Asking for a friend. How do you all avoid US government harassment for hosting legal content that advocates civil disobedience? Are there web hosting providers that will tell the US agencies to take a flying leap?
They are a peaceful, non-violent group whose members take political action for reversing the climate crisis, supporting equity for oppressed and indigenous peoples, and so forth. They break laws that are morally unjust, such as those from the civil rights era.
The group has been identified and is being monitored by certain US agencies, and they don't want their website hosting to be monitored or seized.
Tricky question. I’d start by maybe not using a hosting provider in the US, but which jurisdiction is likely not to comply with a US guvmint takedown order? Russia maybe. Take a look at what Snowden uses, or the Intercept, or the Guardian (ie. “enemies of the state”). Ask the ACLU or EFF. Or use a distributed hosting mechanism that does not a have a single point of failure. Or do not use the website to host the info; use it to serve contact info, and use another mechanism to distribute the info, e.g. supposedly Telegram is a thorn in the US agencies’ side (or so they say), or Tor (though Tor does not seem to provide anonymity it can hide the info that is being transmitted, I think) or Signal or (maybe?) Keybase groups. But I’m no expert! The above is based on somewhat interested reading.
If I was your friend, I'd find a way to have coffee or lunch with people behind the Qubes OS operating system and see if they can provide some general insights on hardening their information systems. I fear that what your friend wants to achieve (secure communication with his intended audience while keeping nosy organizations with unlimited resources out) is rather difficult if not impossible.
@stevepiercy, I suggest contacting riseup dot net. I have no personal connection to them, but from years back when I looked into it, it seemed like avoiding government harassment for the kind of groups like your friend's was exactly their raison d'etre, i.e. no logs being kept, VPNs, etc.
If not them, they probably would be a good source for further exploration outside of a public forum.
By the way, this forum is hosted on a server in Canada, but the provider is a US corporation. It’s running only open source software, but who knows what kind of funky back doors exist.
Web hosting is the main concern. We use Cloudflare to provide some protection against attacks. So far in our search for a trustworthy host, we have found that their intent (marketing) and terms and conditions (legal) are contradictory. A non-US based host is an option.
We lack the resources to stop every attack, but we have sufficient resources to deter all but the most determined attackers.
Groups and messaging are beyond the scope of web hosting. That said, I love Discourse (this forum's software). It's good for content that we don't care whether it ever gets disclosed. We're trying out Signal and Keybase for secure and encrypted messaging, Groups/Teams, and file encryption and sharing. Signal requires an exchange of phone numbers and takes over as the default messaging app. Keybase allows the user to specify what personal information is used to establish an identity. Signal has a better UI, but Keybase's features are deeper and more useful.
I would look into the whole stack. Regarding hosting - from reading public sources about how "illegal" sites have been taken down: sometimes it has been in the form of seizing the domain name, DNS hijacking if you will. Not all too sure if transferring the domain name to a foreign registrar and using DNSSEC would help there.
Spammers and other uncouth types seem to have used server farms provided by "bullet proof hosting" companies in Russia, the Ukraine and other former Soviet republics. Looks like a generally useful tactic, other than the fact that it immediately marks your friend's organization as something worthy of exploring in more depth.
Maybe P2P techonologies and old fashioned PGP encrypted email could put up some roadblocks against unintended eavesdropping as well. Same principle applies there: your friend may be able to achieve some temporary privacy in exchange for being targeted individually by methods which collect data before it is encrypted (e.g such as described above).
