12 August, 2020

The OPSEC of Protesting

Author: Ochaun Marshall

For the past three months, thousands of people have been protesting in the United States due to the deaths of George Floyd, Breonna Taylor, Tony McDade, and others. Many of the protesters are posting, recording, and streaming live while demonstrating. This begs the question…

How do I protect myself online while protesting? 

Most of the answers to this are the same as for maintaining overall security hygiene. In this post I’ll go over some of the most important considerations for someone who is attending a protest. Most of these steps require at least a couple of hours of preparation beforehand. Three of these are general security hygiene and three of these focus on encryption. Then, we’ll focus on tying it all together with additional considerations for the privacy concerns of an individual and the people around them. I’ll add here that most of the public demonstrations that have been going on are peaceful events in which no arrests are made.

OPSEC is the process of identifying what information can be gathered by the opposition and what measures can be taken to reduce risk of exposure. 

1. Update your OS and Apps

Application and operating system patches are the basics of good security hygiene. Companies routinely release updates to desktop and mobile apps for security reasons. Most of the other precautions here are useless if you’re running older versions of applications with remote code execution (RCE) flaws. We’ve covered how to handle application and system patches for systems in active development, but most people just need to patch when the opportunity presents itself.

2. Use a Password Manager 

Complex passwords create an excellent line of defense for online accounts; weak passwords are an open doorway into your digital life. We’ve covered how to manage passwords before, but some of those tips are worth repeating here. One of the best ways to secure your accounts is to set up a password manager protected by a long, complex passphrase. There are dozens of articles about which password manager is the best. The best password manager is the one that you actually use. As long as you have a secure system where you store passwords and can rotate them easily when individual ones are compromised, you’re golden.

3. Use MFA on All Accounts

Multi-factor authentication (MFA) is another powerful line of defense against account compromise. A Time-based One-Time Password (TOTP) generated through an app or a hardware token is recommended, since there are known attacks against SMS authentication. There are a number of multi-factor authentication apps for Android and iOS: Authy, Google Authenticator, LastPass Authenticator, Microsoft Authenticator, and Duo Mobile. As with password managers, the best security control here is the one that is available and that you will use. If SMS authentication is all you have, then work with it until something better comes along.

4. Use encrypted communication apps

Cell phone communications weren’t designed to be confidential from the beginning. SMS text messages are not encrypted, which means cell phone providers, governments and criminals can view the contents of your text messages. If attackers are willing to set up a fake cellphone tower, they will be able to intercept voice communications as well. This attack has been a well-known part of the DEF CON experience for years.

This article was written from the perspective of someone living in the United States. Protesting is not just a right here, it is a responsibility. Public demonstration is the necessary catalyst of change. This nation was born through protest and protest has been a defining feature of many of its turning points. However, this is not the same situation in other parts of the world.

In Hong Kong, for example, you may have the government actively try to monitor, arrest and silence you. When you have nation-state actors as opposition, the game changes and it brings a new meaning. Encryption is one of the most powerful enemies of the surveillance state. It grants people the powerful ability to have private conversations. That is why we recommend that you use messaging apps that encrypt data in transit, like Wire, Signal or Telegram.

5. Encrypt data at rest (BitLocker or 3rd party)

While you’re protesting, there is a possibility that you may be arrested or have your devices seized by authorities. This is why it is important to make sure that your data is protected at rest as well. Data at rest is your data when it is not being used or sent to someone else, such as when your phone is powered down. On desktops you have the ability to use tools like BitLocker. However, if you are protesting, chances are your communication is done entirely through your phone. To enable encryption, turn on the appropriate settings for iPhone and Android. For developers and advanced users, you can use the configuration options for metadata, file and full-disk encryption.

6. Consider using a VPN

A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. VPNs provide users with a secure tunnel to protect their network traffic from interception or interference. There are over a dozen VPN services to choose from if you’re just looking for something to use right away. If you’re extremely paranoid and want to set up your own VPN connection, you can do so through one of the many tunneling protocols available.

7. Consider your tolerance for risks

OPSEC is complicated since there are many techniques, tools and strategies. Some of them fall into these general categories, and some of them are entirely different. For example, some people recommend using the Tor Browser only to further anonymize web traffic or installing a privacy-based operating system like Tails. What you do depends on your goals and your tolerance for risks.

Photos and videos from the event posted online are the easiest way to identify protesters. They have been used to identify protesters in Charlottesville and Black Lives Matter protesters in NY and around the country. Phone-generated data has been used to analyze the demographic makeup of the protests in various cities. This begs the question…

 Do you want to be permanently associated with this event? 

For many people the answer is a simple yes. Government officials, celebrities, law enforcement, and activists support a cause when they associate their identities with it publicly. For others the answer is no. They are willing to dedicate their time, effort and finances to a cause, but are unable to lend their identities to it for fear of retribution. This is a choice that every individual must make on their own.

Every strategy laid out in this article must be examined in that light. So for some that means some of the steps above. For others it may mean following the steps above and using other strategies to protect identity, like face coverings, burner phones, use of social media, and turning off the GPS on your smartphone. It is important that you not only make that choice for yourself, but allow others to make that decision as well. If you are posting photos that are intended to be publicly available, you should use apps that blur other people’s faces.

Technology both facilitates and complicates the human condition in many ways, especially in the tradition of protesting. We’ve gone over seven different strategies to use to improve the OPSEC of demonstrating and we have developed a thought process of determining which actions to take through one question: Do you want to be permanently associated with this event?
