Digital security and privacy is crucially important.
For human rights advocates, journalists and activists as well as ordinary citizens, the possibility of your communications being monitored, or the threat of your personal identity or location being exposed, pose a considerable risk, especially if you are working with sensitive information or issues. A thorough digital security strategy is essential, as it will only be as strong as its weakest link. You don't want to simply lock the door to your house when all the windows are open!
Signs that digital security has been compromised can include:
- Passwords that change mysteriously
- Private messages that appear to have been read by someone else
- Websites that have become inaccessible from certain countries
- Officials revealing knowledge about private correspondence, including dates, names or topics discussed
- Signs that mobile phone conversations have been monitored
Do I need to be concerned about this?
Yes. Such scenarios could compromise your projects or expose you or your contacts to censorship, surveillance or persecution, The technology required to compromise someone's digital security is quite simple.
Regularly updating your computer's operating system, installing reliable anti-malware software, and doing regular back-ups are the most important basic precautions to take.
If you have reason to believe that your computers or data-storage devices, including your back-ups, are at risk of being lost, stolen or confiscated, or that your organisation may be subject to targeted internet surveillance (or if this is commonplace in the regions where you operate), then you should refer to Tactical Tech's Security in-a-Box toolkit for more detailed advice.
Five key points for digital security on the internet
1. Be anonymous
Anonymity software such as Tor is useful when you do not want to reveal which websites you have visited. Tor bounces your connection between several random volunteer computers in order to prevent even your ISP (Internet Service Provider) or government-level observers from knowing what you are doing on the internet. However, do not use Tor when sending or receiving sensitive information to or from insecure websites. Unless you are connected to a website that supports HTTPS, it is possible for one of the volunteer computers to monitor the content as it loads.
You can also use Tor to hide your identity from the websites you visit or to bypass Internet filters. These tools are useful when you need to access websites that are blocked; for example for research, or in order to submit updates to web-based platforms such as Facebook.
2. Communicate through secure and/or encrypted channels
Just as the person delivering your mail – or any person with access to your mailbox - could potentially take a look at your personal letters, someone could monitor your internet communication while you log in to an insecure website.
2.1 Secure connections
To protect against this kind of attack, most popular web-based email, social networking, blogging, mapping, and video platforms offer secure connections, called HTTPS. You can check whether you have a secure connection to a webpage by looking for 'https://' (rather than just 'http://') at the beginning of your browser's address bar. Many web-based tools, however, do NOT use HTTPS to protect any information, other than your password, that you submit to or get from their websites.
As a result, if someone monitors your connection for long enough, they will learn what you have stored on that site. Your best defence against this is to use web-based tools that use HTTPS for all pages.
You can complement a secure channel with an additional layer of protection – encryption. Encryption scrambles your message and makes it unreadable by anyone except the intended recipient. Protocols like PGP (Pretty Good Privacy) are now available as free and easy-to-install plugins for many major mail clients like Thunderbird and Outlook. PGP uses a combination of advanced cryptographic systems to not only scramble your message but also authenticate your identity to the recipient.
3. Have a strong password
Use our password checker to test the strength of your passwords.
- A password should be difficult for a computer program to guess.
- Make it long & complex: The longer a password is, and the wider the range of characters it uses (upper & lower case, numbers, punctuation), the less likely it is that a computer program would be able to guess it in a reasonable amount of time. You should try to create passwords that include ten or more characters. Some people use passwords that contain more than one word, with or without spaces between them, which are often called passphrases.
A password should be difficult for others to figure out.
- Make it practical: If you have to write your password down because you can't remember it, you may end up facing a whole new category of threats that could leave you vulnerable to anybody with a clear view of your desk or temporary access to your home, your wallet, or even the trash bin outside your office. Check the Remembering secure passwords of security-in-a-box or consider section using a secure password database such as KeePass. Do not share your password with anyone.
- Don't make it personal: Your password should not be related to you personally. Don't choose a word or phrase based on information such as your name, social security number, telephone number, child's name, pet's name, birth date, or anything else that a person could learn by doing a little research about you.
A password should be chosen so as to minimise damage if someone does learn it.
- Make it unique: Avoid using the same password for more than one account. Otherwise, anyone who learns that password will gain access to even more of your sensitive information.
- Keep it fresh: Change your password on a regular basis, preferably at least once every three months.
4. Keep regular backups
Each new method of storing or transferring digital information tends to introduce several new ways in which the information in question can be lost, taken or destroyed. Years of work can disappear in an instant as a result of theft, momentary carelessness, the confiscation of computer hardware, or simply because digital storage technology is inherently fragile. There is a common saying among computer support professionals: "it's not a question of if you will lose your data; it's a question of when." So, when this happens to you, it is extremely important that you already have an up-to-date backup and a well-tested means of restoring it.
Although it is one of the most basic elements of secure computing, formulating an effective backup policy is not as simple as it sounds. It can be a significant planning hurdle for a number of reasons: the need to store original data and backups in different physical locations; the importance of keeping backups confidential; and the challenge of coordinating among different people who share information with one another using their own portable storage devices. For more detailed information, consult the chapter on digital backups in our Security-in-a-Box toolkit.
5. Cover your traces
When using public online tools like Facebook, and Twitter for mobilisation or coordination, remember that the information you store on such platforms becomes, to some extent, the property of the operators, and that many of these tools expose more information than you might think.
When you entrust a sensitive project to operators of any online tool, read their privacy policies or user agreements. Remember that even the most enlightened policy leaves your information under the direct control of the platform's administrators, who would be able to share, sell or misplace that information without your permission or knowledge. Even if you terminate your account, many of these sites do not actually delete the content you have posted or the personal information you have provided.
Unless it is important that you use a particular commercial service, either because of its accessibility or because doing so helps you blend in with lower-profile users, consider some of the rights-progressive alternatives: Blip.tv instead of YouTube; riseup.net rather than Gmail. If you have the technical resources, you can also run your own web-based services.
If you use commercial platforms, take precautions to protect yourself from malicious individuals who know how to dig up private information on such services. This is particularly true of social network site platforms such as Facebook and MySpace. Develop a thorough understanding of the privacy features that are built into these platforms, and think about the kinds of information that you might unintentionally reveal about yourself or your organisation; for example, your real name, where you live, the places to which you travel and details about upcoming events or meetings. If monitored over a long time, such information can also provide a picture of your habits and working practices.
One helpful technique is to create multiple accounts on any web-based service that you use, allowing you to use different accounts or profiles for different projects, and to maintain test accounts that you can use to 'spy' on yourself. Your privacy is better protected if you you are able to check, in different ways, what is revealed about your account; for example, through web searches or people who hold special access privileges. Me & My Shadow allows you to interactively visualise how many pieces of personal information you are revealing when you use the internet.
Internet Security and Privacy Resources
Security in-a-box was created by Tactical Tech and Front Line to meet the digital security and privacy needs of advocates and human rights defenders.
Digital Security and Privacy for Human Rights Defenders by Front Line provides useful information about assessing and addressing digital threats.
Mobiles in-a-box by Tactical Tech features an entire section on mobile phone privacy and security.
Anonymous Blogging with Wordpress & Tor. Global Voices created this guide to support rights advocates who want to reveal the truth and express themselves online but who may put themselves at risk by doing so.
Be anonymous online and circumvent censorship. Tor is designed to increase the anonymity of your activities on the internet and it can also be used to bypass internet filtering. You can download it on to your computer or run it from a USB stick.