Going to a Rally Makes You a Suspect
January is going to be a busy month for Virginia. A fresh set of anti-gun and anti-assembly laws have been filed. And to put it mildly, they are not going to pass without a fight.
Since the filing of these proposed laws, most counties in Virginia have elected to become ‘second amendment sanctuaries’. There is open sentiment that new laws, if enacted, will not be enforced at the local level.
Escalating things, an armed rally is scheduled to take place on January 20th at the Virginia Statehouse.
There’s a very real chance that hundreds or even thousands of Virginians (and some imports) could be outside of the capitol building — rifles in hand — at 8AM on Monday, January 20th, 2020.
This could bring any number of outcomes. Some positive. Some negative. Either way it’s a safe bet that law enforcement at all levels will be out in force both visibly and covertly spread amongst the crowd.
If you’re planning on being there, it makes sense to consider the following concepts relating to political activism, cell phones, and information security.
Police can’t make you open your phone.
Use a Passcode, not Touch ID or Facial Recognition.
Whether the police can force someone to open their phone or not has gone back and forth in the courts for years. Until recently the general consensus was that you could be forced to use your fingerprint but not be forced to give a password. It’s important to understand that Virginia actually ruled in 2014 that law enforcement can force someone to unlock their phone with their fingerprint, but not force them to give them a passcode. This is not the case anymore, but I’m sure that a lot of cops don’t know this. Remember, cops don’t have to be correct about the law to force someone into something, they just have to think they’re correct about the law.
The rationale was that because a fingerprint is something police can collect as a routine part of an arrest, using your finger to open a phone would be allowed. Conversely, information that’s only in your mind (like a passcode) cannot he forced via warrant; it’s a Fifth Amendment protection. In the dumbest terms possible: they can’t force you to share your thoughts (a password that only you know) but they can force you to share biological data like a fingerprint, blood, or hair sample.
At least, that was the case in VA until January.
New Federal Ruling in 2019
Early in 2019, A federal judge in California decided that you don’t have to give a password OR give a fingerprint/facial recognition.
Judge Kandis Westmore of the U.S. District Court, Oakland, California, decided that “if a person cannot be compelled to provide a passcode … a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device.”
So as it stands, right now, the police can’t force you to open a cell phone. Remember this and don’t be intimidated. But it’s probably still safer to keep your phone locked with a passcode because the police can’t simply misbehave and force you to comply. They can ultimately just hold you down and stick your thumb on the phone if they really wanted to. The passcode is safest.
Police Are Scanning Your Phone With a ‘Stingray’
Even if your phone isn’t stolen by police, the information is not necessarily secure.
A stingray is an electronic warfare device that emits a signal that spoofs the one produced by a cell tower. It’s a honeypot. This tricks your phone into connecting to it, and allows LE to intercept things like your messages, data, contacts, calls (sometimes) and more. You’re basically routing all your data through a small cell phone tower operated by cops.
Virginia State Police is known to operate these devices. They are generally indiscriminate and can collect data from you and everyone around you.
These libertarian Snapchat groups are not encrypted. Neither is the Telegram app when using group text. Neither is Instagram, Android text, or Twitter DM. iMessage is encrypted, but only when talking to other iPhone users. WhatsApp and Facebook Messenger are also encrypted, but I wouldn’t trust anything sensitive to Facebook.
Do not be fooled into thinking you’re being covert. You need to understand that if the police are close to your device, then your communications can be easily intercepted unless you’re encrypting all traffic emitted by your phone via VPN.
Purchase Order by VA State Police
This purchase order was obtained from a national FOIA census regarding stingrays and dates back to 2014. It’s possible the program has been expanded. It’s possible the program has been minimally used. The information is well guarded. But at the very least, it’s a reasonable bet that VSP is driving around a 2014/2015 Suburban that can intercept your calls.
Avoid the Stingray Problem
There are a few ways to approach the Stingray problem:
- Don’t bring a phone.
- Bring a burner that’s loaded with an end-to-end encrypted chat app like Keybase and encrypt all traffic with a VPN.
- Broadcast ‘in the clear’ at high risk to yourself and others.
It’s all fun and games to make memes and shitpost on Instagram, but we’re very quickly transitioning from just being on small corners of the internet into being live and in person with a firearm.
Virginia law requires a warrant in order to use a stingray, but that doesn’t apply to the feds or to state and local police under a federal task force. There’s also very little transparency or public oversight regarding Stingrays, so it’s a fair bet that they’ll be in use during the rally.
This means that playtime is over. Taking an undisciplined approach to information security is not fair to the other people you talk to. Remember that if you’re reading this, there’s a good chance you’re already on a cell diagram on the wall in Langley somewhere.
Advocating for the second amendment and freedom in general is always a worthy cause, but the FBI and law enforcement have a long track record of using illegal means to prevent disruption to social order.
You have nothing to gain from allowing the government to monitor your communications. Encrypt what comes and goes from your devices. The government hates it. If nothing else, you’re doing the people you communicate with a favor by not broadcasting their information too.
What Do I Do, Then?
My suggestion would be this: buy a burner phone with cash. Don’t use your real name. Pay for a month of VPN service with a prepaid debit card or bitcoin (~$8), and also use an encrypted group chat app like Keybase.
Set your burner up with throwaway accounts on ProtonMail. Don’t use your real name for anything. Don’t use your real e-mail accounts as backups or password resets. Accounts like “email@example.com” are how you go to prison. Try something like “hNX_7_d_sp1@protonmail.com”.
Use your burner to document the rally, take photos, and chat on Keybase, but make sure that the phone’s privacy settings are maxed out and that VPN is always on. Just use the burner for political activism. It’d be smart to avoid texting your family, friends, boss, or anyone except other like-minded individuals from the burner.
VPN will encrypt your data even as it passes through the stingray. Police will be able to see that your phone is sending and receiving data, but not what that data is.
Separate your phone from the battery and SIM card once you’re clear of the rally and make sure they end up somewhere like the bottom of a river.
I would keep your regular phone either (a) off-site or (b) turned off unless there’s a serious emergency and it’s worth the potential information compromise to use it.
Stop Displaying Information on Locked Screens
Another consideration is exactly how much information your phone broadcasts from the home screen. If police start the screen, can they slide over to your recent texts or calls? What do your widgets show? If someone texts you while your phone is closed, does it show a preview of the message?
You should obviously configure your phone so that the least amount of information is openly displayed if you’re at risk of scrutiny by law enforcement.
You can turn off previews on iPhone pretty easily. Android is device/OS specific, so search the internet and you’ll find a guide. It’s simple to do. The last thing you want is your phone to light up and say “Boogaloo Time! Grab your SBR and auto sears buried under the tree at Nick’s house!” on the locked screen.
You can also disallow access to your apple wallet, calendar view, missed calls, etc. on iPhone in the “Settings > Touch ID & Passcode” area of your phone.
Use VPN on Public WiFi in Hotels and Restaurants
Many people will travel for this event. That means hotel wifi, restaurant wifi, and other shared networks.
You should always be on VPN on a shared network. This rule applies in general, but it especially applies if you and a few friends are in town to be part of a group marching on the capital building with rifles.
Go ahead and connect but make sure you’re on VPN. This is simple to do and takes 3 seconds. There’s no excuse not to.
I would strongly suggest against connecting to public wifi “in the clear”, as government surveillance might not even be your biggest concern. Intercepting pics, chats, and passwords is actually alarmingly easy to do for anyone with a free network sniffer like Wireshark. Loose lips sink ships. You’re not clear to plan your protest on group chat just because you’re back at the hotel and on WiFi.
To make a long story short — consider doing the following:
- As an activist, you make yourself a target.
- Police can’t make you unlock your phone, though.
- Police can read your messages unless you’re using a VPN.
- Don’t use public wifi unless you’re on a VPN.
- Keep your real phone turned off unless you need it to be on.
- Pay for as much as possible with cash or a prepaid debit card.
- Don’t use your real name in email addresses.
- Use privacy-focused e-mail like ProtonMail (it’s free)
- Don’t open your phone for cops
- Don’t let your phone broadcast messages on the lock screen
- Have a communications protocol for your group before you get there.
Stay safe, everyone.