Digital Activism Tactics: TweetStorms Reviewed

Standard

In late 2010, digital activists on Twitter began experimenting with a new form of protest, the “TweetStorm.” I updated this from my old post because there have been a few changes to Twitter, and both Facebook and Google+ have now adopted hashtags, making this an even more attractive concept. Where you read “tweet” below, take that to include status updates on FaceBook, Twitter, and elsewhere.

What is a TweetStorm?

It’s a coordinated action by many users to tweet about a single issue at the same time, generating a “storm” of tweets.

How does it work?

Anyone can call for a TweetStorm, you just need to decide:

  1. What will be in the tweet[s] (the text and what hashtags, any special user to target, eg @whitehouse – but use extreme restraint, or risk alienating* a user who can help!

    TIP: Choose a new, unique hashtag, but everyone has to keep it secret until right before the event

  2. What time it has to be sent (essential to choose a time you know lots of supporters are usually online)

    TIP: Create an online event that people can sign up for, or make a one-off campaign on thunderclap.it

What next?

  • You have to tell people about the TweetStorm, and ask them to get involved by supporting it by sending out a tweet or setting up a scheduled tweet (see below) and by spreading the idea to their followers!

    TIP:  Contact your most active followers  privately, to ask if they will take part and help to recruit others

  • Then, you all either keep the TweetStorm text somewhere handy (Facebook event, blog post, pastebin, etc) and tweet at the appointed time, or schedule the tweets to go out at the set time.

How do I schedule a tweet?

TweetDeck includes a schedule tweet feature, and there are some scheduling services available through mobile or online applications, such as Buffer or Hootsuite.

How do I know what time to send the tweet if I am in a different time zone?

Check times in various time zones here: http://www.worldtimeserver.com/ or here: http://www.worldtimezones.com/

And that is about all there is to it.

TIP: If you plan to use TweetStorms as an ongoing tactic, keep some stats, give people feedback, and THANK THEM for taking part

Summary

  1. Write the tweet(s) and/or choose a unique hashtag and pick some optional @username(s) to target
  2. Recruit your friends using DM, email, FaceBook, Twitter, Google+ etc. Coach them if necessary
  3. Remember to set up your schedule if you need to
  4. Pass the information along – you may want to warn your followers
  5. Post increasingly frequent reminders as the time approaches, but keep the new hashtag secret

Are TweetStorms Effective?

tweet-in-a-bottleEarly analysis indicated that TweetStorms were highly effective. Whether that was the result of serendipity or serious effort remained to be proven in those early days. With the benefit of hindsight we can see that Twitter changed their Terms of Service so that sending “unsolicited” tweets, or using certain hashtags, could get your account suspended. Added to that, as Twitter grew and the user interface changed, many people found it increasingly difficult to maintain the level of close, co-operative contact with their network, which a TweetStorm depends on to be successful.

However, we can say:

  1. TweetStorms do work, and only thanks to the coordinated actions of concerned individuals.
  2. TweetStorms are not necessarily successful in isolation; they are an important adjunct to the conversations, petitions, emails, letters and postcards and other campaign actions.
  3. On Twitter, it is now very difficult to target Trending Topics, so targeted TweetStorms are a good alternative to trending.
  4. They the draw attention of other users, which can help strengthen a cause.
  5. TweetStorms are NOT spam. Spam is useless or irrelevant information sent to random or unrelated targets.
  6. TweetStorms are not meant as entertainment, rather as serious activism for spreading awareness, but you can make them fun, too. They are designed to attract attention from all corners, not only “@UN” or “@StateDept” for example.
  7. TweetStorms show allies the cause remains strong.
  8. They also show potential enemies that supporters of the cause are united. Maintaining secrecy of the tag and targets to the last minute also catches opponents by surprise, robbing them of the chance to spoil your plan.
  9. TweetStorms are democratic in nature: anyone can choose the message, who it targets, and when.
  10. TweetStorms are relatively easy – with potential high returns for minimal effort and zero outlay

Last Word

As activists, it is important to not only take part in TweetStorms, but to actively encourage others to join. Activism doesn’t stop at the ‘send’ button.

* Aside: When I started TweetStorms, to draw attention to human rights issues in Iran, Amnesty International was a target for more than one campaign. They were not at all happy to see their timeline flooded with our messages (there was no “mentions” column on Twitter back then) and blocked my account. Later, they began using the TweetStorm tactic themselves! And no, they didn’t unblock my account.

The original guides to the TweetStorm idea in several languages are available on these links:

TweetStorm-Arabic

TweetStorm-China

TweetStorm-Deutsch

TweetStorm-English

TweetStorm-Español

TweetStorm-Française

TweetStorm-Farsi

TweetStorm-Italia

TweetStorm-Japan

TweetStorm-Nederland

TweetStorm-Portugal

Related articles

Advertisements

Online Security: Verification and Validation

Standard

An overview of key points for activists to bear in mind for online security, or tactics to bring into play in case of an online incursion by members of anyone’s so-called “Cyber Army” – updated version of my December 2011 post “Battle Hardening Against Cyber Soldiers” for Cyber Security Awareness Month.

cyber-defences-security-370x229

When it comes to online security, your first responsibility is to yourself, and that has never been more clear than now, with the daily diet of revelations about the allegedly massive scale of global government spying and surveillance finally raising awareness. Of at least equal importance, is the need to stay alert to the risks your actions might create for others in your online network. Every time you share, tag, mention or otherwise connect someone else to your content, you are highlighting your relationship in the context of that content. A simple typing error, a hastily copied story, or unbridled haste to share without fact-checking, can alter that context dramatically, and potentially with rather more serious consequences that any of us previously imagined. Increase your personal security first, using the same logic as those flight safety rules about oxygen masks. Here’s a handy article from the New Scientist, about how to try and evade the NSA dragnet, to help you get started.

Being part of an online network means you need to be able to justify each of your online relationships, and pay attention to any unexpected changes. Harsh as it might seem, treat all former contacts, who reappear after an absence, with neutral (not hostile) caution. Accounts do get hacked, and occasionally, people do get recruited to “the other team” or put under pressure to reveal passwords. If you didn’t put a challenge/response protocol* in place with your trusted contact before they dropped off the grid, so you could verify their identity when they reappear at some future point, then you have to assume there is a 50% chance they are not the person you once knew until they can prove themselves to your satisfaction. Similarly, do not feel obliged to “follow back” or accept every friend request unless you feel confident about doing so. Set some standards for yourself about why and how you plan to grow your network. If you are simply feeling insecure, ego-driven, or lonely, be honest with yourself about your motivations, and try to keep them in check so that they don’t compromise your security.

*Establish a challenge/response protocol with your trusted contacts. This is an agreed question you can ask the other person and an agreed response they must give. Like a password reminder.

Tip: Do NOT use any of your existing password reminder Q&A’s

New accounts, especially breathlessly dramatic ones, should also be treated with measured caution. Wait for verification of all news, especially any that will have serious or long-term repercussions. We learned this the hard way when a very plausible fraud appeared on Twitter in the middle of protest and declared that bit.ly shortened links were blocked in Iran. The ensuing panic and last-minute changes caused a lot of people a great deal of unnecessary extra effort, and some of the suggested alternative link shortening sites are no longer operational, meaning that archived content which includes links using these now defunct services are effectively dead.

Breaking News” reports always seem to demand an urgent response, where in fact they should be treated as “unconfirmed news“. As we all know, a lie is halfway around the social network world before the truth has got its pants on. So, as always, wait and verify, verify, verify. Remember that even the most experienced social media users and big name mass media outlets like the BBC, MBC, CNN etc have all been fooled by fake news, or been too quick to rush to headlines without checking facts; at times, they are even revealed to be responsible for it . If you do happen to post a report in good faith, which later turns out to be false, you should be willing to spend at least as much time retracting it and letting everyone know, than the time you spent sharing it.

Mark unconfirmed status updates as UNCONFIRMED or UNCONF. Do not remove text that identifies news as unconfirmed when re-tweeting or re-posting.

did-the-world-s-nastiest-virus-try-to-self-destruct--49a5bfa353Be cautious with private message requests or emails containing sensational news, documents, image, videos etc. asking you to share news. Suggest to whoever sent it that they post it themselves and you (might) share their update. If they claim to be unable to use or create a social network account, suggest they use liveleak.com, where you can share images, documents, videos and post text updated using an alias. Run a search for the information being privately shared with you, to see if it can be verified, or if anyone is posting warnings about it.

Watch out for people re-using images from unrelated events. Use Google or Tin Eye to search for images by url or by uploading them. Try using Storyful’s Multisearch tool to help you verify news and look for more sources. What other tools do you know of? Add the best to your favorites, and share them often.

Check for images having been altered using special analysis tools like Image Metadata Manager or JPEGSnoop or the fotoforensics.com website.

As far as possible, try to stay transparent in your methods and analysis, and let your network help you by reaching out for help verifying reports, checking facts, or translating content.

ISERI Protests 12 Jan 2011 AlJAzeera cameraman hassledFake videos seem to be all the rage these days, while innocent cameramen are being murderedkidnapped or harassed, and citizen journalists – or indeed, anyone carrying a smart phone or camera – face increasing pressure from police and authorities. 

Here is my current list of suggestions, ideas and wishes for video checking and verification:

  1. Time and Date – video camera clocks can be changed of course, but we used to encourage activists in Iran or elsewhere to show us that day’s newspaper, social media status updates on a screen, or a live TV broadcast in the background of their video.
  2. Incentifying crowdsourced verification by rewarding the crowd. Not necessarily restricted to financial rewards, there are many different ways to motivate using more humanitarian methods, media coverage, thanking helpers with mentions, gamified social media decals etc – see this video for an example (at 10m42s) : 
    Digital Humanitarians: Patrick Meier at TEDxTraverseCity 2013
  3. Patience. There is often no good reason for the rush to post unverified news. This sense of urgency was more relevant four or five years ago, when mainstream media was thumbing its nose at “irrelevant, pointless” social media and users felt driven to prove their worth and expose the slow-footed traditional press. Now social media has gained almost universal acceptance, we should adjust the idea of competition to be first to break “all” news – at the cost of validity – and only apply it where it adds value, such as disaster relief.
  4. Details. We need to encourage those posting video to take the time to add important details – names, dates, locations, background facts, and tagging – for example, while also blurring faces of vulnerable subjects.
  5. Communication – it’s a 2-way street. We need to understand the importance of leaving comments of encouragement, feedback, guidance. At present, too much video is being posted and consumed in a communication vacuum.
  6. Archiving. Too many videos get pulled offline, and any video exposing serious abuse by authorities is at risk of being censored either formally or informally. There are sites that will save text or image content, but I don’t know of any reliable, consistent, centralised effort to preserve video or audio. It’s left to quick-thinking people to save these items privately.
  7. Translation. Really, this should be first on the list. The lack of organised, consistent volunteer efforts to crowdsource translation beggars belief. If you know anyone who can build an app for this, I have a rough design outline that’s been gathering dust for the past 4 years.
  8. Gratuitous violence and shock tactics are on the increase (and being pushed by Facebook and major news outlets when it suits them) and little good has come of it, if any.  People are being traumatised, becoming immune to it, or turning away. This is very damaging to the prospects of crowdsourced verification, because the gore factor is a deterrent to many potential helpers. I resist sharing the 18+ content being posted as relevant to human rights abuse, in the hope that, if we don’t encourage the trend by reacting, rewarding, or promoting, it will fall out of favour.
  9. We need an open source tool for video that works like JPEG Snoop, to extract information about the video, camera, settings, GPS etc.

Your comments and suggestions are very welcome on these subjects – drop me an email through the contact form or leave a comment below.

Take responsibility for your online safety and security

  • Change to a strong password and keep changing it, if not daily then as often as you can.
  • Scan your computer to check for intrusions, keyloggers, rootkits, malware, and trojans and keep your security software up to date.
  • Make sure that your recovery details for websites like Twitter, FaceBook & blogs etc are accurate and up to date.
  • Protect the email accounts you use to register with websites and services.
  • Use https to access websites and services, so that when you do connect, the information you send is encrypted.
  • Copy and paste login names and passwords rather than type them.
  • Do not store unencrypted user names and passwords on your computer.
  • Protect files on your computer or on external storage devices or removable storage like flash drives, SD cards or USB sticks using encryption, such as TrueCrypt.
  • Use a password on all your devices.

Be alert for apparently innocent requests for information about your own or anyone else’s details, such as location, online activity, other connections, friends or contacts.

We Don’t Talk

Standard

An anonymous statement was posted today with a link to NSA files which it is claimed, prove that the NSA is spying on people. Not only on American people, but citizens of over 35 different countries. My first thought, and I assume that of many others, was “how is this news?”. Do any of you really imagine that governments are not spying on us; what do you think all the biometric passport and identity card registrations are intended for? These schemes – passports in the “developed” world, ID cards in the rest (generously funded by stronger economies) – are presented as a means to “protect” our identity and to ensure freedom, democracy and the rule of law. It strikes me as like being told to have sex to protect your virginity.

Digression: My second thought, the one that crops up routinely these days, was “why do we always fall into the trap of talking about Anonymous as if it were a tangible entity, and not a concept?” For example “Anonymous releases  NSA files..” instead of “Files were released anonymously..” That is a trap I fall into regularly, and a fight I  know I am never going to win, so I don’t even try.

In the UK, there were and always will be concerns about these adventures which trespass into our private lives. Accordingly, beginning several years ago, we experienced a series of incidents, which were delivered to us as “data breach” revelations in the media, where government staff or contractors had somehow “lost” laptops, CDs, etc., which contained the records of millions of people or even entire families. Before too long, we could expect detailed information on every household in the UK to have been included on one or more of the “lost lists”. As far as I can recall, no one lost their job or was punished in relation to any of these events, and little news was published about what was being done to recover the missing items or data. What a fine strategy those “data breaches” would be for creating an independent database containing information on every person in the UK!

We also see reports in the media including the same major technology and service companies implicated in the NSA data gathering exercise – Apple, Amazon, Google – evading business tax. Between them, these companies also happen to collect data belonging to millions of individuals on identity, finance, movement or location, interactions and relationships. Is this corporate tax avoidance or a discount for services rendered?

Let us not forget the banks and financial institutions that are too big to fail or be adequately punished for misdeeds and “miscalculations“, the governments and super-governments that are too entrenched to be accountable, and the media’s own scandals, manipulation and scare mongering. What your bank doesn’t know about you these days isn’t worth knowing. But it’s worth something to agencies that like to spy on you. The new data centre for Lloyd’s Bank is constructed like a supervillain’s fortress.

Lloyds Banking Group's new IT data centre

Lloyds Banking Group’s new IT data centre

It has more safeguards and failsafes than any similar structure I have ever heard of. That is good news, as long as all they are concerned with is looking after their clients’ money and securing their data. What difference does data centre security make if the bank is willing, or can be coerced under some new law, to simply hand over the data?

Taken together, this paints a rather horrific image: a collage of corruption, criminality, and mismanagement on a “big brother” canvas. These days I see a growing divide, with ordinary citizens showing an interest in alternative currency systems like Bitcoin or bringing back bartering on the one hand, and institutions selling us out on privacy while frothing at the mouth and waging war on (other people’s) corruption and money laundering on the other.

Many of my recent conversations have broached these topics, and the consensus is that people in general are not, as the media tells us, too lazy and self-serving to take action, but rather are trapped in a demotivating pattern of unquestioning acceptance and compliance. The manufactured obsession with new-newer-newest devices and social media, with the latter a long-term offender with regard to suspicionsprivacy scares and scandals, has spawned a self-perpetuating meme-based ecosystem.

teen_sleep

Social media tells us that smartphones or selfies are phenomena, and without question we embrace them, thereby creating and sustaining them. Generally, the feeling is that people need to disengage from the brainwashing, shun the presstitutes, and start to have meaningful, authentic conversations again, to reconnect with the world and their own thoughts, ideas and opinions. It is increasingly evident that a better sleeping pattern wouldn’t go amiss, either.

What do you think? I do actually want to know, yet I have so little confidence that you will respond, beyond the less than one percent of those who read and click “like”. I feel the distance between us more sharply each day, as we drift on these social media currents. Most days, I can barely see the coastline of our conversation.

Google+ exploit could be bad news for Iran and Syria internet users

Standard

google-plus-exploit

The key point that caused me to write this post has not changed – this issue can have serious negative implications for users in countries like Syria and Iran.

UPDATE 2: It had originally been reported that criminals had created a fake Google website by abusing security certificates. The BBC updated their news report at 22:00 on 4 January to say “criminals could have created a website that purported to be part of the Google+ social media network”.  Note: As Google Inc is now branding a bunch of its services as the Google+ social media network, this refers to *.google.xxx, for example https://mail.google.com.

TurkTrust has said there was only one of the 2 certificates in use and they see no implication of any malicious usage. The information does seem to confirm that the client was using the *.google.com certificate for man-in-the-middle intercepts. I suggest reading the full discussion and content of the embedded links on the the Mozilla security list for more technical details, and the Mozilla Security Blog post for a non-technical overview and explanation.

UPDATE 1: TurkTrust has issued a Press Release concerning the security advisory by Microsoft, Google and other Internet browser producers published on the 3rd of January 2012, GMT 18:00 hours.

Related links:

The company maintains that the situation has no impact on customers at all and says it will continue to provide updates. I have commented in my original post about the coincidental similarities that seemed to exist between this issue and the DigiNotar scandal, so I was not at all comfortable to learn that the flawed system was given a clean bill of health in November 2011 after an audit by KPMG in the Netherlands, DigiNotar’s turf. I could write at length about the circumstances which led to this recent breach of trust and my remaining questions, but I don’t want to bore you senseless about it. I am much more concerned that our efforts are focused on alerting activists in countries with repressive regimes to the potential risks such events pose to their online  and offline security.

Web browser makers have rushed to fix a security lapse that cyber thieves abused [was used – see Update 2] to impersonate Google+.

Chrome has been updated, Firefox will be updated 8 January 2013, and Internet Explorer has issued an update which will be applied automatically for users of Windows 8/RT/Server 2012. Anyone using older versions of Windows will need to use Windows Update. Since Opera requires a successful revocation check in order to show a site as secure, Opera explained that  users were immediately protected, and there was no urgent need to update. As usual, Apple has not commented on when or if they will take action to protect Safari and iOS users.

By using the fake credentials, criminals created a website that pretended to be part of the Google+ social media network. [See Update 2] The loophole exploited ID credentials that browsers use to ensure a website is who it claims to be.

So someone was attempting to perform a man-in-the-middle attack against secure communications intended for Google, but there is no information about who that is or where they are based. [See Update 1]

The fake ID credentials have been traced back to August 2011, when Turkish Certificate Authority (CA) TurkTrust mistakenly issued two “master keys” – higher level certificates used to certify website validity. The issue was not discovered by Google until late on 24 December 2012. Google issued two updates on 25 and 26 December and alerted other browser vendors.

You may recall that August 2011 saw a report from Google about man in the middle attacks linked to the DigiNotar CA which they said mainly affected users in Iran.

So the dates coincide, as does the methodology and the target site, except this time TurkTrust is much closer to Iran and Syria (on many levels, not only geographically) whereas DigiNotar was in the Netherlands.

Google’s post notes that Google “may also decide to take additional action after further discussion and careful consideration,” which hints that the Chrome team are considering the exclusion of  TurkTrust’s root certificates. Mozilla will temporarily revoke  it from 8 January when the patch is released. However, if this CA is removed, it could force many sites in countries like Syria and Iran to use national, not-trusted and completely compromised CA’s like ParsSign.

Do you understand by country censorship on Twitter; does it change anything for you?

Standard

Aha!
Just wondering what would happen, if I posted my comments on Twitter like this, embedded in an image. If my message was in contravention of some complaint that would cause my tweet to be censored under normal circumstances (if it was a text tweet). Would my image be censored; would it buy me some time before the message was spotted, for an objection to be raised or a rule applied, and the tweet filtered? An interesting idea to play with.

I’m really interested in your thoughts on this change. If you answered “No” or “Not really” please see the links below to learn more. I hope you’ll post in the comments or send a reply to @lissnup about this. For example:

  • will this make any difference to you as a Twitter user?
  • will users stick it out and find inventive work-arounds?
  • will you change any of your user habits?
  • would you look for an alternative micro-blogging platform to share status updates?
  • are free services more susceptible to unwelcome changes or restrictions?
  • would you “pay for a say” in how a social network is designed and managed?
  • are you “locked-in” to Twitter by your existing habits, network, reputation, etc?
  • Google’s announced combining all privacy policies etc – do you see a connection?
  • Internet users and ISPs are facing increasing legislative challenges (ie ACTA, SOPA/PIPA) – do you see a connection?