As it happens, the main country case studies for my dissertation are Egypt and the Sudan. I’ll have to write a whole lot more given the unprecedented events that have taken place in both countries since January 25th. As many iRevolution readers know, my dissertation analyzes how access to new information and communication technologies changes the balance of power between repressive regimes and popular resistance movements. This means I’m paying close attention to how these regimes leverage tools like Facebook.
The purpose of this blog post is not to help repressive regimes use Facebook better, but rather to warn activists about the risks they face when using Facebook. Granted, many activists already know about these risks, but those I’ve been in touch with over the past few weeks simply had no idea. So what follows is a brief account of how repressive regimes in North Africa have recently used Facebook to further their own ends. I also include some specific steps that activists might take to be safer—that said, I’m no expert and would very much welcome feedback so I can pass this on to colleagues.
We’ve seen how Facebook was used in Tunisia, Egypt and the Sudan to schedule and organize the recent protests. What we’ve also seen, however, is sophistication and learning on the part of repressive regimes—this is nothing new and perfectly expected with plenty of precedents. The government in Tunis was able to hack into every single Facebook account before the company intervened. In Egypt, the police used Facebook to track down protesters’ names before rounding them up. Again, this is nothing new and certainly not unprecedented. What is new, however, is how Sudan’s President Bashir leveraged Facebook to crack down on recent protests.
The Sudanese government reportedly set up a Facebook group calling for protests on a given date at a specific place. Thousands of activists promptly subscribed to this group. The government then deliberately changed the time of the protests on the day of to create confusion and stationed police at the rendez-vous point where they promptly arrested several dozen protestors in one swoop. There are also credible reports that many of those arrested were then tortured to reveal their Facebook (and email) passwords.
And that’s not all. Earlier this week, Bashir called on his supporters to use Facebook to push back against his opposition. According to this article from the Sudan Tribune, the state’s official news agency also “cited Bashir as instructing authorities to pay more attention towards extending electricity to the countryside so that the younger citizens can use computers and internet to combat opposition through social networking sites such as Facebook.”
So what are activists to do? If they use false names, they run the risk of getting their accounts shut down without warning. Using a false identity won’t prevent you from falling for the kind of mouse trap that the Bashir government set with their fabricated Facebook page. Using https won’t help either with this kind of trap and I understand that some regimes can block https access anyway. So what to do if you are in a precarious situation with a sophisticated repressive regime on your back and if, like 99% of the world’s population, you are not an expert in computer security?
1. Back-up your Facebook account: Account –> Account Settings –> Download your information –> Learn more. Click on the Download button.
2. Remove all sensitive content from your Facebook page including links to activist friends, but keep your real name and profile picture. Why? So if you do get arrested and are forced to give up your password, you actually have something to give to your aggressors and remain credible during the interrogation.
3. Create a new Facebook account with a false name, email address and no picture and minimize incriminating content. Yes, I realize this may get you shut down by Facebook but is that as bad as getting tortured?
4. Create an account on Crabgrass. This social networking platform is reportedly more secure and can be used anonymously. A number of activists have apparently switched from Facebook to Crabgrass.
6. If you can do all of the above while using Tor, more power to you. Tor allows you to browse the web anonymously, and this is really important when doing the above. So I highly recommend taking the time to download and install Tor before you do any of the other steps above.
5. Try to validate the authenticity of a Facebook group that calls for a protest (or any in-person event for that matter) before going to said protest. As the Sudan case shows, governments may increasingly use this tactic to arrest activists and thwart demonstrations.
6. Remember that your activist friends may have had their Facebook accounts compromised. So when you receive a Facebook message or a note on your wall from a friend about meeting up in person, try to validate the account user’s identity before meeting in person.
If you have additional recommendations on how to use Facebook safely, or other examples of how repressive regimes have leveraged Facebook, please do add them in the comments section below for others to read and learn. Thank you.
iRevolutions 
There’s some excellent advice in here, thank you.
Do you know anything about the dangers of hostile Tor exit nodes? I’ve heard a lot of people worrying about this but do not know of how serious a risk they represent. I get asked a lot if Tor is safe and always reply that I don’t know enough to judge but that one should always assume that even the safest system is open to compromise. Perhaps you know of independent research into this?
That’s a good question, Tim. I don’t know but would recommend contacting the people at Tor directly to ask: “Jacob Appelbaum” .
What kind of hostile exit do you mean?
If you mean an exit node which records all traffic transiting to the public Net, then you cannot really do anything about that. All you can do to mitigate that risk is to use SSL-enabled services or put no personally identifying information on non-SSL protected services. If your browser complains about mismatching or invalid SSL certificates, then there is a chance that the exit node you are using is up to something, like trying a man-in-the-middle attack. If you are sufficiently paranoid, delete all of the CA certificates from your browser and verify all SSL connections by hand (assuming that you know what to look for already, that is).
If you mean Tor nodes that try man-in-the-middle attacks, play games with DNS (for example, a bad exit node running its own copy of BIND with faked zone records), or try to inject JavaScript or bad HTML into your traffic, all you can really do is lock your browser down sufficiently to avoid exploitation, keep an eye open for anomalies or inconsistencies, and make use of Vidalia’s “New Identity” option to pick a new exit node.
You may also wish to consider getting an account with a VPN provider which allows connections on port 80 (like AirVPN.org), connecting to the VPN provider over Tor, and then running all of your traffic through the VPN connection. Your network latency will spike but it will prevent bad exit nodes from doing more than recording a lot of encrypted traffic.
Thank you – I meant the first of these and wrote about it but forgot to return here and link to it here: http://beyondclicktivism.com/2011/02/14/online-idiocy-kills/
Your extra advice about locking down browser, using VPN, etc is excellent and I’ll add a comment on my post advising people to look at this. Thanks
Pingback: Tweets that mention How to Use Facebook if You Are a Repressive Regime | iRevolution -- Topsy.com
Good point! I’ve asked. I’ll share my answer when I get it.
This is a great post; however, I have one question. What is your source for the report that more activists are using crapgrass instead of Facebook?
Thanks for your kind note. My source: non-random sample of activists. But there’s a language issue: I did not imply that more activists are now using Crabgrass over FB as an absolute number, but rather that an increasing number are using Crabgrass.
Hello Patrick,
great post and excellent blog.
I’m doing a PhD at the University of Westminster, London, exploring the use of Facebook made by popolo viola (purple people), an anti-Berlusconi movement that is gathering million of protesters in the italian streets.
Just one question: would you consider crabgrass as an efficient tool for activists in the western countries too?
Hi Lorenzo, thanks for your email and great to hear about your research focus. Yes, Crabgras can be an efficient tool for activists in Western countries as well.
Pingback: Digital Resistance: Between Digital Activism and Civil Resistance | iRevolution « MediaBlawg = MediaLawBlog
Pingback: Recent Linkage 7 « Signifying Media
Thank you for the great article . But What about other anonymity providers , like Ultra Surf and Hot Spot Shield ?
Pingback: Il rovescio della medaglia: i social usati dal regime
Pingback: paint paint paint « Making Art with Fabric
Pingback: #CCK11 ambienti di apprendimento personali e reti « serenaturri's Blog
Pingback: Facebook Security for African Activists and their Friends | I Am Gay - South Africa (+Africa) Free Network
Pingback: Clay Shirky @ SXSW – Social Media, revolutions and politics | Delib Blog
Pingback: Facebook Inc.’s Murky Responsibilities « Politics and the New Media
Pingback: Morgenschau: u.a. Deutsche Facebook-Lobbyistin, Politik in Social Media und digitales Afrika
Im worried that #2 and #2 contradict each other. Using your real name and including a real photo of yourself may be handy in case of arrest/interrogation, but also increases the chances of arrest or interrogation. So what should activists do? Realistically, I think the most you can hope for is that people will clear their accounts of sensitive contact information before going to a protest or other venue where likelihood of arrest is high and will keep all sensitive information off of the site entirely (even if it’s set to the max privacy).
Pingback: Facebook Inc.’s Murky Responsibilities « Yianni's Test Blog
Pingback: La censura di Internet nei paesi africani « GeoPoliticaMente
Pingback: Meles Zenawi of Ethiopia, the worst internet offender | Ethiopia
Pingback: Attivismo on line, le mille censure dei governi africani | VOCI GLOBALI
Pingback: Réseaux sociaux et révolutions arabes | Netpolitique
Pingback: Regimes Can Exploit Social Media Too « rationalinsurgent
Pingback: The Best of iRevolution: Four Years of Blogging | iRevolution
Pingback: MI24: 04/19/12 Social Media and Revolution | JMParada
Hi Patrick,
If possible please reveal your source (or point me to a link) for the claim that Bashir set up fake Facebook pages and then arrested those who arrived to protest. Thanks!
Peter (AccessNow)
Pingback: Before It's News
Pingback: ursecurity.org |
Pingback: Will Sudan Pull a Mubarak? | Electronic Frontier Foundation
Pingback: Liens de février 2011 | SkyMinds.Net
Pingback: How Do The Affordances Of A Networked Media Culture (Hyperlinks, Multimedia, Sharing Etc.) Enhance Online Communication? | HILARY
Pingback: Attivismo online, le mille censure dei governi africani | Voci Globali