A Lazy Coward`s Guide to Fighting Fascism

The myth of the anonymous Internet - and it has always been a myth - is slowly fading as the average Internet user watches their protections and rights to be ignored wholly forgotten in the mad rush for capital-building information. While forensics have been able to piece together identifying markers from online activity for decades, the cost of doing that work has gone down substantially in recent totalitarian regimes. In the United States, the fourth amendment has generally held that your privacy, digital or otherwise, cannot be invaded without judicial intervention. Just cause has turned into “just ’cause” overnight with the very public dismantling of checks and balances. Private tech companies no longer worry about rolling over for fascism causing their stock to drop. Humans are no longer their customers. Speculative bubbles are more profitable and if they never have to put the money back into the pot - rather, just hand it back and forth to one another and tip their hats like playground pantomime - they are all the more happy. So why bother saving face when you can get special treatment by playing ball with dictators? That hurdle has classically been the most difficult one to overcome when doing Internet sleuthing and it has eroded entirely.

Palantir and its precursors, along with government programs like PRISM, work their way into boards and halls of tech giants. They use kickbacks, permitting, and all sorts of bribery to make sure that the biggest-named players are all in on the grift of faux security in modern tech. But tech is less secure than it has ever been. It may prevent low-rent script kiddies from scamming your Roblox account, but everything you do on most of your devices can be laid bare in seconds if someone merely decides to look.

Again, this is not new. Logging has been fundamental to computer network interaction since its inception. Things needed for reliable communication over an infrastructure made to carry flustered Trans-Atlantic accents from Pennsylvania-65000 to Klondike-5555 were already being stored so these digital bridges could be created. Endpoints had to be known. Routes had to be known. Owing to this, there was little anonymity in computing from the start. Anonymity was added, intentionally and otherwise. Log files take up space, so anonymity is bolstered simply by not storing this information past the active session. But compression got extremely good, extremely fast. Especially for text. Logs became less and less a storage concern and more one of privacy well before AOL shipped its first disk. For a while, privacy was a top tier feature in online communication. At least, behind the scenes. People love to identify themselves. It’s almost like we are all apes made of existential dread and routine. Because we are. As the net became more ubiquitous, people started realizing the importance of privacy. Not for illicit acts, though certainly those were in the mix. But for every day activities that were becoming more common online. Communication with friends, family, doctors, colleagues. These all needed some protection from prying eyes. Encryption technologies became an arms race against bad actors trying to hijack communications to steal what information they could. At the same time, however, companies began realizing how much of the data flow they controlled and how much that data could be used to create targeting for themselves. Then, they realized people would still pay for services even if ads where part of that service. In some old newsroom storage closet, William Randolph Hearst’s portrait smiled. So began the two-faced deceit of IT security.

All of this is just a long-winded intro to say this: No corporate entity ever has your best interests in mind when making decisions. Only profit. Or reduction of loss. When paramilitary police forces decide to dox you, the ’safe, secure, encrypted’ services you use from publicly traded for-profits mean absolutely nothing. They have your data. They will give it over to the cops. It’s the most financially beneficial stance (on paper), and that’s the only stance they will ever take.

So what is there to do? Break out paper cups and semaphore flags? How can you go to a protest and keep your digital life from becoming Exhibits A-Q should a stormtrooper decide you look enough like his ex or his abusive dad or just that kid he beat up in high school so it’s your day to get zip-tied and paddy-waggoned? Not all is bleak, nor do you have to pull a Full Amish when you head down to the future kettle where the first amendment is “protected” until it’s not. You can do quite a bit to harden your personal security - which in turn makes those around you more secure. It’s work, but what isn’t these days? Work, I guess.

Leave your phone at home

This is one of those pieces of advice that often gets eye-rolled by activists and organizers. But before you dismiss it, hear me out. I’m not saying ‘don’t take a phone.’ I’m saying leave the phone you use as your primary device at home. It is very easy and very cheap to pick up a second phone for recording - one of the most important functions of a phone at any protest - and communication. You can use an anonymous pre-paid carrier phone for emergencies, an old phone you’ve wiped, or grab a cheap used unlocked phone off of any number of marketplaces. Considering the despicable desposability cycle of modern phones, you can probably find a few free ones with some calls to friends and family. A few things to keep in mind:

• Fully factory reset any phone you receive or purchase. If possible, do this offline using tools from the manufacturer.
• If an alternative, hardened OS such as GrapheneOS is available for your device, consider using that instead of stock Android or the manufacturer’s bloatware.
• Try to find a phone that uses a physical SIM card. eSIMs are convenient, but are tied to the device and usually tied to the sales records of the device. A physical SIM lets you swap to another carrier or a prepaid number with ease.
• Keep apps to the bare minimum. When possible, use app stores that do not tie to an account. F-Droid is a good option. Obtainium is very popular as well.
• DISABLE BIOMETRICS. Apart from being way less secure than they purport, biometrics can be used to illegally compel you to unlock your device. Face scans are NOT legally protected. Fingerprint scans can be obtained through force. Set up a complex PIN or password and don’t fall for the false security of biometric login.
• Don’t sync accounts, contact lists, texts, etc. Don’t use e-mail applications. Check e-mail through a private browser session. This is a pain because you have to manually enter security info every single time, but it means that there’s no forensic footprint left on your phone once the session is closed.
• If you need to stream or capture to a cloud service, add a second, anonymized account for doing so. You can always re-share from your primary account later, but there’s no reason to link your activities to verifiable identification.
• Remove data from your phone when you get home. Back it up on a secure drive and remove it from the device. Again, there’s no reason to provide a free map of your whereabouts for potential prosecutors.
• Use a VPN (with manual credentials, not apps). A VPN can help protect you from local scanners, a more and more popular tool for oppressors, as well as provide an extra layer of cover from your carrier snooping on their behalf. Generally, use a VPN from a country with sound data protection laws like the Netherlands if possible.
• Utilize wifi hotspots over cellular data when possible. Many areas have free wifi if you look for it. Combined with a VPN, getting your exact activity trail becomes much, much harder.
• Only give the phone number for the device (if applicable) to a few people you trust. An army willing to use a 5 year old to draw people out of a house will absolutely put pressure on people close to you. People can’t give up your info if they don’t know it, so keep the list as small as you can.
• Use your protest phone for protesting. Keep it on Airplane Mode or turned off. Take it off Airplane Mode AFTER arriving at the protest. Put it in Airplane Mode BEFORE you leave the protest. Cell tower pings can be used to create a very accurate map of your path to and from. Again, don’t give them anything for free.
• If you simply cannot use a dedicated phone and cannot leave your phone at home, consider paring down apps, creating a second profile with very little information and using that when you’re at gatherings, using a VPN, disabling ALL AI tools, turning off tracking metrics (such as “send us data to improve your experience while using the app!” settings), signing out of social media accounts, and following the biometric and VPN suggestions above.

Be comfortable being bored

Excepting a secured phone (if necessary), don’t bring any connected devices with you. No iPad. No Switch. No Steam Deck. No ROG Steam Deck But Worse. If you have one of those handheld retro devices from Anbernic or anything with bluetooth, wifi, or mobile data, just leave it at home. Tablets, smart watches, even many MP3 players - anything that can connect with a wireless service of some type can be scanned and identified and linked to you if found on your person after an arrest. If you’re going to a protest, you’re going to protest. Not to scroll feeds or find epic mounts. Being uncomfortable with being bored is no reason to tag yourself like a migratory whale pod.

Don’t give up your entire identity at home

In your day-to-day life, more and more of your online identity is being added to your digital fingerprint. Platforms can predict, with astounding accuracy, what your next website visit will be. They can pick you out of a haystack of haystacks of users in seconds. Every cookie you accept, every permission you grant…they’ll be watching you.

Use a VPN on your home network. You don’t need to go so far as to tunnel to another country for your day to day use, but just adding one more layer of obfuscation helps. Obscurity is not security, but it’s better than nothing. Use secure communication when available. Set your browser to always use https, in example. Switch off of known problematic messaging apps like Discord to more secure options like Signal. Don’t use AI processing on anything. In fact, turn off AI everywhere you can. If you’re using Windows, [url-”https://www.howtogeek.com/how-to-rip-out-copilot-from-windows-11/” target=”new”]uninstall and prevent CoPilot from reinstalling [/url](note - this can change on a whim and they are pushing CoPilot hard, so your best bet is to leave Windows or go back to Windows 10 and use a debloating tool). Switch your search engine to a non-AI backed search such as DuckDuck Go’s No AI service. Remove AI tools from your browser if you use Chrome or Chromium based browsers or Firefox. (Note, beginning with Firefox 148, a single kill switch will be introduced under Settings -> AI Controls -> Block AI Enhancements, but it has not rolled out globally at the time of this writing).

Don’t use social media to discuss your activities at protests. You can obviously be loud and proud about your views, but any insight into the inner workings of direct action will be use to subvert it. There is no virtue signalling in protest. There’s no reason to share intel with the enemy during an active war. Save your mementos in a safe, encrypted location. Once everyone swears they were always against all of this, which they will, feel free to make a wall of dissent. But during active operations, no need to identify locations, organization, or the faces of others for internet points.

Keep your systems secure. Self-hosting can be a great way to withdraw from the onslaught of platform rot, but it can also open you up to attacks. Automated attacks are becoming more sophisticated, or in the case of AI based attacks, more frequent to the point of overwhelming systems. Not smarter, just more waves crashing against the beach. Protect yourself by understanding edge security. Make sure your router is not compromised and is up to date on its firmware. Make sure to keep an eye on security bulletins for software you host and quickly update it if a confirmed security hole is disclosed. This is obviously for more technical folks, but anyone can learn how to lock down their home network in a couple of days worth of YouTube videos and old forum posts.

Stop using Spyware as a Service

The Superbowl ad for Ring really shook the tree in terms of the general public’s understanding of just how perverse and pervasive private spying has become. Convenience has, for at least the last two decades, come at the cost of security. We hand over our details willingly to save a few steps while logging in or to scream into our personal void and have it play back our favorite comfort songs. Ditching digital servants is a minor inconvenience that feels like oppression to so many who are now used to the ease of it all. I promise, it’s really not that hard to pick a playlist by hand. Drop digital assistants from your phone. Doubly so if they’re AI-backed. Get rid of Echos and Smart Speakers and cloud-connected doorbell cameras and app-based light managers and all that BS. You can find replacements that leave all of your data in your personal network for nearly everything. So if you really need the convenience or are in a position where you need these things for accessibility, there are options. Home Assistant is a robust, multi-protocol service which can be locked down, but still control your existing closed-source hardware, in example.

Don’t use sign-in aggregators when you can avoid it. “Sign in with Google” sure feels like a convenient wonder. But what it really is is a single point of access for anyone who is able to get your Google device from you. Like the cops or TSA (cops) or ICE (somehow even more cop cops). Instead, consider an encrypted password manager with a strong master password (not biometric!) and individual site password. Avoid saving the password manager backups on cloud storage and instead, sync them to a folder on your network or an external endpoint you control. Again, passwords are protected by the 4th amendment. Your fingerprint is not.

Stop sharing videos with tracking data. YouTube, TikTok (dear god, stop using this garbage), and many other video hosting sites have a share button that tracks you and then tracks further shares by others who are NOT you. Strip your URLs before sharing them. Use only the required query string data (example - on YouTube, shares usually include an si=(code) element. When you share, remove everything except for the required video ID. When using the fully qualified www.youtube.com, this usually means deleting everything after and including the first ampersand. When using a shortened youtu.be link, this usually means deleting everything after and including the first question mark.
Example:

https://www.youtube.com/watch?v=EOxERcvYE9g&si=XXXXXXXXXXXXXX
or
https://youtu.be/EOxERcvYE9g?si=XXXXXXXXXXXXXX

Become

https://www.youtube.com/watch?v=EOxERcvYE9g
or
https://youtu.be/EOxERcvYE9g

respectively.

Don’t use photo filter apps, AI enhancement apps, or anything that requires personal data to produce some social token. “It’s fun, everyone’s doing it and I want to see mine!” Nobody is going to care about this shit in a week. Remember BitStrip avatars? Garbage, prepackaged flash art that was reassembled after you handed over the keys to your personal profile? Nobody actually liked anyone else’s but their own. Which means nobody actually liked them. You’d give them enough info to fake a MasterCard support call and get the most dated, ugly garbage to hang on your digital sash. Stop.

The future of capitalism and the future of humanity cannot coexist. We’re living in that tumultuous between-time, when neither side has laid full claim to the next stage of development and both sides are still under the illusion of a false pact. The average person still thinks technology is a service, not a siphon. The average CEO still thinks that there is more wealth to be pumped from a dry populace. One side will crack and separating your affairs now will do nothing but benefit you, regardless of how the whole thing shakes out. Services are built to incubate product. YOU are the product. Your data. Your eyes. Your time. They sell your own atrophied ability back to you in a neatly packaged, completely standardized, wholly unowned-by-you way. Put up as many roadblocks to them getting all of you for nothing as you can.

Some other videos and resources I’ve enjoyed (GDPR protected. Click Play Video to view):

TL;DR: Go to https://exiftool.org to get the goods!

Did you know that a picture is worth a thousand words? Thanks to inflation, that’s closer to 33,000 words today. But good luck finding a buyer in this economy.

Photography, a French hobby from the early 19th century - you may have heard of it, has gone from a science afforded only by the elite to being so ubiquitous there are likely pictures of you picking your nose openly available on any of thousands of police surveillance systems installed across the world. What used to require special papers and chemicals and glass now requires a half second of attention from the danger rectangle nearly everyone carries. I don’t mean the ART of photography. That’s art. That’s the eye and composition of human wonder. The process of photography, though, is about as mundane as shoes or pizza parties in lieu of compensation or work-life balance.

In this procession to mundanity, a word worth at least 1/8th of a picture, the processes behind its majicks have been lost on the photographer. In the time of shared butthole rags in outhouses and oil being an annoyance to water diviners, photographers had to be chemists. They had to deposit opaque materials in solution on glass or treated paper. They had to know for how long each stage of development took based on the subject of the photograph. They had to set and enlarge and repeat from negatives. It was a meditative process as much as a scientific one. Today, we can simply double-press a button (poor people’s phones still have buttons. Apple folks probably just speak some incantation and do a little somatic gesture) to bring up an instant FotoMat booth in the palms of our hands.

That’s not to say the lay person knew the photographic process before digital cameras made it a New York rooftop party talking point. The commodification of photography moved processing to a central, abstracted location a century prior. So not thinking about anything but the shot itself has been, for the lifetime of anyone reading this, the norm. And that’s not a bad thing. Not every snap, candid, or interesting dog poo needs to be meticulously developed. Most are simply mementos or memory aids or embarrassment fodder to show to first dates. So when digital photography became something anyone could carry in their pocket, learning the inner workings was never on the list of things people wanted to do with it. Mostly they wanted to take photos of the food they were eating or their genitals. Sometimes both at the same time. What a beautiful world.

Digital imaging brings with it a host of advantages. Ease, access, instant…ness. And a digital file can carry more than just the image. But unlike a hastily snapped Polaroid of your grundle, the data isn’t limited to an unreadable date scrawled in sharpie or a quick description of the scene on the back of a print. The file’s data is normally completely invisible. Because it’s invisible, it’s also often out of mind. The average phone photog isn’t thinking of their precise location being associated with a picture as more than anything but a future convenience. If at all. They aren’t thinking about what data the app they are using adds to the photo - likely from a place of functionality on the part of the developers who made it. Metadata - the information stored in the file along side the stream of bits that make up the image - is extremely useful for quickly categorizing, grouping, searching, and filtering images. The type of data stored varies from camera to camera, from app to app. It can be edited and updated by your photo processing software. Every time the file is piped through something, it generally adds a little more. That seems great, right?

And usually it is pretty great. Especially during the creative process of editing or for organization of your collection. But what happens when you share that photo online? If you’re like me, nothing. It just sort of sits there and nobody likes it and you eat a Cadbury about it. But a couple decades ago, someone who gets paid to create giant buckets for categorizing people for targeted advertising realized that this was another metric they could use to do just that. And in service, applications and cameras began adding more data to that invisible catalog. Advertiser profiles can include information about where you’ve been based on your photo stream without ever having to ask you to enable GPS for their app. Analytical algorithms have made that a much bigger issue as they can start making connections between things at a rate humans can’t even comprehend. They can identify that a specific subject of photography lives at a precise location based on multiple photos with the same coordinates. They can use your editing software to determine if you’re open to subscriptions or if you’re a professional versus an amateur. Large language models can use the information to steal your style by creating a fingerprint that quickly munges all of your work into a bucket to be drawn from should some sad moron decide to fake you in particular. In a world of big data solutions, the free fuel your images provide to corporate data pools can and will be used against you. EXIF was created, like most things perverted through a scanner dimly by our current surveillance state, from a place of good intent. It was meant to do all the things it does that are useful. Like fire. Like leaded gasoline. Like asbestos. The thinking around something, particularly in computer science, generally stops when the goal of the usecase is met. The thinking of bad actors, however, does not.

“So what? They’ve already got my ad profile,” I don’t hear you say because I’m alone in a room with a keyboard right now. Yes, but we have crossed a threshold in recent years of draconian overreach by monitoring bodies. AdSense having a fingerprint of you may not matter right now. But if you say something the government doesn’t like? If you take a photo of an unrelated Waffle House plate while helping a loved one get to a state that allows healthcare? If you exercise your constitutional rights in a regime that illegally demands you do not? You’ve now outed yourself and who knows how many others. This isn’t a game of personal risk anymore. The computation behind these KKKeystone Kop tactics is enormous. And often wrong, but in ways that are never trivial. And digital forensics can create a pretty compelling case from metadata if they really want to place you and a photo taken by you together in front of a jury. When living becomes criminal, unfortunately, we must all “avoid getting caught” just existing. So it’s a good time to start using some tools that make the whole thing less of a free square for Peter Thiel’s Palantir Pals.

There are a number of options for editing or removing metadata on photos. Some editing software allows you to do it directly. But my preferred method is EXIFTool by Phil Harvey.

Not that Phil Harvey. But an equally British one. A Master of Nuclear Physics and avid birder, Mr. Harvey created EXIFTool. A fantastic, multiplatform tool that quickly removes the metadata tying your digital fingerprint to a photo. On the website for the tool, you can find a number of links to external resources concerning EXIF data as well as a full set of instructions for a number of different platforms and applications. I won’t rewrite the site here, but I do suggest clicking the previous link and giving it a read. And a download. There is zero reason to hand over identifying information to corporations who trade in you as a product. Nor to dictatorial governments, dying to kill. This is not, in any way, a means to subvert criminality. Risk is risk. But removing EXIF data DOES make directly linking you to a photo much harder. And moreover, it makes linking people who AREN’T you to YOU much harder. The relationships we don’t know we build in a digital world are uncountable. We connect with people by simply being in proximity under the covers of the global surveillance networks created under the lie of ’safety’ for the other thing. Being responsible with data is a social imperative as our individualistic facades are melted away and we are all made aware that we are fuel. Be a good neighbor and scrub your photos before sharing them.

There are a few caveats, but overall the benefit of removing EXIF data (something I’m still getting into the muscle memory of doing - there’s hypocrisy on this very blog) outweighs the minor inconveniences. Some applications use EXIF data to do rotation. That is, they will retain the image stream as unrotated and apply a rotation tag, honored by most viewing software. So removing the data may result in an image being in an incorrect orientation. For color-managed images, EXIF can contain color attributes which help them to be displayed correctly. All of this is surmountable, but with extra work on our part. A small price to pay, but something to be very aware of if you’re posting things quickly. The more you remove metadata from what you post, more dead ends you introduce to crawling algorithms trying to link every single atom of data to every single other one.