Privacy and Security
How private is your data on the XR communication services?
Data on our new services is held in an encrypted partition on a server in Switzerland (which has excellent data protection laws). Should we receive the statutory 24 hours notice of a data access request, we only have to shut down the server to make the disk about as much use to the authorities as a brick.
Having said that, data on a public channel in Mattermost, a public forum on UK Forums, or a shared folder on UK Cloud should be considered public -- if anyone in XR can access it, then you should assume there is a mole in the organisation, who can pass it on to the authorities.
All data on any server is accessible to the system administrator of the server. This is why we do not recommend using third party servers for anything in the least bit sensitive. The system administrators of all the XR servers (a handful in total) are all long standing XR members who are trusted by the movement.
Mattermost
The system administrators of the Mattermost server (none of whom are in the UK) ask that you do not share sensitive details of illegal activity on Mattermost.
Quote from the XR Global FAQ
The XR Mattermost is a service in use by hundreds of groups, for team chat, group updates and organising. As the service is shared, we need to make sure no one team or group makes this service any more of a target for our adversaries than it already is. If an adversary (including an insider or federal investigator) knows high-value information is stored on this server, they will focus on ways to reach it, including possible legal interventions. As such, the less sensitive and high-value information that is shared on Mattermost, the better for all of us, and it will keep ticking along just fine.
But what is meant by 'sensitive information'? Here is a non-exhaustive list of examples:
- Home addresses, personal phone numbers and full names of action coordinators
- Full names of rebels signing up for an action
- Credit card and bank details
- Car license plate numbers of rebels
- Login details for group social media accounts
- Leaks from truth tellers
- Date, time, place and participants of a planned clandestine action
Details such as above are best shared off-platform, on an end-to-end encrypted service like Signal, Wire or Session. For sensitive documents, use the end-to-end-encrypted XR Cryptpad. Use MM for chat and for organising (action planning should be in private teams and/or channels), but when the info gets hot, "I'll Signal you those details". This also ensures that if an adversary manages to get their hands on one account, they don't have all the pieces of the puzzle to sabotage an action, nor pair up individuals with a particular action plan, nor put faces to words with intent to commit crime (etc).
We want to be arrested for what we do, not what we plan to do, lest of all for a few ideas we're throwing around.
This best-practice approach is referred to in Operations and Information Security as air-gapping as it puts space between mission-critical information and/or infrastructure. It's a great group and mission-centric habit to get into, and is broadly used in gov agencies, military and corporate sectors. It's a trick they don't want us activists to know and use!
Data in a private channel in Mattermost can only be accessed by members of the channel. Only other members of the channel can join new people, so that is the highest level of privacy available to you.
You may notice that private channels created by the XR UK Hub have xrukadmin as a member. This is the login of the Hub on Mattermost, and allows the Hub to add and remove members, rename the channel, etc. This function is there to save you work, so that people can be automatically added to your channels when you invite them, and so you can remove people, and rename or delete channels from the Hub easily, without having to repeat your actions in the 3 different services.
The UK system administrators have access to this login, so they could, in theory, see everything you say in the channel. If you have something too private to reveal to the UK system administrators, then create a new private channel in Mattermost, rather than via the Hub. Of course, you will then be totally responsible for administering that channel, adding new people in, removing people you do not want in it, renaming it (in Mattermost), etc.
Please do not remove xrukadmin from a team or channel that has been created by the Hub without letting the system administrators know right away that you have done so -- if the Hub thinks it can access a team or channel, but it can't, that will cause error messages for your users.
UK Forums
Data in private forums on UK Forums can only be accessed by Forum group members (and the UK Forums administrators). You can check who is in the forum group by accessing the Forum Groups option on the main menu, and finding the relevant group. You can remove people from the group by removing them from your organisation on the Hub (preferred), or in UK Forums (but the Hub may add them back again if you don't remove them there too).
UK Cloud
Data in private group folders in UK Cloud can be accessed by group members (and the UK Cloud administrators), and by anyone you share it with. Again, you can remove people from your organisation (and therefore access to your group) on the Hub.
Appendix 1: Why are there private working groups
This is quoted from a post by the global security expert (with minor formatting edits).
Something that comes up often is "Why are there private working groups? Why can't we all work in the open?" My own experiences in several large online communities, is that having private areas facilitates thriving, safer communities. A 'regime of openness', on the other hand, tends to seed decay, even paranoia and distrust. While that may seem counter-intuitive, there are a great many reasons why this is so:
Privacy is not Secrecy
First of all, we need to challenge the misbelief that Privacy and Secrecy are one and the same. They are not. To quote a beautiful work of literature, A Cypherpunk's Manifesto (EN), 1993
"Privacy is the power to selectively reveal oneself to the world."
There are things we would tell a sibling we would not a parent; that we would tell a friend that we would not tell a relative or boss. Privacy is the glue of a happy and healthy society, it is how we establish and manage our socio-emotional and physical boundaries.
If I walk up to a couple in the park and demand a summary of what they just talked about, to be included in their conversation, and they refuse, we wouldn't say they are being 'secretive'. Rather, they are asserting their basic human right to privacy.
So it follows that we should certainly not distrust those that seek and affirm privacy, rather those that rally against it, those that demand openness. Further, it should be no surprise that those suspicious of allowances for privacy are often from privileged socio-economic backgrounds.
It must be up to individuals when they choose to be open. This is only something that a de facto of privacy, alongside a basic right to anonymity, can provide.
Whole community poisoning
Private working groups also protect against a very real threat to online communities: Whole community poisoning. Should a troll or infiltrator, or organised group of such, come to Mattermost or Forums and be able to openly join every one of the dozens of teams on this server, every one of the channels and working groups, they can quickly ruin the social and cultural domains this server affords. Having private working groups and/or areas affords us Circles of Trust:
Circles of trust
Allowing members of private channels to manage those same domains encourages a sense of ownership, of trust. In essence, it embodies a decentralisation of trust, in that it is not centrally managed by a vetting process (like a Police file) but rather by transient (a table at a bar) or permanent (a village) communities themselves, through their own experiences (and ever branching degrees of separation).
Like all animals, we meet people, get to know them, and let them closer.
Appendix 2: We need to talk about Google Docs
From the global security expert again (slightly edited to refer to XR UK comm's services).
Green and Black Cross, seasoned professionals in the support of activists in need in the UK, have made a public statement that they will no longer support XR UK. In their statement, one difficult to read, they specifically cite the use of Google (alongside WhatsApp and Facebook messenger) as a risk to rebels, opening them up for deep exposure to Police.
We believe that the way XR stores personal data is inadequately secure (for example, in Google documents and forms). This means that personal data belonging to LOs is likely to be accessed by police.
We believe that the communication channels XR uses for legal observers are inadequately secure (for example, WhatsApp and Facebook messenger groups, public Facebook events and email lists with no bcc). This also means that communication through these channels is likely to be accessed by police.
Their statement raises an old issue here on Organise.Earth [Ed: The server hosting the global Mattermost], one that is a primary motivation for the server existing in the first place: we endanger each other, and ourselves, when we work with surveillance capitalists. So let us stop doing it.
Google is a completely unsafe partner for civil disobedience, activism in general. We can't have a 'regenerative culture' and partner with that corporation. Green and Black Cross are veterans in this space, and we ought to heed their concerns. I share their concerns having assisted at-risk individuals and groups for years with their infrastructure, to keep them off-police-record and safe in their work.
Lists of NCs in a Google Doc - any list of contacts - threatens those in less privileged operational environments, where police request information from Google, which they openly provide, to incarcerate that/those individual(s). It would be great to see us take this to heart and understand that it is uncaring and mutually harmful to continue to use Google products, not to mention WhatsApp (a meta-data harvest), as Green and Black Cross make so clear.
While an XR NL or XR SE (for instance) may find it unusual/paranoid/specious to have such concern, it is a 'projection of privilege' to assume the same jurisdictional/legal environment exists for all, where brave rebels working in difficult conditions are first surveilled (by statecraft, federal police) and then they are jailed, beaten and/or shot. Many of our rebels work in such environments. In the spirit of regeneration and mutual support, it is time for our ethics to be reflected in our communication infrastructure.
Solutions
Use Nextcloud to store and view documents on UK
Cloud.
The only reason not to is if you absolutely must have online editing or
real-time collaborative editing -- ask yourself is there a different way
of working?
The tech team is working hard to make available a Google Docs like interface to enable people to edit documents collaboratively. A view only version is already available, and we are working on porting an editing version to our server.
While functional, do not expect this to be as slick as Google Docs, which has all the massive resources of Google behind it, and has probably cost millions to develop! Remember that the cost of using google is that everything becomes easily available to both commercial and state interests.
In the meantime, only use google docs for things for which you absolutely must have real-time collaborative editing. [So long as your computer is secure]{.underline} you can use the Nextcloud desktop sync app to edit a local copy of documents you are working on and have them automatically updated into UKCloud.
When someone posts a link to a Google Doc, gently remind them that use of Google is provably unsafe, that we need to make the effort to copy its contents out to a document in our community owned cloud. It is not just the content of the document that matters. Even with harmless content the ability to build up a profile of usage and users to infer activity by combining that with other data is a major privacy issue and potential security flaw.
Use Mattermost, Signal or Wire instead of WhatsApp. Owned by Facebook, WhatsApp produces a vast treasure-trove of meta-data and has a notoriously suspect record for data-privacy.
Get off Gmail and other commercial email services. Let us help each other get off GMail. No more sending around sensitive documents in GMail accounts. Use the privacy respecting ProtonMail or Tutanota instead.
Stop using Facebook and other commercial social media for anything strategic or sensitive. This should be done using Signal or Wire, or on UK Forums or Mattermost .
A Note on Usernames, Passwords, and Profiles
This document discusses what to include in your profile within the XRUK online services, what makes a good username, and how to choose a password.
In all three of the XRUK services -- UKCloud, UKForum, and Mattermost Chat -- users have a profile that stores their personal information. You can edit some items in your profile, and some of them will be visible to other members. The three key pieces of information in your profile are your username, password and e-mail address.
If you join the new services by responding to an invitation from the UKHub you will automatically start with the same username and password on all three services. Your account on each of them will be tied to the same email address that received the invitation.
Initial Setup
On UKForum and UKCloud you cannot change your username once your account is created so it is important that you choose a good one. If you already have an account on XR Global Mattermost and you want to use a different username or password, then you must change it on your Mattermost Account Settings before accepting an invitation from the hub. The email address already on Mattermost must match the one in your invitation, so if necessary change that on Mattermost before starting as well.
If you want to use a different email address to the one at which you were sent the invitation, then request a new invitation with the correct address from your Group Admin.
When you accept an invitation to first join the new services an account will be created for you on each of the three with the same username, password and email.
Usernames
You are encouraged to create a username that is recognisably related to you - some rebels are happy to use their Local Group as part of their username - like tom-bangor
- others may align with their Working Group - like rose-creatives
. However, should you wish to remain anonymous, you are free to choose one that totally conceals your identity.
As an aside, the global Mattermost which we share, covers some countries where there may be substantial personal risks to being identifiable -- so you may well meet some fellow rebels there who are hiding their identities for reasons of personal safety.
There is a minimum length requirement of 6 characters for usernames. They must consist of lowercase alphabetic characters and digits only. Beyond that the longer you make it the more typing you, and others contacting you, will have to do, and the more of a mess it will look on screen.
Passwords
When it comes to choosing a password, choose something which you can remember -- e.g. the initial letters of a phrase or line from a song that will stick with you, with some letters transposed to digit (o->0, I -> 1, to->2 etc) and a couple of uppercase and punctuation characters. The minimum length for a password is 8 chars and it should include both upper and lower case letters plus at least one digit and one symbol.
Do check that it is easy to type on all the keyboards you use -- mobile phones can make it a pain having to switch case, or switch between letters and digits, so you might want to have those grouped together in the password.
Don't rely on your device (or the cloud) remembering it for you -- there will come a day when you will need to actually type it because something has gone wrong. Ideally, keep all your passwords in a secure password manager (rather than giving them all to Google or Apple to remember).
Finally try to pick a password that you don't use elsewhere -- even if only by appending -xr to one of your standard passwords -- that will ensure that if your bank login gets stolen your XRUK ones are still ok and vice versa.
Profiles
On all the services, you can set up a profile including your Full Name and a small picture called an 'avatar' which helps to visually identify you to other users.
Always add your full real name to your profile, and maybe a bit of information about which part of the country you are in -- city or county at least.
By default, your avatar will consist of your initial or initials on a coloured disc. Even if there are lots users with the initials JS they will get different coloured discs to make them unique.
These work ok, but you can easily find a suitable picture (of yourself or something else) to represent you, and upload that in your profile. It will be resized and cropped to a circular shape. When choosing a picture go for something simple and well defined -- avatars are shown quite small on some pages and your beautiful picture may become a plain brown blob when reduced.
Using the same avatar picture across all services provides a very quick and easy visualidentification for other users to recognise you as the same person.
Although your profile includes your email address this is not shown to other users (apart from system admins). If you want to make your email and phone number available to fellow rebels, then include them in the text of your profile.
Conclusions
More information on the specific things you can adjust in your profile settings (and where to find them) are in subsequent documents.
They key takeaways are:
-
choose a username that helps rebels identify you when you meet them in real life
-
use a password that you will be able to remember even after months of letting it be filled in automatically as a line of blobs
-
fill in your full name and your roles in XR on your profiles
-
upload a picture to use as an avatar so people recognise you visually on the services.