How to avoid social media monitoring: A Guide for Climate Activists

The defense and protection of the environment continues to come at a high cost for activists and human rights defenders. In 2021, the murders of environment and land defenders hit a record high. This year, a report by Global Witness found that more than 1,700 environmental activists have been murdered in the past decade.

While the issue of surveillance of human rights defenders has received attention, evidence of the surveillance of environmental activists keeps mounting, with recent examples from Australia and COP27 still making headlines.

Against this background, PI surveyed climate activists to ascertain the types of technologies and devices they use to conduct their work, and whether they have experienced surveillance of their devices and online activities.

• All respondents stated that tech was essential to their activism, with 93% stating they use a computer/laptop and 83% stating they used their mobile phone to conduct their work.
• Almost all of the activists surveyed, that is 90%, said they use social media for their activism.
• When asked if they felt they had been subject to surveillance, 59% felt they had been subject to tech-based surveillance, all of which stated they believed this was surveillance of their online activity, such as social media platforms.

In light of these findings, we wanted to provide some information that can be used by climate activists to avoid social media monitoring, so that you are free to defend the environment.

Restricting the amount of personal information you share online

Social media plays a key role in bringing like-minded people together, organising and achieving change. Unsurprisingly, 90% of our survey respondents flagged the use of social media in the context of their environmental activism.

Social media activity, while undoubtedly useful for activism, is not without risk - activity on social media platforms may leave a footprint that other actors may seek to follow or exploit.

Social media monitoring refers to the monitoring, gathering and analysis of information shared on social media platforms, such as Facebook, Twitter, Instagram, and Reddit. Such monitoring may include trawling content posted to public or private groups or pages. It may also involve “scraping”, which involves grabbing all the data from a social media platform, including content you post and data about your behaviour (such as what you like and share). Through scraping and other tools, social media monitoring permits the collection and analysis of a large pool of social media data, which can be used to generate profiles and predictions about users.

Good Practices

The way you interact with social media sites can expose a lot about you, sometimes even unknowingly and if you do not amend your privacy settings in a certain way, your data is more vulnerable to social media monitoring. There are general good practices to adopt and settings to implement across your social media accounts that can protect your privacy and make it harder for third parties to snoop on your activities.

A number of respondents to our survey shared with us the steps they follow to protect their online interactions. Among other measures, 76% stated that they rely on multi-factor or two-factor authentication, and 62% stated that they review privacy settings on the platforms they use.

The following good practice measures are applicable across all social media sites whether it is Twitter, Facebook, or Instagram.

Security:

• Enable two-factor authentication (also known as 2FA) provides an extra security step in order to access your account. This way, when you connect, your social media account will verify your identity by requesting a code in addition to your username and password.
• If you log into your account from other devices (public/shared), make sure you log out every time.
• If the app you’re using enables file-sharing, be vigilant before downloading anything sent to you (such as a file or document that requires to be opened on your phone) or clicking links sent by people you don’t know or trust.

Privacy settings:

• Take some time every now and then to review the privacy settings of the social media platforms or apps that you use. In particular, ensure that you review whether the platforms or apps you use share data with third-parties, and exercise your discretion when giving permission for such data to be shared. See specific guidance on third-party data-sharing for Facebook here.
• Enable settings that restrict allowing people to tag you in photos without your consent.
• Enable privacy mode where available and don’t accept follow requests from unknown accounts.

Avoid sharing more than necessary information Data minimisation:

• Don’t post photos of other people without their consent, and be wary when posting photos of children on social media.
• Don’t post sensitive information, such as…, in your photos or captions.
• Don’t reveal your location and make sure the location is not revealed by background details. Similarly, make sure you review - and as necessary, delete or amend - data that may have been uploaded with your pictures.
• Don’t use hashtags that may reveal private data (or the location).
• Be wary when posting photos of children on social media.

You can also see our specific guides for best practice for Twitter, Instagram, and Facebook.

Securing your online communications and the use of messaging apps

Messaging apps have become a key part of the way we communicate with each other some of these apps include Facebook Messenger, Whatsapp, Signal, Telegram, and Viber. For environmental activists these apps may be used to create group chats to coordinate advocacy tactics, ranging from stand-alone actions to organising mass gatherings and protests. Therefore, it is important that activists are using apps whose security is commensurate with the reliance activists place on them. There are two important factors to consider when deciding which app you should use to conduct your activism:

1. Whether the app offers end-to-end encryption that protects the content of your communication; and
2. Whether it collects any information beyond the content of the message, such as location, who you communicate with and other details referred to as ‘metadata’.

When using some messaging apps, you may also want to consider whether they require your phone number to use it. To reduce the number of steps during sign up, most messaging apps rely on a phone number. While this is useful for more widespread pickup, this may be less than ideal for people not wanting to give out their personal number. There are ways to avoid this, such as registering for the messaging app using the number of an alternative SIM card you possess.

End-to-End Encryption (E2EE)

Encryption is a way of securing digital communications using mathematical algorithms that protect the content of a communication while in transmission so that it cannot be read by anyone apart from the sender and the intended recipient(s) or modified by third parties while in transit. When E2EE is deployed, service providers cannot intercept the content or read the messages as they remain encrypted even as passing through the service providers’ servers. Therefore, E2EE protects the confidentiality and integrity of the content of the transmitted information by encrypting it at the origin and decrypting it at its destination, which is extremely important for activists for several reasons, including limiting the trace of coordination of protests.

The use of E2EE for communications should always be preferred over text messages (SMS). SMS messages are completely unencrypted meaning they can be easily read, manipulated in transit, or spoofed. They may also be stored by your telecommunications provider, which may be subject to access requests from governments and law enforcement.

However, encrypted messaging doesn’t necessarily protect you against someone getting access to your phone in order to read your messages. Because of this, for sensitive conversations, it may be sensible to use an app that offers disappearing/timed/vanishing messages to stop the long-term storage of messages for example, Signal. It’s also important to note, that any recipient in a conversation can take a screenshot or otherwise retain the message. Also, the app will display a notice that message deletion is taking place, and shows placeholders for manually deleted messages.

Please note that Mobile Phone Extraction (MPE) - which is used by some police forces and border guards - has been shown to be able to retrieve deleted messages from e.g. WhatsApp. It is unclear whether self-destructing messages are also recoverable by MPE technology. If you’d like to learn more about police use of MPE you can read our advice here.

Metadata

Metadata is another relevant consideration in choosing an app, as different apps apply different approaches to the storage and retention of metadata.

Metadata can be as revealing as the content of your messages. Metadata is all information about a communication, apart from the content of the communication itself. For example, for a mobile phone call, this includes information on what number you called, where you were when you called them, what time you called, and how long that call lasted.

Signal uses E2EE not only to encrypt the contents of messages, but also to obscure all metadata even from itself, storing only when an account was created and when it last connected to the service. In contrast, both WhatsApp and Telegram store, and can access, far more metadata, including IP addresses, profile photos, “social graphs”, and more.

Exercising better control of the information shared on your messaging app

Regardless of whether or not you choose an end-to-end encrypted messaging app, you can take additional steps to secure the information you share in the app.

Chat back-up
Some apps may offer chat back-up as an option. While back-up may be desirable for many people in order to prevent their messages being lost, back-ups on the Cloud may potentially pose a threat to users’ privacy as anyone with access to your Apple (if backed up on iCloud) or Google account (if backed up on Android) could access it.

If you choose not to keep a back-up, this should mean that your messages only exist within the app, which minimises the attack surface.

Minimise your profile information

Messaging apps will usually enable you to keep a profile, which may include a photo, a status or an ‘about’ section.

If you intend to communicate with people you don’t trust, this information might reveal things about you that you’d rather keep private. As a rule of thumb, you may want to select the most private option offered.

In most cases, limiting the visibility of these details to “your contacts” may be a good option, but if you intend to use the messaging app to connect with people you don’t know,it may be worth keeping any profile settings to a minimum or empty.

You can read our full guide for best practice on WhatsApp here.

Limiting your online footprint

VPN

Browsing the web for protest-related materials, among other activities, can create a digital footprint implicating you in a particular protest, movement and/or act of dissent. As governments continue to exert control over access to the Web - including blocking websites and surveiling people’s online activity - people are increasingly turning to VPNs to access social media and information online.

We know from our survey that environmental activists are also turning to VPN as a technical precaution, with 52% of the survey respondents stating that they use VPN.

A VPN - Virtual Private Network - redirects your Internet traffic via one or more servers before giving it access to the wider Internet. A VPN adds an extra layer of encryption between your device and the VPN exit, hiding the content and metadata of your traffic, and true destination of your Internet browsing, from your internet service provider (ISP). It also hides your device’s IP address from websites and apps by routing your traffic via a third country, which can bypass country-based blocks.

As a climate activist, a VPN could be useful for the following reasons:

• A VPN allows for access to blocked or other sites, including those used to disseminate details about a protest.
• A VPN hides your true IP address from social media, websites and apps, offering a degree of anonymity from the platforms themselves.
• A VPN obscures your Web traffic from your ISP, and protects your real IP address from being discovered in a government request to a platform, or a hack/leak of a platform.

If you’re considering to use VPN, ensure that VPN is legal in your country, and check whether it is subject to any regulations.

When choosing VPN, do bear in mind that you’re switching who you trust to see the true source and destination of your Internet traffic, from your phone company, internet service provider or WiFi service to the VPN provider. As many other tech solutions, VPN is not infallible. For instance, VPN traffic has to access the Internet from a server at some point, and these servers are ripe for observation by nation states and other malicious actors. Similarly, like all technologies, VPNs can go wrong. This could mean not routing traffic, or not routing certain types of traffic which could still allow you to be identified by a sufficiently motivated attacker - sometimes without your knowledge.

When choosing a VPN it is important to note the jurisdiction of the VPN provider. Look for VPNs located in countries with strong data protection and privacy laws in place.

We need to be free to defend the environment

As is now well known, engaging in environmental activism is an activity that is fraught with risks. This guide is an attempt to provide environmental activism with basic tools to protect themselves - but even then, it only scratches the surface of what is truly needed to enable environmental activists to carry out their crucial work safely.

A lack of resources, as well as insufficient or lack of training, were the two biggest obstacles cited by our survey respondents to protect themselves and their devices. As a result, it is no surprise that almost two thirds of our survey respondents revealed that they were self-taught in terms of measures used to protect their devices.