The commercial sale of legal, recreational marijuana in the United States poses some interesting legal problems. Marijuana is completely legal under the laws of some states, but still a Schedule I substance according to federal law. Though the strange detente that has emerged over the past several years has kept things awkwardly civil, the federal government would be legally justified in cracking down on growers, purveyors. . . and consumers.
Even if you have no interest in using marijuana, or believe it should be completely criminalized, there are lessons to be learned here. Whether they realize it or not, the participants in this industry are currently operating in a potentially adversarial environment. For most of us OPSEC is academic; it is instructive to consider cases where the threat is quantifiable.
Threat Model: MEDIUM. The primary threat actor is the federal government of the United States. With tremendous reach and resources and the legal footing to do so, the government could arrest, prosecute, and imprison patrons of marijuana dispensaries. However, as more states expand marijuana legalization/decriminalization and public opinion softens, the situation becomes far more complicated and more of a political “hot potato”. Mass arrests of marijuana users are unlikely, but until it is legal at the federal level, exercising some level of caution seems prudent.
Scope: This post deals with simple security and privacy measures that customers of legal, commercial dispensaries can take to protect themselves. I do not purport to know anything about face-to-face purchases on the black market, and don’t attempt to make any recommendations there. This post also offers no advice to dispensaries themselves (other than, “respect your customers’ privacy!”) even though there are tremendous risks inherent in a cash-only industry.
Assumptions: Though I have visited a marijuana dispensary, I am not a marijuana consumer. All of the advice here is based upon outside observation, online research, and information gleaned from individuals who have patronized marijuana dispensaries.
The security measures below are what I would do, were I to partake in the marijuana economy.
With careful planning and careful dispensary selection it is possible to purchase marijuana more or less anonymously. You pass your cash over the counter, your product is passed back to you, and you walk out. Taking these transactions into digital spaces creates all manner of problems.
Researching Dispensaries: When you are researching dispensaries, you should take measures to obfuscate your IP address and prevent correlation of your searches with your other internet activity. At a minimum I recommend using a Virtual Private Network (VPN). I have written exhaustively on the use of VPNs. If you don’t have one, I recommend Private Internet Access. In full disclosure, I am an affiliate of PIA, but also trust and use their service on all of my devices.
Stay tuned: I will be updating my guides to using PIA on all device types in the near future. I will also be updating my guides for setting up Firefox for secure and private browsing.
One other thing: you should also refuse to visit dispensaries that do not provide a valid HTTPS certificate for every single page on their site. HTTPS encrypts your connection from your device, all the way to the site’s server. If a dispensary or company doesn’t provide this, they don’t care about you and you shouldn’t support them financially.
Online Pre-Orders: Some dispensaries allow or encourage you to pre-order marijuana via their website. I did a quick DuckDuckGo search for one dispensary each in Alaska, California, Colorado, Nevada, and Washington. All but one (the first Alaska dispensary I found, which didn’t have its own website) encouraged online pre-orders. Due to the tightly controlled nature of these businesses, providing true and accurate information is almost certainly required. I strongly recommend against online pre-orders.
Online Accounts: If you do feel compelled to create an online account, do so with an email address that is not associated with your “normal” email address. Create a free ProtonMail account exclusively for that purpose, and don’t tie it to other aspects of your life. DO NOT provide your real phone number. Use a good, strong password and, if possible, two-factor authentication. Provide the absolute minimum required information.
Social Media Activity: It may seem strange, but I am probably even more unfamiliar with social media participation than I am with marijuana purchasing. Still I have no doubts whatsoever that individuals are compelled to follow, like, Tweet at, and otherwise engage with dispensaries. I would avoid this. I would also avoid signing up for mailing lists, newsletters, or special offers via text or email.
ALWAYS Pay in Cash: This is perhaps the single most important item on this list. ALWAYS pay in cash rather than with a credit card or other form of electronic payment. A credit card transaction creates a permanent record that will be impossible to erase. If you use your credit card to purchase marijuana (or anything else) you have forever, irrevocably tied your name to that activity.
I realize that credit cards may not be accepted at dispensaries. Though this creates problems for these businesses by making them “cash only”, it is a GOOD thing for consumers’ privacy. However, you should get your cash before you show up and avoid using on-site ATMs. You should also avoid using payment apps or any other form of electronic payment.
Getting To the Dispensary
Park Somewhere Else: If you are driving to a marijuana dispensary, you should park down the street or in an obviously different parking lot. Automated license plate readers (ALPR) are constantly scanning parking lots, taking photographs of license plates. These photos are uploaded into a database that is searchable by license plate number. This simple search function can reveal everywhere your vehicle has ever been observed. The search can also be turned around; locations (like dispensaries) can be searched to show every car that has ever been recorded in that location by ALPR. Seriously – park on the street a block or two away. Park in a grocery store parking lot, or McDonald’s parking lot, or anywhere other than the dispensary itself.
Uber Somewhere Else: The same thing goes with ride-sharing services. These services keep detailed records of your trips. If you use Uber you have no doubt noticed that you can review all of your trips in the app. So can Uber. These trips are completely undeniable; they are tied to your desired destination, and inextricably correlated with your cell phone and your credit card. It is not a stretch to imagine that Uber could be legally compelled to hand this information over to the government. Just as with parking (if you drive yourself) you should provide a destination a block or two away from the dispensary itself. The same goes for your departure from the dispensary; walk a block or two and then hail your Uber.
Personally Identifying Information
Rewards/Loyalty Programs: No. When you sign up for a rewards program, you must do so in your true name, as verifiable by your government-issued ID. This tracks your purchases. The security of the database that stores this information is far from certain. The federal government currently retains the right to come and take that information by force. Additionally, signing up for rewards programs may require your name and phone number. This further identifies you, and texts/emails sent to your phone expose your participation in the marijuana economy to additional third parties. Keep in mind that rewards programs benefit the retailer far more than they benefit you.
Providing Identification: This is one of the more difficult sections here. There are few hard and fast rules, and you will have to do some research. There are a couple of important considerations. First, some dispensaries may visually inspect your ID, others may scan it. Ostensibly, this doesn’t necessarily mean that your information is being recorded and saved; ID scanners can simply verify that the ID is valid. Some local jurisdictions require that IDs be scanned.
Complicating the matter, some dispensaries that do scan IDs do not create records about customers. . . but some do. Some are very open about this. Others are not. If scanned, I would have serious concerns that my information was being recorded and stored regardless of what I was told. I would do some research and choose a privacy-respecting dispensary.
Your Appearance On Camera: If you’ve done everything else right up to this point, it should be very difficult to prove that you have purchased marijuana from a dispensary. There is, however, one last thing: security cameras. Due to the cash-only nature of dispensaries, they are under heavy surveillance. I would recommend (at a minimum) wearing a baseball cap and sunglasses every. Single. Time I visited a dispensary. It won’t make you invisible, but it might make your identification difficult, especially if you keep your head down.
I have also written about tattoos before. At that time tattoo-recognition software was in its infancy. In the intervening years it has almost certainly made leaps and bounds. Tattoos are distinctive and can be used as an unquestionable physical identifier. If you have visible tattoos you should cover them prior to visiting the dispensary. This might be slightly uncomfortable in the summer, but I believe it will be well worth it.
The intent of this article is not to promote illegal activity. I doubt that very many marijuana users would view these steps as necessary (as evidenced by the wide promotion of loyalty programs and online dispensary accounts), or go to the trouble. If you don’t use marijuana, consider how these techniques might be used in other legal, but sensitive/politically-charged aspects of your life. They won’t make you invisible to a focused, well-funded investigation, but they’ll probably keep you out of a general dragnet, be it by the police, the news media, or a special interest group.