Mitigating risk: determining your threat model and take healthy precautions when using social media in your work

10 posts / 0 new
Last post
Mitigating risk: determining your threat model and take healthy precautions when using social media in your work

Part of using social media strategically, is using it safely. How do you use social media without putting your staff and your constituents at risk? Share your experiences and ideas on:

  • How to determine your risk;
  • Steps to take to mitigate that risk

Share your experiences, thoughts, ideas and questions by adding a comment below or replying to existing comments!

For help on how to participate in this conversation, please check out these online instructions.

Social media during activity: dealing with pictures and names

The Womens Peacemakers Program (WPP) is currently slowly expanding its presence on social media. Important for us is to be visible, especially during our activities in the field, but we do not want to compromise our integrity or safety of our partners and trainees. This requires a delicate balance...

During one of our activities, we made the commitment not to publish pictures, quotes or names without the full approval of the participants. Though this required much time and resources, it forced us to reflect on what we post and to be more selective in what we post online. In addition, these conscious decisions were shared with the participants and became part of their awareness raising regarding the use of social media. Therefore, it had a good spill over effect.

This was ad-hoc solution for that specific activity. We are currently working on more structural guidelines for mitigating risks on social media. Would be great if people could share the guidelines they use and how they communicate on social media while remaining their integrity regarding people and organisations they work with.

Creating Safe Event Spaces

Creating safe event spaces is important to get the most out of an event, to promote better privacy practices in the human rights commmunity, and make participants more likely to share. Two ways to go about this can be introducing Chatham House rules, and carefully considering how participants at an event feel about documentation is a great step to creating a safe space. Even if everyone at an event is fine with having their picture taken and posted online, starting a conversation about the security and privacy implications of documentation is a smart thing to do.

Another tactic that requires more individual interaction is to encourage participants to write NO PHOTO on their name tags if they do not want to be photographed. Also introducing ObscuraCam, the Guardian Projects Android app that allows for faces to be blurred before a picture is posted is a good way to share tools and continue the conversation about what privacy in the age of incessant documentation means to each of us.

- Alix Dunn, the engine room

Sharing compelling images w/o risking the privacy of partners

This thread on creating safe event spaces is important, especially (as Alix mentions above) "in the age of incessant documentation." This exchange highlights a dilemma that many human rights organizations find themselves in: in order to get the attention of supports (and donors) they need compelling visuals of their work and impact - and at the same time, they want to respect the privacy and security of the people that they work with. How can they do both?

Thank you, Alix, for sharing the ideas above. It would be great to hear more ideas from others as to how they have engaged their networks in conversations around privacy, and how they have created safe event spaces.

I am also eager to hear from others about how they have addressed this dilemma, of needing images but not wanting to put their partners in harm's way. I'm sure there are lots of creative ways that have been used to share visuals that are compelling and meaningful, without sharing actual photos of people's faces.

For resources on keeping human rights defenders, you can visit our conversation summary on that topic - there is a great list of resources towards the bottom of the summary.

- Kristin Antin, New Tactics Online Community Builder

Professional Standards for Protection Work

I wanted to highlight a very important document that I believe is important for this conversation. I just participated last week in the US launch event of the second edition of the Professional Standards for Protection work, published by the International Committee of the Red Cross. I would recommend everyone who works in this space to take a look at this report. Most importantly, the second edition expanded to address issues of new technologies, including information already available on the internet, and its implications for informed consent. This is very relevant for someone like me, who increasingly turns to social media to collect evidence of potential human rights violations. The many videos coming out of Syria are probably the best example. Even if vidoes are already public, doesn't mean I can do whatever I want with it. Me using these videos to identify a specific crime and connecting it to calls for criminal persecution changes the context, and might put the filmer or people in the video at increased risk. So we should take these risks into consideration when using social media content for human rights resarch and advocacy, and weigh against the expected increase in protection before using it.

Resource: Trace My Shadow - tips & tools for using social media

Excellent point, Christoph - and thanks for sharing that resource.

Another resource that might help human rights practitioners in better understanding the risks that come with the use of social media (for them and others) is the Me and My Shadow project by Tactical Tech. Specifically, the Trace My Shadow feature allows you to select the devices and/or services you want to use, and it will pull up tips and tools for how to use them safely. For example, under Facebook, when I click on Groups, I find this information:

Facebook Groups
The list of online groups that a user has subscribed to, such as groups within social networks. These groups might give away information on your cultural, political, religious views or sexual preferences

Tips when joining a group on Facebook
On the whole, people may assume that you support or agree with what the group is saying or doing, which could make you vulnerable, for example, if you are seen to align yourself with particular political groups. Also, if you join a group with a large number of members that you don't know, this can compromise any privacy or security settings that you have applied to your account. Think about what information you are giving away before joining. Are you using your photo and real name so strangers can identify you?

Firesheep is a Firefox extension that enables you to find out about security flaws in websites that require users to log in.

The Priv3 Firefox Extension
The Priv3 Firefox extension stops social networking sites from tracking your online behaviour when you are logged in.

What other tools are out there to help human rights practitioners make wise (and safe) decision about how and when to use social media?

Resources for protection when using social media

Christoph and Kristin,

Thanks for sharing those useful resources.

In our work with human rights organizations and others at risk in Venezuela, where the context is restrictive but certainly not as extreme as in Syria, we have found difficulties in making all members of those organizations, on the one hand, to understand that such restrictions are real and they take many forms, including harassment, threats, intimidation, tapping of calls and e mail messages, and, on the other hand, that the measures to offset risks must be put in practice without exceptions and consistently.  We have seen this inconsistent use of safety precautions often, particularly by those who might not be in the "frontlines" -and even in some who are...   

In our training workshops on advocacy, planning, project writing, etc, we have started to include, even if this is not part of the main issue of the workshop, a short session on risks, and personal, organizational and digital security.   

In this sense, these resources you have shared and others that might come to your mind, are really welcome.  Thanks!

I believe your point to be

I believe your point to be very important. I've been unconfortable on how sometimes citezen reports, including tweets, photos and videos are sometimes used bu organizations, activists and very frecuently the media; possibly exposing the person in ways they didn't expect. I counld't compleatly spell out why ti seemed sketchy in so many ocations until I read your post Christoph.

Beyond the organization, supporters

It's unfortunate, but in some contexts not only organizations and activists need to consider safety in their use of social media, supporters who interact with them too. Just following or retweeting certain accounts could have consequences for social media users; in those situations they need to evaluate and mitigate their risks, which are different to those of an organization.

People might decide to target you for your online speech or associations as might be true if it happened in the streets, people are often unaware of how easy is to find out what they have posted or who do they interact with and may have done differently if they knew. 

    Two recent Venezuelan examples:

The first involves our work at Red Eleccion Ciudadana a network of venezuelan NGOs coordinating around the election. This April we received many videos of people  voting under illegal supervision, to make sure they vote for a specific candidate. One of the clearer videos showing this was uploaded to a personal youtube account and send to us. The video went viral on twitter and after a day and a half the user deleted his account, taking down the video with it, the person was more than likely pressured to delete it, and didn't expect people to find out he was recording as it was clearly done covertly.

The other example would be government employees that would hide their political preference at work, exercising their right to show their political affiliations and opinions in social media, in IM avatars and status messages, etc. without considering that coworkers could see their public profiles; this had real consequences in recent weeks for some government employees. Have they understood the risks better some might have expressed their political opinions differently or with anonymous accounts; maybe they would stand for their rights but it would have been a more conscious choice.


 - Andres Azpurua, Venezuela Inteligente


A few ideas to mitigate some risks on social media to complement most lists

  • Make sure geolocation is turned off by default in your tweets, Facebook posts, etc. It's very easy to send that info by mistake if it's the default and an awful lot can be learned about you by checking what places you visit, your routine, even where you live or work can be easily inferred if your posts have location. Not to mention make careful use of foursquare.
  • Check your photos don't have geolocation either, it can be a nifty thing to have, but chances are that the services you use won't delete location data from your phone's pictures, you could be giving a way sensible information (here is a telling example of it happening to a journalist).
  • Review whats publicly visible on your profiles from time to time, I'm always surprised of things I find. 
  • Don't trust really sensitive information on social networks, not on "private" twitter accounts, neither via direct messaging.

These particularly for anonymous accounts

  • Don't affiliate the account to an identifiable email address
  • Scrub metadata on photos and files
  • Consider how a photo's or video's content could be used to identify you. 
  • Double check always for htttps:// over http:// on social networking sites
  • Use a VPN on your phone, we can't be always be sure that all communication between the apps you use and servers is secure.  
    Use it your computer too for added security and peace of mind.
    Remember that everything sent unencrypted is like a postcard that any intermediary can read (network administrators, ISPs or government)