy Act): This law requires consent before a private company can collect your biometric data (like a face scan).
  • Action: Publicly and explicitly refuse to consent to biometric collection at events or in spaces where it’s used. Support and publicize lawsuits against companies that violate these laws. This builds a legal and financial deterrent.

Freedom of Information Act (FOIA)

FOIA is a law that gives you the right to access information from the federal government. Most states have similar public records laws for state and local agencies.

• What It’s For: You can use it to uncover what surveillance technology your local police department has purchased, how they are using it, and what policies they have (or don’t have).
• Action: Learn the basics of filing a public records request in your state. Organizations like the ACLU and MuckRock have templates and guides. Submitting requests can expose surveillance programs to public scrutiny.

Public Advocacy: The Ultimate Counter-Surveillance

Surveillance thrives in secrecy. The most powerful countermeasure is to drag it into the light.

• Action:
  • Community Awareness: Organize community meetings to educate your neighbors about local surveillance.
  • Legislative Advocacy: Campaign for local ordinances that ban or restrict the use of technologies like facial recognition.
  • Build Coalitions: Work with other groups (immigrant rights, racial justice, housing advocates) to build a broad coalition against mass surveillance. When surveillance becomes politically costly, its expansion is slowed.