Staying Safe: Security Resources for Human Rights Defenders

Recommended email service?

Thank you, Wojtek, and everyone else for so many great information security tips!  From now on, I will use internet cafes that let me use my own laptop!

My question for you all is - what email services do you recommend to have one's internet communication as secure as possible?  Also, what email services are not the best options for human rights defenders?

I use gmail which is nice because it allows me to access my email via SSL (https://mail.google.com/.....).  I have also heard that Rise Up is a good email service for defenders, and recommended by Security in a Box.  Are there other options?  Thanks!

Recommended Email Service: My Personal and Professional Opinion

Hi Kristin,

I have been using VaultletMail (which is a part of the "VaultletSuite 2 Go") on a daily basis for the last 5 years to protect both my personal and professional communications. I also use it as my main email system because I couldn't find what I wanted so I created it.  And I continue to improve and update the software on a daily basis.  So you could say that I'm intimately familiar and comfortable with how it's been designed and implemented :-)

What do I like about VaultletMail?  It's inherently multi-lingual, is built on an Open Source stack and runs on many, if not most, flavors of Windows, OS X and Linux.  It is easy to learn, adopt and use on a daily basis for non-technologists and is free for use by HRDs, activists, members of NGOs, journalists and academic institutions.  

It's also included and documented in the Security in a Box project (http://security.ngoinabox.org/en/vaultletsuite_main) and presents itself to its users in English, Spanish, Russian and French.  There also exists the possibility of, and interest in, having the interface translated into a number of other languages useful to HRDs in the near future.

Full disclosure: While the source code is owned by my company, VaultletSoft, it does come with a "source code for peer review license" similar to the one used by PGP.  The VaultletSuite 2 Go service is also hosted in the U.S.  I mention this because I have decided to release a completely free and Open Source version in late 2010 that NGOs and others can build and host for free in the jurisdiction of their choice. 

The Open Source version of the VaultletSuite 2 Go is currently called "Project Autonomy" whose goals and statement of purpose can be found here: http://www.valeso.org/ . If you are interested in collaborating with me on "Project Autonomy", please let me know, there's plenty of room for all kinds of skills, interests and contributors.

So that's what I use - You are free to do so also: https://www.vaultletsoft.com/start/downloads.html

Rick

skype, email providers, etc

Thank you all for your very helpful list of resources and experience with Skype, cafes, on-line chats, etc.  This will be going to the hrds we work with.  And so helpful to our work as well.  In gratitude,

Sarah

IIE Scholar Rescue Fund

what email services do you recommend

hi Kristin, nice question :-)

from my point of view there are few factors to consider when you make a decision which email server you should use:

  • secure connection: does the email server offer a secure connection (for web-mail: https; and for email client: SSL or TLS enhanced versions of standard protocols like POP3, IMAP & SMTP). and secure connection should be used for all communication with the server, not only for logging in.
  • location of the server: which jurisdiction it falls under? and what relevance does it have to the work of the user.  authorities local to the server may always put pressure on the server owners to reveal the information that is on it or is communicated through it.
  • trust in administrators and owners of the server: both in the more abstract sense of "do you share the same  values" but also in their technical abilities to protect the server against "hacking in". and of course one need to look carefully in the history of the practices of handling the information by the owners of the server.
  • needle in a haystack effect: sometimes you may consider a great server located in the good environment but you will be the only person who will use it from your country/community. sometimes it makes sense to blend in the crowd. of course without compromising above elements.

in 'security in a box' we recommend two excellent servers whose developers we know personally and trust relationship easier. both of them are located in US which may be ok for some people and completely not ok for others. both of them offer secure connection and both of them are not very widely used by majority of internet users:

www.riseup.net - if you are looking for the substitute with a server that is used by many people mail.google.com would be good choice now. i do not want to get into discussion "should we trust google". but seeing it from the point of view of blending in the crowd and with taking additional precautions (see below) this is a good choice now.

www.vaultletsoft.com - Rick wrote about it. basically it offers another layer of encryption. sort of encryption trick that you encrypt your email before it is being sent from your computer. and only person who can decrypt it is the recipient of the message.
if you are looking for substitute to this option i suggest using gmail with GPG/PGP encryption software (for example Thunderbird + Enigmail + GPG). it is not super easy but offers very strong protection of the content of communication. again, by using this option one may put him/her self into risk because usage of those tools may be considered as a manifestation of bad intentions by local authorities.

there are also many other servers but to make it simple i will stop here with the listing of the servers.

then you need to be sure that all the way to recipient your email is secure. you can protect your side. you can learn about tools, good practices, etc. but how about the recipient side of your email communication? you need to make sure that recipient understands this as well. you need to somehow almost educate the recipient. point to the right tools and practices. this is not easy.

let me add some general tips on the end of this already long message to inspire thinking on how to increase the security of the email communication:

  • wipe traces of work on the computer
  • use good password skills
  • use circumvention tools
  • maybe choose anonymous login name
  • analyse what you write, develop code system
  • never reply to, forward or even open spam and spoofing email
  • use several email accounts. e.g. for private communication and for signing up to Internet services
  • use BCC field when sending to a group of addresses
  • and of course make sure you have no spy ware and there is nobody snooping over the shoulder :-)


Wojtek Bogusz
Information Security; Front Line - The International Foundation for the Protection of Human Rights Defenders; www.frontlinedefenders.org
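
Added example, not part of Wojtek's post: one way to check the "secure connection for all communication, not only for logging in" factor is to look at what a mail server advertises on its plaintext IMAP, POP3 and SMTP ports before any TLS upgrade. The server responses below are constructed samples, and `mail.example.org` is a placeholder host.

```python
import re

# Constructed sample responses, as a server might send them on a plaintext
# connection before any TLS upgrade. They are not captured from a real server.
IMAP_SAMPLE = "* OK ready\r\n* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\na1 OK done"
POP3_SAMPLE = "+OK Capability list follows\r\nUSER\r\nSTLS\r\nSASL PLAIN\r\n."
SMTP_SAMPLE = "250-mail.example.org\r\n250-SIZE 10240000\r\n250 AUTH PLAIN LOGIN"


def parse_capabilities(protocol, response):
    """Return the upper-cased capability keywords found in a server response.

    Handles the IMAP "* CAPABILITY" line, the POP3 CAPA listing and the
    SMTP EHLO reply. Capabilities sent inside an IMAP greeting are not parsed.
    """
    caps = set()
    for line in response.splitlines():
        line = line.strip()
        if protocol == "imap":
            match = re.match(r"\*\s+CAPABILITY\s+(.*)", line, re.IGNORECASE)
            if match:
                caps.update(token.upper() for token in match.group(1).split())
        elif protocol == "pop3":
            # Skip the "+OK" status line and the terminating "." line.
            if line and not line.startswith(("+OK", ".")):
                caps.add(line.split()[0].upper())
        elif protocol == "smtp":
            match = re.match(r"250[- ](.*)", line)
            if match and match.group(1).split():
                caps.add(match.group(1).split()[0].upper())
    return caps


def assess(protocol, pre_tls_response):
    """Classify what the server allows on the unencrypted connection."""
    caps = parse_capabilities(protocol, pre_tls_response)
    if protocol == "imap":
        upgrade = "STARTTLS" in caps
        # Without LOGINDISABLED the server accepts LOGIN before TLS.
        cleartext_login = "LOGINDISABLED" not in caps
    elif protocol == "pop3":
        upgrade = "STLS" in caps
        cleartext_login = bool(caps & {"USER", "SASL"})
    elif protocol == "smtp":
        upgrade = "STARTTLS" in caps
        cleartext_login = "AUTH" in caps
    else:
        raise ValueError("unknown protocol: " + protocol)

    if not upgrade:
        return "no-tls-offered"
    if cleartext_login:
        # TLS exists, but a client not set to require it can still send the
        # password and the mail itself unencrypted.
        return "tls-offered-but-cleartext-login-allowed"
    return "login-only-after-tls"


def audit(samples):
    """Map each protocol name to its verdict for the given responses."""
    return {proto: assess(proto, text) for proto, text in samples.items()}


if __name__ == "__main__":
    report = audit({"imap": IMAP_SAMPLE, "pop3": POP3_SAMPLE, "smtp": SMTP_SAMPLE})
    for proto, verdict in report.items():
        print(proto, verdict)
```

Whatever the server offers, the mail client itself still has to be set to require SSL/TLS for incoming and outgoing mail, otherwise it may fall back to the unencrypted connection.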

What can defenders do to protect themselves?
  • How do we create effective protocols, emergency plans, and security policies?  
  • How do we integrate these protocols, plans and policies into an organization?  How can we effectively train staff on security policies?  How do you manage these plans and policies?
  • How can defenders utilize institutionalized policy mechanisms, advocacy mechanisms and protection mechanisms to create a safer environment (hold perpetrators accountable, develop standards, etc)?

Please share your thoughts and ideas by replying to this 'theme-comment'

Note: This dialogue is PUBLIC. Do not share any private or sensitive information. For advice on a specific situation, please contact a participant privately.

How do we create effective protocols, emergency plans, and secur

The starting premise is that human rights work is a risky venture and at the organisational level this fact should be affirmed right at the point of recruitment.

my personal experience of over a decade is that one crucial question in interviews has been, you are aware of the sensitivity and risk involved with working with us have you discussed this with your family and are you comfortable with the fact that at times you might be exposed to risk owing to your association with this organisation.

i premise this to the fact that with the growth of human rights we have had instances where employees come under risk only to blame the organisation without appreciating the fact that human rights work requires self-commitment and is not just any other wage paying job.

with staff fully appreciating security at this point makes it easy to collectively generate protocols, emergency plans and security policies.

ownership by the team to internal mechanism is critical for success in implementation.

How do we create effective protocols, emergency plans and secur

Hello Sam, Yes, I agree, that employees should be affirmed right at the beginning that there are risks involved and that the organisation has got a security policy that the employees have got to commit themselves to. A clause on the contract should mention it.

In the New Protection Manual for HRD by Protection International, Part II deals with organisational security which implies also individual co-responsibility. Organisations are made of people. A related question is raised at the end of the NPMHRD about 'Security and Free Time' [pdf] where the question of 'how much can an organisation interfere with private life' is raised. Many cases of aggressions against HRD happen in the space between home and office.

Marie

Learn to defend ourselves psychologically, physically, & legally

Ali, a wonderful New Tactics intern, did a great job of writing up easy-to-follow steps to learn self-defense for activists. She read the Self-Care and Self-Defense Manual for Feminists Activists and wrote this summary.

Ali Nardone wrote:

Self defense can be defined as a set of physical, psychological, and verbal techniques that can be used to defend oneself in situations where one may be a target of verbal assault, physical abuse, or rape. It also involves knowing how to avoid certain situations where we know we may be hurt. Self defense skills are important knowledge for any activist, and the "Self-Care and Self-Defense Manual for Feminist Activists" (developed by Marina Bernal, Artemisa, and Elige), contains step by step instructions on how we can implement these skills in our everyday activist work. There are three types of self defense: psychological, physical, and legal.

In her post, Ali highlights the three principles of psychological self defense, the eight steps to follow if you feel you are in danger of being physically attacked, and the important things to know about legal defense.  Read her post to get an intro to the manual...and then read the manual!

What other resources are out there that relate to self-defense for activists?

Self-Defence

Kristin,

This is a brilliant resource, and one I turn to again and again for reference in our trainings. I love that they see self-defence on so many levels and see it as an integral concept for human rights defenders security.

One of the things that I've run into in using the term self-defence in the hrd security context, is that this can be perceived negatively -- which was a surprise for me until I finally realized that it is a gendered term. For some, the idea of 'self-defence' immediately conjures up images of violence -- the use of aggressive martial arts techniques, a la Chuck Norris and nunchucks flying. I recently spoke with a very experienced woman human rights defender who was told that self-defence techniques should not be taught because they were aggressive. Even if this is not obviously the resistance, the perception that only a professional should teach self-defence techniques continues to make it seem like a special art and a mystery.

Of course, self-defence is nothing of the sort. Every single human rights defender is defending themselves, and others, every single day. They are using so many amazing techniques, tactics and strategies. Women human rights defenders in particular, as women, know what it means to defend themselves on so many levels. One of the best ways to talk about self-defence in this context is simply to ask women human rights defenders -- what have you done to protect yourself in your life when you were attacked physically and/or verbally? This question, among a group of women, will automatically trigger a barrage of fascinating and very practical stories -- because the reality of women's lives, and the lives of many LGBTIQQ defenders, as well as others, is that we face attacks in our lives, and we automatically, instinctively defend ourselves. 

So, I would really like to see more practical self-defence trainings that help human rights defenders uncover and recognize their own internal resources to defend themselves.

Self-defence, when taught well, is about discovering your own power, your own voice. It is also about understanding violence. There are specific techniques you can learn, of course. But the best ones are the ones you already know. One of the best points my self-defence instructor taught us (an Aikido Sensei for 20+ years) was this -- in a crisis, the best use of self-defence is not having to use it at all -- there is no shame in 'running away'. Avoiding conflict can be a powerful tactic, among many others.

national defender organizations

Great discussion! In a number of countries human rights organizations have come together to create joint initiatives focused on defender protection. They can be an important source of

  • joint training
  • relocation and emergency funds
  • national and international advocacy

They can also be a useful bridge between the international community and grassroots defenders who often lack the global networks of urban activists. 

Such an organization requires human and material resources from national groups and financial support from the funding community, which could have been devoted to other activities. However if the body emerges from the needs of defenders and has a clear mission, it can play an important role. Such groups have emerged in Latin America and East Africa, and I'm sure they are in many other regions as well. It would be great to hear from some of those groups, and those who work with them, about their experiences.

The power of an organized network of defenders

Thanks for adding this idea of creating joint initiatives/networks on a local or national level for defenders, Matthew!  Though I am not familiar with specific examples of such networks, I have an idea for how these kinds of networks can be utilized by defenders to assist in the protection of defenders on the ground:

Otpor! (“Resistance!” in Serbo-Croatian) prepared “Plan B” demonstrations outside of police stations to respond immediately to arrests during protest events in Serbia. Whenever the police arrested activists in their demonstrations, Otpor! would instantaneously launch a second operation, mobilizing more people to show up at the police stations and protest the arrest. The events at the police station became media showpieces, calling attention to the injustice of the arrests and the illegitimacy of the regime. They also provided moral support and encouragement to the arrested activists, turning them into local and national heroes, rather than forgotten victims. Otpor! thus turned the regime’s policy of arrests to its own advantage and continued to build a movement.

This tactic is a great example of how defenders can protect fellow defenders by organizing themselves and putting pressure on officials.  The 'people' that Otpor! called to come to the police stations were fellow defenders and supporters.  It was part of the plan - part of the strategy.  They were expecting these calls, and when they received them, they knew exactly what to do.

You can read more about why Otpor chose this tactic, how they implemented it, and what the challenges were in our tactical notebook: Plan B: Using Secondary Protests to Undermine Repression

Please share other examples of how networks of defenders can be mobilized for specific protection actions!

Using phones & social media to share critical info

We know that as human rights defenders, we must be very careful about how we use social media and our mobile phones. Facebook, Twitter, and using mobile phones can compromise the safety of defenders.  However, in certain circumstances, they can be that critical link to share information to an organized network.  Chris Mishek, in a post titled Egyptian activists' use of mobile phones to alert their networks of harassment or arrest by police, wrote about several examples of how Egyptian activists have used Twitter, Facebook and mobile phones to protect defenders:

chrismishek wrote:

Activists, bloggers, journalists and students in Egypt are using their mobile phones to alert their networks if they are in danger or have been arrested using SMS text messaging and the micro-blogging service Twitter. Egyptian activists who have informed their network of arrest by police have proved this to be an effective means of getting the word out quickly of their detention so that fellow activists can pressure the government for a quick release, or mount a longer-term campaign in the result of formal charges.

When American student James Karl Buck was in Mahallah on April 10, 2008 covering the continuing textile strike he was arrested by police along with his Egyptian translator. On the way to the police station Buck alerted his contacts using Twitter by posting the word “Arrested.” When Egyptian journalist and blogger Hossam el-Hamalawy got word via twitter of Buck’s arrest he started posting updates on Buck’s status, further spreading the word. While Buck was released within 24 hours, his translator Mohammed Maree was detained for more than 3 months. Maree said he had been beaten and electrically shocked throughout his detention by Egyptian authorities. While Maree was detained, Buck petitioned US and Egyptian authorities for his release and used Twitter, blog posts and websites to spread information.

Another famous tweeting incident in Egypt involved the Egyptian opposition group Kefaya and blogger Malek Mustafa. At a Cairo protest, Mustafa was arrested and being driven away by police. Different activists had used SMS and Twitter to track the path of the police car, and another activist on his home computer was able to post the Twitter messages on Kefaya’s homepage. Using this information Kefaya activists were able to surround the police car and get Mustafa released.

Another tactic activists have used in Egypt is publishing dedicated hotline numbers set up by Egyptian human rights organizations and phone numbers of volunteer human rights lawyers prior to demonstrations. Activists published these numbers on their blogs and facebook pages prior to the April 6, 2008 strike in order for protestors to have a place to call using their mobile phones if they were harassed or arrested. Prior to other demonstrations these numbers have been recirculated by bloggers and activists using the internet and Twitter.

In New York City, a project called Holla Back was created to collect video and information on street harassment via mobile phone. I'm not exactly sure how this would fit into a security strategy, but I thought it sounded like an interesting project.

What other ways can the use of mobile phones and organized networks protect defenders?  Or, are these tactics too dangerous?

Using cellphones for security while travelling

Cell phones are an important tool for the work of most HRDs, but they are also easily  compromised: I’m told the technology needed to listen in on other people’s cell phone calls is readily available.  How can HRDs keep their cell phone calls from becoming a security liability?
 
In my accompaniment work our protocol was to call in at least once a day to check in with teammates.  The check-in call lets co-workers know where you are, and that nothing has happened to you.  We also had a protocol in place for what to do if someone in the field failed to call in as expected: the protocol listed who to call for more information, who should be notified if we believed that a team was in crisis, and names of people or organizations that may be able to provide us with support.

Other than checking in to say that we were OK, however, we always had to be careful about what information we shared, which usually kept our check-in calls short.  Any information about where you are, where you are going, who is with you, or what you have observed can be a potential security liability.  

I would encourage HRDs to develop code words for talking about situations they may encounter in the field.  Always assume that people who oppose can hear your phone conversations.  Consider a code that uses phrases from everyday conversation so that a coded conversation doesn’t stand out from a normal exchange.  Practice using the code, but practice in person rather than over the phone, so that you don’t give away clues that you are using a code to a potential eavesdropper.

Codes can be broken.  Perhaps more important than using a code is refraining from saying too much over the phone.  Develop an itinerary and leave it with a co-worker before you go somewhere, that way you can just say “I’m here” when you arrive.  Don’t mention other people who are with you or whom you have seen.  Take notes if necessary, but save the longer discussions for when you can have the conversation in person.


Cell Phones: Insecure by Design

Hi Nils,

I agree with your comments about the importance of using code words and saving vital conversations for face-to-face encounters (wherever possible).

Here's where I'll split hairs a bit with you though: Cell phones are more than easily compromised, they are insecure by design.  To make matters worse, the telcos on whose networks they depend are often implicitly, if not explicitly, affiliated/allied with the State against whose interests an HRD may be working.

HRDs and activists using them should assume that everything they say (or text!) is public information.  Further, they reveal far more about you than you might think.

To help illustrate all that cell phones reveal about us, I've put together a brief presentation that can be found here: https://www.vaultletsoft.com/ppt/cell-phones-and-activism/ 

Rick

GPS cell phones


I don't know a lot about cellphones, so I was surprised to read in your presentation that the exact  position of GPS cell phones can be located by others. 

I'm assuming that most standard (low-end) cellphones like the ones we use in our accompaniment work would not have this capacity, and that if your phone was GPS enabled it would say so prominently on the packaging.  Is that correct, or do we need to be taking the battery out of our cellphones when we don't want to broadcast our location?

I agree with your distinction that cell phones are insecure by design, not just by accident.  In Colombia we quickly learned that the military knew the content of our cellphone conversations, and we assume that other armed actors are able to intercept our calls as well.

Protect your phone using the Guardian Project

Rick, Nils and others - this is a very interesting thread on the insecurity of mobile phones. Have either of you heard of the Guardian Project?

The Guardian Project aims to create easy to use apps, open-source firmware MODs, and customized, commercial mobile phones that can be used and deployed around the world, by any person looking to protect their communications from unjust intrusion....This project gives power to regular people to own and control their mobile phones without being afraid they are their own worst enemy.

Watch Nathan's presentation online.

Here is a quote from their website on how this phone application can be helpful for human rights defenders:

"An undercover human rights researcher traveling through a remote region without mobile data service is able to use their Guardian phone to document local conditions (via camera phone or audio recording) while seeming to just be making phone calls or checking a text message. Data captures is stored encrypted on the device or a removable SD card. If the researcher is detained by a local militia force, they can easily wipe the device, or if unable to, be assured that all data is securely encrypted, and near impossible to crack without significant computing resources. In addition, the names and phone numbers of people they have been in contact with are not revealed to the local forces, safeguarding those who they intended to help in the first place."

The creator of the Guardian Project, Nathan Freitas, participated in our January 2010 dialogue on 'Documenting Violations: Choosing the Right Approach.'  Within this dialogue, there is a great thread on mobile phones where he shared a lot of useful information on 'how mobile phones can facilitate the safety/security of documentation' - much of which can be applied to any conversation on security and mobile phones. 

Guardian Project: Intriguing!

Hi Kristin,

While I've heard of the project, I don't know enough to comment on it other than to say that my interest is now definitely and officially piqued!

Thanks for posting the link, I'll be certain to follow it up.

Rick

Insecure Email Accounts

Thank you all for sharing such great information on tech security!  This Guardian Project seems amazing.  I am eager to read the CREA self-defense manual - so thanks to Ali and Kristin for that posting.

I have a question regarding insecure email accounts such as hotmail and yahoo.  As I understand, these are not encrypted accounts and much easier to hack into or monitor than gmail, riseup, or hushmail.  However, many activists with whom we work still use hotmail and yahoo accounts.  Is this cause for concern?  If so, what is the best way to communicate this concern without being prescriptive?  Is email ever really secure?

Thanks again everybody for this fantastic dialogue.  I have learned so much already.

Gratefully,

Saira

hi Saira, IMHO yes, it is a

hi Saira, IMHO yes, it is a "cause for concern" when activists are using insecure (no encryption of the connection) email account, managed by companies with bad record in security and history of cooperation with oppressive governments for handling the sensitive communications.

but yours are very important questions: "what is the best way to communicate this concern without being prescriptive?" i suppose the way to approach it is to make people realise what is the nature of the risk. here in this dialogue we (or at least I) may sound a bit "short" and therefore "prescriptive". as we are (or at least I am) trying to summarise the points. but i believe that if you can explain the problem well and with the compassion people naturally tend to look for a solution. of course you may not have this luxury of time to explain things. what shall you do then? give up on your security standards? i do not think so. i tend to point to the toolkit that we wrote (and other resources) and insist on keeping the standards (e.g. asking that HRD to open email account on other, more secure server).

another question you raised is "Is email ever really secure?". it was written already on this page, it is a very long page by now :-) , that 100% security does not exist. but the security is a process. with each step you make your communication becomes more secure. if you understand the value of your information and the nature of the digital threats you will be able to choose how many steps you should take. and the steps are described in many good guides. i think it is possible to make email communication very secure - but it requires some investments: time, learning, preparation, being very careful and always questioning security of each action you take.

Wojtek Bogusz
Information Security; Front Line - The International Foundation for the Protection of Human Rights Defenders; www.frontlinedefenders.org

The Case for Being Pro/Prescriptive: Health and Well Being

Hi Saira,

As usual, Wojtek's responses are well thought out and reasonable ;-)  And I really like his comments about continually taking steps forward, one at a time, on a never-ending path towards being more, yet never quite 100%, secure.

Just to play devil's advocate, I'd like to rephrase one of your questions from "what is the best way to communicate this concern without being prescriptive?" to "what is the best way to change this undesirable behavior?"

I like to use the preventative health care metaphors when discussing computer security, as most people are familiar with them:  How did we as adults develop the good habits of washing our hands and brushing our teeth? Why do we (usually) lock the door to our homes and/or cars?  Why do most of us not drink and drive? We learned these behaviors from others, like our parents, teachers, family and friends, who knew that by doing these things we would be healthier and safer.

We do these things not only because they're good for us, but also because somewhere along the way after being educated as to the advantages of doing these things, people who cared about us reminded, nudged, pecked, cajoled and scolded us along the way.  Those of us who still didn't "get with the program" (change our behaviors) were leaned on by somebody with enough power to say to us: "do these things that are good for you or else _______________ will, or will not, happen."

Now, in the case of supporting activists with insecure email accounts, we're not just talking about doing things that are good or desirable for one individual - we're talking about potentially dangerous behavior that can quite literally affect the safety and well being of many other people in addition to materially affecting the outcomes of the projects we're supporting. Why do I use the word "dangerous"? Because we're all in this together (as in a boat), and the weakest link is usually the first attack point of choice.

So there's nothing wrong with proscribing the use of Hotmail and Yahoo mail accounts, while simultaneously offering free alternatives like Gmail, Riseup, VaultletMail, Enigmail, etc. There's simply no excuse for not doing something that's as free as these solutions and as easy as Gmail and Riseup.  In fact, once you have patiently educated them you are completely within your rights to begin reminding, nudging, pecking, cajoling, scolding and outright censuring whomever doesn't do the Right Thing(tm).

Of course, it would be easier if you could get somebody else to play the heavy for you:  I once led a workshop where both the group leaders and rank and file activists were in the same room at the same time.  When somebody in the rank and file complained about leaving their beloved insecure bulk webmail account behind in exchange for a free and protected transmission Gmail account, one of the leaders stood up in front of everybody and said something along the lines of "you will not place us at risk by continuing to use that email account.  From this day forward, we will all use Gmail and VaultletMail accounts, according to the kind of information we're handling."

I was so happy that I almost fainted ;-)

 

Link to cell phones and activism presentation

It looks like there was a typo in Rick's link; I was able to access his presentation here:

https://www.vaultletsoft.com/ppt/cell-phones-and-activism/

is there a use for unsecure communication?

I am grateful for all of the tech experts on this dialogue.  Each new technology brings its many benefits but also adds to our work as we have to develop new security protocols.

With a dialogue focused on security, I think it can be easy to overlook the possible benefits of communicating in an unsecure fashion.  As we look to hide and encrypt and code our communication, for good reason, we might forget to think about times when it makes us safer for others to hear our conversation.  Are there times when being open about location, for example, actually makes people safer?  Although our default conversation is usually about hiding our communication in order to be more secure, we should also remember to ask ourselves, "is there a benefit to others hearing/reading this communication?"  Asking ourselves, for example, would we and our partners be safer if our location was known to the armed groups in this instance?

security should be based on openness rather than obscurity

hi Michele, very true. sometimes making a case public, known to local, national and international community may decrease the risk. interestingly the analogy goes also into ICT design. i think Gunner (a.k.a. Allan ;-) wrote about it somewhere on this page. the strategy of openness is used in free and open source software movement. where security is not based on "obscurity" but rather on the belief that making software source open will allow many people to improve it in much more efficient way. it may seem risky at first, and it probably is for the new projects with small community. but as the projects get momentum, community that is interested in it gets larger this becomes an incredibly strong asset. and actually a prerequisite of good (real) security.

Wojtek Bogusz
Information Security; Front Line - The International Foundation for the Protection of Human Rights Defenders; www.frontlinedefenders.org

If Nothing Else...

Hi Michele,

If nothing else, engaging in ongoing insecure communication (where appropriate) can help to provide an image of "business as usual", or normalcy, to those who might be monitoring such things.

Believe me, as a technologist, I completely understand your comments about "more work... to develop new security protocols.".  Because there is so much going on "out there" in terms of security, activism, human rights and software development (among other interesting and important things), that at times I feel like I'm drinking from a firehose.  And that's when I go for a ride on my bike or take a walk in the woods before I jump back into it :-)

Speaking of which...

Rick

East & Horn of Africa Human Rights Defenders Project/Network

The group in East Africa is called East & Horn of Africa Human Rights Defenders Project/Network:

EHAHRDP offers technical, legal, psycho-social and financial support to human rights defenders facing immediate risk in their home countries. A thorough assessment of each case is made gathering information about eminent risks and most effective avenues of mitigation. This can be issuing a public statement to draw international attention on a case or in high risk cases the temporary evacuation of the defender from his/her country. Considering the prevalence of threats on HRDs in the countries of the sub-region, the protection programme has been able to assist over 100 HRDs throughout the sub-region.

This project has developed a Resource Book for Human Rights Defenders.  It would be great to hear about other networks that defenders can use as a resource!

Alertnet

Another resource that may be helpful in tracking human rights concerns is Reuters' Alertnet. You can choose the types of alerts you receive, on a weekly, daily and I think even up-to-the-minute basis. You can choose geographically and topically.

http://www.alertnet.org/

- Sarah

HRD Safety and security in the public and private spheres

I would like to add to the dimensions of this extensive informative discussion that being a human rights defender extends/mixes/exists/ crosses over into both so-called public and private spheres, in a state and non-state context. Depending on the country environment and situations human right defenders in both spheres can be confronted with risks to safety and security that may be considered more ‘passive’ in the private sphere versus ‘active’ in the public sphere, but can be/are still effective for the violator’s goal of silencing HRDers and removing their support from those whose human rights are being violated.


For example, the reality of state actor torture has been discussed, torture that happens in the so-called public sphere, however, non-state actor torture is also inflicted in the private or domestic sphere and the perpetrators can and do operate in both spheres. For those who work defending the human rights of persons so victimized in the private sphere, the HRDer’s risks can be invisibilized even though these risks can be a result of state actor’s intentional and purposeful actions. For instance, a state actor may use their public sphere positional power to discredit a private professional HRDer in order to attempt to stop the HRDer’s involvement in disclosing the occurrence of such a human rights violation. This abuse of power and corruption is a useful and effective tactic of perpetrators operating in both public and private spheres. It is a risk professional HRD can face. It will not kill, as tragically occurs in many countries, but it can cause much harm not only to the HRD professional but also to those whose human rights they try to defend. It can cause ‘battle fatigue’, cause financial and relational distress, marginalization, social/professional isolation and a spiritual dilemma for the HRDer and sadly cause HRDers to vicariously withdraw their HRs grass root support for persons so victimized.


So, when analysing and mapping the risks not only do violations/corruptions of the Rule of Law occur but also violations/corruption of the ‘Rule of Policy’ such as institutional policies that informs basic dignities of citizen’s ‘every day’ universal rights. Because a pattern of violation and corruption at this level strains the survival/life of the person who has endured non-state actor torture, maybe not directly from the perpetrators who abused positional power in both the public and the private spheres, but from suicidality and other Self-harming responses. When the duality of risks that can occur in both the public and the private spheres are invisibilized, I believe safety and security issues are not dually visibilized.


Thanks for the discourse.


Respectfully,


Jeanne Sarson, Canada

Front Line Emergency Support for defenders

Hello all,

I just wanted to be sure that everyone here knows that Front Line Defenders offer several ways to contact them for emergency support.  The following information is taken from the Front Line website:


Emergency Support

Phone Support: Front Line seeks to provide 24 hour support to human rights defenders at immediate risk. If there is a crisis you can contact Front Line at any hour on the emergency hotline at (+353 1 21 00 489)

 Call Front Line emergency hotline number over Skype at any hour (skype user name: front-line-emergency)

The emergency service gives human rights defenders an option to be forwarded to someone speaking Arabic, English, French, Russian or Spanish who will be able to mobilise rapid international support and action.

Urgent actions can include faxed or phoned appeals to the relevant authorities, raising the case through the EU or individual government representatives, practical help with temporary relocation, assistance with medical or legal expenses.

Secure Email Support: Human rights defenders in need of urgent assistance can also email Front Line through a secure and encrypted channel: secure contact form.

Front Line Advocacy:

Front Line is always guided by the wishes of the human rights defender when taking any action. The defender and/or their family members or colleagues are best placed to decide what type of action is most likely to be effective in their specific context.

In most cases expressions of international concern are perceived to have a beneficial effect. Human Rights Defenders often report that even where such concern does not lead to an immediate solution it can result in better treatment because the authorities know that someone is following what is happening with the case.

Torture and ill treatment are most likely to occur in the first days of detention so speedy action can be very important. However, where human rights defenders believe publicity or international attention could be counterproductive, Front Line will be guided by the wishes of the human rights defenders on the ground.

Expressions of international concern and questions about what is happening with a case can also have a long term preventive effect. Human rights defenders report that the authorities are often less likely to repeat the repressive measures if they know they are likely to provoke a reaction. International action can also give moral support and solidarity to human rights defenders and encourages them to continue their work.

What do the rest of us need to do to protect defenders?
  • How can organizations better support security for human rights defenders?  How can we create a stronger network of human rights defenders to make them more visible?
  • How can funders/donors better support security of defenders?
  • What can the larger 'protection framework' of international and regional mechanisms do to better protect defenders?
  • What support practices are working well?  What are not working?  Share best practices and ideas.

Please share your thoughts and ideas by replying to this 'theme-comment'

Note: This dialogue is PUBLIC. Do not share any private or sensitive information. For advice on a specific situation, please contact a participant privately.

We're all in this together. Like a lifeboat.

The main thing we stress in security discussions is that each person's actions impact others in any security-relevant network. Each of our digital footprints leads to one another's virtual doors, and data we store, names and terms we mention and search, the sites we visit and the places we access the internet can all adversely impact allies as well as ourselves.

  • What can organizations do? Be proactive in supporting a security-positive culture, with lots of training and ongoing dialog. Provide hardened Linux machines, with TOR and OTR enabled, and force people off Windows, Macs and proprietary mobiles when security really matters. Security is a set of values to be engendered and shared, not a pizza to be delivered. Understand the risks of data retention, have appropriate policies in place, and FOLLOW THEM. Allocate the ongoing time for staff to operate securely; TOR browsing takes longer than insecure browsing, security tools take time to learn and install, security culture is a chronometrically consuming discipline just like a garden is. Both take time to blossom and sustain.
  • What can funders do? Stay anonymous when necessary. Stay humble. Stay out of the way. We all understand that funders need to demonstrate impact and justify investments to assuage upstream stakeholders and sustain brand, but when possible disassociate yourself from the work of defender grantees unless there is explicit tactical benefit in all directions. Encourage grantees to write security costs and corresponding organizational development into all grant proposals, and then fund it. Let grantees tell you what to say and what not say about their work, and when to say it. Be coachable, not aloof, in supporting your investments. :^)
  • What can the larger 'protection framework' of international and regional mechanisms do to better protect defenders? Prioritize education equally with infrastructure sourcing. Help ALL users to understand how infrastructure impacts security and effectiveness. Be tactically transparent about the vulnerabilities in layers you provide or support. Keep it all free and open source. There is no such thing as a proprietary security layer. And always know your work is essential, and thus worth putting up with the thankless, underfunded bullsh*t of keeping it sustained.

Overall, the sad and sanity-preserving truth is that the only way to operate with substantial safety online is to assume that any data that ever achieves digital state (and even that which hasn't yet) has the potential to become a matter of public record, whether regionally, nationally or internationally. It sucks that no security or anonymity technology is fully "betrayal proof". When in doubt, leave it out, or at least offline. And like an athlete striving to stay in shape, or an artist always seeking to improve their method, never cease to study your security discipline like a cat studies an inanimate object before pouncing on it. Or at least that's what the little critter next to me just demonstrated :^)

Making security tools and systems usable and accessible

I'm trying to imagine how all the tools and knowledge that have been generated over the years especially on security and protection of HRDs are usable by small human rights orgs and by individual HRDs given the cost implications of building these security infrastructures and systems.  I'm trying to imagine how ngos and hrds operating in hand-to-mouth subsistence can cope given that many can't even afford to purchase brand-new PCs to replace the hand-me-downs from their partners abroad; purchase the licence for the basic software needed for what many would consider as 'more essential' work (I've seen some using pirated software); on top of not being able to pay their own salaries. These are the lived realities of many grassroots activist organisations in many parts of the world especially those in inaccessible areas where access to power supply and technology is erratic.  Are there security tools available with minimum or zero costs we could offer them?

security protocol recommendations

Hi All,

This dialogue has made it clear how much technology is available to us and the effort involved in having a security protocol that stays current with the changing ICT landscape.  I would suggest two steps organizations can make to be more secure.

1) The security protocol needs to name the person(s) or position(s) responsible for monitoring new technologies and new security protocols and for updating passwords, codes, etc.  Without specific plans in place to keep the protocol updated and in line with the times, the work of updating the protocol can easily be forgotten in the urgency of the other demands on our time.

2) If you work for an international NGO, develop relationships with trusted local advisers, and meet regularly with them for their assessment of security risks.   This could also be a method for sharing what you are learning about ICT security, if your partners have less access to this type of information. 

 

 

gunner wrote:

 

  • What can organizations do? Be proactive in supporting a security-positive culture, with lots of training and ongoing dialog. Provide hardened Linux machines, with TOR and OTR enabled, and force people off Windows, Macs and proprietary mobiles when security really matters. Security is a set of values to be engendered and shared, not a pizza to be delivered. Understand the risks of data retention, have appropriate policies in place, and FOLLOW THEM. Allocate the ongoing time for staff to operate securely; TOR browsing takes longer than insecure browsing, security tools take time to learn and install, security culture is a chronometrically consuming discipline just like a garden is. Both take time to blossom and sustain.

 

Some security tools for HRDs with min cost

Hi Edna - great question!  Yes, there are many great security tools that are "free" for anyone to use that are great resources for human rights defenders.  These tools may not cost any money to purchase, but I put "free" in quotations because of course it still takes the time and energy of someone to research, choose, install and configure these tools. Also, many of these tools are not "free" to develop so it is always good to donate money to the development of these tools as much as we can.  Lastly, in my attempt to list some helpful tools to look at, I want to emphasize Gunner's comment above that "Security is a set of values to be engendered and shared, not a pizza to be delivered." 

Many of the "free" tools are Open Source Software (but not all).  For example, this website is based on the content management system (CMS) called Drupal, which is open source software.  Drupal is free and public.

To find good, "free" security tools, a good place to start looking is on the Security in a Box website (a project by Tactical Tech).  This is a great list of Open Source security tools AND information on how to set it up AND examples of how they can be used.  How great is that?  Here are some examples of the tools listed:

Of course, none of these are completely unbreakable (nothing is), but they can be very useful.  Edna, you also mentioned that often defenders are burdened with having to purchase software for work.  I would recommend that you take a look at Open Office (it is like Microsoft Office, but Open and free).  Today there are more and more free and open versions of popular software.  I hope this is helpful!

there is no free security, but there is a free choice..

hi, there will always be some cost associated with the security. either it is money or time spent to implement it, learn it and use it. it is the same in the non digital world and for the ICT security. but the most important is to realise that the change for better is possible. both if you have funds to spend for it or not. as others wrote here there are free tools to implement, there are also free guides to learn how to use them. guides written for the non experienced users. let me name some:

despite the fact that most of those materials are self learning toolkits, of course best is to have someone who can come and conduct risk assessment and needs analysis together with HRD. someone who will take all these materials (and more) add own experience and prepare custom training and implementation process. this is always the best. it is best to have a local person who can visit you, who speaks your language, who understands the local political, social and cultural context. that is what we are doing in 'security in a box', cooperating and creating a network of trainers who work in many languages across the world. i think that HRDs and HR organisations but also the international organisations and funders working with them have to gather resources, trusted people who can support the defenders.

on the top of this, i think that international organisations have primary responsibility of keeping the security standards high. it is both in the communication and also in proposing to local partner that projects that they have with the local partners include the trainings in security also trainings of the trainers. in this way each project will educate at least one person who is left behind, who can follow-up on the security side, who will be longer term asset.

Wojtek Bogusz
Information Security; Front Line - The International Foundation for the Protection of Human Rights Defenders; www.frontlinedefenders.org

Making security tools and systems usable and accessible

I appreciate the great information on technological solutions that Allen (We're all in this together. Like a lifeboat.), Kristin (Some security tools for HRDs with min cost) and Ali (Secure Communication) have been sharing.  I'll definitely mention this dialogue to some of Christian Peacemaker Teams technology support people.  It makes a lot of sense to use some of these Open, readily available tools to improve our data security.   But I also agree with Edna that it can be a challenge for human rights organizations with limited resources to implement these tools.  It would be great if funders would provide some additional resources for tech resources, but I think many HR organizations struggle to come up with the funds just to stay afloat.  If we feel we have to choose between upgrading our technology and defending human rights,  we'll almost certainly choose the latter.

One challenge that many HR organizations face is finding trustworthy Information Technology (IT) support.  Computer systems are only going to be as secure as the IT staff who design and maintain them.  With CPT's work in Colombia, many times we were forced to choose between buying a plane ticket for an IT support person to come to the project from the United States, or learning to install and maintain security and communications software ourselves.  And let's be honest, the skillset and interests that make a person a good human rights worker, often do not overlap well with the skills required to build and support a secure computer system.  CPT's Colombia Team has had to work hard to develop these skills internally, to avoid having to invite relatively unknown IT support people into our offices.  As a result, our security is pretty good, but we still have to rely, where at all possible, on limiting the amount of sensitive information we record and transmit.

We need to be careful about relying too much on computer systems that are only as secure as the people maintaining them. Sometimes the older, simpler technologies are safer and more secure.  I don't take a laptop into the field, I take an inexpensive pad of paper: it never runs out of power, it won't break, and it's easy to shred or burn after it is no longer needed.  Meeting in person with associates is almost always preferable to talking over the phone if security issues are going to be involved, and as others have mentioned, sometimes almost any discussion can impact security.

 

Making security tools and systems usable and accessible

Quoting Nils : “Sometimes the older, simpler technologies are safer and more secure. Instead of typing them up on a laptop, notes from a meeting can be kept in a cheap pad of paper that is burned after it is no longer needed. Meeting in person with associates is almost always preferable to talking over the phone if security issues are going to be involved, and as others have mentioned, sometimes almost any discussion can impact security”.

Maybe it helps if hrds working together, decide what is the ‘top secret information’ (shades can be agreed for the other categories of information, such as internal but not security sensitive and ‘public’ information and/or other/ more categories).
For example, an organisation could decide that: the true ‘top secret’ information is "names of key witnesses unknown to the potential aggressor", knowing that facts are known by the potential aggressor as it has probably contributed to them. (Key witnesses are therefore the 'added value/determining element', so to speak). Names correspond to a percentage of information that can easily either be learnt by heart or secured otherwise.
This doesn’t mean that hrd should not develop capacities in IT. It means: integrating in one’s security plan and management, the vulnerability of IT security (and vice versa, vulnerability of the other means each time IT security is implemented).

Maybe the point is also to avoid habits and one method only. Rather diversify them. It is what is suggested also with itineraries, for example or meeting points, etc. So, the underlying logic of information management would be the general one: 'diversification' of means/habits/methods.

After all, a computer/ a usb flash disk can easily be stolen. As far as I understand there is software able to open encrypted information. There are threats that can lead the hrd to speak and give information let alone, the human ‘distraction’.
There are obstacles that can be voluntarily put on the itinerary of a hrd to force them to choose another path...

Parties interested in hrds’ work have not waited for new technologies to get information on hrds or from hrds.

The collective decision should include people/victims that are in the information to be secured.
It is not only a technical procedure but also a procedure to take into account the psychological dimension: what is the risk tolerance of each hrd of a group? What is the organisational policy about it? Imagine a hrd spoke under threat and was faced not only with the reality of exposing their colleagues and victims but also with a reaction such as ‘I would not have given in’… Guilt feeling and consequent symptoms would probably explode.
There are cases where in one same group you have hrd with a life insurance and those without: now, spontaneous reaction could be that those with insurance go further than the others...not necessarily, as insurance puts limits and conditions to 'covered risks' and therefore, non insured hrd might be expected to break the line...I have had the case in trainings where that was an issue.

The question is also ‘how far can the hrd go’? how is that decided given the possible impact of both losing/giving information and not giving information?

A computer/usb/paper/photos (whether backed up or not) can easily be forgotten somewhere, stolen or handed to the potential aggressor by force. So I am not only speaking of ‘oral information’. Infiltrators might be in the organisation...

What is the security policy towards those mentioned in the information stolen/lost?
Are they aware of the fallibility of tools and people or do they have ‘unrealistic expectations’ about whom they consider as their 'knowledgeable intermediaries'?
Do hrds have 'unrealistic' expectations as to security measures (IT and not IT)?

These are questions that can be integrated in the reflection towards a security strategy, plan and management.

Marie

Like a life boat

Dear Allen,

The concern I have is mostly that Linux is considered 'complicated'. what do you think?

Thanks

Marie

Using Linux

Hey,

Great question. Linux is definitely different, but each new version of Linux, especially Ubuntu Linux*, is increasingly easy to use. We ran a laptop lab at the US Social Forum in June and offered nothing but Ubuntu, and no one complained.

But usability is a personal decision. I recommend you "play" with Linux and see what *you* think. You can get CDs or USB memory sticks with which you can start your computer and "test drive" Ubuntu without installing or affecting your existing setup. Glad to explain more.

Linux is worth the challenge, it's profoundly safer for defenders and others who need to be secure and anonymous.

* Linux comes in different configurations, which each have a name, such as Debian, Knoppix, and Ubuntu. Ubuntu is the "distribution" that has the most focus on usability and end user experience.

Using Linux

Thanks Allen. Your answer got me enthusiastic to the point that by mistake I wrote under subject: Using Allen...I corrected it as you can see.
Marie

Change Is Complicated

Hi Marie,

I was recently approached by a long-time Windows user who wanted to purchase a new laptop who asked my advice about what they should do.

My short suggestion was to either purchase a laptop with Ubuntu Linux or OS X installed on it.  This suggestion was met with scepticism and disbelief, and included a response along the lines of "but... that's different from what I'm used to".  I persisted, offering to only provide free support if they chose one or the other, but not Windows.

Three months after purchasing an Apple laptop (and nary a last-minute tech support question), I asked this person how they felt about the change away from something they were used to, and got a big surprise: "It's more or less the same, sometimes just as baffling as my old Windows computer, but I no longer even notice the difference."

I've also received similar responses from people who've adopted Ubuntu.

Since most of us are multilingual, why can't we be multi-platform literate?

My conclusion: It's the change that people are averse to, even if it's for the better.

Rick

p.s.: Since I made the switch from RedHat Linux to Ubuntu Linux, I've been pretty impressed with the sense of collegiality (sp?) that I experienced in the numerous and helpful Ubuntu support forums.  And that's not something that the Linux community has always been known for ;-)

Funders that specifically support security for defenders?

gunner wrote:

  • What can funders do? Stay anonymous when necessary. Stay humble. Stay out of the way. We all understand that funders need to demonstrate impact and justify investments to assuage upstream stakeholders and sustain brand, but when possible disassociate yourself from the work of defender grantees unless there is explicit tactical benefit in all directions. Encourage grantees to write security costs and corresponding organizational development into all grant proposals, and then fund it. Let grantees tell you what to say and what not say about their work, and when to say it. Be coachable, not aloof, in supporting your investments. :^)

I couldn't agree more, Gunner!  Are there funders who focus on helping human rights orgs with security that defenders can contact for assistance/training/funding? 

Hmmm

I don't have any funders to suggest that aren't already well known to members of these discussions. Open Society Institute are wonderful funders, but they have very disciplined funding guidelines, so you need to be working on stuff in their programmatic focus. Hivos is also a very supportive organization, but again with substantial funding discipline. And depending on where you work, there are other excellent regional funders as well.

My main advice to those seeking funding for security (and technology in general) is to learn to include it as a line item(s) of *every* grant you write. Funders often have constraints that prevent them from straight-funding technology and "infrastructure" costs, but if it's a component of a larger proposal that falls within their funding parameters, that's got a chance.

I believe as NGOs and activists, we need to consistently assert to funders and other supply-side players the *real* technology and security costs incurred in doing the business of social change and social justice. It continues to frustrate me when I hear funders say "we don't fund technology" or "we don't fund infrastructure"; to me it's not a matter of covering optional components, it's a matter of supporting mission critical substrates.

On What Funders Can Do

I agree with Gunner and Allen regarding the role of funders; and that 'security conscious' funders should encourage other funders to support security measures, be they tech infrastructure or secure transportation or disguise paraphernalia.  I suppose the mention of the latter seems a bit out of place in a discussion on tech security but one of our grant categories at Urgent Action Fund (UAF) is for the protection and security of threatened activists.  We have seen a range of security measures from horses for safe transport in rural areas, guard dogs, disguise paraphernalia to awareness raising campaigns for increased visibility and therefore increased security.  Of course, these are all context specific.

Unfortunately because this is something that funders don't normally support, many grassroots orgs often don't consider including these items in their budgets.  There is also the consideration of security for self, not just the organization, which also often gets neglected. 

Then there's the question of sustainability.  Just how sustainable are short-term security measures in areas of protracted conflict or extreme surveillance?  It seems the more severe the state and its surveillance becomes, the more creative we (as activists/organizers) become in our methods of evading (or, rather, liberating ourselves from) it.  But how effective are these methods really?

I'd also like to add that some funders and international organizations could really benefit from being more security conscious.  We have unfortunately seen situations wherein it's the big international organization or funder and its behaviour (and lack of awareness regarding security culture) that compromises or jeopardizes the security of the folks at the grassroots level, be they grantees or participants at meetings or conferences.  There is a lived reality and different kind of consciousness that comes from being raised in, living in, or experiencing and being subjected to various types of oppressions.  Due to various forms of privilege, this reality or consciousness (particularly in the so-called global 'north/west') is not shared and often cannot be understood, imagined or conceptualized.  How to bridge this gap and increase honest communication when the power differential (and money) is involved? 

There is also the issue of where the money comes from.  What types of monitoring and evaluation methods or reporting requirements would foundations be subjected to when receiving money from say, the U.S. government?  How can we trust this?  I suppose ultimately, if they want to watch you, they will.  I've heard this time and time again and find it to be a bit fatalist and realist yet I can't say I don't believe it's true.

funding security tools

I agree with Allan.  We struggle to demonstrate the need for "administrative costs" when funders want only to fund "program" costs or activities.  Each funder defines these terms differently, but no matter, the difficulty of raising operating costs drives the cost of doing business as you promise to do more with less to pay those doing it.  

On a cost-saving side - we work with a  terrific organization that has an IT specialist who has traveled to us to train on ICT security techniques, etc. In the past we've paid for his travel (to NY) and provided the space at our offices to hold the trainings.  The rest of the costs were covered by him and -- I think -- the referral organization. I'm hesitant to post all the details here, but will gladly put everyone in touch if this is something of interest.  I will write more once I hear from him or the organization to know what I can share.  The point is, the lack of training may well be the obstacle to using many of the free or lower cost options out there.  If training comes pro bono or relatively cheaply, quite a lot can be learned and implemented. 

Like a lifeboat... And Any One of Us Can Sink It

Hi Allen,

Spot on with the lifeboat analogy!  Many of the Internet security trainings I lead are intermingled with team or coalition building workshops.  In this context I often emphasize the importance of our ethical obligation to protect not only ourselves, but also our family, friends and colleagues.  That's also accompanied by ongoing "Weakest Link" security analysis (that everybody's capable of on one level or another).

Just as we would never intentionally send our children out to buy bread in a "bad neighborhood", nor use postcards to transmit important project information, we also need to be mindful of where we're sending/storing our valuable information, and who has access to it.

It's this kind of human-and-not-technology-centric approach to risk analysis and mitigation that I find to be easily taught and important to cover before we ever get to discussing security tools.

Rick

Providing political accompaniment to increase safety

I think it’s important to discuss the ways that networks of outside supporters can contribute to the security of HR defenders.  

The goal of accompaniment work that I have done is to create a safe space that will allow communities at risk of violence to organize.  In Colombia, teams travel to rural areas, often walking side-by-side with community organizers and human rights workers, to provide a physical presence in communities at risk of violence.  Communities request our presence because they believe that when “eyes from outside” are watching, armed actors will be more reluctant to act, and the community will be somewhat protected from violence.

Activists from another part of the country or from abroad may not be able to set aside the time and money required to train for and carry out physical accompaniment in rural areas, but many of us can provide what has been termed “political accompaniment”.  A letter to a political leader, a public witness highlighting the struggle of a community facing violence, or providing public recognition of the work of human rights activists are all ways of providing political accompaniment.  Communities or human rights leaders whose work is recognized receive a real security benefit - the political costs of harming them increase if other people are watching.

What are some ways that all of us can build effective networks to support the security of human rights defenders?  What strategies have worked well in raising the political costs of harming HRDs?

Accompaniment of human rights defenders

A few resources and ideas to add to this thread about accompaniment of human rights defenders...

New Tactics has written a tactical notebook titled Side by Side: Protecting and encouraging threatened activists with unarmed international accompaniment:

Since the mid-1980s, human rights groups and other activist organizations being targeted with repressive abuses have been calling on international NGOs to provide them with direct accompaniment by international field workers. These field workers – usually volunteers – spend twenty-four hours a day with threatened activists, at the premises of threatened organizations, in threatened communities or witnessing public events organized by threatened groups. The international presence serves as a deterrent against the use of violence. In order to ensure this deterrence, these international accompaniment organizations are part of transnational networks poised and ready to mobilize political pressure against perpetrators should their volunteers witness any attacks or should their clients be further threatened.

We've also hosted a tactical dialogue on unarmed accompaniment that included Nils, Michele and many other accompaniers.

Another type of accompaniment that came up in our dialogue on the use of humor was that of protecting demonstrators using a red nose and quick wits.  Demonstrators have dressed up as clowns to create a barrier between the police and the demonstrators - great idea, right?

I really like Nils' comment about accompaniment serving as a watchdog to raise the political costs of harming defenders.  It would be great to hear ideas to Nils' original questions - What are some ways that all of us can build effective networks to support the security of human rights defenders?  What strategies have worked well in raising the political costs of harming HRDs?

Accompanying HRDs - a case example

Other people have more theoretical expertise, but I think a case example of how accompaniment (broadly defined) can provide visibility to HRDs and increase the political costs of harming them might be helpful, and may provoke more discussion.

In addition to physically accompanying HRDs, part of the work of Christian Peacemaker Teams involves bringing delegations of internationals to conflict zones around the world (see http://www.cpt.org/participate/delegation for more information).  These short-term (7-14 day) delegations are intended to educate people from the global North about specific conflicts and introduce them to HRDs and their work.

In Colombia one of the human rights organizations CPT accompanies is a federation of farmers and small-scale gold miners, who have been threatened with violent displacement, in part because of increased  interest in their land by multinational gold companies.   One delegation was hosted in cooperation with the mining federation, which took a small group of delegates from the U.S. and Canada to visit rural Colombian mining communities, meet with many small-scale miners and farmers, and learn first-hand about their struggles.  

An important part of CPT delegations is public action.  At the end of the mining delegation, after learning first hand of the concerns of the mining communities and community leaders, the delegates planned a public witness in the plaza in front of the Gold Museum in Bogota, to draw attention to these concerns.  This public witness was carried out with participation from the mining federation and from several other Colombian HR organizations.  At the end of the public witness, the delegates led a procession through the streets of Bogota to deliver a letter to the office of the Colombian president, asking for attention to Human Rights in the development of future mining agreements.  Copies of the letter were also sent to the political leaders of Canada, Great Britain, South Africa and the United States, other countries which are involved in the expansion of Colombian gold mining.

I think this kind of accompaniment accomplishes a number of things:

  1. It educates and establishes strong connections between the North American delegates and Colombian HRDs,
  2. It serves to raise the visibility of the HR organizations receiving accompaniment, and
  3. It decreases the isolation of HRDs    

These connections may continue bearing fruit as delegates return to their home communities with new information and commitment to advocate for changes in foreign policy or advocate for international pressure on governments which are not protecting Human Rights.

I think all of these benefits serve to increase the HRDs' security by increasing the political costs of harming the HRDs whose work has been highlighted by the delegation.  What other types of network-building efforts have been successful in increasing the safety of HRDs?

Protection /Prevention: An integrated security strategy

I find that most of the existing responses on 'security/safety' by HRD advocacy and support groups centre on the 'protection' measures and tend to be more on the 'reactive' side - either to pre-empt the imminent threats or after the incidents such as attacks, arrests, detention had already taken place.  The WHRD Coalition has identified a number of these 'protection' measures and AWID is currently conducting a study on the effectiveness of these responses.

  1. Urgent Appeals
  2. Working with / through the various UN and regional human rights mechanisms, most particularly the United Nations Special Rapporteur on the situation of human rights defenders (SR on HRDs).
  3. Temporary relocation. This is about relocating defenders who are facing immediate risk as a result of their human rights work.
  4. Trial observation. Having external observers as a form of protection to the defender and to let the judge and prosecutor know that there is international scrutiny. In countries where judges and lawyers do not feel well protected, it provides them with a potential layer of protection.
  5. Legal assistance.
  6. Psycho-social and medical social
  7. Emergency grants and relief programs.
  8. Fellowships - could be tied in with temporary relocation.
  9. Solidarity and monitoring visits.
  10. Stress management program.
  11. Safe houses.
  12. Emergency Hotline

Perhaps it's also timely to examine the relationship between 'security' and 'protection'?  It may seem pretty obvious but there might be some nuances that are worth capturing in this conversation. For instance, what I find very interesting and impressive in the contributions by colleagues working in the area of ICT and security is the role that this could play on the 'preventive' side which, I think, is still very much underdeveloped in existing 'protection' responses as outlined above. The consciousness-raising amongst HRDs and their organisations about their personal well-being and security as an integral part of their public roles as HRDs is another area where 'preventive' strategy could be further developed and supported.

Few more protection measures

Hi Edna,

Few more measures,

Accompaniments from one safe place to another safe place by international(s) or influential nationals (religious leaders, lawyers).

Diffusion of threat by approaching sources of threat (someone who has influence over the source of threat).

Protective presence at HRDs' offices, homes by internationals or influential nationals.

Working as an intern/volunteer with a UN/other international institution within the country or even with national institutions like the Human Rights commission or Ombudsman office also deters/reduces the threat.

Admission in courses (journalism, law etc.) where HRDs can stay in boarding or on campus, where the vice chancellor, dean or other university officials regularly monitor the HRDs' situation. These tactics have proved very useful in contexts where threats were from non-state, illegal actors or state/legal actors wanted to perform illegally.

Regular diplomats' visits to the area also play an important role in improving the overall security.

 

 
