Privacy for Protestors
Protestors are being targeted online and in real life because of their opinions and support for a specific cause. How can you protect yourself?
By standing up for causes that matter to them, protesters across the country have been doxxed, lost their livelihoods, and experienced cyberstalking. To ensure that you don’t end up in a potentially dangerous situation while rising up, it’s crucial that you know how to protect yourself before, during, and after a protest. Keep on reading to learn about the kinds of risks protesters face, whether there are any laws that address them, and the steps you can take to ensure your security both online and offline.
The U.S. Constitution protects your right to protest. Indeed, according to the First Amendment, “Congress shall make no law … abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble.” Yet, the proliferation of digital surveillance tools has meant that protesters are increasingly being targeted for their beliefs and actions, both by law enforcement officials and other protesters.
Risks and Threats to Protestors
Protesters face a number of risks when they voice their opinions or show their support for a specific cause. The most common threats for protesters include police surveillance, doxxing, swatting, mobile malware, stalking, and cyberstalking. Below, we take a look at each one in greater detail.
If you’re planning on attending a demonstration or a protest, be wary. Your local police likely have the equipment and tools they need to identify you. Data gleaned from these tools can be combined with publicly available information to match protesters to social media profiles, credit reports, and criminal histories.
Here are just some of the tools law enforcement agencies have been known to use to surveil protesters:
- Drones. These unpiloted aircraft can be kitted out with video cameras, automated license plate readers, heat sensors, and radar to spy on protesters. Some drones may also be equipped with cell-phone interception technology and GPS trackers. According to The New York Times, by mid-June, the Department of Homeland Security had logged at least 270 hours of surveillance footage of protests from drones, helicopters, and planes.
- Automated license plate readers (ALPRs). ALPRs are sophisticated cameras that capture license plate numbers, along with the time, date, and geographic location. They can be mounted on police cars, road signs, and similar objects.
- Social media monitoring software. Law enforcement officers frequently observe public and private social media accounts, hashtags, and digital message boards. Police can also infiltrate private messaging channels to track protesters and predict upcoming actions.
- Body-worn cameras. Worn by law enforcement, body cameras are supposed to hold police officers accountable. However, they can also be used as a surveillance tool against individuals exercising their right to free speech.
- Cell-site simulators. Otherwise known as Stingrays, dirtboxes, or IMSI catchers, cell-site simulators look like actual cell-phone towers and trick phones into connecting to them. Once your phone is connected, the police can know if you were at a protest.
At least one in four local or state police departments in the U.S. can use facial recognition technology, making it easier for police officers to reveal protesters’ identities in photos, videos, and real-time.
It’s impossible to know what law enforcement officials might do with this data — and that’s a problem. Some of this information is undoubtedly being used to investigate crimes that occur during protests, like looting or violence. But some of it is also likely to end up in government databases to be potentially used at a later date, like if a person commits an unrelated crime.
Doxxing (or doxing) involves leaking personally identifiable information — like email addresses, phone numbers, and home addresses — online, usually with the intent of harassing, embarrassing, or harming the victim.
Accessing someone’s personal information is easier than you think. This is thanks to poor social media security practices and an abundance of people search sites and data brokers that are willing to sell people’s personal information to more or less anyone willing to pay for it (a practice that, believe it or not, is legal).
That being said, some doxxers may also use illegal methods, like hacking, to get their hands on information that can expose their target.
Recently, doxxing has become a common weapon between opposing protest groups:
- In 2017, a man lost his job after being identified online to participate in the Unite the Right Rally in Charlottesville.
- In 2020, an activist shared the name and mugshot of another activist on Twitter after the latter was charged by Portland police for disorderly conduct, resisting arrest, and interfering with an officer.
- Also in 2020, the Mayor of St. Louis revealed the names and addresses of protesters on Facebook Live.
Once someone has been doxxed, they may be targeted through swatting. A form of harassment, swatting involves perpetrators reporting a fake violent emergency, hoping that local police forces go to the unsuspecting target’s home.
The aim here is usually to frighten the victim. For example, in 2020, a man reported a hostage situation inside the home of a prominent activist, which led to a heavily armed SWAT team descending on her home. Luckily, the situation was resolved quickly.
However, things don’t always work out that way. Indeed, swatting can quickly turn deadly. In 2017 an unarmed man was killed in an unrelated swatting incident.
Although mobile malware, malicious software that targets mobile devices, hasn’t been used to track protesters in the U.S. yet, that doesn’t mean that this type of surveillance won’t become a thing in the future. After all, this tactic has already been used elsewhere.
In 2014, Hong Kong protesters were targeted by a smartphone spy app masquerading as an app for the Occupy Central pro-democracy movement. Once installed, the app requested access to the owner’s location, contacts, phone call log, text messages, and web browsing history. The app has been linked to the Chinese government.
More recently, an app claiming to be the official Android app for Nexta, a Belarusian independent news resource, harvested protesters’ data, including geolocation information, which was likely sent to the country’s security forces. Google eventually removed the app from the official Android Play Store, but not before it was downloaded thousands of times.
Stalking and cyberstalking
Another threat protesters face is stalking. In 2020, a protester was shown threatening video footage by other protesters following him home after a riot to let him know they were watching him.
But stalking doesn’t just happen offline anymore. A form of stalking, cyberstalking is when a person stalks or harasses someone through online channels like email or social media. A man was sentenced to three years in prison for stalking and threatening protesters online in 2020.
What Does the Law Have to Say About That?
The good news is that when it comes to most online and offline risks, affected individuals are usually protected by state and federal laws (with a few exceptions, of course). Here’s what the law has to say about each one of the above threats to protesters.
A lot of the information law enforcement obtains on protesters is considered public domain (like public posting on social media and forums), which isn’t problematic from a constitutional point of view. In contrast, when it comes to police use of drones, body-worn cameras, ALPRs, cell-site simulators, and facial recognition technology, the rules tend to differ from one state to the next.
For example, regarding ALPRs, New Hampshire state law restricts the use of this technology by law enforcement “for specified purposes.” Moreover, it asserts that the records of number plates read “shall not be recorded or transmitted anywhere and shall be purged from the system within 3 minutes of their capture, unless the number resulted in an arrest, a citation or protective custody or identified a vehicle that was the subject of a missing or wanted person broadcast.”
If the leaked information is part of the public record (i.e., marriage and divorce records, traffic violations, and arrest records, among other things), then doxxing isn’t illegal (but it is unethical).
Conversely, if the published information is off the public record (i.e., bank account numbers and similar), doxxing is illegal. Doxxing may also be illegal if the data was acquired via unlawful means (for example, hacking) or if the conduct can be classified as harassment, cyberstalking, or extortion.
There are no federal anti-swatting laws. However, several states — like California, Colorado, and Kansas — have passed some type of swatting legislation.
For example, according to California Penal Code 148.3, “Any individual who reports, or causes any report to be made, to any city, county, city and county, or state department, district, agency, division, commission, or board, that an “emergency” exists, knowing that the report is false, is guilty of a misdemeanor.” However, any person that “knows or should know that the response to the report is likely to cause death or great bodily injury, and great bodily injury or death is sustained by any person as a result of the false report, is guilty of a felony.”
While causing intentional damage using malicious code is against the law, tracking down the person or persons who wrote or distributed the rogue code is far from easy.
However, if the person or persons can be identified, they could be prosecuted under several federal laws, like The Computer Fraud and Abuse Act (CFAA), The Stored Communications Act (SCA), The Electronic Communications Privacy Act (ECPA).
Federal law aside, every state has its own computer crime laws, as well.
Stalking and cyberstalking
Even though the terms “extortion” and “blackmail” are often used interchangeably, they don’t actually mean the same thing. Blackmail is when one person threatens to reveal sensitive information about someone else as a means of coercing them. In contrast, extortion typically involves the threat of physical harm unless the extortioner gets compensation, whether it’s money or a non-tangible benefit. Because both extortion and blackmail involve threats to get something of value, most states include them under the same statute.
Both crimes are illegal in all 50 states. Federal statutes make many types of extortion and blackmail a crime, too
How to Protect Your Privacy As a Protester
1. Make your social media accounts private
If your social media accounts are public and you’re in the habit of uploading photos and videos online, then you’re making it very easy for law enforcement and potential doxxers to identify you both before, during, and after a protest.
Ideally, you want to make your social media profiles as private as possible. You should also be mindful of the information you share about yourself, your friends, and any protests you attend.
It’s important to be careful about who you accept as friends, as well. There have been cases where police officers pretended to be someone else to spy on protesters on Facebook.
2. Delete your name from data brokers and people search sites
Even if you make your social media accounts private, chances are that some of the information that was previously public now lives on a data broker site like Whitepages, Spokeo, or Intelius.
Data brokers are companies that collect information about individuals from a wide range of online and offline sources, like public records and social media. They then sell this data to other data brokers, companies, agencies, and individuals.
In many cases, data brokers can have scarily accurate information on people, including their addresses and address history, interests and affiliations, employment details, information on marriages and divorces, as well as details about their relatives.
This means that law enforcement seeking information on someone can bypass the need for warrants by gathering personal data on protesters via data brokers. Similarly, doxxers can acquire all the information they need to expose someone online by Googling someone’s name and then paying a small fee for their victim’s data broker profile.
3. Use strong passwords
Your passwords should be made up of letters, numbers, and symbols, and you should never use the same password more than once. A password manager, like Abine Blur, can help you generate strong passwords. It can also store all your logins in one place and log you into all your services and accounts automatically.
To make your accounts even more secure, enable two-factor authentication wherever possible. That way, even if law enforcement officers get their hands on your phone and manage to crack your passwords, they still won’t be able to log in to your essential accounts.
4. Invest in a VPN
In 2017 the Justice Department demanded that a web-hosting and domain registration company hand over more than a million IP addresses belonging to activists behind a recent protest. Besides visitor logs, the Justice Department also requested contact information, including emails. However, the company contested the warrant and it was eventually withdrawn. But what if it hadn’t been? What if the company had handed over the details?
To stop something like that from happening again but with more dire consequences, you should obscure your online activity.
Whether you’re coordinating a protest or only looking for information on a gathering over the internet, you should use a secure browser (like Tor or DuckDuckGo) and a virtual private network (VPN) to hide your identity. Searching in private mode doesn’t do much for your privacy and internet service providers can still hand over information to investigators if requested to do so.
5. Ditch your phone
To prevent law enforcement from tracking you or confiscating your phone, consider leaving it at home (along with your smartwatch or Bluetooth headphones). Instead, arrange to meet your friends at a particular time and place.
If it’s not practical or safe for you to go to a protest without your phone, but you don’t want it linked to your identity, you could buy a cheap “burner” phone. To ensure the new phone can’t be connected to you in any way:
- Buy it with cash, a gift card, or a Masked Credit Card.
- Use a new, prepaid SIM card.
- Don’t turn the phone on when you’re at home.
- Create a new Gmail account on public WiFi (or via a VPN) to download essential applications, like encrypted communication platforms (more on these below).
- Avoid saving the phone numbers of the people you may want to contact (try to memorize them instead).
- Turn the phone off when you leave the protest.
You could also make your current phone safer by backing up all your data before heading out to a protest (in case your device is confiscated and you need to delete the data remotely) and encrypting it. If you have a passcode on your iOS device, it’s already encrypted. Most Android devices are automatically encrypted too, but if you’re not sure, go to “Settings” and then “Security” to see if “Device Encryption” is activated.
In addition, log out of or uninstall non-essential apps, limit what information appears on your locked screen, and turn off location services. That last point is critical if you use Google apps, as police have been known to use geofence warrants. This search request allows law enforcement to obtain information on all mobile device users within a specific geofenced area. If your Location History is enabled, Google can comply with these requests.
Try to use a password rather than biometrics to secure your phone (passwords are protected under the Fifth Amendment) and, if possible, activate airplane mode or turn your phone off until you need it.
6. Use end-to-end encrypted apps
If you use text messages (or SMS) to communicate with other protesters, there’s a chance that your messages will be intercepted. That’s because the content of SMS messages isn’t protected, and neither is the destination.
Instead, opt for an end-to-end encrypted secure messaging app. Signal is a popular choice and has a disappearing messages feature. If enabled, it’ll delete all messages in a conversation after a specific time limit.
7. Walk, bike, or use public transport to get to the protest
As we mentioned already, law enforcement may use ALPRs to track people’s movements near protests. To avoid being identified, leave your car in the garage and instead walk, bike, or use public transport to get to the rally.
8. Hide faces and scrub metadata in photos and videos
If you take photos or videos at a protest, be wary of the kind of information they expose. Not everyone wants others to know they’ve attended a protest. Before you share any images or videos from the event, anonymize them by blurring out other protesters’ faces, identifiable tattoos, and scars (Obscura Cam and Image Scrubber are just two tools that let you do this quickly and easily).
It’s also a wise idea to avoid capturing details that could give away where you are, like street signs or business names, especially if you’re protesting close to home.
You should remove metadata from all the photos you take, as well. Metadata is information that records where, when, and with what device a photo was taken and can be used to identify the photographer or the people in the images.
There are tools that can remove metadata for you, but you can also typically disable location metadata on both Androids and iOs devices. Alternatively, if you need to quickly post a photo with metadata, take a screenshot of the image and share that instead (screenshots don’t include the same kind of sensitive metadata).
9. Cover Up
There’s no way for you to control who records you at a protest (be it other protesters, police officers wearing body-worn cameras, or private camera networks).
So if you don’t want to be identified, cover at least some of your face and think about hiding your hair under a hat (particularly if you have an eye-catching hairdo) and your eyes behind polarized glasses or goggles. Also, be sure to hide any distinctive marks, like tattoos, birthmarks, and scars.
- DeleteMe is a subscription service that deletes your personal data from some of the biggest data brokers and people search sites out there. There’s also a step-by-step guide on how you can remove your name from their databases yourself, as well.
- AccessNow, a non-profit that defends the digital rights of people worldwide, has a thorough self-doxing guide.
- Abine Blur helps you stay anonymous online through services like masked emails and credit cards and a password manager.
- Amnesty International has a handy list of what to wear, bring, and know for a protest.
- Surveillance Self-Defense is a project by the Electronic Frontier Foundation that teaches protesters how to stay safe regardless of where their campaigning takes them.
- The Electronic Frontier Foundation has a list of surveillance technologies used in southwestern border communities in the U.S.
- American Civil Liberties Union provides a map that shows you which state and police departments use stingray tracking devices.
- The National Conference of State Legislatures details state statutes on Automated License Plate Readers (ALPRs) and unmanned aircraft.
- LexisNexis, a computer-assisted legal research provider, offers a Protesters’ Rights Resource Kit that includes resources to inform protesters of their legal rights.