Privacy and Security

How private is your data on the XR communication services?

Data on our new services is held in an encrypted partition on a server in Switzerland (which has excellent data protection laws). Should we receive the statutory 24 hours notice of a data access request, we only have to shut down the server to make the disk about as much use to the authorities as a brick.

Having said that, data on a public channel in Mattermost, a public forum on UK Forums, or a shared folder on UK Cloud should be considered public - if anyone in XR can access it, then you should assume there is a mole in the organisation, who can pass it on to the authorities.

All data on any server is accessible to the system administrator of the server. This is why we do not recommend using third party servers for anything in the least bit sensitive. The system administrators of all the XR servers (a handful in total) are all long standing XR members who are trusted by the movement.

Mattermost

The system administrators of the Mattermost server (none of whom are in the UK) ask that you do not share specific details of illegal activity on Mattermost. It is conceivable that the authorities would be able to obtain an injunction to access the server in Switzerland, which would mean it would be closed down, and that would be very inconvenient for the global movement.

Data in a private channel in Mattermost can only be accessed by members of the channel. Only other members of the channel can join new people, so that is the highest level of privacy available to you.

You may notice that private channels created by the XR UK Hub have xrukadmin as a member. This is the login of the Hub on Mattermost, and allows the Hub to add and remove members, rename the channel, etc. This function is there to save you work, so that people can be automatically added to your channels when you invite them, and so you can remove people, and rename or delete channels from the Hub easily, without having to repeat your actions in the 3 different services.

The UK system administrators have access to this login, so they could, in theory, see everything you say in the channel. If you have something too private to reveal to the UK system administrators, then create a new private channel in Mattermost, rather than via the Hub. Of course, you will then be totally responsible for administering that channel, adding new people in, removing people you do not want in it, renaming it (in Mattermost), etc.

Please do not remove xrukadmin from a team or channel that has been created by the Hub without letting the system administrators know right away that you have done so - if the Hub thinks it can access a team or channel, but it can't, that will cause error messages for your users.

UK Forums

Data in private forums on UK Forums can only be accessed by Forum group members (and the UK Forums administrators). You can check who is in the forum group by accessing the Forum Groups option on the main menu, and finding the relevant group. You can remove people from the group by removing them from your organisation on the Hub (preferred), or in UK Forums (but the Hub may add them back again if you don't remove them there too).

UK Cloud

Data in private group folders in UK Cloud can be accessed by group members (and the UK Cloud administrators), and by anyone you share it with. Again, you can remove people from your organisation (and therefore access to your group) on the Hub.

What if I want to leave XR and remove all my data

If you wish to leave XR altogether, you can ask the Hub Admins (via Hub Help Desk or by emailing tech@rebellion.earth) to delete your data.

They will then remove you from the Hub, Mattermost, Forums and Cloud. All your posts to Mattermost and Forums will be deleted. Any shares of files, calendars or Decks you made on the UK Cloud will be removed. If you don't want that to happen, you can ask to have your account deactivated - all your posts and shares will remin, but your account will no longer allow login.

You will still be on Action Network (to receive emails from XR). You can remove yourself from the mailing lists (there is a link on every email), or you can ask to be removed there as well in Data Team Reception or by emailing tech@rebellion.earth.

You may still have logins on other sites (e.g. Volunteer Website), and you can contact them to be removed.

Why are there private working groups?

This is quoted from a post by the global security expert:

Something that comes up often is "Why are there private working groups? Why can't we all work in the open?" My own experiences in several large online communities, is that having private areas facilitates thriving, safer communities. A 'regime of openness', on the other hand, tends to seed decay, even paranoia and distrust. While that may seem counter-intuitive, there are a great many reasons why this is so:

Privacy is not Secrecy

First of all, we need to challenge the misbelief that Privacy and Secrecy are one and the same. They are not. To quote a beautiful work of literature, A Cypherpunk's Manifesto (EN), 1993:

"Privacy is the power to selectively reveal oneself to the world."

There are things we would tell a sibling we would not a parent; that we would tell a friend that we would not tell a relative or boss. Privacy is the glue of a happy and healthy society, it is how we establish and manage our socio-emotional and physical boundaries.

If I walk up to a couple in the park and demand a summary of what they just talked about, to be included in their conversation, and they refuse, we wouldn't say they are being 'secretive'. Rather, they are asserting their basic human right to privacy.

So it follows that we should certainly not distrust those that seek and affirm privacy, rather those that rally against it, those that demand openness. Further, it should be no surprise that those suspicious of allowances for privacy are often from privileged socio-economic backgrounds.

It must be up to individuals when they choose to be open. This is only something that a de facto of privacy, alongside a basic right to anonymity, can provide.

Whole community poisoning

Private working groups also protect against a very real threat to online communities: Whole community poisoning. Should a troll or infiltrator, or organised group of such, come to Mattermost or Forums and be able to openly join every one of the dozens of teams on this server, every one of the channels and working groups, they can quickly ruin the social and cultural domains this server affords. Having private working groups and/or areas affords us Circles of Trust:

Circles of trust

Allowing members of private channels to manage those same domains encourages a sense of ownership, of trust. In essence, it embodies a decentralisation of trust, in that it is not centrally managed by a vetting process (like a Police file) but rather by transient (a table at a bar) or permanent (a village) communities themselves, through their own experiences (and ever branching degrees of separation).

Like all animals, we meet people, get to know them, and let them closer.

Issues with Google Docs

From the global security expert again (slightly edited to refer to UK comms services).

Green and Black Cross, seasoned professionals in the support of activists in need in the UK, have made a public statement that they will no longer support XR UK. In their statement, one difficult to read, they specifically cite the use of Google (alongside WhatsApp and Facebook messenger) as a risk to rebels, opening them up for deep exposure to Police.

We believe that the way XR stores personal data is inadequately secure (for example, in Google documents and forms). This means that personal data belonging to LOs is likely to be accessed by police.

We believe that the communication channels XR uses for legal observers are inadequately secure (for example, WhatsApp and Facebook messenger groups, public Facebook events and email lists with no bcc). This also means that communication through these channels is likely to be accessed by police.

To summarise: we endanger each other, and ourselves, when we work with surveillance capitalists. So lets stop doing it.

Google is a completely unsafe partner for civil disobedience and activism in general. We can't have a regenerative culture and partner with them. Green and Black Cross are veterans in this space, and we ought to heed their concerns.

Any list of contacts in a Google Doc threatens those in less privileged operational environments, where police request information from Google, which they openly provide, to incarcerate that/those individual(s). It would be great to see us take this to heart and understand that it is uncaring and mutually harmful to continue to use Google products, not to mention WhatsApp.

While a UK XR Rebel (for instance) may find it unusual/paranoid/specious to have such concern, it is a projection of privilege to assume the same jurisdictional/legal environment exists for all, where brave rebels working in difficult conditions are first surveilled (by statecraft, federal police) and then they are jailed, beaten and/or shot. Many of our rebels work in such environments. In the spirit of regeneration and mutual support, it is time for our ethics to be reflected in our communication infrastructure.

Solutions

  1. Use Nextcloud to store and view documents on UK Cloud.

    When someone posts a link to a Google Doc, gently remind them that use of Google is provably unsafe, that we need to make the effort to copy its contents out to a document in our community owned cloud. It is not just the content of the document that matters. Even with harmless content the ability to build up a profile of usage and users to infer activity by combining that with other data is a major privacy issue and potential security flaw.

  2. Use Mattermost, Signal or Wire instead of WhatsApp.

    Owned by Facebook, WhatsApp produces a vast treasure-trove of meta-data and has a notoriously suspect record for data-privacy.

  3. Get off Gmail and other commercial email services.

    Instead use the privacy respecting ProtonMail or Tutanota.

  4. Stop using Facebook and other commercial social media for anything strategic or sensitive.

    This should be done using SignalWire, UK Forums or Mattermost.

A Note on Usernames, Passwords, and Profiles

This document discusses what to include in your profile within the XRUK online services, what makes a good username, and how to choose a password.

In all three of the XRUK services -- UKCloud, UKForum, and Mattermost Chat -- users have a profile that stores their personal information. You can edit some items in your profile, and some of them will be visible to other members. The three key pieces of information in your profile are your username, password and e-mail address.

If you join the new services by responding to an invitation from the UKHub you will automatically start with the same username and password on all three services. Your account on each of them will be tied to the same email address that received the invitation.

Initial Setup

On UKForum and UKCloud you cannot change your username once your account is created so it is important that you choose a good one. If you already have an account on XR Global Mattermost and you want to use a different username or password, then you must change it on your Mattermost Account Settings before accepting an invitation from the hub. The email address already on Mattermost must match the one in your invitation, so if necessary change that on Mattermost before starting as well.

If you want to use a different email address to the one at which you were sent the invitation, then request a new invitation with the correct address from your Group Admin.

When you accept an invitation to first join the new services an account will be created for you on each of the three with the same username, password and email.

Usernames

XR is an open, above ground, organisation so you should always be prepared to own your own activity and put your real full name in your user profile where others can see it, and use your firstname and initials as a username.

Usernames must be unique in each system, so although you are encouraged to use a username that is recognisably related to your real name rather than something that conceals your identity, this may not always be possible.

As an aside, the global Mattermost which we share, covers some countries where there may be substantial personal risks to being identifiable -- so you may well meet some fellow rebels there who are hiding their identities for reasons of personal safety.

There is a minimum length requirement of 6 characters for usernames. They must consist of lowercase alphabetic characters and digits only. Beyond that the longer you make it the more typing you, and others contacting you, will have to do, and the more of a mess it will look on screen.

Passwords

When it comes to choosing a password, choose something which you can remember -- e.g. the initial letters of a phrase or line from a song that will stick with you, with some letters transposed to digit (o->0, I -> 1, to->2 etc) and a couple of uppercase and punctuation characters. The minimum length for a password is 8 chars and it should include both upper and lower case letters plus at least one digit and one symbol.

Do check that it is easy to type on all the keyboards you use -- mobile phones can make it a pain having to switch case, or switch between letters and digits, so you might want to have those grouped together in the password.

Don't rely on your device (or the cloud) remembering it for you -- there will come a day when you will need to actually type it because something has gone wrong.

Finally try to pick a password that you don't use elsewhere -- even if only by appending -xr to one of your standard passwords -- that will ensure that if your bank login gets stolen your XRUK ones are still ok and vice versa.

Profiles

On all the services, you can set up a profile including your Full Name and a small picture called an 'avatar' which helps to visually identify you to other users.

Always add your full real name to your profile, and maybe a bit of information about which part of the country you are in -- city or county at least.

By default, your avatar will consist of your initial or initials on a coloured disc. Even if there are lots users with the initials JS they will get different coloured discs to make them unique.

These work ok, but you can easily find a suitable picture (of yourself or something else) to represent you, and upload that in your profile. It will be resized and cropped to a circular shape. When choosing a picture go for something simple and well defined -- avatars are shown quite small on some pages and your beautiful picture may become a plain brown blob when reduced.

Using the same avatar picture across all services provides a very quick and easy visualidentification for other users to recognise you as the same person.

Although your profile includes your email address this is not shown to other users (apart from system admins). If you want to make your email and phone number available to fellow rebels, then include them in the text of your profile.

Conclusions

More information on the specific things you can adjust in your profile settings (and where to find them) are in subsequent documents.

They key takeaways are:

  • choose a username that helps rebels identify you when you meet them in real life

  • use a password that you will be able to remember even after months of letting it be filled in automatically as a line of blobs

  • fill in your full name and your roles in XR on your profiles

  • upload a picture to use as an avatar so people recognise you visually on the services.