Archive for the 'Privacy & Technology' Category

Tell City Council that Feds Must Follow Seattle Law

Call for action: Demand transparency related to federal government surveillance in Seattle

tl,dr

Email the city and insist that city employees document cooperation with federal requests for surveillance cameras.

Details

What: Meeting of Seattle City Council Committee on Energy and Environment. Agenda:  https://seattle.legistar.com/View.ashx…

When: Tuesday, January 24, at 2 pm

Where: Council Chambers at Seattle City Hall (601 5th Avenue, at Cherry)

Why: Of interest in the agenda is item #2:

Warrantless Surveillance Cameras in Seattle: How to protect
the privacy of Seattleites and reverse the proliferation of
surveillance cameras installed by the Seattle Police
Department and Federal law enforcement agencies on SCL
polls in public space without democratic authorization or
transparency.

As many of you will know, Seattle currently has legislation about surveillance equipment on the books. Currently, however, federal agencies ignore it (because it doesn’t apply to them) and use city resources to put up their own cameras. Seattle Privacy has documented several cases where the ATF or FBI entered into informal, off-the-record, verbal agreements Seattle City Light employees allowing the placement of cameras on utility poles.

We support the committee’s study of this issue call on the committee members to back corrective legislation.

What you can do

Attend the meeting if you can, and speak out during the public comment period.

If you can’t attend, you can submit a public comment by emailing the committee members:

For example, you might feel that…

  • Any agreements between federal and city agencies regarding surveillance equipment should be written down and FOIA-able.
  • The public should know who makes the call to allow ATF cameras.
  • The lack of transparency in the city’s dealings with the federal government is at odds with our status as a sanctuary city.

We’ll be at the meeting, and hope to see you there.

On the nature of surveillance, self defense, and activism

The Seattle Privacy Coalition instructed our first anonymous group of Seattleites who are victims of abusive surveillance or at risk of becoming a victim. Overwhelmingly, the students of our first workshop were women, even though everyone that attended ranged in age, background, race, nationality, ethnicity, and sexual-orientation. Despite their differences, their commonality was their genuine care for people — society — to such a degree that their non-violent actions are considered a threat to corporate and government power.

The concern

Almost 226 years ago, our fundamental rights as Americans were ratified. Broad protections were guaranteed to us against search and seizure, something that we, as a society, now sometimes call privacy due to the large amount of our lives willingly and unwillingly propelled into digital spaces. Objection to intrusive search and seizure of physical objects has evolved into our ability to control personal information made harder by advancing and cheapening technology.

Corporations, governments, and law enforcement agencies do not have a right to abuse people by way of deploying advanced technology. They may have the ability and privilege to do so, but that ability and privilege cannot and should not become a slippery slope to control people who are exercising their government-sponsored and government-protected right to protest perceived abuses of power. What is the significance of our constitutional protections unless we act, so that our rights become right and our values proven?

Despite the stark ethical differences between rights and privileges, activists are readily harassed, stalked, physically abused, or murdered. Anyone guided by justifiability and morality can understand why we need to support this vulnerable population of people.

The workshop

In large part, surveillance self-defense is about technology and education. Similar to the practice of martial arts, self-defense is learned by empowering one’s self with knowledge and control over mind, body, and environment. Understanding technological threats and assets will help non-violent activists achieve their goals. To best achieve our objectives, we approached this training with the wisdom of a teacher and also the curiosity of a student. Everyone there had something to share and learn.

Our students were not tech-savvy. Many of them had cell phones that were merely recommended to them by family members or casual friends. One of them had a Windows phone, something even our technologists didn’t know if it employs storage encryption. Even though only one person was the facilitator over the course of almost five hours of training, various Seattle Privacy Coalition co-educators were participants of the training and regularly contributed facts, metaphors, and applied real-time research.

We started off by introducing the Seattle Privacy Coalition and notable facts about the organizers, like not being associated with law enforcement or intelligence services. A story was told to create some initial privacy empowerment and a statement about everyone’s right to identity-self-determination while  participating in the workshop.

We started our curriculum by highlighting the cause of risk, which can be characterized by a balance between threat and vulnerability. Throughout the workshop, distinctions were made by attributing the specifics of scenarios to either a threat or a vulnerability to best appreciate any given risk.

The first tool provided to our students was not software; it was an information resource, one regularly brought back into the dialogue. The Electronic Frontier Foundation‘s (EFF) online guide titled “Surveillance Self Defense” (SSD) was chosen to be our primary reference material. Their amazing and much needed work is where we got the name of our new program. We think that the EFF’s SSD should discuss the notion of a vulnerability, not just the notion of a threat when assessing risk regarding “An Introduction to Threat Modeling“.

Another SSD concern was the need for a preemptive list of jargon in each article. As you might notice, one of the Seattle Privacy Coalition’s goals is to provide constructive feedback to the EFF from our experiences with our activist and journalist students.

Graciously, one of our students enjoyed sharing the words of every acronym that we used to instruct with. It was a healthy reminder that our students need a lot of breakdown, which in effect, leads to a lot of segues. Seattle Privacy Coalition needs to include more subtle structure into our curriculum plans so not to spend as much time on segues. Segues created a condition where it became too easy for non-technologists to get lost. We regularly asked if everyone were comfortable with the previously discussed topic so people could easily ask questions.

Other over-arching concepts included the differences between active and passive surveillance, and also the differences between transport encryption and encrypted storage. The Seattle Privacy Coalition needs to add a section disusing a basic concept of encryption in our upcoming workshops.

The majority of our students were iOS and OS X users, which was slightly unfortunate since we don’t have any Apple users among the active Seattle Privacy Coalition volunteers. Creating power users out of Apple users was a clear challenge in our workshop, but we were able to educate on a few important self-defense tactics and operations.

Regardless of the lack of Apple iOS and OS X experience, we were able to cover many outstanding encryption tools. We only instructed on the use of open source tools made by The Guardian Project, Open Whisper Systems, and The Tor Project . We limited our tools training to these developers because of their commitment to human rights, attention to usability, and their verifiable skills at employing strong encryption through careful software development.

We covered topics like “data linkability” and applied its concept throughout the workshop. We covered notions of “metadata” and applied its concept throughout the workshop. We covered search and seizure laws and rights. We covered Washington state audio and video recording laws and responsibilities. We made sure every Android and iOS user had storage encryption enabled. We also discussed OTR advantages in light of the above chosen software tools.

We spent a lot of time talking about cell phone communication encryption as a matter of risk deterrence. We did this by covering basic cellular network infrastructure and various vulnerabilities. Discussing SS7 vulnerabilities, baseband processor vulnerabilities, and IMSI-catcher threat detection was a primary knowledge area that we think is critically important for activists.

With only five hours before everyone was completely wiped, we barely had enough time to cover the proper use of Tor. Regrettably, Tor was talked about only as a solution. We did not comprehensively discuss threats and vulnerabilities. We did not have enough time to include any hands-on exercises which we think is ideal for showing activists how easy it is to install and use the above mentioned software tools. We also were not able to talk about HTTPS or PKI, which would have been useful after a basic intro to encryption.

Lastly, while we were able to discuss contact management for cell phones, we did not discuss contact management for personal computers. In fact, while 5 hours is a lot of time, we had no time for talking about personal computer hardening aside from a few brief mentions of Tails Linux. The only attendees to raise their hands as being Linux users were those from the Seattle Privacy Coalition.

In Retrospect

Everyone walked away having learned many important things, and with a some healthy paranoia. Seattle Privacy Coalition volunteers learned a lot too, particularly about the nature of this specific underrepresented community in Seattle. The Seattle City Council is advised by the Citizens Technology and telecommunications Advisory Board (CTTAB), and in a couple months, CTTAB will be hosting a privacy symposium specifically looking at underrepresented communities that are often hurt by data mismanagement or surveillance. Activists are not only underrepresented, they’re often abused and misunderstood by capitalists, politicians, and journalists. We hope that these surveillance self-defense workshops will help our fellow residents, our city, and our perception of privacy moving forward.

Surveillance Self Defense for Activists, January 2015

foto_no_exif

 

Greetings Seattle activists!

Seattle Privacy Coalition is starting a new workshop in Seattle called Surveillance Self Defense, a name gratefully adopted from the Electronic Frontier Foundation’s “Tips, Tools and How-tos for Safer Online Communications“. Our workshops will be free to the public but limited in space.

Surveillance Self Defense for Activists will start in January 2015 and occur every-other month. So if you miss January’s, remember that another workshop will happen in March 2015. We are also starting Surveillance Self Defense for Journalists, which will begin in February 2015.

Our first workshop, for activists, will be on Sunday, January 18. Registration is not yet open. The time, location and curriculum will be announced when registration opens next week. Curriculum will include securing your phone and computer (and related communication) for on-the-ground activists, no matter if you’re an organizer or participant.

 

There will be no form of registration that will record who is attending, so no Facebook, Meetup, or email invites of any kind. This is done to protect the privacy of the attendees. Depending on our workshop space, we will have a limit to how many people we can accommodate. We’ll know how many people to expect based on how many anonymous surveys are submitted.

Below is a set of draft survey questions that we’ll be asking each participant to answer before they attend. They have been created with the help of Internews’ SaferJourno project. We’re putting these here now just to give you an idea of what kinds of things we’ll be educating you about:

  1. Do you use a cell phone when participating in protests?
  2. What is the operating system of the cell phone that you take to protests?
  3. Select the capabilities of said cell phone:
    1. Phone calls
    2. SMS (text messaging)
    3. Data (internet access via 2G, 3G, or 4G)
    4. Bluetooth
    5. Camera
    6. Video camera
    7. (fill in the blank)
  4. When participating in protests, what communication platforms do you use?
    1. Google Hangouts
    2. Apple iMessage
    3. SMS/texts
    4. Facebook Chat
    5. Email
    6. Twitter
    7. (fill in the blank)
  5. Do you know any differences between HTTP and HTTPS?
  6. Have you used privacy enhancing tools such as a VPN or Tor, either on a computer or on a cell phone?
  7. Have you ever sent an encrypted email before?
  8. Is your cell phone password protected?
    1. Yes, with a pin number
    2. Yes, with a password
    3. Yes, with a pattern
    4. Yes, with a fingerprint
    5. Yes, with a faceprint
    6. No
  9. Is your cell phone’s storage encrypted?
  10. Do you know what an IMSI-catcher, or “Stingray”, is?
  11. Regarding the personal computer that you use to coordinate protests, what is its operating system?
  12. Have you ever had a personal computing device seized or confiscated?
  13. Are you currently a victim of active surveillance?
  14. Do you drive, carpool, bus, bike, or walk to protests?
    1. Drive
    2. Carpool
    3. Bus
    4. Bike
    5. Walk
  15. Do you use your electronic debit, credit, and/or bus card(s) before, during, or after attending a protest?
    1. Yes, debit/credit
    2. Yes, bus (Orca) card
    3. No
  16. Do you have access to a technical specialist when you have questions about digital safety tools and practices?
  17. What topics would you like to see covered at this workshop?
  18. Will you be bringing your cell phone or laptop to the workshop? We encourage you to for our hands-on training.

Please be sure to check back here next week for registration! For organizing queries, please send an (ideally PGP encrypted) email to “yawnbox at riseup dot net”. If you’re a security or legal educator and wish to get involved, please email me.

Cheers!

There’s a new Web security bug, but Seattle Privacy’s server has been patched

Today the security community announced a new vulnerability in one of the most widely used security protocols for Web traffic, SSL Version 3. Now that we are in an age of cute branding for new bugs — e.g., Heartbleed and Shellshock — the new vulnerability will apparently be known as POODLE.

The Seattle Privacy Web server has been updated so as to forbid use of SSLv3 by old, vulnerable Web browsers. This may affect users of Internet Explorer 6 on Windows XP, but nobody else should notice a thing.

Note: If YOU are still using XP, honestly, go install Linux on that ancient machine and you’ll have a modern, supported, secure operating system.

We get excellent coverage in the Seattle Times

Seattle Privacy Coalition hits it big in the Seattle Times. In the paper edition, we are on Page One above the fold! Click the screen shot to see the original article.

seatimes_phil_lee