If you would like to see the first two installments of this series, you can check out Part 1, which is a security overview, and Part 2, which covers basic computer security.
Today I’d like to address basic things you can do to protect the data on your phone or other mobile device, as well as safeguards to keep yourself from being listened in on and from revealing your location. As with my previous post on computer security, this diary will cover basic measures, with future diaries discussing more advanced safeguards.
One caveat—mobile devices are not my area of expertise. I don’t use a smartphone or a tablet. Hopefully someone can add to this info or correct any errors in comments.
There are two main threats you face when using a portable device. They are access to your private data and surveillance.
If you have essential data on your mobile device (which I will hereafter refer to as MD), there is a risk that someone may attempt to access your device without your permission. This is especially important if you will be taking pictures or video of protest events and/or excessive police force. If you are arrested, or if the police confiscate your MD, or if your MD is lost or stolen, your data is at risk. Protecting your MD biometrically or with a password is no protection at all, since you can be forced to access the device (whether it’s legal for someone to do that or not).
That being said, using password protection is essential. If the MD is simply lost or confiscated, a decent password can help prevent access. Part 2 of this series includes a section on choosing strong passwords (and random letters and numbers aren’t best—see the diary). Be aware that thumbprint authentication is little better than no protection. See here for six ways thumbprint authentication can be defeated (seven if you count the use of an actual severed thumb). And I hope it goes without saying that a simple 4-digit PIN is not sufficient.
But since accessing your MD is often fairly easy, you will want to make it as difficult as possible for your data to be accessed and/or destroyed. The best first step is to encrypt your data. Both Android and iPhone allow you to encrypt a phone without installing anything extra. A quick explanation of how to do this can be found here, and a longer explanation of the process and how it works on Android phones can be found here. Encrypting tablet devices is pretty much the same as encrypting a home computer, and you can find out all about that in the second diary of this series.
Be aware that phones are inherently less secure than other devices, and you could still be forced to allow someone to access your encrypted data. IMO the absolute best measure is to take a separate phone with you to street actions. If all you need to do is communicate with others, a cheap “dumb phone” (calls and text only) is a good idea. These are available at dollar stores at very low prices.
If you take any video of marches or police actions, it can be erased and lost by police or others very easily. A good solution to this is the ACLU’s Mobile Justice app. Designed to securely record police misconduct, this nice little app allows you to upload your video to the ACLU immediately after recording it. A nice feature is that if arrest or confiscation of your phone is imminent, simply stopping the recording will automatically upload the video.
Another solution is to livestream your video. I know very little about this, but will attempt to address it in a future diary after I’ve learned more.
A second issue with mobile devices is the ability of law enforcement and others to conduct surveillance of your communications and your location. A law enforcement tool called Stingray is now widely used to spy on phone users. It essentially sets up a fake cell-phone tower that intercepts signals from any phone within range. But it can be beaten. An excellent app called Signal is available for both iPhone and Android devices. Signal encrypts your phone calls and texts, and they are not decrypted until they arrive at the recipient’s phone. The app must be installed at both ends, so you will need to arrange this ahead of time with others in your group.
In the second part of this series I discussed the use of a VPN for accessing the Internet. This also applies to mobile devices. VPN apps are available for all mobile platforms. Just be sure to do some research and make sure the VPN does not keep logs on its users.
Adversaries can also monitor your location if you carry a phone. GPS data can be intercepted or subpoenaed from your service provider. But simply turning off your GPS, or for that matter even turning off your phone, is not enough. Even when your phone is turned off, it is searching for nearby cell-phone towers. When it finds one, the tower picks up the phone’s signal, disclosing your location. This also works with the fake Stingray towers I mentioned earlier. If this is a concern, you must actually remove your phone’s battery. Obviously, you won’t be able to use your phone if you do this, but it’s really the only way I know to hide your location from an adversary.
Some people who have reason to hide from the authorities use cheap phones like the ones I described earlier and then just throw them away. Anyone monitoring that phone would know where you were, but not where you went afterward. Probably not something that would be useful for most of us.
One last note. If your MD is confiscated or stolen and then returned to you, you should know that there exists monitoring software, available on the open market, which someone can install on your phone and use to monitor all your communications remotely. While this is unlikely to happen, it might be wise to have a knowledgeable person check your phone to make sure there’s nothing on there that you didn’t put there.
This has been a basic discussion of mobile security, and I’ve probably missed a few things that I hope others will mention in comments. I will try to post further information in later diaries. I don’t use mobile devices myself except for a basic dumb phone, so I’m still learning.
Hopefully this post will be a springboard for further discussion. I will be monitoring comments, but sometimes it may take me a while to reply, as I am old, slow, and somewhat crippled.