How Did DHS Get Info About Portland Protests?

A recent story in the Washington Post reports on documents leaked from the Department of Homeland Security that show the agency was watching the conversations of protesters in Portland as the agency built its massive presence against the rebellion there.

The report describes the messages as “likely Portland-based encrypted messaging app users discuss TTPs [tactics, techniques and procedures] to evade law enforcement when being pursued.” It also states that the information came from “a Telegram chat room,” which it described as “an instant messaging service.”

One of the quoted messages simply shows that protesters were trying to stay ahead of police and avoid arrest:

“We went down the side street and it seemed to deter them from following us, they retreated,” one unidentified user said about an earlier encounter with Portland police. “Seems they’re less inclined to go into residential neighborhoods which makes sense.”

What’s gotten little attention in this story is exactly how DHS got access to these Telegram messages. Without having access to the original documents and likely even more classified information, I see three distinct possibilities. In order from least to most likely:
1) Complete compromise of the Telegram application infrastructure
2) An attack on a protester’s phone
3) Undercover agents in the group

1: Complete Compromise of the Telegram Application Infrastructure

This is both the least likely and overall most dangerous possibility. Adding a backdoor to the Telegram application or compromising their servers to intercept messages is not out of the realm of possibility by any measure, but it would be a massive undertaking even for any intelligence agency when other measures exist that are harder to track and less likely to expose the intelligence community’s tools.

Unfortunately, potential flaws could exist in the Telegram system. The encryption scheme the app uses, MTProto 2.0, has not been sufficiently audited: independent third-party experts have not verified that it is secure. Beyond that, Telegram messages are not end-to-end encrypted by default, so someone who attacks Telegram’s servers could theoretically get access to them. You as a Telegram user have to go through extra steps to turn on end-to-end encryption. (Signal, on the other hand, has this turned on by default.)

While the uprisings against police terror are a real threat to the system, I do not believe they are viewed as enough of a challenge for the intelligence agencies to show their cards and attack Telegram at this time. You don’t give your “enemy” information on how you cracked their codes: The US government cracked some Soviet encryption schemes used during World War II and didn’t make that information public until 1995.

2: Attack on a Protester’s Phone

This is somewhat more likely than the first scenario. By taking over the phone of someone involved in the demonstrations, DHS could theoretically have real-time access to everything on their screen.

Consider what’s on your phone’s screen at any given moment: Facebook, email, web browsing, text messages and more. An attacker with access to someone’s phone and everything on it would be able to see all of these things. It wouldn’t matter how secure the passcode on the device is.

Companies like the NSO Group sell advanced spyware that can exist on your phone without showing up to anyone but the most advanced forensic analysts. Their software takes advantage of undisclosed security flaws to install itself on your phone. All it takes is clicking a link to a document, or just visiting a website.

This is why I say that if your phone has been out of your sight and in the hands of law enforcement, at the very least you need to erase everything and start fresh; ideally – if you have the means – you should purchase a new phone to replace it.

This possibility still has the caveat from the first one: Are the Portland mobilizations worth “wasting” one of these vulnerabilities on?

3: Undercover Agents in the Group

This is the most likely scenario. Signals intelligence (or SIGINT) is an important tool for intelligence agencies. Human intelligence (HUMINT) goes back to the first spies. Pretend you’re someone you aren’t, convince others you are who you say you are, and gather information. Not easy, but pretty simple and effective.

In 2007, I was mobilizing for an anti-war protest against then-President George W Bush in Connecticut. It wasn’t a secret: we had open volunteer meetings to prepare for it. We had a permit for the space. We distributed flyers with our information on it. One night during our weekly volunteer session, two new guys showed up wearing casual jeans, t-shirts and jack boots. They started asking about the plans for the day, which we explained.

We began talking about the right-wing Screaming Eagles who were planning a counter-protest with motorcycles to drown us out. The two new guys started suggesting we throw rocks at them – an escalation we were not going to take part in. Between their insistence on instigating violence and a few other things they said & did, it became very clear they were police agents. (Side note: they ended up showing up to the protest and asking what they could do to help. We had them hold the banner for hours.)

If that demonstration had been in 2020 instead of 2007, they would have likely tried to get on our private chats for the day of the action.

This is what I believe to be the most likely thing: Someone had bad operational security (OPSEC) and let a police agent into the group. Pretty simple, actually. There’s a long history of agents infiltrating movements. The agent gets access to communications and contact information and relays that back to the agency they work for.

In this situation, it wouldn’t matter if the conversation were happening over Telegram, Signal or in-person in a room without cell phones. The agent would have access to all the same information. No amount of password protection and encryption would help.

Don’t be paranoid, but be cautious

Who’s in your Signal or Telegram group? Who’s in the room when you’re making plans?

Millions of people across the US have joined protests over the past few months. Many thousands have gotten involved in organizing from big cities to small towns. Our movements should welcome them all with open arms! Vulgar vanguardism will keep movements small and exclusive to the most “woke.”

At the same time, organizers must be on alert and cautious about who is in the inner circles. This is a delicate balance, of course. We don’t want to alienate those who want to learn and build, but in the midst of a rebellion we also must have trusted groups. There is no step-by-step checklist for this; as organizers we must always consider the risks vs the benefits of our actions, and this includes who we bring into organizing.