Threat modeling

• What am I trying to protect?

• Who am I trying to protect it from?

• How likely is it that I will need to protect it?

• How bad are the consequences if I fail?

• How much trouble am I willing to go through to prevent the potential consequences?

Secure communications

Voice and Chat

• End-to-End encryption

• Can verify device fingerprints

• Voice and video calls

• Two-person and group chats

• End-to-End encryption

• Voice and video calls

• Two-person and group chats

• File sharing

• Cross-platform Private Messenger

WhatsApp Messenger

Wire Secure Messenger

•Security Privacy Global public resource Transparency Ensure public benefit Community-based processes Accountability Trust Enrich lives of individual human beings

Tor users

• Survivors of domestic abuse

• People who want to learn about a medical condition or a controversial topic

• Law enforcement / Military

• Researchers

• Companies

• Dissidents and other people in countries with oppressive political regimes

• Political activists

• Journalists

Tor usage considerations

You can destroy your own anonymity with Tor if you use it incorrectly.

To use Tor correctly:

• Use Tor Browser Bundle or Tails

• Don’t log into services like Google and Facebook

• Stick with the default settings

• Don’t open downloaded documents while using Tor

• Don’t use BitTorrent with Tor

Portland Privacy

• Techno-Activism 3rd Mondays (TA3M) https://www.meetup.com/Portlands-Techno-Activism-3rd-Mondays

• PDX Privacy https://www.pdxprivacy.org

Secure communications

Voice and Chat

Email. The most utilized electronic function in the world. Still. And the biggest security hole of them all.

We kinda know that email is a cluster … Spam, scams, identity theft, misforwarding, reply all, typos – the list of things that can go wrong in email is … countless. And yet everybody uses it. Especially those of us who are not spring chickens.

There are things we can do. Encryption. Partial encryption. Common sense. Let's start with common sense.

Common sense precautions

• Two factor authentication

• Long complex password changed every six months

• Autoset not for reply all

• Use the drafts function

• Don't ever email credit cards, SS#, bank account info and, if sensitive, street addresses

• Have an email address that is not firstname.lastname available.

Partial encryption Higher, not highest security

Email services from Proton Mail (Switzerland), Tutanota (Germany). Free services and paid.

List services RiseUp National Security Letters

Good points. Lets you use email pretty much as you have been used to using it. Bad points, not life and death reliable.

Do you need to step it up a notch? That is where full encryption comes in.

Notes.

Encryption is a pain. It's not 100% bulletproof. The safest kind of electronic communication is no kind. Meet in person. Leave no trail. Deep Throat was right. But if you must have substantive communication with real danger, encryption provides email anonymity beyond needle in a haystack.

The principle. A public key is the alpha. A private key is the beta. When alpha meets beta, you can read a message. That's the only way. So it is all about keeping that private key secure.

Two protocols. PGP – GNUPG - GNU Privacy Guard

Then you need an encryption friendly email client. Usual choice is Mozilla Thunderbird with an add-on extension which in Thunderbird is .

Then you generate your public and private keys. Your public key is published. Your private key is as secure as you can make it.

If you expect your laptop could get captured by the government, then guess what. If you have a file on it called my private key – no more encryption.

So respond to your threat model and be as crafty as possible about hiding your key (NOT IN THE CLOUD) while having it accessible enough that you can cut and paste it to read emails
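The public key / private key principle above, as an added example that is not part of the original slides: anyone holding the published public key can encrypt, but only the keyring that holds the private key can decrypt. It assumes GnuPG 2.1 or later; the address, the names and the passphrase-less key are made up for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: two throwaway keyrings in temp dirs; your real keyring is untouched.
# The "reporter" owns the key pair; the "source" only ever gets the public key.
# Assumptions: demo address, and no passphrase (a real key needs a strong one).
REPORTER_HOME=$(mktemp -d); SOURCE_HOME=$(mktemp -d)
chmod 700 "$REPORTER_HOME" "$SOURCE_HOME"
ADDR='reporter@example.org'
G="gpg --batch --quiet --no-tty"

cleanup() {  # stop the per-keyring agents and delete both demo keyrings
  gpgconf --homedir "$REPORTER_HOME" --kill gpg-agent 2>/dev/null
  gpgconf --homedir "$SOURCE_HOME" --kill gpg-agent 2>/dev/null
  rm -rf "$REPORTER_HOME" "$SOURCE_HOME"
}
trap cleanup EXIT

setup_keys() {
  # 1. Reporter generates a key pair (primary key plus encryption subkey, expires in 1 day).
  $G --homedir "$REPORTER_HOME" --pinentry-mode loopback --passphrase '' \
     --quick-generate-key "Demo Reporter <$ADDR>" default default 1d 2>/dev/null
  # 2. Reporter publishes ONLY the public key; the source imports it.
  $G --homedir "$REPORTER_HOME" --armor --export "$ADDR" |
    $G --homedir "$SOURCE_HOME" --import 2>/dev/null
}

# 3. Source encrypts a message to the reporter using the public key alone.
encrypt_tip() {  # $1 = plaintext
  printf '%s' "$1" |
    $G --homedir "$SOURCE_HOME" --trust-model always --armor --encrypt --recipient "$ADDR"
}

# 4. Try to decrypt with whatever keys the given keyring holds.
decrypt_with() {  # $1 = keyring dir, $2 = armored ciphertext
  printf '%s\n' "$2" |
    $G --homedir "$1" --pinentry-mode loopback --passphrase '' --decrypt 2>/dev/null
}

setup_keys
CIPHERTEXT=$(encrypt_tip 'meet at noon')
echo "source keyring (public key only):   $(decrypt_with "$SOURCE_HOME" "$CIPHERTEXT" || echo 'cannot decrypt')"
echo "reporter keyring (has private key): $(decrypt_with "$REPORTER_HOME" "$CIPHERTEXT")"
```

Everything needed to decrypt sits in files under the reporter's keyring directory, so that directory (or an exported copy of the private key) is the thing to guard.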

Encrypted Tip Lines

If your outlet wants to have a tip line that you can promise is safe, there are two options:

1. Signal Tip Line. Lets people download Signal and then text you with full encryption

2. Secure Drop from Freedom of the Press Foundation

Privacy and Surveillance

Commercial Surveillance Law Enforcement Surveillance

Advertising vs Safety

Commercial surveillance feeding law enforcement NSL Metadata/AT&T Pipes Location Data Databases – ALPR/CLEAR

Regulation Principles

• Transparency

• Legislative Oversight

• Definition of Appropriate Use/Inappropriate Use

• Auditing/Reporting

• Civil Rights Impact

Surveillance Transparency Ordinances

Focused on law enforcement uses. Passed in Oakland, Berkeley, Davis, Seattle, Palo Alto, Santa Clara County, Nashville, Somerville and BART.

Statewide CA – twice attempted

What you can do:

• Information Gathering/Public Records

• Crypto Parties and Digital Security Workshops

• Model Good Security Practices – Be a Privacy Ambassador

• Ask questions

• Report on Privacy and Surveillance

• Look for Inappropriate Use and Lack of Transparency


Oakland Privacy – www.oaklandprivacy.org

Portland Techno-Activism Third Mondays (TA3M)

ASD Police Surveillance Project https://www.aaronswartzday.org/police-surveillance-project/

· WhatsApp - https://www.whatsapp.com End-to-end encrypted chat by Facebook that uses Signal's encryption protocol

· Wire - https://wire.com/en Secure messaging, file sharing, voice calls and video conferences protected with end-to-end encryption.

Encrypted email

· OpenPGP (Pretty Good Privacy) - https://www.openpgp.org An encryption program that provides cryptographic privacy and authentication for data communication and is used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions.

· GNU Privacy Guard - https://gnupg.org A complete and free implementation of the OpenPGP standard, which is the non-proprietary protocol created to allow encrypting email using public key cryptography technology.

· Mozilla Thunderbird - https://www.thunderbird.net/en-US A free and open-source, cross-platform, email client, news client, RSS and chat client developed by the Mozilla Foundation.

· Enigmail - https://www.enigmail.net A data encryption and decryption extension for Mozilla Thunderbird that provides OpenPGP public key e-mail encryption and signing.

· Tutanota - https://tutanota.com An open-source, end-to-end encrypted email software and freemium-hosted, secure email service whose business model excludes earning money through advertisement, relying solely on donations and Premium subscriptions.

· ProtonMail - https://protonmail.com An end-to-end encrypted email service that uses client-side encryption to protect email contents and user data before they are sent to ProtonMail servers.

· Rise Up - https://riseup.net/en A volunteer-run collective providing secure email account, email list, VPN, online chat, and other online services.

Website encryption

· Let’s Encrypt - https://letsencrypt.org A free, automated, and open Certificate Authority that gives people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites in the most user-friendly way possible.

Password managers

· KeePassXC - https://keepassxc.org A free, encrypted, cross-platform, and open-source, password manager.

· Bitwarden - https://bitwarden.com Bitwarden is…

· Dashlane - https://www.dashlane.com A password manager app and secure digital wallet.

Virtual Private Networks (VPNs)

· Hotspot Shield https://www.hotspotshield.com/benefits/ A VPN utility developed by AnchorFree, Inc. used for securing Internet connections, often in unsecured networks; was used to bypass government censorship during the Arab Spring protests in Egypt, Tunisia, and Libya.

· Express VPN - https://www.expressvpn.com/ A virtual private network service, offered by the British Virgin Islands-based company Express VPN International Ltd., that encrypts users’ web traffic and masks their IP addresses.

· IP Vanish - https://www.ipvanish.com A commercial VPN service, based in the United States that provides end-to-end network encryption and masks its user's true IP address.

Proxy servers

· Startpage - https://www.startpage.com A search engine that allows you to do private Google searches and view resulting pages via a web proxy.

· Privoxy - https://www.privoxy.org A non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads.

Anti-tracking software

· HTTPS Everywhere - https://www.eff.org/https-everywhere A browser extension for Firefox, Chrome, and Opera that automatically encrypts websites, using a more secure HTTPS connection instead of HTTP, if they support it.

· Privacy Badger - https://www.eff.org/privacybadger A browser extension for Firefox, Chrome, and Opera that blocks spying ads and invisible trackers.

· Ghostery - https://www.ghostery.com A privacy and security-related browser extension and mobile browser application that enables its users to easily detect and control JavaScript "tags" and "trackers".

Location Data

· OpenStreetMap - https://www.openstreetmap.org/ An open source and more private alternative to Google Maps.

Team collaboration tools

· Semaphor - https://spideroak.com/semaphor A secure team collaboration solution, using private blockchain encryption, for group messaging and file sharing without the risks of email or off-the-shelf tools.

· Rocket.Chat - https://rocket.chat A free, open source, enterprise team chat software for desktop and mobile use.

· Riot - https://riot.im An open source chat tool that offers voice and video conferencing and is available for desktop and mobile use, and you can host your own server for complete control or use theirs; end-to-end encryption is currently in beta.

· Mattermost - https://www.mattermost.org An open source, self-hosted alternative to proprietary SaaS (Software as a Service) messaging systems.

Secure document sharing

· SecureDrop - https://securedrop.org An open-source software platform for secure communication between journalists and sources.

Operating systems

· Tails - https://tails.boum.org A live that you can start on almost any computer from a USB stick or a DVD and which aims to preserve your privacy and anonymity.

· Qubes OS - https://www.qubes-os.org A security-oriented operating system (OS) that aims to provide security through isolation using virtualization.

Cloud storage

· NextCloud - https://nextcloud.com/about A suite of client-server software for creating and using file hosting services, similar to , but free and open-source, allowing anyone to install and operate it on a private server.

· Spider Oak - https://spideroak.com A US-based collaboration tool, online backup and that allows users to access, synchronize and share data using a cloud-based server.

· Tresorit - https://tresorit.com And online, end-to-end encrypted, for businesses, where files are encrypted before being uploaded to the cloud.

· OwnCloud - https://owncloud.org/ A suite of client–server software for creating and using file hosting services, similar to Dropbox, but the Server Edition of ownCloud is free and open-source, and thereby allows anyone to install and operate it without charge on a private server.

Two-factor authentication

· YubiKey - https://www.yubico.com A hardware authentication device manufactured by Yubico that supports one-time passwords, public-key encryption and authentication, and the Universal 2nd Factor (U2F) protocols, allowing users to securely log into their accounts by emitting one-time passwords or using a public/private key pair generated by the device.

USB security

· USG - https://github.com/robertfisk/USG/wiki USG is a firewall for your USB ports, isolating bad USB devices from your computer, while still passing through the data you need.

· Aegis Secure Key - https://www.apricorn.com/flash-keys An encrypted storage device that provides a secure way to store and transfer data.

Privacy organizations

· Electronic Frontier Foundation (EFF) - https://www.eff.org A leading nonprofit organization defending civil liberties in the digital world, based in San Francisco, CA.

· Electronic Privacy Information Center (EPIC) - https://www.epic.org EPIC is a public interest research center in Washington, DC focusing on emerging privacy and civil liberties issues and protecting privacy, freedom of expression, and democratic values in the information age.

· Privacy International - https://privacyinternational.org A registered charity based in London that works at the intersection of modern technologies and rights.

· American Civil Liberties Union (ACLU) - https://www.aclu.org/ A nonprofit organization whose stated mission is "to defend and preserve the individual rights and liberties guaranteed to every person in this country by the Constitution and laws of the United States."

Threat modeling and security scenarios

· Seattle Privacy Coalition threat modeling guide - https://seattleprivacy.org/introducing-threat-modeling-for-seattlites A guide on how to think about privacy more holistically and to assess what threats exist.

· EFF Security Scenarios - https://ssd.eff.org/module-categories/security-scenarios Sample risk scenarios to help analyze possible risks and threats to our data.

Educational resources

· Defend our Movements - https://defendourmovements.org A web-based clearinghouse of the most up-to-date and useful information about protecting your devices and data—whether on the Internet, through cell phone communications, or in your home or office.

· Surveillance Self Defense - https://ssd.eff.org An expert guide with Tips, Tools and How-tos for Safer Online Communications to help protect you and your friends from online spying.

· Tactical Technology Collective - https://www.tacticaltech.org A Berlin-based non-profit organization working at the intersection of technology, human rights and civil liberties.

· PEN America’s Online Harassment Field Manual - https://pen.org/research-resources/online-harassment-field-manual A guide that equips and empowers writers, journalists, and all those active online with practical tools and tactics to defend against online hate and harassment.

· A First Look at Digital Security - https://www.accessnow.org/cms/assets/uploads/2018/03/A-first-look-at-digital-security-digital-copy.pdf This booklet provides a friendly and personable first look at digital security for people at risk — activists, journalists, human rights defenders, and people in marginalized communities.

Your Presenters

· Oakland Privacy https://www.oaklandprivacy.org Oakland Privacy is a citizen’s coalition that works regionally to defend the right to privacy and enhance public transparency and oversight regarding the use of surveillance techniques and equipment. As experts on municipal privacy reform, we have written use policies and impact reports for a variety of surveillance technologies, conducted research and investigations, and developed frameworks for the implementation of equipment with respect for civil rights, privacy protections and community control.

· Portland Techno-Activism https://www.meetup.com/Portlands-Techno-Activism-3rd-Mondays/ Portland's TA3M connects software creators and activists who are interested in censorship, surveillance, and open technology.

· Media Alliance https://www.media-alliance.org Media Alliance is a Northern California democratic communications advocate. MA was founded with the belief that in order to ensure the free and unfettered flow of information and ideas necessary to maintain a truly democratic society, media must be accessible, accountable, decentralized, representative of society’s diversity and free from covert or overt government control and corporate dominance.