| Privacy Tools Guide

layout: default title: “Set Up Secure Communication for Labor Strike Organizing” description: “A practical guide for developers and power users setting up secure communication infrastructure for labor strike organizing. Covers encrypted” date: 2026-03-16 last_modified_at: 2026-03-16 author: theluckystrike permalink: /how-to-set-up-secure-communication-for-labor-strike-organizing/ categories: [guides, security] reviewed: true score: 9 voice-checked: true intent-checked: true tags: [privacy-tools-guide] —

To set up secure labor strike communication, deploy Signal for primary encrypted messaging with disappearing messages enabled, Session Messenger for decentralized backup, and self-hosted Jitsi Meet for group calls. Layer in encrypted email through ProtonMail, use a separate device or virtual machine, implement dead man’s switches for credential management, and establish clear operational security protocols before coordinating sensitive strike activities.

Threat Modeling for Strike Communications

Before deploying any communication tools, establish a clear threat model. Strike communications face specific risks:

Employer surveillance — Management may monitor workplace devices, networks, and communications
Legal discovery — Communications may be subpoenaed during labor disputes
Infiltration — Bad actors may attempt to join organizing efforts to gather intelligence
Device seizure — Phones and computers may be confiscated during pickets or arrests
Service disruption — Employers or authorities may attempt to block or jam communication channels

Your threat model determines which tools and configurations are appropriate. No solution provides absolute security, but layered defenses significantly reduce your attack surface.

Mapping Threats to Countermeasures

Threat	Primary Countermeasure	Secondary Countermeasure
Employer network monitoring	Avoid workplace WiFi; use mobile data	VPN for all organizing traffic
Device seizure	Full-disk encryption; remote wipe enabled	Disappearing messages on all channels
Legal subpoena	No plaintext records; Signal sealed sender	Briar for offline mesh coordination
Infiltration	Verify safety numbers; vet new members out-of-band	Compartmentalize by function
Service disruption	Pre-configured Briar pairs; offline fallback plan	Designated physical runners

Revisit your threat model before each major action phase. Threats escalate as organizing becomes more visible.

Prerequisites

Before you begin, make sure you have the following ready:

A computer running macOS, Linux, or Windows
Terminal or command-line access
Administrator or sudo privileges (for system-level changes)
A stable internet connection for downloading tools

Step 1: Core Communication Stack

Primary Channel: Signal

Signal provides the strongest balance of security and usability for real-time coordination. Its implementation of the Signal protocol offers:

End-to-end encryption by default
Sealed sender technology hiding metadata from servers
Disappearing messages for sensitive discussions
Registration lock preventing SIM-swap-based account takeover

For strike organizing, configure Signal with these settings:

Enable disappearing messages (24-72 hours recommended)
Enable screen lock requiring biometric or PIN access
Enable registration lock in settings
Use group chats rather than broadcast lists for coordination
Verify safety numbers with core organizing committee members

Secondary Channel: Session Messenger

Session provides an alternative that operates without phone numbers, routing traffic through onion nodes for metadata resistance. This matters when phone numbers could link participants to their real identities.

Session operates on the Signal protocol but routes through LokiNET, providing:

No phone number requirement for account creation
Decentralized onion routing hiding communication metadata
Local-only message storage with no server-side history

Deploy Session as a backup channel when Signal becomes unavailable or when participants need additional anonymity.

Offline Coordination: Briar

When internet access becomes restricted—whether through network blocks, shutdowns, or physical displacement—Briar provides mesh networking via Bluetooth and Wi-Fi Direct. Devices can synchronize messages when within range without any internet connection.

Briar deployment strategy:

Install Briar on Android devices (iOS version in development)
Establish trusted device pairs before operational need arises
Create dedicated “contact groups” for different organizing functions
Designate runners who can physically carry messages between locations

Step 2: Self-Hosted Infrastructure

For organizations wanting greater control, self-hosted options provide infrastructure independence.

Matrix with Element

Matrix offers federated messaging with end-to-end encryption capability. Deploy Synapse homeserver for organizational control:

# docker-compose.yml for Synapse
version: '3'
services:
  synapse:
    image: matrixdotorg/synapse:latest
    container_name: synapse
    volumes:
      - ./synapse:/data
    ports:
      - "8008:8008"
      - "8448:8448"
    environment:
      - SYNAPSE_SERVER_NAME=organize.yourdomain.org
      - SYNAPSE_REPORT_STATS=no
    restart: unless-stopped

Generate configuration with:

docker run -it --rm -v ./synapse:/data \
  -e SYNAPSE_SERVER_NAME=organize.yourdomain.org \
  matrixdotorg/synapse:latest generate

Configure Element client for sensitive rooms:

Enable end-to-end encryption in room settings
Set history visibility to “members only since joining”
Disable guest access entirely
Implement key rotation via admin API:

POST /_matrix/client/r0/admin/rooms/{room_id}/state/m.room.encryption
{
  "algorithm": "m.megolm.v1.aes-sha2",
  "rotation_period_ms": 604800000,
  "rotation_period_msgs": 100
}

Encrypted Video: Jitsi Self-Hosted

For video coordination meetings, self-hosted Jitsi provides encrypted calls without relying on third-party services:

# Jitsi docker deployment
version: '3'
services:
  jitsi:
    image: jitsi/web
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./jitsi:/config
      - ./jitsi/transcripts:/var/lib/jitsi/transcripts
    environment:
      - ENABLE_AUTH=1
      - ENABLE_LOBBY=1
      - ENABLE_END_TO_END_ENCRYPTION=1

Configure lobby mode to require explicit admission for sensitive meetings.

Step 3: Choose Devices for Organizing

Hardware choices matter as much as software. Where budget allows, use dedicated devices for organizing — phones and laptops that never touch employer-managed accounts, networks, or MDM systems.

Recommended Device Configuration

Phones:

Enable full-disk encryption (enabled by default on modern Android and iOS)
Use a strong alphanumeric passcode, not a 6-digit PIN or biometrics for high-risk situations (biometrics can be legally compelled in some jurisdictions)
Install only the apps required for organizing
Enable Find My Device with remote wipe authorized

Laptops:

Enable FileVault (macOS) or LUKS (Linux) full-disk encryption
Create a separate user account exclusively for organizing work
Configure the firewall to block all inbound connections
Use a privacy screen filter in public spaces

Step 4: Operational Security Practices

Technical tools require operational discipline to be effective.

Device Security

Use dedicated devices for organizing communications when possible
Enable full-disk encryption
Configure secure boot with custom keys
Use alphanumeric PINs rather than biometrics for sensitive situations (biometrics can be compelled)
Enable Find My Device / remote wipe capability

Network Considerations

Use VPN when accessing organizing communications over employer or public networks
Avoid organizing discussions on workplace WiFi
Consider Tor Browser for accessing communication services in high-risk environments
Disable WiFi auto-join to prevent inadvertent network connections

Communication Discipline

Use code words for sensitive operational details
Rotate encryption keys periodically
Verify identities through out-of-band channels
Assume all non-encrypted communications may be intercepted
Delete sensitive messages after action items are completed

Step 5: Compartmentalization Strategy

Not every organizer needs access to every channel. Compartmentalizing information limits damage from infiltration or device seizure.

Recommended structure:

Public channel (Signal group, open to all members): Announcements, public picket schedules, general updates
Core committee channel (Signal, verified safety numbers): Tactical decisions, vote counts, legal strategy
Operations channel (Session or Matrix, tighter access controls): Specific action coordination, time-sensitive logistics
Emergency channel (Briar, pre-paired): Fallback when internet-based channels are unavailable

Assign different people as administrators for each tier. If one tier is compromised, the others remain intact.

Step 6: Backup and Recovery

Establish recovery procedures before operational need:

Signal: Print backup code and store in secure offline location
Matrix: Export 4S recovery key, store offline
Session: Record recovery phrase in secure location
All: Designate trusted contacts for emergency access

Step 7: Handling Key Management and Credential Handoff

Strike organizing requires planning for leadership transitions. If an organizer is removed, resigns, or is unavailable, access to shared channels must transfer smoothly without exposing credentials.

Signal groups: Signal group admin rights can be transferred by any current admin. Designate at least two admins per group — never a single point of failure.

Matrix homeserver: Store the admin credentials in a shared password manager (Bitwarden or Vaultwarden self-hosted) accessible to two or more trusted organizers with hardware key 2FA.

Jitsi and other self-hosted services: Document server credentials and SSH keys in an encrypted file stored offline with a designated backup administrator. Use a break-glass procedure: the backup credentials envelope is opened only when the primary admin is unavailable.

Troubleshooting

Configuration changes not taking effect

Restart the relevant service or application after making changes. Some settings require a full system reboot. Verify the configuration file path is correct and the syntax is valid.

Permission denied errors

Run the command with sudo for system-level operations, or check that your user account has the necessary permissions. On macOS, you may need to grant terminal access in System Settings > Privacy & Security.

Connection or network-related failures

Check your internet connection and firewall settings. If using a VPN, try disconnecting temporarily to isolate the issue. Verify that the target server or service is accessible from your network.

Frequently Asked Questions

Is Signal safe if management subpoenas our records? Signal stores minimal metadata and no message content on its servers. With disappearing messages enabled, there is nothing to produce in discovery. Signal has responded to government subpoenas with only account creation date and last connection date — no message content.

What if an infiltrator joins our Signal group? This is an operational risk, not a technical one. Verify new member identities through in-person contact or trusted referrals before granting access to sensitive channels. Compartmentalization limits what any single infiltrator can see. Rotate groups and channels if you suspect compromise.

Should we use encrypted email instead of Signal? Email is better for asynchronous, document-heavy communication — attaching legal notices, sharing union authorization forms, or communicating with legal counsel. Signal is better for real-time coordination. Use both: ProtonMail for documentation, Signal for day-to-day coordination.

Can the employer monitor Signal on a company-issued phone? Yes, through MDM software that can log keystrokes or take screenshots at the OS level, regardless of app-level encryption. Never use company-issued devices for organizing communications. Use your personal device on mobile data, not workplace WiFi.