Security Guide for Mobile Activists: Checklist and Tips

From MobileActive Wiki

Security Issues of Mobile Phone Use for Activism

While there are many benefits to using mobile phones for those engaged in all types of advocacy work, it is important to be aware of the digital trails that are created by the possession and use of mobile phones. The following is an overview of the security issues mobile activists should consider in their work. MobileActive does not condone any illegal or violent actions but understand that many democracy and human rights activists around the world operate in sometimes repressive and dangerous situations. While mobile phones offer oppertunities for human rights and social justice organizing, they also expose NGOs, citizen groups, and activists to certain risks. This document is meant to outline those risks and suggest simple security measures for campaigners involved in legitimate social justice, human rights, and activist work.

A note: The mobile industry is evolving rapidly so the actual technology deployed in particular countries by mobile operators and governments is changing constantly and hence security issues require constant vigilance and attention.

Records on the phone

There are a number of records that are kept on a mobile phone by default:

• Call logs – calls made and received: Who to, date, time, duration
• SMS - text messages sent and received
• Photos – album of pictures you have taken
• Contact information and other stored data

Call Logs: Depending on the model of phone, it is possible to turn off the automatic logging of calls. Don’t forget that Caller ID means that when you call someone from a mobile phone, the receiver of the call can see what number is calling them and this information is then stored on their phone, even if the call is not answered.

SMS: text messages sent and received are stored in the phone by default. If the authorities are taking investigations very seriously, these records may be obtained from the mobile operator. Deleting messages manually is a simple security measure.

Photos: Using your camera phone at an event? It is a good idea to upload photos straight to a remote server from the phone and then delete them.

Contacts and other stored data: All contact information stored on a mobile phone is available should the phone be confiscated, is lost, or stolen. Consider what data you store on your phone, especially when you work in dangerous or oppressive situations.

Simple Security Measures

Make it routine to delete the information on your phone. Check the settings on the phone to see if can be set to not store call logs and outgoing SMS.

Remote Surveillance

Location

There are two ways that the location of mobile phones can be tracked: LBS and GPS. The knowledge that you were or were not in a particular place can be either positive or negative depending on the circumstances.

a. Location Based Services (LBS)

Your mobile is a tracking device all the time that it is turned on. For a mobile phone to be able to communicate with the network, it keeps track of the actual mast that you are connected to. A phone cell is made up of several masts and this information is used by operators to locate the approximate location (within an area of a few city blocks) of the actual phone. This is occurring all the time your phone is turned on whether it is used to make calls or not.

A growing number of commercial services use this data for tracking of goods and people. These records can be held for some time by the operator. Providers of these services are supposed to send a regular SMS so that the owner of the phone is made aware that tracking is active on the phone (in the UK, though not necessarily in other countries.)

Simple Action

Consider turning the phone off at certain times. Move the phone to places that it can be established you are not at so that activity on the phone is not necessarily linked to you.

b. Global Positioning System (GPS)

In the USA, Federal authorities have mandated that mobile operators implement location tracking for all phones in the wireless E911 program to trace cell phone calls to a location within 100 meters or less. The idea is for police, fire, and ambulance services to use the positioning system to track down cell phone callers in an emergency. Of course this information can be used for all sorts of other purposes as well.

Simple Action

Buy a phone without GPS.

Monitoring/surveillance of communications

To undertake surveillance of phone conversations and SMS text messages, governments have to work with the mobile operators, unlike the internet where people can more easily access and intercept data.

An EU agreement in December 2005 requires that commercial traffic logs of all phone calls, text messages, emails and instances of internet use are stored by telecoms companies for a minimum of six months and up to two years. Even details of calls that are connected but go unanswered will be archived. Software used includes so-called SMS Content Surveillance. Content filter software installed at the message routing point in the network (SMS-C), for example, can filter for specific words and alert the authorities.

Other surveillance might be used in other countries, so be sure you understand the environment you are operating in.

Simple Actions

• Buy a SIM card just for the specific project and dispose of it afterwards.
• If you suspect that messages are monitored use agreed innocuous words in your messages
• Exchange an agreed upon code to show that you are still in control of the phone

Phone as Radio Microphone

Software can be installed remotely without you knowing and then the phone used as a mike/bugging device. A commercial version that can listen to conversations in the region of the phone is also available for purchase although it does not include remote installation. However if someone had access to your phone it could be installed.

Simple Action

• If your conversation is sensitive, don’t discuss it on the phone.
• Consider taking the battery out of any phones in your vicinity when you operate in a dangerous environment.

Pre-Paid Or Account

If the account you have with a phone company is a monthly account, a record of all calls made and received with the operator is recorded and can be accessed long afterwards. Records held include billing, used services, where you were when making or receiving calls, and numbers called and received.

It is possible in many countries to obtain a pre-paid SIM card without providing any personal information. For added security, it may be advisable to pay with cash and choose an outlet not covered by CCTV.

Additional Resources on Security Issues

[http://www.activistsecurity.org/ Security for Activists A Practical Security Handbook for Activists and Campaigns]

[http://www.freebeagles.org/articles/mobile_phones.html A Guide to Mobile Phones - A short guide to using mobile phones safely and securely for activists.]

Mobile Security Checklist

• Use a pre-paid SIM card
• Buy a SIM card just for the specific project and dispose of it afterwards.
• Make it routine to delete the information on your phone. Check the settings on the phone to see if can be set to not store call logs and outgoing SMS.
• If your conversation is sensitive, don’t discuss it on the phone and consider taking the battery out of any phones in your vicinity.
• Consider turning the phone off at certain times in your journey. Move the phone to places that it can be established you are not at so that all activity on the phone is not linked to you.
• If you suspect that messages are monitored use agreed innocuous words in your messages

Document Author: Mike Grenville [1] Date: January 2006

This work is licensed under the Creative Commons Attribution-NonCommercial 2.5 License.