 Hi everyone. My name is Victoria Wilk. I'm the Program Director for Digital Safety and Free Expression at Farron America. We are a non-profit that celebrates and defends the written word here in the US and internationally. And I'm joined today by Harlow. I'm going to let Harlow jump in and introduce herself. Hey everyone. I'm Harlow Holmes. I'm the Director of Digital Security at Freedom of the Press Foundation. So welcome to this social distancing social from Future Tense. I love that name. A partnership of Slate, New America and Arizona State University. A huge thanks from Harlow and I to all of our partners for hosting us and to all of you for taking the time after I'm sure what was a long day to join us. We are going to be leading today a hands-on cyber self-defense workshop. So you're going to want to have your phones available on hand. And in our work on digital safety, Harlow and I generally work with writers, journalists and newsrooms. And as the protests against systemic racism and police brutality have swept the nation, we have seen journalists arrested, assaulted, shot with rubber bullets and tear gas and had their equipment confiscated and damaged. But of course it is not just journalists who are currently at risk. Most of us have seen the videos of protesters, many of them peaceful, also being arrested and attacked. And the aggressiveness of the response to the protests has really surfaced some very real digital safety concerns around surveillance and privacy that we feel it is absolutely critical for you folks to know about. And so in recognition of the period we're living through, Harlow and I decided at the last minute to pivot the session a little bit and to really focus on digital safety in the context of protests. However, whether or not you are engaging in the protests in any way or can do so, you know, people have health concerns, they have other reasons why they can't, we're confident that much of this information is still going to be useful to you and still things that you're going to want to know about. So what a lot of us don't realize is just how much our cell phones are telling on us to everyone all the time. In this moment when folks are out protesting, that's not only a privacy problem, it's actually also a security and safety problem. So our plan for today, our agenda, if you will, is first of all to help you figure out if you're going to go to a protest, should you bring your phone? And if you bring it, what are the risks that your phone might actually be posing, what are the pitfalls that you should be aware of? That could include your phone being stolen, lost or confiscated, potentially by law enforcement, it could include your phone sending out signals in real time, identifying you and where you are. And we also want to encourage you to be mindful about post-protest surveillance which a lot of folks are not aware of and we'll walk you through what that looks like and how to be more mindful of it. And if we have time, which I hope we will, we'll talk a little bit about tightening your security and privacy settings on your social media accounts on Twitter and Facebook. If we run out of time, we'll do a separate session on that and some other point in the future. But I do have a couple of caveats. The first one is that none of this is foolproof or airtight. We don't have any magic solutions to some of these issues. Our phones and our apps are basically built to track and surveil us in real time and the government has all kinds of surveillance technology that we don't even know about. So this guidance is really meant to make you aware of risks and vulnerabilities and to help you shore those vulnerabilities up as much as you can. The second caveat is that not everybody has the same concerns and therefore not all the guidance that we're going to offer will apply to you or even make sense or be relevant to you. You know whether how you treat your security in protests or anywhere outside depends on whether let's say you're a journalist or an activist or an organizer or let's say you are a protester who feels very passionately about the issue but you're undocumented and you're deeply concerned about your identity being exposed or your status being discovered. So depending on which of those categories you fall into right you might have totally different ideas about how you take the information that we're going to share today and apply it in your own life and that is one of the reasons why folks who work on security whether it's physical security or digital security talk about threat modeling and I'm going to let Harlow explain a little bit what threat modeling is and why it's relevant. So threat modeling is a it's an information security term but ultimately what it means is compartmentalizing your decision making around three to five basic questions but we'll simplify it here. First off what is it that you're actually out there to protect by having a concise answer to that question. You can actually like you know prevent yourself from taking like way too many precautions that don't actually make sense or you know applying too few precautions which is actually even worse. And another question that you would ask is like who am I protecting these things from. Is this going to be you know a person that I meet on the street at this protest. Is this going to be you know a three letter agency that I might meet. Is this going to be like cops that you know might only briefly enter into my life. So having a concise kind of answer to that question helps a lot. And then ultimately it all boils down to what resources do do either have in this equation. What resources does this perceived adversary have and what resources do I have in order to mitigate these particular threats. And so this is a hard question to answer. It's usually like you know a combination of time money and you can't do anything about your time and money. We can definitely work on boosting your skill in order to address these things. Thank you. So we're going to start with the critical question of do you bring your phone if you're going out to a protest or if you're going anywhere where there is a security concern a safety concern a privacy concern. And I'm going to ask Harlow to talk us through the kinds of signals that our phones are sending out literally every second in real time without us even knowing about them in many cases which it's actually critical we know about. Sure sure. So when we're thinking when we're bringing up threat modeling just before we actually want to kind of think about yourselves once again in like three different categories. As Victoria says some will apply to you. You'll might identify with those some you might not. But this a person who might bring their phone is a person who is you know like a public journalist someone who is out there ultimately to witness to broadcast whose identity is is known because it's also tied to your your professional work and it's tied to this event. So that said there's also people who might want to prepare or sorry might want to bring a separate phone one that does not that is not automatically tied to so much of like you know their digital life and then there might be people for reasons that Victoria outlined might not bring their phone at all or any phone at all. So the reason why phones are such like a nexus point for this particular question has to do with the fact that phones broadcast a lot of information all the time. Just for for background a phone has a couple of radios on them they have upwards of three separate radios on them one being the radio that lets the phone behave like it's a phone meaning that's the radio that allows you to send and receive text messages make and receive phone calls that interact with cell phone towers. But then there's other radios there are your Wi-Fi radios right which is what you use to connect to the internet via Wi-Fi and otherwise known as access points and then there's also Bluetooth which is for very very close you know kind of near field communication that is like more proximity based and so Bluetooth is what is the radio that allows you to communicate with your earbuds or with even with your smart watch or even like you know kiosks that you might see on the street as you walk through. Right which is all to say that if what that means in practice though is that your phone could be locating you in a particular place at a particular time in real time to law enforcement or to other agencies and connecting it to your name right or to your identity. So that's something that a lot of us don't know but you need to be aware of and so the question is okay do you leave your smartphone at home for some people that is not actually not hard to do right depends on what you're out of trying to achieve but if you need your smartphone to communicate with people to organize etc you need a phone for text messaging for whatever you could bring something that is like a dummy or a burner phone that is basically clean and it just has some of the very basic stuff you need on it to communicate or if you're going to bring your smartphone you have to do some prep work to it and we're going to walk you through that in detail right things that you need to know about how to protect your smartphone if you're going to bring it but again a burner or a dummy phone could work for some people and I'll just have Harlow explain what exactly a burner phone is I think Harlow might be frozen so oh there she's back yep sorry says my my connection to the internet is unstable great during a webinar what could go wrong um well in this scenario we might just have to turn off your camera and that way you can at least so talk me through a burner phone what's a burner phone okay um so a burner phone um is uh well a lot of people when they hear the term burner phone they think of you know something that they saw in the wire or something like that but ultimately what it is is it's not it's a a phone that has been prepared um in a certain way in order to get help you get your work done so you want to be able to you know like record take photographs report file etc but you don't necessarily want it to be connected to your entire life's let's say gmail history or um text correspondence with your friends and family you know like personal photos things like that um so uh another upside to it is that in the event that your burner phone is either seized or um possibly damaged and destroyed uh the harm that's done to you is uh entirely minimized so not everyone can afford a burner phone now that everyone wants to deal with their burner phones and people are very attached to their smartphones if you're going to bring your smartphone we're going to walk you through some things you need to keep in mind so how to protect yourself from your own smartphone this is a checklist um we are going to walk through each of these things in detail i only put it up in case anybody is feeling really industrious and they want to take a screenshot because they want to remember some of things they need to think about before they leave their house if they're going to go participate in a protest or or in any place where they're kind of concerned about being located or their identity um so we're going to walk you through those things some of these you could potentially do now some of them you won't need to do now you will need to do before you you know in the right context and some of them i don't recommend you rush because if you mess them up you might create a headache for yourself so we'll kind of talk through it as we go along so step one this might seem obvious but i'm going to say it back up your phone right if you're in a situation where your phone is broken or destroyed or confiscated uh you want to have the core stuff that you need on your phone at your disposal and so in each of these slides we're going to show you on an iphone what the pathway is so that at least you can find it so you know where it is next time and we tried to do that for androids but as all of you know androids very wildly so if it's not exactly where we say it is in your androids probably because your android has slightly different settings than the android we checked out so just you might have to fish around a little bit or just google it but um back up your phone but the question is do you do it locally like on a computer or something in your house or do you do it in the cloud and i'm let harlow kind of address what are the pros and cons of those two options sure so um like most of us we um automatically do when we set up our phone um associated to our iCloud or to google drive and that can be fine because there are certain situations where you definitely want to make sure that when you get a new phone um you automatically have your contacts ready to go or you automatically have those photos of yours that are so precious to you in the cloud someplace safe um however uh let's just um be mindful of the fact that there are certain properties in both iCloud and in google drive that are um ultimately subpoenable um things like photos things like contacts are not end to end encrypted when they're in the cloud and so that does and even things like iMessages um so that does mean to a certain extent there are certain properties certain assets of yours that can be available via subpoena um and so in which case you might want to um do uh introduce local backups which can be performed on um as victoria says on your computer locally um you know put onto a like a hard drive for things that are a little bit more precious to you if that is of concern personally i like to do a combination of both and i should say we are mostly going to address questions at the end i'm paying attention to the questions i'm actually happy to address all the questions that i'm seeing but i'm going to save some of them for the end and if there's one that's directly about the thing that we're talking about i'll jump in in the middle but i want you to know that if i'm not answering them now i see them and we'll get to them next step is to make sure that your phone is encrypted uh and i'm going to have um harlow jump in and explain what encryption means and what it is in terms of the data on your phone and then we can talk you through on different devices how that could work um so what encryption means and by which we mean full disk encryption uh this means that when your phone is powered off uh its entire contents are essentially scrambled and this is great because when you're if someone else has access to your phone they cannot easily um you know open it up and see what the contents are nor can they do things like modify the contents i.e putting software on it behind your back that you don't know about and so uh this is actually kind of essential uh it's not only for protests that you want to encrypt your phone it's just something that you do if uh you know you would love to have turned on if you lost your phone in a cab or if you have kids in your house who you know are mischievous or anything like that so um the first step to protecting a phone is to make sure that full disk encryption is enabled and the cool thing is is that uh iphone's actually for a very long time have come out of the box uh come encrypted out of the box so you don't even have to worry about it for android most newer androids are also encrypted out of the box but it always makes sure to check depending on your model and so uh this slide displays exactly how you can do that once again your mileage may vary per phone that you have thank you harpa all right so folks took a look at where on android in particular they can double check that their phone is encrypted now here we're going to get into some of the nitty gritty and this is where things get a little bit complicated and a little bit nuanced um i would encourage you to be at least a little bit wary of face id and touch id i'm not telling you not to use it and we'll walk you through pros and cons of using it or not using it let me let me help back up and say one thing the single best thing you can do to protect your phone is to create a long and complex passcode you know most of us have some kind of passcode set up on our phone it's usually four digits um and uh when i set up that harlow is a friend of mine and i go to her when i'm trying to figure out if i'm doing the right thing in terms of cyber security and i was like with great pride told harlow that i had changed my code to six uh numbers and she totally burst my bubble and said that that was not anywhere near good enough and then she explained to me why which he's going to explain to all of you because it was a revelation for me so well i mean um so the default passcode of six digits that you're usually like guided towards when you initiate a new iphone is not sufficient uh the reason why um and this is only if your phone is seized but the reason why is because um law enforcement agencies have access to uh you know certain devices that actually um leverage the fact that uh you know they can churn through six combinations combinations of six numbers um while uh unlocking a phone fairly easily and so the longer and more complex your pass raises the more of a fighting chance we like to say you're giving your phone um for resisting this type of brute forcing attack and so the reason i say be a little bit wary of touch ID and face ID is because technically and legally if you are asked by law enforcement or by anybody else frankly to unlock your phone you are not required to do so without a warrant you do not have to hold your face up to your phone you don't have to hold your finger up to your phone you don't have to enter your passcode law enforcement is required to have a warrant to go into your phone and in order to have a warrant they have to have a reasonable suspicion that you are doing something wrong uh however in practice it can be easier to intimidate someone into using their face or their finger to open their phone than it is to get them to say they're very very long very complicated passcode out loud and so some folks have been recommending if you look at like cheat sheets on cyber security and digital safety and protest some folks have been recommending uh turning off face ID and touch ID having a very very long passcode so the very long password passcode part i'm 100 on board with personally i'm also more comfortable turning off my face and touch ID however if you think about practically speaking how annoying that could be if you're like out somewhere right and you're trying to put in a 10 multi-letter multi-number passcode um obviously it's a lot easier if you have touch or face ID so you can do several different things um you can first of all remember that at least your video and your photos you can access even when your phone is locked usually by swiping from the right to the left on iphones and i think androids have similar shortcuts so if you need to get to that part of your phone which a lot of folks have been using you can do that um the other option is something that harlow just taught me which is essentially harlow can you explain it it's like lockdown yeah lockdown mode um so this is a gesture that most phones have uh that actually clear your biometrics uh from its local cache and so what that means is that um if you find yourself under duress you perform this little maneuver and then the next time you want to open up your phone again you have to enter that complex passcode and so um this is what i uh do usually like when i'm walking around and things are normal and i feel safe and and uh you know like nimble um i do have my biometrics on but i've also practiced the gesture for my phone in order to enable lock mode and i even have it timed down to you know how many seconds it will take me to do so so if i ever feel you know like clouds looming or whatever um then uh i know that it's if it's time to enable lockdown mode in order to clear the face id i have that option right and as a kind of another layer of security if you're looking at least on an iphone and i think it's in similar place in android where you've got face id or passcode or whatever that part of your phone is you know i think it's older phones it's touch id and passcode um you can scroll down and there's a section called allow access one locked and it has a bunch of toggles and uh the things to really pay attention to in that section so that that's stuff that your phone even when locked one could actually get to even if you've got your passcode on one thing is to turn off usb accessories and another thing is to turn on erase data and harlow is going to walk you through what each of those things implicate right so if you turn off usb accessories and you turn on erase data what is the point of that why would you bother doing that um the reason why is uh well for the two different features one has to do with the prospects that if your phone is seized and someone plugs in a device into your phone then they are i guess prevented from interacting with that phone as a live device ultimately what it does is it means that if ever your phone is is locked and something is stuck into it via usb uh then it can only draw power um and so and for erase data the point of that um is that if uh you do find yourself in a in a situation where someone is trying to get into your past for uh your your phone using like a variety of passphrases in order to guess it um your phone will be essentially practice a factory reset after 10 bad tries and it wipes all that data all right so one thing i've seen a lot of in cheatsheets and guides around cyber security in this moment is a recommendation that people turn off location tracking on their phones and i was very diligently doing that and again we had one of those moments where i bragged to harlow about how good i was about my cyber security and then harlow it's good it is good yeah and you're going to explain why it's good but also why you shouldn't let it give you a false sense of security like the one i had when i was diligently turning off my location we're not telling you not to turn off your location at all it's just important to understand what it doesn't get you yes exactly um once again we want people to have practical advice um and not mythological advice so um ultimately a phone is a phone is a phone and when you have a phone in your pocket it is going to interact with a variety of services in order to behave as a phone and in order to please you being a phone so um that means that your phone always knows what cell towers it's seeing and that information might be recorded by your telephone company um if you have a smartphone and our our lesson is definitely tailored towards smartphones um a smartphone might ask apple and google or it might tell apple and google you know like a certain conditions about your environment that aren't necessarily like attached to your google profile or saved in your apple id but it is information that apple and google do have as a company and so um the reason why in this slide we're showing you like you know where these settings are they're located in the privacy section and what that means is that it definitely like limiting um your apps like you know your yelp and uber and you know that game of sudoku that you for some reason downloaded limiting their access to your location services definitely does um protect you as like a consumer from a privacy standpoint but um you have to go through ex ex exorbitant lengths in order to actually protect your location from these players um and ultimately it's more likely that in the event of something horribly horribly gone wrong uh that a law enforcement agency will um you know like issue a warrant to google or apple for this um granular location data then it is that they will like you know go to yelp and say like oh you know who is giving the yelp review at this time on the street corner um so just keep that in mind when you're printing your location services thank you harlow arguably more importantly than turning off your location although by all means feel free to do that is to actually turn off notifications like the the pop-ups you know that come down on your phone because if you have gone through the effort of creating a very long password and you've gone through the effort of making sure that your phone is locked uh and encrypted but if you've got little notifications popping up with all of the information that people are you know sending you or texting with you uh that kind of is only your attempts to uh keep your information private only gets you so far so we walk you through again on iphone you go into notifications and you can uh it's a set show previews to when unlocked or never so basically you're never going to have previews and again it's easy to toggle a step on and off when you're in there are moments when you're going to need that to be the case there are moments when you don't need to be the case in android there's more nuance in terms of what you can actually achieve and um again i'll hand over to harlow to talk about the fact that in android you can fine tune it some you can fine tune it in the iphone too uh but and i think android has a setting that uh iphone doesn't yes um so in both of these platforms uh per app you can say um what types of notifications get shown up and then there's also going to be certain apps that give you even more granular control so um i'll take a signal i guess as an example um within signal you actually have within the notifications you have the option to show someone's name and the entire content of their message someone's name only and also um just a plain notification that says someone is pinging you on signal and the reason why this is important is because um as we talk about like you know the different apps that you can use to communicate the different things that you might use when you're out and you know like organizing or coordinating with with your team um ultimately if someone takes your phone and even if it's locked you get the bubble that pops up and says like so and so says let's meet on the corner of fifth and third um that ultimately will not prevent someone from reading that and one of my favorite anecdotes uh i won't name names but you know like it's entirely possible that someone will grab your phone um not unlock it at all but just wait for those notifications to pop up and then just like place it face down on a copy machine and that's how you know your correspondence gets entered into an evidence locker so um this is why um just like going through the variety of notification settings that you have on whatever phone that you have um really really makes all the difference even if you are applying the best end-to-end encryption communications thank you harlow i think before we move on to the next section i'm going to flag some of the questions that are great connected to what we've been talking about some of the questions we're actually going to answer in a little bit so i might hold off on this and if we still haven't answered them we'll we'll come back to them i'll i'll make an effort not to leave that anybody's questions so um we've got someone who says let me see oh harlow mentioned law enforcement has ways to crack six-digit encryptions or six-digit pass codes i think is probably what that was intended to say but i'm not sure um was this after 24 the 2015 san bernardino attack i thought apple refused or could not help law enforcement unlock phones has this changed um so uh the so actually that was back in the day when it was four-digit pass codes um and uh ultimately what happened with that case is yes apple refused to um uh defeat their own technologies in order to allow the fbi to open up that phone um the fbi then followed up with uh um you know a statement saying well you know what never mind apple we got it some other way now um the details have yet to come out or yet to be like entirely publicized but we do in the information security community believe that the fbi um uh um worked with a for a digital forensics company that specializes in creating um a combination of exploits that take advantage of flaws within the iphone of that day that model that um the perpetrator had uh in order to um abuse uh the fact that it was like a kind of trivial pass code and other flaws that were present in that particular iphone so um there this is um uh you know just kind of the way that it works in very very high-profile very serious cases where law enforcement absolutely wants this particular uh device to be opened um if they cannot go through the manufacturer they will go to companies that make these uh type of exploit chains in order to get exactly what they want um and so this is why we can say what goes on in the future maybe like next year when we're talking about this very same thing i'll be like well you know what now we're doing 14 digits and then victoria is going to cry and i'm sorry and scream yep exactly um but uh it is a little bit of a cat and mouse game and this is where we are right now i think some of the other questions i'm seeing are a little bit technical so i think i'm going to save them for the end but they're seen we will address them i promise all right so let's say you decided you're going to bring your smartphone you've done some of the steps in terms of turning off your notifications making sure it's backed up making sure it's encrypted uh making sure it's got a long passcode some things to keep in mind while you're actually out and about again i'm going to give you a checklist and the off chance that you're super diligent and want to have a screenshot of it but then we're going to walk you through all of these things in detail so these are all things to consider when you're out and about with your phone step one if you can keep your phone off a good chunk of the time that's probably the safest that maybe you only turn it on when you need to kind of figure out where you're going or if you're meeting up with somebody um or you want to take photo or a video but overall you could keep your phone off that's not practical for everybody so a piece of advice that's been circulating pretty actively is to turn off airplane mode which is a very good idea you know all you have to do in most phones to turn off airplane mode is swipe from the you know from the top or diagonally click a button you've turned on airplane mode that's great the only issue is that do you remember how car harlow was saying that there are three signals that your phone could or radios that your phone is using right it's bluetooth wi-fi and also your kind of cell phone signal airplane mode addresses only one of those three things so again you don't want to have a false sense of security if you turn on airplane mode and i'll um hand it over to harlow to talk about some of the other things you have to do in order to get the kind of security that you think that you have when you turn off turn off airplane turn on sorry airplane mode sorry can you repeat that last but i um my internet was having problems again totally so i was explaining why airplane mode can give you a false sense of security and i was going over to you to talk through the other um things you need to adjust in order to actually have that security yes so as victoria said um we talked about the other radios and if you've ever actually use airplane mode on an airplane but are still listening to spotify you might notice that bluetooth is still available it depends on the type of uh phone that you have some phones allow for this some phones don't but uh don't take for granted that airplane mode is going to um stop all of the radios from communicating um so in which case you also if you do want to protect yourself from um you know pinging out not only your um subscriber id via airplane mode but also pinging out you know information about your wi-fi address or your bluetooth connections then you also want to go through the settings specifically not the shortcuts but the settings in order to turn those off and the reason why we say do it in settings rather than relying on the shortcuts like the control panel or whatever um is because uh those are actually lying to you a little bit they don't necessarily turn off those radios but they just put them in passive mode and they're still kind of doing their thing and so one thing harlow recommends if you don't want to bother turning all the settings off although truly it's not very hard what's you know where they are and what you need to do um is to get something called a fairday bag which effectively blocks um your phone from communicating with or sending out signals and receiving signals that all three kinds of signals basically so you pop your phone in there take it out when you need it pop it back in which is not the easiest way but uh is in some ways more convenient for some folks it is a cost that you incur but um it is the easiest way to make sure that you're doing all of this correctly without actually having to think about it and especially if you find yourself in duress situations then yeah that's your best bet so in an ideal world I mean I should say that you should assume that any communications you're sending out and around are likely able to be intercepted or being intercepted right folks have the technology to be able to intercept those communications which is why if you do need to communicate with someone in an ideal world what you should be doing is to use end-to-end encrypted messaging apps and uh the one that's kind of the gold standard that people recommend is signal WhatsApp is also end-to-end encrypted but it's also owned by Facebook so how you feel about WhatsApp and using WhatsApp depends a little bit on how you feel about Facebook although again it is end-to-end encrypted and I'll have Harlow explain that in a second um what you don't want to do well I should let me just say one thing if you're going to use signal or WhatsApp effectively you have to make sure that both parties have it right you've got to cajole somebody into downloading signal you got to do it yourself you got to cajole somebody else into doing if you get enough of your friends on it it becomes a lot easier which is something that both Harlow and I have been doing uh but you do want to be mindful of iMessage and so first I'll let Harlow explain kind of what end-to-end encryption is in relation to messaging and then um she can talk through why iMessage is something you need to be really careful with I could if my internet worked do you want me to do we can hear you I'll jump in and when Harlow is back I'm back she's back yes I apologize having a very bad day on the internet um so uh end-to-end encryption is the principle that um the only parties that can actually read uh any content that's going between those two parties uh are those two parties um unlike let's say Facebook or a chat over Google or something like that um when that's yes your connection to that service is encrypted to that service but that service still does have its own copy of the things that you say and that could be used against you in the case of um you know like a subpoena or hacking or any other types of things that could go wrong um so as Victoria said uh right now the gold standard are things that are made with the signal protocol which includes signal whatsapp and to a certain extent although not entirely inspired by the signal protocol wire and there are a couple of other apps that have the same qualities um iMessage is also end-to-end encrypted however iMessage is end-to-end encrypted only between iMessage partners and if you remember um Victoria said that in order to have this end-to-end encryption uh everybody has to be using the same app they have to be speaking the same language and so if you've ever used an iMessage um or if you've ever tried to send an iMessage to someone who let's say is on an android you might notice that instead of getting a blue bubble you get a green bubble and that means that um instead of having end-to-end encryption what iMessage is doing is it's sending that same message over SMS and that is SMS messages or text messages are the most unsafe ways of communicating with people they're heavily surveilled um they are also easily trivially hackable uh i'm not going to get into the weeds about this but it can be surveilled it can be hacked and it is absolutely not safe and so what makes iMessage problematic um is that you might find yourself in a situation where you are talking to an android person and you don't necessarily realize it until the bubble pops up as green or more likely um you might find yourself in a place where your connectivity to the iMessage service is interrupted and then um because iMessage can't be reached it'll just send it to your iphone friend as a text message and so in order to avoid this confusion that could be possibly dangerous um uh we uh you know like uh use iMessage but with that caveat in mind so the other thing we want to draw your attention to is post protest surveillance and what that means is basically um essentially there are roomfuls of folks in law enforcement and various agencies that look through people's public social media posts and their live streams and use those to identify the faces of people uh out and about protesting and uh a lot of folks don't realize that by live streaming or by you know posting zillions of photos of other protesters including their faces up close that they could be putting those people at risk and so we feel like it's important it's an important thing to know it also could put you at risk so if for example let's say you are a journalist with a public profile or somebody who just doesn't want a whole bunch of people they don't know to know where you live right you want to make sure that if you're photoring or videoing next to your own house you are not including the intersection of your street or your front door and if it sounds like i'm being absurd i can tell you that in the last several months i've been on uh zoom webinars where people have inadvertently revealed their cell phones and their addresses and a whole bunch of other personal information that they didn't mean to reveal so i do actually encourage you to be mindful in this kind of hyper virtual era that we're all in now about what you might inadvertently be exposing yourself to you know there are cases of doxing there are cases of stalking these are all things that you don't want um to make yourself more vulnerable to like i said it's also important to be more mindful of uh exposing somebody else's identity inadvertently without intending to do them any harm so we encourage folks to request permission when possible if you're taking a close-up shot of somebody ask them if it's okay before you post it and truly think twice about live streaming harlow do you want to add anything yeah um so uh i mean ultimately um as journalists uh your mandate is to uh record what you see and to tell that story of what you saw but that said especially as far as like live streaming is concerned um when you live stream to a platform what you post becomes essentially user-generated content and quite frankly um different law enforcement agencies if you go to any police department they just have a room of people who sit there and follow hashtags on major platforms looking for photos that they can then use and pick apart in terms of the visual information that they see in order to like place that into photo uh sorry um facial recognition databases uh tattoo databases there was actually a yesterday there was an amazing story that came out um about uh the work done to find uh this woman who uh was um uh she was vandalizing a cop car and they found her via a t-shirt that she bought on etsy and then through like a cascading uh like a acrobatic cascade of subpoenas found exactly who she was based off of this t-shirt that she bought off of etsy that was part of a photo that was published in a um in a journalist's uh you know like social media presence so uh that said you know like um we're not here to uh talk to about the um your ethical mandate um as journalists not at all uh you innately know these things but we just want to remind you what is technically possible as you make these decisions I'm gonna actually jump in here and say a couple things um you know I know that not all the folks on the call are journalists and I saw a question that uh isn't in the Q&A anymore but I actually think it's it's a valid and important thing to explain you know folks have asked when when we're kind of trying to share this information well you know if you're not breaking the law if you're not rioting or looting why should you have to hide your identity right and I think it's really important to understand several things every single one of us in the United States has a constitutional right to protest there is nothing criminal or wrong or bad about protesting it's actually our civic duty the issue is that we have noticed over many years that protest is sometimes treated not infrequently by law enforcement agencies as a criminal activity and moreover people who are belong to certain uh demographic backgrounds namely people of color are disproportionately subjected to surveillance to abuse to being trailed and tracked and accused of things that they didn't do and had nothing to do with and so we want to make sure that if we are being in our opinion uh egregiously and disproportionately surveilled if our privacy is being violated and in some cases our constitutional right to protest is being treated as a criminal act that we are armed with resources to make decisions that keep us safe so I just wanted to make that clear like Harlow and I aren't here to try to tell you how to get you know how to break laws or do things wrong without people finding out we don't believe that you should be doing that we strongly discourage you from doing that and you might actually get in trouble our guests will get arrested if you do and that's that's how the law works the problem is the law doesn't always work the way it's supposed to do and so you should be aware if you are being surveilled and could potentially be connected to times or places or things that you had nothing to do with and if you are more vulnerable to those sorts of um kind of incursions so I just wanted to be totally clear about that because I did see folks kind of chatting about it or asking about it and so I wanted to explain I don't want to speak for Harlow I'm speaking from my position and I don't know if Harlow wants to jump in or add anything but I will also say that Harlow and I often work internationally with journalists who are at great risk from their state and so they really do need to understand and that's true sometimes here too they need to understand the things that they have to do to keep themselves safer while still doing their job or exercising their civic duty no that's well said sorry if I got a little high horsey but I also love to do a good rant from time to time let it out I agree 100% thank you so on that note if you are taking photos of people I would encourage you especially if you don't have their permission to do so encourage you to consider blurring faces and watching out from metadata we've seen some questions about metadata I don't know if there have been any questions about blurring faces but I'll let Harlow take this one and explain both tricks around blurring faces and why you might do it and also tricks around stripping metadata yeah so I like to kind of preface this by saying that photographs or you know digital images have two parts to them similar to when images were analog you have the the visual part that you see like the glossy part of the photo and then on the back you have that matte part that's just printed with like you know the time that the Walmart printed it out on their printer and that's metadata but both of these things have to be taken into account especially when you're sharing sensitive images so on that front part you might want to blur people's faces and not all blurring techniques or obfuscation techniques are created equal there are there are iPhone shortcuts for instance that might assist you in you know like finding faces within a photo either blurring them or redacting them there's a really really great app called ObscuraCam by which is for Android that does a similar similar thing and actually Signal now allows you to blur faces they do it in a very very elegant way that isn't easily read re sorry like undone which is great but then if you want to take care of the metadata and I do see a question in here about how you know how to make metadata go away ultimately the easiest way of doing that is to replace that image that you post with a copy of it that you make yourself and the easiest thing to do is to screenshot it instead of like posting that photo taking a screenshot of the photo and then that metadata is supplanted by you know the metadata of the screenshot which is perfectly or should be perfectly innocuous also do know that Signal in itself is and is the only app that allows for end-to-end encryption that also will redact the metadata from photos not everything that you send but it will redact from photos and that's great because you can you know like you don't have to think you don't have to go through too many steps in order to like automatically scrub metadata and also you could use the notes to self feature which is in Signal in order to like you know just take photos without metadata that you save for yourself for later but you could also if I understood correctly basically use Signal to text a photo to yourself and they're there by stripping it of metadata yes yeah and that was that yeah like we're trying to give you like we understand that if we give you some guidance that's incredibly impractical and time consuming the chances that you do at our slimmer so a screenshot or better yet running a photo through Signal quickly will actually strip the metadata in a really quick and easy way for you and this goes for photos it doesn't unfortunately not yet go for video yeah so we have this is just our last slide and then we're going to delve into Q&A which we see a lot of really really good questions here this is not a technical point this is just a safety point if you're going out and engaging in protests or marches write down some phone numbers on your arm or on a piece of paper somewhere most of us don't have our emergency contacts necessarily memorize some of us might but you also might consider a lawyer like finding a local legal aid facility if you are a reporter you can write down the phone number for the committee the reporters committee sorry Harlow I just blank reporters committee yes RCFP I always call them by their acronym they have a legal 24-7 legal hotline but make sure you have some numbers written on you somewhere or on a piece of paper on you somewhere that you could call if you get separated from your phone and you need help so that's my last point Harlow do you have any last points you want to make before we delve headfirst into Q&A um no let's let's do it let's do it okay you could if you want you can start okay um and they're pulling out questions yeah all right I'll start from the bottom actually or towards the bottom um so a lot of these actually fall outside of the realm of of mobile and so I'm going to take a couple of mobile questions can I ask you to not read the person but read the question out loud just in case for sure otherwise can you know what it is okay um so we did cover the one about the strategy for locking up phones with a password or a fingerprint reader or whatever and which is the safest and we can't really tell you what is the safest but I hope that we definitely addressed your questions about the options that you have and ultimately um make that work for you I think that that is the most uh um the most important thing to practice what works best for you um so you'll need it in in cases where it actually counts um another person asks about uh using um instead of using smartphones using uh what they like to call feature phones I guess things that don't necessarily know a feature phone would have GPS I guess you're thinking about a quote-unquote dumb phone that's what we used to call the old phones that don't have GPS and do nothing but calls and simple text messages and you know buying them in cash and activating them quote-unquote anonymously um I would actually I mean so um we can only give you options and we can only give you technical advice um I personally don't recommend going with a uh a phone that doesn't have certain capabilities for certain reasons we did discuss the fact that phone calls and text messages that go over cell towers are entirely available and so you do want to have a phone that is capable of providing extra protection and not having to speak in ridiculous codes and things like that and also it's in while it is definitely possible to buy things to buy phones and to activate them anonymously uh it's not something that I mean we're not going to give you advice about um you know how to we want to give you advice that is above board that works rather than giving you advice that might get you into serious trouble if you make one mistake and the mistakes are many given the amount of surveillance that our country and all countries quite frankly are under so that's my answer to that hello um let me just see somebody asked actually I I keep all connected devices you know phone included on VPN all the time thoughts on this practice so do you mind just explaining what VPN is and then sharing your thoughts on that practice sure um so that's a great question um a VPN is a virtual private network and what it means is it creates an encrypted tunnel uh between your device and a server somewhere else that you subscribe to that pretty much like does the interneting for you as I like to say um and so this is great because uh instead of letting your telephone company know or you know your internet provider know um or even like the person who owns the wi-fi know exactly what websites you're looking at um if you're on signal or if you're on whatsapp or like whatever um all they know is that you're connected to a VPN and they really really can't do anything about it if you have a good VPN by your side so um I actually do recommend this and um if we're going to take it so like once again everything takes practice um and a little bit of exploration so I'm not going to say like go out and like you know just choose a VPN and put it on and off you go um ultimately I do want people to like shop around and be like consumers um or like put on your consumer cap as you're shopping for the VPN that works for you um but uh just um to bring it back to like the scenario that we're spending time on um it even if you are using signal even if you are using whatsapp right you still go out there and everyone knows that you are on signal because your phone if they can see what's going on on the network whether you're on somebody else's wi-fi or if you're connected to a stingray we didn't talk about that um too much but or you know if someone has access to um the radio signals in the air they will know that your phone is contacting signal in order to exchange a message so the only way to thwart that is to have a VPN on your mobile phone so yeah um and I will just say I think the I want to emphasize the point Harlow was making that not all VPNs are created equal some of them are shady uh and could actually be putting your security and safety at risk and tracking you and selling what you're doing downstream so you really do want to make sure that you pick uh a VPN that's tried and tested and there are some really good articles from you know wire cutter and other um digital outlets that talk talk you through like what's a good VPN and what's not a good VPN let me see what else do we have I mean I think we could tackle some of the questions that are more computer based I'm I really interested in this question um I've read that especially investigative journalists should when working on a sensitive story remove the microphone camera and bluetooth from their computer do you agree um well uh there is so what we're talking about here is an air gap meaning you don't want a computer that is connected to the internet or otherwise have any choice any way of transmitting data um to someone who might like uh get to your story um so yes if you are working on something that is so sensitive that it requires an air gapped computer you can totally rip out the microphone camera and bluetooth and also wi-fi the bluetooth and the wi-fi are usually on the same chip by the way um go ahead and destroy your computer and just know that you will never use that computer normally again um but that is and those um those scenarios exist absolutely um at freedom of the press foundation I would say like 30 of my work is working with journalists who are doing those exact things um that said there are easier ways of doing of going about this that don't require destroying your computer um if you want to uh have a look at this really cool project called tales um which uh is a operating system that's built for more sensitive purposes that lives on a usb stick so instead of turning on your computer and booting into windows or whatever you can um pop in this usb stick turn on your computer boot into this usb stick and then you have a space in order to like disconnect it to the internet like you know do your your typing put your notes to upload or not upload but like um uh pop in your source interviews and stuff like that that's a really really um feasible solution um otherwise if you're not going to go that far and you're really just worried about your privacy um have a look at like why like maybe don't write your sensitive story in google docs because google docs uh google will read your google docs um there have been uh plenty of or not plenty of but there have been cases in which um someone was working on a story that was so um uh let's say spicy uh that it flagged google and google locked them out of their own story because they thought that the subject matter was inappropriate or illegal and they had to flag the user um if you are curious and you look at like the bottom right hand corner of your google doc that you're working on and you have that little explore star you click on that and machine learning processes reveal to you about what google knows about the content that you're writing and so um you don't even have to click that button for that to happen they're already doing that on every single document you you you put there um but that's just an interesting um view into uh what they're actually doing so uh it depends on on what you're working on not everything is going to be Watergate you know again um so just be mindful that you have options and make those decisions based off of your quote-unquote threat model Harlow you're the best thank you for that it was really really informative um I I think that the other three questions were the other let's see um two of the questions feel really technical to me so maybe Harlow if she doesn't mind might just type type an answer to the folks who are if it's an easy one I feel like they might be technical enough for other folks to follow um I like the one about this laser microphone um I do I'll just I'll type the answer but I want everyone to hear about um laser microphones that allow eavesdropping through walls at a distance of up to 400 meters and windows up to 100 meters and what can you do to protect yourself uh what like scenario um is best to protect yourself and I think that this is an interesting question especially because we're all working from home and so like you can't you can only do so much um when you're working from home you don't necessarily have like the ability to move to like you know an anonymous cafe or check into a hotel or whatever which is like what Ellsberg did when working on the Pentagon papers like those days are over what do you do um that's a very interesting question it might be a little bit beyond the scope of what we want to talk about but I'm more than happy if you ping me um offline to answer those questions all right well I feel like we have covered the questions um we covered the core material I think we we're not going to have time to delve in any depth into social media settings I feel like it's probably better if we save that for another time um I just want to thank Karlo for doing this with me if Harlow wants to thank you Victoria yeah it's my pleasure um if Harlow wants to drop any answers into the very very specific questions she can otherwise it might make sense for folks to to reach out to her directly um I don't know if uh folks from New America have anything they wanted to add as we wrap up but Harlow is there a way to contact you or a way that you would recommend panels contact or participants contact you if you they have any further questions yes um we are at Freedom of the Press Foundation so freedom dot press and I'm Harlow H-A-R-L-O at freedom dot press thanks Adam Great Daphine said we're going to go ahead and wrap up thank you so much for the wonderful session today this event will be uploaded to YouTube within 24 hours after the event ends thank you all so much bye bye everyone thank you