REBEL SECURITY GUIDE

Keeping your accounts, devices, and communication secure is about solidarity with your fellow activists. If your accounts are compromised, you may open up others to security vulnerabilities. Remember, as in all things, we are only as strong as our weakest member. 

Of course, there’s no guarantee that any method will keep your information secure, but these guidelines are designed to help you avoid the most common kinds of cyber threats. 

BASIC SECURITY

We strongly advise ALL rebels to follow a few basic rules to increase the security of your personal accounts and devices:

  1. Use a password manager to store passwords. LastPass is a free, safe and effective option (but you can consider others as well). Whatever you choose, it should be installed on all your laptops and phones.

  2. Always use strong, unique passwords. Your password manager can help create and store them for you automatically. If you have to create one manually, try four random words strung together (this is called a passphrase) and never reuse the same password for different logins.
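As an added illustration of the passphrase advice above (this is example code written for this guide, not a tool the guide recommends), the snippet below picks four words uniformly at random from a wordlist using Python's CSPRNG and reports how much guessing work the result represents. The wordlist embedded here is a constructed stand-in; a real list such as a diceware list has several thousand entries, and the entropy figure depends only on that size and the word count, not on how "clever" the words look.

```python
import math
import secrets

# Constructed sample wordlist for the demo. A real wordlist has thousands of
# entries; the strength of the passphrase comes from the list size, so this
# short list is only for showing the mechanics.
SAMPLE_WORDLIST = [
    "anchor", "bramble", "cobalt", "dusty", "ember", "falcon", "glacier",
    "harbor", "ivory", "juniper", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pebble", "quiver", "ripple", "saddle", "timber", "umber",
    "velvet", "willow", "yonder", "zephyr",
]


def generate_passphrase(wordlist, words=4, separator="-"):
    """Join `words` entries chosen uniformly at random with secrets.choice.

    secrets (not random) is used because random.choice is predictable and
    must never be used for secrets such as passwords.
    """
    if words < 1:
        raise ValueError("need at least one word")
    if len(set(wordlist)) != len(wordlist):
        # Duplicates would bias the choice towards repeated entries.
        raise ValueError("wordlist must not contain duplicates")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(wordlist_size, words=4):
    """Entropy in bits, assuming the attacker knows the list and word count.

    Each word contributes log2(N) bits for a list of N words; four words from
    a 7776-word diceware list give about 51.7 bits.
    """
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDLIST)
    print(phrase)
    print(f"{passphrase_entropy_bits(len(SAMPLE_WORDLIST)):.1f} bits from this toy list")
    print(f"{passphrase_entropy_bits(7776):.1f} bits from a 7776-word list")
```

The entropy figure is the honest measure of a passphrase: the words are drawn with replacement, so the same word may appear twice, and that is fine; what matters is that every word is an independent random pick from a large list. Reusing the result across sites throws that strength away, which is why the manager should store a different one per login.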

  3. Secure your phone and laptop. Use an alphanumeric password of at least 6 characters on your phone and require it upon restarting. Your laptop should also require a password. If your device supports biometric locks (e.g. unlocking with your face or fingerprint), enable that as well!

  4. Communicate using encrypted apps. Keybase and Signal are both encrypted organizing tools, which is why we use them to communicate within Extinction Rebellion. If you use Gmail, consider turning on Google’s Advanced Protection Program, which gives activists an extra layer of security, or else sign up for a free Protonmail account.

  5. Be on the lookout for suspicious emails. These “phishing” emails can be sent out broadly or may be designed to target you specifically as an activist. Either way, the goal is to get you to unknowingly reveal passwords or other personal information, so pay special attention to suspicious language, the sender’s email address, and anything carrying a warning from your email provider.

  6. Enable two-factor authentication on all your accounts that support it. Two-factor authentication is another layer of security. It requires someone to have access to both your password AND your phone number in order to compromise your accounts.

  7. Be careful of public wifi. Avoid handling sensitive information while on public wifi or wifi without a password. Unsecured wifi networks allow bad actors to mount “man in the middle” attacks, letting them listen in on everything you request or send over the internet while you’re connected.

  8. Protect your data while browsing. Add the uBlock and Privacy Badger plugins to your browser to block trackers and cookies while you’re on the internet. As a bonus, they also help web pages load faster, since you aren’t downloading all that extra tracking code!

  9. Enable basic controls for public Zoom meetings. If you are organizing an open Zoom meeting (e.g. it’s publicly available on the website or open to non-XR members), practice some basic Zoom security measures to make sure that you aren’t “zoom bombed” during your meeting. Please note: if you are using video to plan anything sensitive or high-security, use our private video tool Big Blue Button on Mattermost instead of Zoom.

  10. Avoid fraud calls, emails, and links. It’s really easy for a bad actor to obscure their caller ID, the URL of a website, or the appearance of a link. If they are asking for money or personal information and something feels off, it probably is. To verify the origin of a call or email, look up the person’s contact information yourself and call/email them back to confirm the request. We also recommend installing TrueCaller for enhanced caller ID and spam blocking. To verify a website or link, search for it in your web browser instead of following the link provided.
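Items 5 and 10 both come down to the same two checks a person can make by hand: does the address the reply would go to match the apparent sender, and does the visible link text match where the link actually points? The script below, added to this guide as an illustration and not part of the original text or any XR tooling, runs those two checks over a raw email using only Python's standard library. The message it inspects is constructed for the demo (the domains `example.com`, `example.net` and the reserved `.invalid` suffix stand in for real ones), and the output is a list of plain-language warnings rather than a verdict, because a mismatch is a reason to verify through another channel, not proof of fraud.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message for the demo (not a real email). The visible
# link text names one host while the href points to another, and Reply-To
# goes to a different domain than From.
SAMPLE_EMAIL = """\
From: Support <support@example.com>
Reply-To: helpdesk@example.net
To: you@example.org
Subject: Action required on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please visit <a href="https://login.example.com.invalid/reset">
https://login.example.com/reset</a> to confirm your details.</p>
<p>Our <a href="https://www.example.com/help">help centre</a> is open 24/7.</p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def _domain_of_address(addr):
    """Domain part of an addr-spec such as user@host, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def find_warning_signs(raw_message):
    """Return human-readable warnings for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []

    # Check 1: a Reply-To on a different domain than From means replies go
    # somewhere other than the apparent sender.
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    reply_to = msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else ""
    from_dom, reply_dom = _domain_of_address(from_addr), _domain_of_address(reply_to)
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Check 2: a link whose visible text is itself a URL should point at the
    # same host it displays; "click here" style text is not judged here.
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return warnings
    collector = _AnchorCollector()
    collector.feed(body.get_content())
    for href, text in collector.anchors:
        shown = _host(text) if "://" in text else ""
        if shown and shown != _host(href):
            warnings.append(f"link text shows {shown} but points to {_host(href)}")
    return warnings


if __name__ == "__main__":
    for line in find_warning_signs(SAMPLE_EMAIL):
        print("WARNING:", line)
```

Run against the sample, it reports both the Reply-To mismatch and the link whose text shows `login.example.com` while its href goes to a host under `.invalid`; the "help centre" link passes because its text is not a URL. A clean result only means these two particular tricks were not used, which is why the guide's advice to look the sender up and contact them through a channel you already trust still applies.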

ADVANCED SECURITY 

These suggestions are not necessary for most of our members, but if you are working on an action or handling sensitive information, we would suggest that you use these applications and devices. 

  1. Use a VPN to hide your location. If you are engaging in anything that could be remotely considered illegal or dangerous, please use a VPN. A VPN lets you quickly change your IP address (basically your computer’s home address) to anywhere in the world, making it harder to trace online activity back to your computer. We recommend ProtonVPN for its ease of use and as a partner application to Protonmail.

  2. Prevent your devices from “phoning home”. Oftentimes software reports back to its creators with information and data about your activities without your consent. If you want to make sure that your devices aren’t snitching on you, download Little Snitch, which forces those applications to ask your permission before sending information back to their creators. To prevent your phone or laptop from sending back location or other data while it’s turned off, consider buying a faraday bag for your devices, or just wrap them in tinfoil or another conducting material for a DIY faraday cage.

  3. Use a USB condom when using public charging outlets. Similar to a credit-card skimmer, a bad actor can add extra hardware to a public outlet to “juice jack” your device. This opens a passage into your device, allowing them to scrape data while it is charging.

  4. Use a privacy filter and webcam cover. Privacy filters place a polarized film over your laptop screen and are useful for preventing shoulder surfing while you are working in a public space. Webcam covers make sure that, even if someone takes control of your laptop camera (or you just forget to leave a meeting), you aren’t being recorded when you aren’t expecting it!

  5. Avoid facial recognition and video surveillance. If your actions require that you avoid video surveillance or you just require more privacy, Reflectacles have IR lenses and reflective material in order to “blind” surveillance cameras, facial recognition AI, and devices with flash but appear to be normal sunglasses in visible light.