Infosec 101 for Activists

Original Article ↗ Hacker News Discussion ↗

Alternative / “Better” Resources

  • Multiple commenters point to other guides as more credible or advanced: EFF’s Surveillance Self-Defense, Privacy Guides’ protest phone guide, Riot Medicine opsec, No Trace Project, and Anarsec.
  • Some say the linked guide feels unpolished and “LARP‑y,” lacking evidence of the authors’ real‑world experience under state repression.

Phones, Networking, and Threat Models

  • Strong faction: do not bring your regular phone to protests at all. Suggest burners, dumbphones, maps, or even “zero tech” coordination.
  • Others argue that phones are practically necessary for coordination and that advice should be about risk reduction, not perfect security.
  • Some emphasize that most activists’ real adversary is local police, not NSA‑level “own the baseband” actors; others insist that state‑level capabilities (baseband RCE, Pegasus, “Find My” on powered‑off devices) mean you should assume a compromised environment.

Legal Rights and Police Interaction

  • Know‑your‑rights resources (NLG, ACLU) are shared; consensus that you should clearly and explicitly invoke your right to remain silent and ask for a lawyer.
  • Disagreement over how to interpret Berghuis v. Thompkins and whether silence alone can be used against you; some corrections note you can remain silent without waiving rights if you don’t then start talking.

Tor, VPNs, and Service Providers

  • The guide’s preference for VPNs (and omission of Tor) is a major credibility red flag for several commenters.
  • Critiques: VPNs are trust‑based and easy intelligence targets; Tor at least distributes trust, though exit‑node and traffic‑correlation attacks exist.
  • ProtonMail/ProtonVPN draw heavy criticism (past logging of an activist’s IP, Cloudflare fronting, legal compulsion); others counter that Proton fought in court and strengthened legal protections, and that any non‑zero‑access service must comply with lawful orders.
  • Mullvad and Matrix are mentioned as preferable in some threat models; email is widely seen as structurally bad for real anonymity.

Browsers, Apps, and Messaging

  • Dispute over Firefox vs Chrome/Chromium: one camp treats a Firefox recommendation as a “tell” that the authors don’t understand modern sandboxing; another prioritizes tracking resistance and corporate surveillance over exploit cost.
  • Safari is questioned; reasons to prefer Firefox include openness and cross‑platform use.
  • Signal is broadly recommended but criticized for phone‑number metadata and centralization; alternatives like Session, Matrix, and even Mega are floated. WhatsApp’s E2EE is noted but its ownership is distrusted.

Perceived Errors and Gaps in the Guide

  • iCloud section is called factually wrong or outdated for not mentioning Apple’s Advanced Data Protection and its end‑to‑end encrypted backups.
  • DuckDuckGo’s inclusion raises eyebrows because of its Bing back‑end.
  • Overall split: some see the guide as a useful 101 for non‑technical people; others argue that several recommendations (Proton, VPN‑over‑Tor, Firefox, carrying phones) are so questionable that the rest of the advice is suspect.