Skip to main content

Keeping group chats as secure as possible

For larger chats such as Local Group chats, make it clear that it is not secure and no 'spicy' information should ever be shared. You may want to allow people to add friends etc. So you don't have to follow all advice below. Use your judgement to include relevant recommendations.

Suggestions for increasing security when setting up and administering group chats:

  1. Ideally only add people that you know well or are verified by others (trusted rebels)
  2. Make sure only admins can add new members to the chat.
  3. For Signal remember if you add someone by mistake and remove them, they can still see the info in the header of the chat.
  4. If you are doing spicy actions make sure people use pseudonyms and burner phones if possible, and that those are added to the correct chats (with their normal names and numbers removed).
  5. Make sure there are separate secure chats for action days or spicy actions so that you can delete them afterwards.
  6. Make sure you set disappearing messages. If actions are happening soon, make sure you set disappearing messages to a day or a week. Otherwise 4 weeks should be fine (only Signal can do this automatically however Admins in Mattermost, WhatsApp and Telegram can delete others' messages).
  7. Make sure you keep the group 'invite links' off.
  8. Remember that many chat platforms attach media and files and links separately, so admins should regularly check that old media files and links are deleted.
  9. After the chat is done, and everyone has agreed that the group chat is done with, leave the group and delete the chat off your phone.
  10. Some members may not do this, so once the chat is done with, admins can remove members individually and then delete the chat off phones by deleting the group chat altogether - in this way people are not on lots of different chats that have ended which may cause security issues should someone’s phone be seized.
  11. Use the XR Cloud or CryptPad instead of Google Docs. See Document Management
  12. Use 'air-gapping' - see info below.

Air-gapping

The best thing to do to protect ourselves and XR is to use a process called 'Air-gapping' and is broadly used in government agencies, military and corporate sectors.

Air-gapping simply means we communicate any action planning and organising using one app (Mattermost is good for this) on a private channel or direct messages and then send specific details such as car registrations, credit card numbers and addresses using a different app that is end-to-end encrypted and self-deleting messages (Signal is best). This creates a gap between the planning and those specific details and ensures that if an adversary manages to get their hands on one account, they don't have all the pieces of the puzzle to sabotage an action, nor pair up individuals with a particular action plan, nor put faces to words with intent to commit crime (etc).