The Best Email Aliasing Providers in 2024
2 June 2024 | 3:32 pm

Email aliasing is one of the most underrated privacy techniques that has yet to go mainstream. For the privacy-conscious user, it offers a degree of separation between all your accounts, making it harder for data brokers to correlate your various accounts across different services by not using the same email address to sign up. For security, the same technique can also help defeat credential stuffing while obscuring your true email address, which is the central hub where all your identities can be managed (and the email address itself is literally half of the login information a would-be attacker would need to attempt to login). Your inbox is a critical thing to protect since a breach can offer information about additional accounts you have (via the emails already sitting in your inbox like updates, notifications, sign-in verifications, etc) as well as allowing an attacker to simply hit “reset password” on websites where you already have an account and thus take them over. As for mainstream users, the biggest advantage is probably the ability to manage spam more effectively – particularly from companies who refuse to respect opt-out links – from a single inbox, rather than having one inbox for professional use, then logging out and back into another for online shopping, then another for personal or newsletters, and so forth or simply having to give up and hope the spam filters don’t falsely flag anything important (or let junk though). Email aliasing makes effectively managing and controlling your inbox incredibly easy. With that in mind, this week, let’s examine some popular email aliasing services that the privacy community has to offer.

Usual Disclaimer: I have an affiliate link for SimpleLogin that gives me credit on my account if you use it. As always, it would be appreciated should you decide to go with them to help support the project. If you’re uncomfortable doing so, a standard link is provided as well.

To be quite frank, my main two recommendations are incredibly similar in their functionality and user-friendliness. Both allow you to make alias email addresses that forward to your inbox of choice – multiple inboxes, even. Both support PGP encryption if you so desire, both allow use of custom domains or several existing domains, and both are source-available and even allow you to self-host your own implementation if you’d like. The main differences come down to price for the features you want and your opinion of Proton (more on that in the SimpleLogin section). With that said, let’s discuss those differences.

Addy.io

Image courtesty of addy.io

Price: Free, Lite ($1/month), and Pro ($4/month or $36/year)

Addy is a solid offering but unfortunately there a few significant shortcomings that should be noted. First, I don’t believe the free plan is feasible for most users, mainly because it doesn’t allow you to start new emails from an alias or even reply to emails you receive. Even with a paid plan it’s vital to note that Addy still has a daily reply/send limit (20 for Lite and 100 for Pro) as well as a monthly bandwidth limit on the Free and Lite plans (10MB/100M). In other words, if you send a lot of emails – or a lot of large emails, such as attachments – you may quickly run out of bandwidth and find yourself unable to send or receive emails.

However, compared to SimpleLogin, Addy’s strength lies in the free and Lite plans. Even on the free plan, Addy offers unlimited aliases while SimpleLogin offers only 10. Addy also allows PGP encryption at all levels while SimpleLogin restricts this to their Premium plan. Addy’s Lite plan also includes one custom domain and five inboxes you can forward to for a mere $12/year compared to SimpleLogin’s $30 Premium plan, which you would need to unlock those same features. If you’re on a tight budget but you still want a large number of alias email addresses and you’re okay with the limited number of replies and bandwidth, Addy is a solid offering. I would only recommend the Pro plan for people who would prefer not to use SimpleLogin because of their relationship with Proton – for example, people who use Proton as their main inbox and prefer not to have all their eggs in one basket.

SimpleLogin

Image courtesy of SimpleLogin

Price: Free, Premium ($4/month or $30/year)

SimpleLogin has long been the most popular choice in the privacy space. At first glance, there are several reasons why. For starters, unlimited bandwidth and replies, even on the free plan. This means that you will never have to worry about not getting an email because you got too many and even the free plan will allow you to reply to an email you receive (though starting a new email chain will require the Premium plan). For another, SimpleLogin’s Premium plan is cheaper than Addy’s Pro plan ($30/year vs $36/year, respectively) while simultaneously offering more (unlimited custom domains vs twenty, unlimited inboxes vs thirty, fifty directories/usernames vs eleven usernames, and SimpleLogin offers subdomains while Addy does not). For those able and willing to spend a few bucks, SimpleLogin’s Premium plan is an obvious choice over Addy’s Pro plan.

That said, there are two caveats to note here. First, as noted in the Addy section, Addy’s Lite plan has a superior offering to SimpleLogin’s Free plan for most popular features. If you’re on a tight budget, Addy’s Lite plan may make more sense than the SimpleLogin Pro plan in some cases. Second, and most important, SimpleLogin was acquired a few years ago by Proton. So far, this has not negatively impacted SimpleLogin at all; they continue to offer an independent service that’s interoperable with any given email provider. If anything, this partnership has greatly benefited Proton as it seems that much of the work on Proton’s new Password Manager seems to have been fueled by the SimpleLogin team, which has resulted in rapid development and an impressively competitive product, not to mention the seamless integration of SimpleLogin into Proton’s suite which has made using aliases effortless for users. That said, even those who trust and use Proton may feel uncomfortable putting all their eggs in a single basket. As such, it might make sense for certain threat models to use Addy instead of SimpleLogin simply to avoid centralizing too heavily on one single company or service.

Honorable Mentions

Whenever possible, I prefer to give users a variety of choices rather than just two. Luckily, we do have some additional options that are popular in the privacy space. It is worth noting that in my opinion, these services are inferior to Addy and SimpleLogin for reasons stated below. I am offering these simply to give readers more choices. Do I think they’re bad choices? No, or else I wouldn’t list them here, but I would recommend checking out the two main options first and only resorting to these if the others don’t meet your needs for some reason.

  • DuckDuckGo Email Protection – From the makers of the popular private metasearch engine (and web browser), DuckDuckGo Email Protection offers some excellent features, such as unlimited aliases, tracker remover, automatic HTTPS upgrades, and more, all at no cost to the user. You can sign-up and manage your aliases from any browser on any OS and even reply to emails you receive (it doesn’t appear you can start a fresh email chain), though of course it functions more smoothly with the extension or browser. It should be noted – as stated on my website – that I have lost nearly all faith in DuckDuckGo, at least as a search engine and a browser. At this time I would be open to considering their email aliasing and data removal offerings, but I would proceed with caution given their track record.

  • Firefox Relay – Firefox Relay is Mozilla’s offering to help protect users. Like DuckDuckGo, Relay strips email trackers and allows for replies to incoming emails (though you can’t initiate a new conversation). Unlike DuckDuckgo, Relay is a freemium offering – the free plan is quite limited, allowing only for five aliases without blocking trackers. At the Premium tier, Relay also offers a phone number that can you use which forwards to your existing phone number, however I’m told that you can only reply to the latest message you received – for example, if you get a text from Bob and then later you get a text from Alice, your reply will be sent to Alice as she was the most recent person to message you. You cannot choose to reply to Bob. )This information was given to me over a year ago and may be outdated now.) While Mozilla is another company with their share of scandals, Relay has been around for a few years now with no major concerns coming to light. Because of the phone number limitations, I wouldn’t recommend it as a Voice-over-IP service, but the email protection makes it a service worth considering.

  • StartMail – StartMail is a private – but not encrypted – email provider. StartMail does not offer a free plan, opting for the philosophy that “if a product is free, you are the product,” thus they would rather charge all users to sustain their product than have to resort to advertising, data mining, and other morally questionable funding sources. What makes StartMail popular in the privacy community is that unlimited email aliasing is built into every plan. In the past year or so since acquiring SimpleLogin, Proton has integrated a similar functionality, but this still requires an Unlimited plan with Proton ($10/month, nearly double StartMail’s $5) to match the same functionality. An important note, however, is that – as I said – StartMail is not what I would consider an encrypted email provider. Decryption takes place server-side in order to be more convenient to users, which means that while you are logged in, your emails are visible to the server and thus to StartMail and anyone else who may have access to that server. This runs counter to how my recommended providers – Proton and Tuta – handle encrypting and decrypting content. While one could make a valid argument that even with my recommended providers you are trusting both providers not to be scanning, data mining, or making copies of your content, I find assurance that at least once the emails are in the vault my inbox is protected from additional intrusion. StartMail cannot make this same guarantee yet still requires the same level of trust, arguably moreso as StartMail is not source-available while Proton and Tuta are.

Conclusion

Whoever you choose to use, email aliasing is a technique I hope to see catch on more. Techniques like email aliasing are the kind of privacy tool I love to share: it has benefits for both privacy and security while offering tangible conveniences that even mainstream users can appreciate and get immediate value from. If you aren’t using email aliasing yet, but sure to check out one of these services to see if it’s right for you. If you are, maybe share this article with a friend or family member who isn’t and see if you can start that conversation. Next time your email gets caught up in a data breach, make sure the impact is minimal with one of these services.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...


Is Privacy Worth It?
18 May 2024 | 6:08 pm

When I announced I would be closing my communities earlier this year, a curious thing happened: a surprising number of regulars replied with some variation of “I think this is my exit.” While some were specifically talking about Matrix, claiming that mine was the only room they were really active in and therefore they saw no point to having a Matrix account anymore, at least one specifically announced they would be quitting privacy entirely, save for a few basic techniques like using a password manager and being mindful of what to post online. While I didn’t expect the number of people responding that way, I was expecting that response from one or two people. If you check any given privacy forum – especially the ones with a heavy overlap of mainstream users such as Reddit – you’ll find no shortage of people asking “is all this work worth it?” and/or announcing that they’re giving up privacy because it’s too much work. So what gives? Is privacy worth the work?

The short answer, which I’m sure will come as no surprise to most of my readers, is “of course it is.” The more nuanced follow up, however, is that it’s only worth the work if you’re putting in the right amount of work.

Threat modeling is a foundational topic in the privacy community. Privacy Guides has a page about this, which was partially inspired by my own page on the topic, which was heavily drawn from EFF’s page. Techlore also has a video, Firewalls Don’t Stop Dragons talks about it in his book, and I’m sure many others have weighed in in various forms. Despite the abundance of discussion and variety of available formats and perspectives to explain it, many still struggle. Probably about half of the consulting requests I receive are requests to help better define and nail down a real threat model. An improper threat model – or lack of one entirely – will lead to an inconsistent and often unnecessary amount of action on the user’s end. The problem with the digital world is that because it is abstract, it can be hard to get a proper gauge of the realities of the situation.

Imagine it this way: let’s say every time you stepped outside your front door, you decided you want to be safe, so you dressed head-to-toe in full combat gear, complete with bulky full-body kevlar, a helmet, safety glasses, steel-toed boots, and gloves. I can stop the scenario here: even for those of us living in the roughest places, that’s a silly visual because it’s overkill. To be a little detailed, it also goes back to that word I used: “you want to be safe.” Safe from what? The sun? Then just put on some sunscreen and a hat. The cold? Put on a jacket. Danger? Keep your eyes up, headphones out (or low), and be aware of your surroundings.

Yet, many of us do the equivalent of overdressing in our digital lives because, as I said, we don’t always see it right away. Most people can instantly tell when they might be putting on too many items of clothing. Even something as simple as a jacket – when you feel the weight and restriction of movement – makes you pause enough to go “how cold is it really outside?” With the digital world, it can be much harder to notice the added weight, at least for a while. This makes it easier to overdress and not notice for a long time – or to dress up in full armor except for going barefoot (like I said, inconsistent action). In the past, I’ve compared some of the easier cybersecurity strategies with locking your front door: it’s technically inconvenient but we accept that inconvenience because the dramatic increase in security and safety outweighs it. This is comparable to things like using a password manager and 2FA or making the upfront switching cost to another service. Unfortunately with the more dramatic changes, it often takes several measures at once or a period of time – or both – before you begin to notice the increased digital weight. In many cases, when I have the opportunity to speak to people who aren’t yet at the point of giving up but are feeling overwhelmed, it doesn’t take long to learn that they never properly threat modeled, usually citing a lack of understanding how to. Once they understand the concept, they quickly start to realize where they can safely dial back to something less stressful without risking themselves and where they should instead focus more attention to improve. You don’t need the entire suit of body armor, you just need to put on a jacket.

The result of an incorrect threat model is extreme: burnout, isolation, loneliness, and stress. A classic story that always come to mind for me is the Redditor who claimed that they had successfully removed all DRM and propriety software from their home: no Netflix, no YouTube, etc. This person claimed to be actively dating, but decried the difficulty they were having meeting women. They went on to note that they required everyone who communicated with them to move off the dating app to a PGP-based encrypted messenger and to verify keys out-of-band. This person divulged little else about their life, but I have a hard time believing that it was safe for them to use online dating but not safe to relax some of their other choices as a compromise. They had allowed their privacy lifestyle to become so unnecessarily extreme that it alienated them and caused them to miss out on life.

This is what most people are asking when they ask if privacy is worth it. “Do I have to be alone? Do I have to miss out on meeting new people? On friends? On love? On my dream job? On watching my distant loved ones go through life?” My answer for most people is that if that’s what it’s costing you, you’re doing too much. I think sometimes giving up these services can be a shock at first, and I suspect that might be a cause of stress to some. In those cases, users will have to get creative. In the absence of a social news feed, I rely on RSS. As an introvert I don’t feel the need to get out of the house often or have a lot of friends but I do still frequently attend meetups, concerts, and see friends to get my socialization. As my friends and family have come to respect my lifestyle, they make a point of sending me videos, pictures, and other content that they also posted online so that I don’t miss out. In other cases, perhaps a service is necessary and one can simply rethink their usage and relationship to it. If you really need Facebook for a certain group or event invites, do you need the app on your phone? Perhaps you can just log in once a day via the website to check for notifications and then log right off.

This, of course, is going back to threat modeling. “What are you trying to protect and from who?” What’s the risk of using Facebook once per day for a few minutes to check notifications? How can you minimize those risks? Is that risk now acceptable to you after making those changes? The vast majority of people I speak to don’t have high threat models by their own admission. Simply using Facebook once a day in a hardened browser with a VPN is plenty to protect their privacy – they never have to post, it doesn’t track their location 24/7, and the browser will defeat most other tracking attempts. Coupled with the basic cybersecurity advice – like strong passwords and 2FA – and for the overwhelming majority of people, this is an acceptable compromise. Of course, in this example you’ll still need to give Facebook some real information about you as they become increasingly demanding of that stuff, but threat modeling applies here, too. What are the risks? Someone knowing that you have a Facebook account? Are you in any groups you’d rather people not know you were in? For most people, these are acceptable risks. At that point you just need to be disciplined: log off immediately after checking notifications, never post, don’t put the app on your phone, etc.

To be clear, as I’ve said many times before, I do encourage people to do as much as they can. If you don’t need Facebook at all – as I don’t – then don’t sign up. Moral arguments aside, your data can’t be breached if they don’t have it in the first place. (This of course doesn’t address off-site tracking but that’s a different discussion.) Even if your threat model is low, it can’t hurt to purchase a data removal service just in case or to use a VPN if you can afford one. It’s easier to be proactive than reactive and every little bit adds up. However, we must be careful not to go overboard with this stuff and let privacy negatively impact our lives, and that starts with a good threat model. A good threat model helps you make the right decisions. When you go “money is tight, I’m not sure I want to pay for a VPN,” a threat model helps you go “that’s okay, not having a VPN fits your threat model, here’s some other ways you can work around it.” On the other hand, a good threat model also gives you the peace of mind to say “I know I don’t need to switch to Linux, but I want to and it won’t negatively impact my life, so let’s go download that.”

Privacy is very much worth it, but as I’ve said numerous times, privacy is a spectrum, not a “yes or no.” How much privacy you need varies from person to person, and thus “worth it” will also vary. By threat modeling and finding the right amount you need, you can allocate the resources you have correctly and find the right balance to make it worthwhile for you. But whether you’re looking to do the bare minimum or trying to go as far as possible, make sure you’re balancing your privacy journey with all other areas of your life to get the most out of it. There’s more to life than just privacy, and protecting those other things also makes it worthwhile.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...


Protecting Your Privacy at a Protest in 2024
11 May 2024 | 5:18 pm

Things are a little crazy here in the US right now – as is our perpetual state of existence these days – so I thought now might be a good time to revisit my 2020 blog post about protesting, surveillance, privacy and security. For the cynics in the crowd, I want to make it clear that I am not supporting rioting, looting, or violence. This is a post about exercising your Constitutional right (in America and many other countries) to peacefully assemble and demonstrate over any given issue. I am vehemently opposed to the idea that you can be identified and tagged – 100% without human action – simply for exercising that right. Even if I disagree with the issue or the stance on it, as the famous quote goes (roughly): “I disagree with what you say, but I will defend to the death your right to say it.”

We are already in a world of 24/7 connectivity, and that coverage only expands and deepens with each passing day. While facial recognition tech and geofence warrants are not new, since I originally wrote this blog post these things have been kicked into hyperspeed and rolled out in greater numbers and with increasing frequency at all levels of government. And that’s to say nothing about the rise of AI, which – while sometimes faulty – is capable of parsing through vast amounts of data at (literally) inhuman speeds and noticing trends no human possibly could. These changes in effective surveillance coverage, previously unknown surveillance techniques, and the ability to automatically store, parse, and analyze it all is setting the stage for a new level of dystopian capabilities previously limited (mostly) to the realm of sci-fi and nation-state targeting. And now, with the reversal of Roe v Wade, I am unfortunately able to pull the “I told you so” card and point to concrete, Western-world proof that what was perfectly legal today may be a felony worthy of prison time tomorrow. So with that context, let’s talk about how you can legally express your voice without ending up on “a list.”

Finding and Attending the Protest

For most of us, social media will be our main avenue to learn about upcoming protests. That’s fine, but I recommend you don’t actually mark yourself as attending the protest. Several years ago during the Keystone XL protests, law enforcement was accused of using Facebook check-ins to target protesters. The veracity of this claim is debated, but why risk it? Feel free to keep checking the page before the protest to learn of any updates or changes, but don’t publicly mark yourself as attending. Police don’t need a warrant to look at a public list of attendees on a Facebook event.

Getting to a protest can also present challenges. Protests often take place at locations that are politically relevant and heavily monitored such as capitol buildings or police stations. If you’re in a large city (as the capitols usually are), you can pretty much guarantee that the city is using automatic license plate readers to track your vehicle as you travel in real-time. There’s also likely a patchwork of CCTV cameras and – at least for this specific event – drones and Stingrays. (I recommend visiting the EFF’s Atlas of Surveillance to get a better picture of what your local law enforcement might be capable of.) If possible, I would recommend using public transit instead. This of course, isn’t foolproof as many public transit services also have cameras and records, but we’ll come to that shortly. You could also order a cab and pay in cash, but even cabs sometimes have cameras installed for security reasons.

Whatever method you take, I recommend arriving near but not at the location. If you drive or get a ride, park or get dropped off a few blocks away. In the unlikely event that public transit stops at the exact location, get off at the stop before or after. Same thing once you’re ready to leave. Move a few blocks away then get picked up. If you’re extra cautious, consider using a different location than you did before. Not only will this possibly mean less traffic to deal with, but it will help avoid creating an obvious pattern and will hopefully put you further away from the more heavily-surveilled areas as you arrive and depart, making you just slightly harder to trace. Also if you have to pay for parking and can’t use cash, consider picking up a Vanilla gift card in cash so it can’t be easily connected to your debit or credit card.

Biometric Recognition

One silver lining from the COVID-19 pandemic is that wearing face masks in public is not only acceptable but relatively common, especially in large crowds like a protest (especially in liberal ones). That’s great, but it’s not foolproof. Because of the rise of face masks, many facial recognition technologies were forced to learn how to identify faces with only a partial face visible so that – as an example – people can still unlock their phones in public conveniently. The eyes themselves are also a critical part of facial recognition capabilities, even prior to this. I have it on good authority that the least-suspicious-yet-most-effective way to beat facial recognition is aviator sunglasses and a baseball cap. Try to get your hands on a hat that doesn’t actually reveal anything about you and is very common. For example, I am not a sports fan, but I do live in Texas. As such, a hat with a Houston Astros or Dallas Cowboys logo would not only be a red herring for me, but you can throw a rock on any given day downtown and probably find one or both of those logos within five feet of where it lands as a bumper sticker, shirt, backpack, wallet, etc. Either way, get these items far in advance. It’s easier to pull up purchases from a week ago or earlier that day and correlate them to you. If you made the purchase months ago, that makes things trickier. In fact, if you’re reading this right now and thinking “I’m not interested in protesting right now but I could see myself going if it was an issue I care about,” this is your cue to buy such a hat this weekend.

If you have tattoos, wear long sleeves or clothing that covers them. Think smart. If you’re protesting in the summer, wearing a coat is kind of suspicious. Wearing a long-sleeve shirt is less suspicious. Remove any earrings. Even your walk can give you away, though full disclosure I’m not sure how commonly gait recognition is deployed. I read once somewhere (unfortunately I can’t recall where) that the best defense against this is to wear baggy clothes. These will help obscure your gait, but keep in mind that if they’re too baggy it could interfere with your ability to get away quickly if violence breaks out (and I highly recommend that you bail as soon as the first rock or punch gets thrown even if you had nothing to do with it). Julian Assange also famously put a rock in his shoe to disrupt his gait at one point, however that can be immediately painful and potentially harmful after a while, so I’m not sure the benefits outweigh the risks on that technique.

Cell Phones

Of course, in modern society, we must discuss cell phones. There are a number of reasons that people may wish to bring a cell phone to a protest: the ability to document reality on the ground via video and photos, a contact list in case they get into trouble, the ability to send and receive real-time updates via social media or messaging, and maybe transit capabilities (ridesharing or public transit ticketing apps, for example). However, there are also a significant number of threats, too: your device may get lost, stolen, or damaged. Police may confiscate it. And of course, the Stingrays I mentioned earlier.

The common advice is simply to leave the phone at home. This is the absolute best-case scenario. If you go this route, I recommend writing an important phone number on your body in permanent marker so that it’s harder to rub off if you sweat, ideally somewhere where it won’t be obviously visible as it won’t wash off for a few days. For example, you may want to have the phone number of a close friend who offered to pick you up after the protest or a lawyer in case you get arrested and you may wish to write it on your upper arm where it’s covered by a shirt. It’s a little paranoid, but I’d rather have it and not need it than need it and not have it.

If you do wish to have a phone, the best option is a burner phone. However, at the time of this writing, inflation is kneecapping everyone so the idea of asking someone to go drop even one hundred dollars on a phone for a few hours is pretty ridiculous. If you do have that kind of flexible income, then this is definitely the best plan. Get a cheap Android phone paid for in cash and don’t sign in. Check this page for settings you can modify to make the phone a little more private and secure, and download any apps you need from F-Droid, Aurora Store, or directly from the official website as an APK to avoid needing to link an account to the device. If you couple this with a new anonymous SIM card from a budget-friendly Mobile Virtual Network Operator (MVNO) like Mint Mobile or Visible Wireless, you should have all the capabilities you need (such as recording and instant cloud sync as a backup in case the device gets damaged, lost, or confiscated) with a nearly completely anonymous phone. It is worth noting that cheap Androids tend to have the worst privacy and security: they tend to come preloaded with “bloatware” – apps you don’t need and can’t remove – and some manufacturers are missing the ability to disable 2G, which is a prerequisite to defend against Stingrays. However, since this phone is anonymous and you’re using as few apps as possible, I think this is probably a safe trade-off for most people (assuming you factory reset and discard the phone immediately after the protest). Note: I recommend against getting a dumb phone. Dumb phones may not offer adequate protection against Stingrays and seizure such as VPNs, secure messaging apps, and other settings.

For those who want to have a phone at the protest but cannot afford a burner, you have several options. One is to simply turn it off when you arrive. This is an acceptable option if you don’t plan to record anything (by the time you boot and unlock your phone, it may be too late), though be aware that there will be a metadata record of your device being turned off a specific time and place and then being turned on later. You can also put your phone into airplane mode so that you can still quickly record, but again, there will be a metadata trail of this, too. In this scenario, you should also be aware of “BFU” mode, or “Before First Unlock.” The simple explanation is that if you restart your phone, before you unlock it for the first time with your PIN or passowrd, that is the most secure state your phone can possibly be in. You haven’t unlocked it yet, therefore everything is encrypted as much as possible. With iPhones, you can still swipe up from the bottom of the phone and activate the camera to record in this mode. Androids do not have this capability to my knowledge (at least I was unable to replicate it on my own Android). If your phone gets confiscated, try to turn it off before handing it over to put it back in BFU mode for maximum security (more on that later.) Be sure to visit this page to ensure you’ve locked down your phone as much as possible to protect against Stingrays and other threats.

If Detained or Arrested

So what happens if something goes wrong and the cops do detain you? I am not a lawyer, but after extensive research, here’s a few things I think every American should know:

Arrest means you are in police custody. They can place you in handcuffs, transport you (say to jail), and more. At this point, you have a variety of rights such as the right to remain silent and the right to have an attorney. If you cannot afford an attorney, you have the right to have one provided to you by the state. You may or may not be entitled to any phone calls. The call does not have to be to an attorney, but if it is the police are not permitted to record or otherwise monitor the call. If it is not to an attorney, assume the call is being recorded. At this point, you may be court-ordered to unlock a device such as a phone or computer, but you are not required to tell them the password. They may also legally confiscate it and simply attempt to hack it. This is why I recommended putting your phone in BFU state earlier.

Detainment means you are not under arrest, but you are not free to leave. At this point in time, you are not entitled to an attorney provided by the state, but you are entitled to stay silent, to have an attorney present if you can afford one or have one, and to refuse a search without a warrant. Whether or not your devices are protected from search at this point is still a gray area with many conflicting rulings. You may decide to refuse to unlock your phone, however that may risk being detained longer or escalating the situation to an arrest. It’s worth noting that there have been instances of police unlocking devices using Face ID without consent. The legality of this, as I said, is still being decided. However, because handing over your password or PIN is definitively not required (at least not without a court order), I recommend that prior to attending the protest, you replace your phone with biometrics with a strong PIN or password instead. This will, at a bare minimum, protect your devices from non-consensual searches and abuse.

In general you are never required to answer any questions without an attorney present, regardless of whether you’re arrested or not. You are never required to tell the police any passwords to unlock your phone, computer, tablet, or any device although – as noted before – you may be required to unlock the device if you’re under arrest. Keep in mind that police are allowed to confiscate your device and copy the data (hence why encryption is necessary). I have been detained at protests. In my experience, it is generally recommended to answer some questions such as identifying yourself and saying why you were in attendance. If you feel uncomfortable or the questions start getting accusatory, definitely request a lawyer. One of my non-privacy related interests is true crime, and I can’t tell you how many cases I’ve learned of where innocent people thought they were making themselves look good and doing themselves a favor by not requesting a lawyer (cause they had nothing to hide) and it ended up coming back to bite them.

As I said before, I am not a lawyer. I do keep very up to date with my rights, but things change, laws vary from place to place, and I have no legal background whatsoever. I have written all of this with the best faith, but I encourage you to contact an actual lawyer if you have concerns and questions in this area. Do your own research. I highly recommend EFF’s Surveillance Self Defense portal, especially their article on attending protests. EFF is comprised of actual, experienced lawyers, so I trust their judgment and information. I actually got a lot of the information in this blog post from there.

If you choose to exercise your first amendment rights, please do so peacefully and keep yourself safe. You should never be tagged on a list for peacefully exercising your rights, and you should not be marked for further surveillance or future retribution either. Keep yourself protected, and good luck!

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...



More News from this Feed See Full Web Site