Service providers other than mobile network operators can provide information about you to an adversary.
State institutions can provide any information they have about you, including your address, tax records, health information, etc.
Physical and digital stores can provide information about purchases made through the store, including:
- Given a name: the items purchased under that name, as well as the date of the purchases.
- Given an item or category of items: the names of the people who purchased the item, as well as the date of the purchases.
Additionally, physical stores can provide:
- CCTV footage from cameras operated by the store.
- Testimony from store employees, for example about the physical appearance of a person who made a particular purchase.
Banks can provide:
- Your bank account activity, including the date, location and amount of any purchase or withdrawal you make with a card.
- CCTV footage from cameras on Automated Teller Machines (ATMs).
Internet service providers can provide:
- If you follow digital best practices and use Tor: metadata about your Internet activity, such as when you use Internet.
- If you don't use Tor: your Internet activity, including the list of websites you visit.
Websites, email providers, and other online services can provide:
- The content of unencrypted communications you make through the service (e.g. social media posts, unencrypted emails).
- Metadata about encrypted communications you make through the service (e.g. the sender, recipient, and date of encrypted emails).
Used in tactics: Incrimination
Mitigations
| Name | Description |
|---|---|
| Anonymous purchases | If you need to purchase an item in a store, you can purchase it anonymously to make it harder for an adversary to use the collaboration of the store to link your identity to the item. |
| Digital best practices | You can follow digital best practices to make it harder for service providers to provide useful information to an adversary. For example, you can:
|
| Encryption | You can encrypt “in-motion” data to make it harder for service providers to provide useful information to an adversary. |
Used in repressive operations
| Name | Description |
|---|---|
| Case against Peppy and Krystal | A fireworks store provided investigators with records showing that Peppy had purchased fireworks from the store three days before the protest[3]. |
| Repression of Lafarge factory sabotage | Investigators gave the serial number of a camera to the camera manufacturer, and the manufacturer gave them the name of the store where the camera was sold[4]. This helped investigators identify a person they accused of taking photos with the camera. |
| Repression against Zündlumpen | One clue against a suspected editor of the newspaper is that she used her bank account to order things that could be used for printing — her bank records were presumably obtained by investigators with the collaboration of the bank[5]. |
| Bure criminal association case | Investigators used the collaboration of banks to obtain the bank records of organizations fighting against Cigéo[6]. The bank records of one organization included a 500€ transfer entitled “participation manif 18 fev” (“contribution to the February 18 demonstration”), in reference to a demonstration in which people attacked a building associated with Cigéo. The owner of a supermarket in a town about 20 km from Bure told investigators that he had seen customers buying an unusually large amount of denatured alcohol (15 liters), and gave the receipt to the investigators. |