Smash All Phones
How to protect yourself from the snitch in your pocket
Tech-savvy folks have a name for one of the safer ways to transfer data without the risk of snoops dipping
into the information being sent while it’s in transit: the sneakernet. Save data onto a portable drive, and
walk it over to where it needs to go (wearing sneakers, of course!).
Recently I received two USB drives by sneakernet from my lawyer. I had been arrested at a protest
months earlier, and despite my original plans to the contrary, had my unencrypted Android smartphone on
me during the arrest. Many articles and zines address electronic safety and precautions you can take to
keep data safe while communications are being sent or received¹. The purpose of this article is to inform
you of the kind of data cops can easily take from your phone if they have physical access to it, and what
you can do to mitigate that, so you can keep yourself and loved ones safe in a wider range of scenarios.
The USB drives I received contained all the data the cops took from my phone using a system created by
a company called Cellebrite². Cellebrite contracts with individual police departments, cities, companies,
and militaries around the world. Among the products they sell are machines to which cell phones can be
connected. They have “field models” which can be carried around in police cars, advertising their ability
to “directly extract passwords, disable or bypass user locks and decode data from more than 1,500 mobile
applications in minutes” so as to “increase conviction rates with accuracy and speed.” According to the
information on the drives, my phone was connected for about 45 minutes to extract its information.
I had only had my phone for 5 months at the time it was taken from me, but because it was signed in to a
Gmail account that had been active for 11 years, the information they were able to gain was enormous.
Below is a list of all the information I received in one massive easy-to-search and sort spreadsheet. They
also gave me an almost 8,000 page document with the same information.
• A list of all contacts, including phone numbers and emails that contacted me that were not stored
in my phone, with a count of how many times I called, messaged, or emailed them or was called,
messaged, or emailed by them
• How many emails I received, sent, and drafted to specific email addresses and how many shared
calendar events I had with those email addresses. How many incoming/outgoing/missed calls from
each number and if they were in my contacts and how long total calls were between me and a
number. Whether they were in my contacts, and if so what nickname I call them in my phone.
• How many SMS texts received/sent/drafted to a number. The content of all texts, including
drafts, even if they were deleted, and whether they were deleted.
• WhatsApp contacts and their "username" (i.e., the phone number attached to their account) and how
many chats/calls between me and them.
• All apps and when they were installed/deleted/last used/"purchased", and what permissions they
had
1 See resources at the end of this article.
2 [Link]
• Audio files that were stored in Google drive, any podcasts, voice memos, and ringtones.
Timestamps for their creation/ deletion/ modification/ last access.
• All calendar events, attendees invited, location tags, etc.
• Traditional call log info you might expect
• Date and time of cell towers my phone had ever connected to³ and their location, conveniently
linked to Google maps. A world map marking all cell towers accessed by my phone.
• "Chats" from Signal⁴, WhatsApp, SMS, Google Hangouts⁵, TextSecure, GroupMe, Google Docs; a
list of all participants in those chats; text body content; whether it was read or unread, timestamp
for sent and read; if it was starred; if it was deleted; all attachments. These chats were also from
years ago, way longer ago than when I even had a smartphone.
• All information for all my contacts, including whether the contact was deleted or not
• web browser cookies
• Any document ever opened on my phone, including text documents, attachments, Google docs,
and those created by apps
• Emails and email drafts, including all sending information, entire text content, and up to 16
attachments.
• Images/photos/videos along with their created/accessed timestamp and any metadata
• 96 random tweets from one of my Twitter accounts, some from as far back as 2013.
• A list of all wifi networks that my phone ever connected to, their passwords, hardware identifiers,
and when I connected to them
• The last 5 times my phone was turned on, including twice 2 months after I lost access to it.
• Web history and Web and Play Store search history
• A list of every word ever typed into my phone and how many times that word was typed,
including email addresses as words, including words I added to the dictionary so they wouldn’t
continue to be autocorrected to something else.
• What they call my "timeline": every action (texts, calls, emails, web history, app usage including
maps searches, connections to wifi networks or new cell towers, etc) with timestamp to be easily
sorted.
Co-defendants of mine who also had their phones taken have told me that the data they received back also
included:
• Facebook Messenger chats/drafts
• data from phone before it was factory reset⁶
3 When a cell phone is on (and sometimes when you think it’s off!), it is constantly looking for signal from a cell tower. So
as long as your phone has service, it is in communication with a cell tower. If signal strength from 3 cell towers is known,
your location can be determined highly accurately (sometimes within a few meters). For more on this, see “The Problem
with Mobile Phones”, in further reading.
4 At the time of the arrest I did not know about disappearing messages on Signal, although I do not know if this would have
changed the outcome of what could be obtained with physical access to my phone. Remember that Signal is designed to
keep anyone from reading your messages in transit and to avoid people pretending to be someone else, not to keep
someone who physically has your phone from obtaining the messages.
5 There were bits of time when I had used Google Hangouts with OffTheRecord (“OTR”) encryption (not to be confused
with the option in Google to not save “conversation history”, which Google then still has access to). All OTR messages
were still encrypted and just showed up in my cell data as gibberish, because they had not been stored or accessed by my
phone.
6 A factory reset does not wipe and rewrite over the phone drive enough times that data from before isn’t recoverable.
Emotional Fallout
This wasn’t as bad as it could have been, but was worse than I’d been hoping for. I knew that the
government could get all this information, but when I was able to see all my personal data together like
this in one big spreadsheet, I felt an existential dread that I didn’t have words for, because not enough
people have been able to feel it yet. What did I have of myself, to myself? The dystopian realization set in
that my powerful enemies have so much of my identity: my fingerprints, my retinas, the appearance of my
face, intimate emails to and from my friends and lovers through more than a decade, the late night
political debates over chat apps that helped shape my values and convictions, documents framing out my
life goals, the words and writing patterns I use, the groups that I’m part of that organize via email, how I
relate to those groups, the responsibilities I take on in those groups, applications strangers had written to
live in my home... The invasiveness felt total and it all hit me at once in a visceral tsunami.
My immediate reaction was to think that nothing was worth this level of intrusion. But I realized that any
reason I might be targeted for this kind of privacy violation stemmed from my participation in projects so
important to the continuing development of my values, and figuring out how to live my life to align with
those values, that I could never regret engaging with them. If you are reading this, it is very likely that
these are risks you do or should take seriously. We are fighting against powerful systems of destruction
and death, for new possibilities and alternative visions of how we can be together with each other and the
rest of this earth. To me, those possibilities make this kind of targeting worth it. If you aren’t already, it’s
time to get serious about tech security.
Ten Steps to Consider
This probably makes you want to smash your phone into tiny bits, and by all means, please do. But there
are measures you can take to protect your personal data in situations like these. And remember, it’s not
just your own data, but it’s information about and between all the contacts stored in your phone as well.
Keep your friends and networks safe.
1. If you have a smart phone, encrypt it, NOW. All my codefendants who had encrypted phones had
no information taken from them except for their phone numbers. This option should be found in
the settings of all Android phones. It is very simple, and just requires an extra password when
accessing your phone. The encryption process might take a few hours, so plug in to a safe spot and
leave it for a while. iPhones are generally encrypted automatically.
2. Don’t bring your phone with you to places or events that have a higher chance of the government
getting your phone! We don’t always know when we’re going to fall into the clutches of our
enemies, but we can take precautions if we know there’s a high risk. If you do get arrested with
your phone, you might want to weigh the option of destroying your phone if you have the chance.
3. Create an email account to only connect to Google Play in Android phones or iTunes for Apple
phones. Do not ever connect an email account you use regularly to your phone. If you need to,
check your email using a private browser from your phone, rather than through an app.
4. Don’t store your contacts’ physical or mailing addresses in your phones. Think about the name you
use for them in your phone: you may not want to put their full legal name even if you know it. Or
it may be worse off for them if you use an identifying code name that connects them to a certain
phone number or email address. Is it more helpful or risky to call someone by a name that
associates them to a group they work with or the event where you met?
5. Use a private web browser on your phone like Firefox Focus. Orbot is a web browsing app that
allows you to use Tor on an Android phone for added anonymity.
6. Don’t use the calendar function on your phone. If you do, don’t invite others to calendar events or
put the physical address of events in the calendar.
7. It is better to connect to social media through private web browsers than through the apps
themselves. You may want to consider only connecting to social media through computers
instead.⁷
8. A dumb phone might be preferable in some respects, but remember that there is no encryption
possible on a dumb phone, either for the information stored on the phone itself or for
communication in transit. Many dumb phones don’t even have passwords, so no information
(contacts, etc) is even slightly secure.
9. Make a pouch lined with aluminum foil to keep your phone in while not in use. It sounds
wingnutty, but your phone cannot connect to cell towers (and thus your location can’t be stored)
through foil. Just remember to put your phone in airplane mode or switch it off so it doesn’t waste
battery searching for cell towers while it’s in the pouch! Alternatively, you can obtain a fancy
case/pouch for your phone called a Faraday cage, which is the same thing just more expensive.
10. If a contact of yours has their phone data collected in this way, you may want to consider changing
your phone number.
Luckily, only one of my email accounts had been synced to my phone, and I live a life where I connect
with people and groups without technology often. Interestingly and mysteriously, there was some
information not present that I expected to be there. And of the many thousands of emails sent and received
in the past 11 years, only several thousand were there. I know I am much more than what my phone can
give to anyone, and we are always growing and changing through our experiences. While the data they
have about me and my communities tells them about my past, I still have control over what information
they can obtain going forward. It is definitely worth fighting against their ability to gather more.
For more information about my case and how this information is being used against me and my
co-defendants, as well as to possibly implicate others in future charges, see [Link]
Resources and further reading
• Threat Modeling is a way to help you find a balance between complete paranoia and having all
your info out in the open: [Link]
• Step-by-step tutorials for setting up and using digital security tools like encryption from the
Tactical Security Collective: [Link]
• Creative and fun way to learn about how you can be tracked and identified online:
[Link]
• The Problem with Mobile Phones: [Link]
• A DIY Guide to Feminist Cybersecurity: [Link]
• Cute step-by-step guide on fighting the state with digital security in mind: [Link]/fight/
7 Computers are only safer because you are less apt to have them on your person when being arrested, and therefore it’s
more difficult for the government to have access to them. The hard drives of your personal computers should also be
encrypted for maximum security, especially if you carry a laptop with you often.