DIY Venues Need Better OpSec: A Guide

Underground community spaces must build threat models to survive the age of social media surveillance. Here's how.

|
Mar 17 2017, 2:00pm

Underground venues across the US have faced a rash of evictions after a fire at a warehouse venue in Oakland killed 36 people in December 2016. Many people, including myself, lost friends in that fire. But we need music more than ever to survive, especially as the world spins into chaos. And we know that our friends would want us to keep dancing.

Unfortunately, the reality is that with social media driving party promotion, we're practically sending out invitations to building inspectors and the police. We have to protect ourselves, and we can. Here's how.

HOW WE USED TO DO IT

Promotion in the 90s was flier based. And instead of having addresses or even website URLs, fliers had phone numbers or addresses of ticket vending locations.

If there wasn't a number on the flier, you might get one when you bought the ticket, or you might get directions directly. If you didn't have them by the day of the party, there'd be some recorded information on the partyline. Sometimes, you'd get directions or an address directly to the venue. Or, you'd end up going to a van in a parking lot, where someone would hand you a slip of paper with directions.

But still other times, you'd even get transported from a map point to the actual space—with blindfolds on.

Flyer

Illustration: Shaye Anderson

People went along with these security measures, and these venues survived, partly because it was almost impossible to throw a "legal" party. 

And it still is. But now, not only is it incredibly difficult to find permitted venues that can incubate new and creative music scenes, it's exceedingly difficult to keep secret the addresses of unpermitted venues that fill this void.

HOW YOU AND YOUR FRIENDS ARE GIVING AWAY YOUR SECRETS

The last time I was trying to find the address of a party posted on Facebook, I googled the venue's name. Someone had checked into the venue on Foursquare a few months ago, and the address was still there. Anyone else could do what I did, including the cops.

Of course, this kind of mistake is pretty obvious. But there are so many ways to give away information about venues, including posting a picture online with location data embedded in it, using services such as Twitter with location data enabled, or just parking 60 vehicles with weed leaf bumper stickers in an isolated warehouse district on a Saturday night. Leaving location info online can put a venue in peril.

COPS AND TROLLS

As some artists pointed out on Facebook in the aftermath of the Ghost Ship fire, Facebook and other platforms map out social networks neatly for anyone trying to find such information. It's become common knowledge that police use social media for surveillance, though it's not always obvious how.

After the Oakland fire, people voiced suspicions about law enforcement going through old events to find other venues to target, noting that it was easy to click on an event's attendance list, find attendees, and look for other events they had attended. There's precedent for this. In Los Angeles, for example, an "Electronic Communications Triage Unit" monitors social media for information about illegal parties.

As if that weren't enough, Rolling Stone reported that 4Chan trolls "began mobilizing [online] to file complaints about similar spaces in their respective cities, posting names, addresses and information." It's unclear whether the rash of evictions and inspections late last year had anything to do with this 4Chan organizing, "but that hasn't stopped them from congratulating themselves on seven shutdown spaces across the country."

Whatever the cause, the impact has been devastating on the arts and music community. Multiple venues have been abruptly shuttered in Los Angeles, Baltimore, Denver, and beyond in the wake of the Ghost Ship fire. Artists have arrived at spaces to find doors shuttered and their belongings locked inside; in Denver, residents of DIY space Rhinoceropelis were "locked out, of their homes, in 10 degree, freezing weather." As one artist told The Guardian, "They used the Oakland tragedy to start a war."

WHAT TO DO

Surviving the kind of surveillance and oppression we're going to be up against requires creating security culture in your community, and assessing threats to narrow down what you need to worry about. A lot has been written about the latter, called "threat modeling" by security trainers. Threat modeling is a very important step that everyone should take, but I'm going to focus here on creating security culture, along with some practical tips based on what's already happening.

1) Educate your community—responsibly.

Making people too scared to use Facebook for anything, or convincing people that one weird trick will keep them safe are both almost worse than no security. Do your best to ensure you are actually sharing useful information and being a model for better security. That means:

  • Think critically about information you share that is meant to improve your security. Ask yourself, what's the source? Does the information make sense based on what you know? Is it still current, or has the technology or situation changed? This blog post is a great guide to current digital security guides.
  • Share credible information on social media, and let people know when you see them engage in dangerous behavior. For example, consider making a note in an event saying "Do not post the address of this event anywhere on the internet." Explain why people should not do things like check in using Swarm (the spin-off app of the original Foursquare) or post addresses online.
  • Don't promise anyone that they can have perfect security or privacy. That's not possible. But better security is.
  • Be suspicious of solutions that cost money, and use care in choosing what new tools you use. Try to use free and open-source tools—these can be reviewed by people who aren't making money on them. For example, consider using Signal instead of WhatsApp. While WhatsApp may be more reliable and prettier, Signal is free, open source, and considered the most secure messaging app by security experts.
  • Encourage any cohesive collectives or groups you are a part of to collectively go through the process of threat modeling as a group.

2) Know how the platform you are using works.

I've had this conversation, or variations on it, more times than I can count:

"Wait, how is your friend who I'm not friends with commenting on my post? It's private!?"

"Because you tagged me in it, and friends of anyone tagged can see a post, unless you unchecked that box in your Facebook settings."

It's certainly not always easy to understand privacy settings, and they vary from platform to platform. That being said, Facebook has some pretty useful tools, such as its "privacy basics" page and its "privacy checkup" tool, which you can access in the upper right corner of the Facebook menu bar. Use it.

Common problems that allow information to get to unwanted people are privacy settings on posts and on events. Make your audience for posts friends-only, and be careful with tags, as noted above. You can also create a custom "friends list" from the "Friend lists" link in the left-hand menu that you can then choose as the audience for your posts.

For any site that you use, it's worth sitting down and poking around in its help center so that you can control your privacy. And no matter what settings you use, remember: Anything you share with a social media platform is available to the police if they're willing to do a little work.

Trackers

Illustration: Shaye Anderson

3) Keep information on lockdown.

The example of how parties in the 90s operated isn't meant to be prescriptive, but it should get you thinking creatively about threats to your community and how you could avoid them. Posting the address of a venue on Facebook (or Instagram or Twitter or Tumblr, but especially Facebook) is dangerous. So, how do you get around that? It's up to you to decide.

Keeping information on lockdown also means thinking about all the ways location information could get out. There are many. For example, do people have location information turned on on their phones when they take pictures at underground parties? If so, they're sharing GPS coordinates of the location the photo was taken. You might want to prohibit cameras at your parties or hand out small stickers to cover cameras. (This is a common practice at clubs in Berlin, and it actually improves the event atmosphere and security.) You may want to provide instructions on where people should park. You may want to require carpooling. 

Thinking through all of this is much easier when you do the threat modeling mentioned above.

4) Be prepared to deal with inspectors and the police.

You should know your rights if you do end up being subjected to a visit from the government. (It's worth taking the time to read this brief guide from the ACLU.) However, please always keep your safety in mind: Being calm and polite while asserting your rights is a good idea, as unpleasant as it may be!

Note that you have more rights (under the law, at least) if you are dealing with the police. You can ask to see a warrant, and if cops conduct an unlawful search and base a court case on it you might win.

However, if you are dealing with inspectors, they don't need a warrant. Their search just has to be "reasonable." That shouldn't stop you from asking questions. Ask for details about why they're there. Figure out what agency they are from—asking for a business card or ID is a good way to do this. Determine if there will be a follow-up report or other action.

WHAT NOW?

Maybe it's time to go back to map points and mazes for underground parties. Creating a lot of added work for the government and giving human beings a chance to interact with every party goer would probably help. That being said, it's not realistic to expect that everyone will stop using the internet to advertise. It's also not realistic to expect all of us to survive without dancing. 

We have to figure it out.