I live in a red state, and I have many trans friends. You wouldn't be surprised to hear that most of them are politically active. You probably would be surprised to hear that a chunk of my trans friends have a concealed carry permit, and that the ones who can afford them own plate carriers and rifles. Most of these trans friends have expressed that they have become more pragmatic about their safety in response to increasingly harsh political rhetoric against them.
Billboard in Connecticut funded by the fellas at the Better Way 2A podcast, which one of my trans friends recommended to me.
Gun control has a troubled history in the US. One staffer acquaintance described gun control as the graveyard of competent Democratic leadership, where many Democrat lawmakers have wasted valuable time failing to reform gun control at a federal level. My friends of more radical, diverse political views bring up that the first modern iteration of gun control, the California Mulford Act, was proposed and passed in direct response to the Black Panthers open-carrying legal firearms to deter violence against racial minorities and providing armed escorts to community leaders.
Did you know that the Mulford Act was supported by the NRA?
In recent decades, rhetoric on the left around gun control has been about school shootings and suicide. But with stories of near-Americans getting nabbed by immigration for 15-year-old drug charges at naturalization ceremonies and a constant stream of footage of masked cops who are unwilling to identify themselves while on duty, the vibe is shifting on the left about guns. Firearms were once an object that bred violence, cherished by old white rednecks. Now, they are just about the only thing that could prevent you and your family from getting kidnapped by ICE and sent to El Salvador because of a Pro-Palestine Op-Ed in the New York Times. Chunks of America believe Tyranny is Back.
Pretty sure I’ve seen a cardboard cutout of this guy at the range as a target. Someone should tell him COVID’s over.
Whether or not these concerns are accurate to reality, millions of Americans are coming to terms with the fact that the Second Amendment is there to protect the First and the Fourth. Racial and sexual minorities across the country are becoming first-time gun owners in droves as an expression of resistance against what they perceive as an increasingly hostile state. I would bet that we will see a massive uptick in minority gun ownership by the end of this year.
In the past, legally possessed firearms were a tool that could prevent an authoritarian government from commandeering your car or your farm as punishment for political dissidence. In the information era, what tools could we use to prevent a government from illegally searching and seizing our intangible digital assets and spying on our communications? Let's look into this.
How Much does a Hack Cost?
Breaking into someone's phone to spy on their communications is a tactical decision. The attacking intelligence agency has to weigh the potential risks of executing a digital surveillance operation or cyber attack on an individual against the value of the intelligence they could receive. Even though you don't need an artillery battery to launch a cyber attack, cyber attacks are not free or easy.
Most people within the NSA hierarchy do not want their work to be wasted, so I would guess that action is only taken when a chance of success is high and the value of the information acquired is not just equal to the cost of an operation, but greatly exceeds it.
I would present two major costs accrued by intelligence agencies based in democratic countries when executing a surveillance campaign:
Cost: Intelligence agencies have a pile of known exploits they can use, but each exploit is expensive. Creating previously unknown exploits (often called 0-days) requires time and domain knowledge of the target software, and hackers aren't cheap. Most of the time, exploits are discovered by the software developers or independent security researchers and then quickly patched. Sometimes, however, an analyst will notice anomalous traffic or behavior and discover an attacker exploiting a flaw the attacker had discovered. Also, exploits are only useful as long as the target system remains vulnerable. Once a patch is written, attackers have a short time before their exploit is rendered useless. This presents an interesting tactical decision, and I would be interested to know if the economics of using an exploit breed a "use it or lose it" mentality in cybercrime gangs and intelligence agencies.
Reputation: The democracies of the world are subject to the demands of their people. With all the power that the NSA has, they are immobilized if public opinion is turned against them. Unfortunately, the autocracies of the world are not held to that standard, which is why you only ever hear of Chinese, Russian, Iranian, or North Korean hacking campaigns in democratic nations. However, every time a researcher discovers an exploit, there is a risk it could be successfully attributed to the NSA or the Mossad, which risks permanent reputation damage.
The NSA burned a lot of its reputation in the Snowden leak, and it's very likely that their surveillance capability was decreased by both oversight and changing user behavior in response to the leaks. I would imagine that even the member of the NSA leadership who is most dismissive of privacy concerns wouldn't want to risk another Snowden incident. If each hack had a tenth of a percent chance to start a massive political scandal, how often do you think the fear of that eventuality stops a frivolous or useless operation?
Who Gets Hacked?
Let us introduce some hypothetical targets and try to guess how difficult it would be to maintain a surveillance campaign against them, and how likely they are to have been hacked.
Scenario A - The Normie: You are a normal person with a normal job who is not concerned about privacy.
You have no security habits and don't use secure communications.
Spying on this person is almost trivial. With no protections and no end-to-end encryption, all of this person's communications will get scooped by the passive drag-net surveillance done by many state actors. An attacker only needs to compromise one of a dozen pieces of infrastructure, including cell towers, telecom backbone cables, your phone, your router, or your app store.
Difficulty to Hack: 1/10
Likelihood of a Hack: 8/10
Scenario B - The Chud: You are a normal person with a normal job who desires a baseline of security. Maybe your Warhammer group is very international, or you have unsavory but still First Amendment-protected political opinions. You have nothing to hide, but nothing to show.
You use Signal to communicate over text and voice, and consistently use a VPN on both your phone and laptop. You occasionally use the Tor Network to pirate DS ROMs and old movies.
This target is only using a drop-in replacement for messaging and has an always-on VPN for both their devices. Despite this, they are significantly harder to spy on. The United States government has confirmed that they have historically wiretapped the telecom backbones, which is mitigated by using the end-to-end encryption offered by Signal, as well as the successful proliferation of HTTPS. If an attacker is able to connect to your local WiFi network, perhaps by hacking your router, then they won't be able to decipher any sensitive web traffic because it would be wrapped in a VPN. Even if they hacked Signal's servers, any data recovered would be unintelligible.
Difficulty to Hack: 8/10
Likelihood of a Hack: 3/10
Scenario C - The Engineer: You are an important person in an important sector like defense or research with access to valuable intellectual property. You are trained in OPSEC and use security software.
Just like Scenario B, you use Signal for text and voice, and use VPNs while using the internet. You also take the step of cleaning up your online presence by deleting old unused accounts, activating two-factor authentication for everything, and using a randomly generated password through a password manager. The randomly generated password prevents an attacker from using your password from previous data leaks.
Even though this target faces a greater threat, they have a really solid baseline of security through the relatively minimal change of using VPNs and the Signal app. While cleaning up your online presence probably makes it more difficult for unsophisticated intelligence operations and private companies without preferred or illegal access to proprietary information, the effect on preventing a capable intelligence agency from surveilling you is minimal.
Difficulty to Hack: 8/10
Likelihood of a Hack: 4/10
Scenario D - The Journalist: You are a journalist who just broke a story implicating the President of the United States in a sex trafficking ring. You have deep technical experience and use advanced security software.
You use Signal on a GrapheneOS Android phone to coordinate with contacts and colleagues. You use the Tor Browser for all of your research, even if it takes half a minute to load pages. You have completely DeGoogled and have never accepted a cookie from either a webpage or a Girl Scout.
This is the most difficult target to attack. An attacker would almost certainly have to use multiple zero-day exploits to inject malware into the Journalist's phone or perhaps collaborate with whatever code repository the Journalist is pulling apps from to set up a backdoor. Most malware would be deleted if the target wipes their phone, which would probably happen frequently. Also, since this person is both technically literate and suspicious, they are much more likely to send their phone off to Citizen Lab if anything looks a little off, potentially exposing the campaign.
Difficulty to Hack: 10/10
Likelihood of a Hack: 6/10
Notice that, in this model, even the best defenses can't completely stop surveillance. However, as the level of technical defenses increases, so too does the fiscal and strategic cost of launching a campaign against an individual. If you have the same concerns as The Engineer or The Journalist, but you have the tools and habits of The Normie, then you are open season for intelligence agencies, as well as small-fry hacker groups. Real cyberweapons like Israel's NSO Group's Pegasus would obliterate the defenses of even the most security-conscious people, but the deployment of such tools is expensive and risky.
Let's try to draw the connection between being able to defend yourself in the physical world to the digital world. A physical weapon will deter a state from violating your physical rights. In the Information Age, what is the equivalent of conceal carrying a firearm in the cyber domain?
Taking the analogy too literally, someone might say that possessing your own cyberweapon would be equivalent to owning a firearm. However, cyberweapons are incredibly specific attacks that can only be pulled off against a specific version of a specific system under specific conditions. It's impossible to build a button that stops all computers.
Instead, I argue that being digitally literate and being safe on the internet is like carrying a firearm. By wrapping yourself in a preventative measure, you make yourself a more difficult target for an attacker. If you follow certain practices and safety measures, you are more difficult to take out. The value proposition of a firearm is deterrence. By signaling you possess a firearm, you are implying that you are both trained and willing to use it. In a scenario where an attacker pulls a gun on an unarmed person, the attacker has an obvious advantage and faces functionally no risk. The risk calculation changes when the defender is armed, transforming the scenario into a much riskier gunfight.
Using end-to-end encryption and VPNs won't save you from the cyber equivalent of SEAL Team 6. That is, using basic protections won't protect you from the best cyber warfare operators in the United States. However, even the crayon-brainedest Marine will treat a lightly armed target with much more caution than a target he knows is unarmed, and will look for an alternative to engage besides a firefight. In the cyber domain, basic security and encryption could mean you get passed up as the target of surveillance in favor of an easier source of intelligence.
Why even have Intelligence Agencies?
These colossal agencies are a necessary evil to protect the democracies of the world, Orwellian as they may seem. We have it pretty good here in the United States, with no aggressive neighbors and no real separatist movements, which is probably why we are so focused on civil and personal rights compared to our European brothers and sisters. You can be forgiven for believing that spending billions of dollars per year on intelligence is indulgent. However, in my opinion, an intelligence capability that works for the people has downstream effects on economic prosperity. We benefit greatly from the American military hegemony and alliance network built over the last eight decades, enabled by our advanced technology and intelligence capability. Intelligence sharing is a diplomatic exercise, bringing allied countries closer together. Most servicemen have fond memories of working with security partners in East Asia and Europe, so the connection isn't just at the political class of the military. If you are formerly USSR-occupied Estonia and have expansionist Russia breathing down your neck, a surveillance apparatus pointed at your eastern neighbor is a matter of survival. It would make sense to join forces with the Americans to share intelligence. This deepens ties with the world's largest economy and best military and promotes peace in both countries.
Why do Tech People Matter?
Besides providing a recruiting pool for the legitimate cyber operations done by our intelligence agencies, having an educated and technical population is good for democracy and thus prosperity. Open-source tools like Signal and Tor and cheap services like VPNs built on open-source technology can offer security and privacy in surveilled or censored geographies, even if a lot of the technology can be traced to military inventors. If the Chinese government decides that their citizens shouldn't be able to read about democracy, it's the Chinese Tech People and their friends abroad who spin up SOCKS proxies to restore the free flow of information. If the DOJ releases a video file as evidence in an important case, it's the American Tech People that dig through the metadata and reveal that the file was tampered with.
Imagine a world where independent vulnerability research doesn't happen outside of governments. The NSA, the Mossad, the People's Liberation Army, the Federal Security Service of Russia, the Islamic Revolutionary Guard Corps of Iran, and MI6 would have effectively free range on all of our communication systems and digital infrastructure. All communications between your friends, family, and colleagues would become transparent. Anonymity would be dead, and along with it, accountability.
Surveillance is everywhere, and every country with an educated population has the capacity to surveil their own populace. Israel has used the Pegasus spyware to spy on Serbian, Mexican, Latvian, Dominican, Saudi, and Spanish journalists on behalf of their governments. They've even spied on Israeli journalists. The Saudis likely used Pegasus in the brutal extrajudicial murder of US-based journalist Jamal Khashoggi. Russia's FSB, the modern incarnation of the Soviet KGB, have surveilled liberals and dissenters in their own country, and have attempted to infiltrate the Russian diaspora media abroad after their disastrous invasion of Ukraine. China uses the most sophisticated censorship platform on the planet to restrict western ideas from infiltrating the country, hacked the phones of their own minority citizens, and spied on Taiwanese and Hong Kong independence supporters. China also had and likely still has unrestricted access to a big chunk of American communication infrastructure. During the Civil Rights era, the US spied on many of its own citizens, including Native and Black activists on McCarthyist suspicions of Communist sympathies. Today, it is nominally illegal for the United States to spy on her own citizens, but any digital exchange with a foreign national is fair game for intelligence gathering.
What Can You Do to Stay Safe?
This problem isn't going away soon. I don't trust any president to have my privacy interests at heart. To stay safe:
Practice good Operational Security (OPSEC): Don't post your location live, don't post your children's first names, use a different pseudonym on every web page unless you want to be identified. Take a look at some privacy-focused reddits like r/opsec to get a feel for what this entails.
Use Encryption: Talking your friends and family into using Signal or another end-to-end encrypted app increases the proliferation of encryption. It's hard to switch people over to Signal, but I have found that framing your concerns as "I just like this app better" instead of "this magic app prevents the government from spying on you" is much more successful.
Build your community: Stealing this one from the anarchists, but you should care about your neighbors a whole lot more than whichever 80-year-old is in the White House does. Be part of your community, they are the ones who will go to bat for you.
Music I listened to this week
ACE OF SPADES - Noah Orion Russel (of "the WALL OF SOUND" fame)
Sugar on my Tongue - Tyler, the Creator
Chains & Whips - Clipse, Kendrick Lamar, Pusha T, Malice
Going to end up on a watchlist for commenting/supporting, but this is a great piece! I appreciate the combination of skepticism and pragmatism. It hurts to see our country slide into autocracy but privacy tools such as https://www.privacyguides.org/en/ will only be more important