Information Security for Human Rights Defenders: Difference between revisions

From TCU Wiki
Kristin1 (talk | contribs)
→‎Secure storage: updated links
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
The content below is used with permission from the '''Holistic Security Guide''', specifically chapter 2.4 on [https://holistic-security.tacticaltech.org/chapters/explore/2-4-understanding-and-cataloguing-our-information.html Understanding and Cataloguing your Information].
== Understanding and organizing your information ==
== Understanding and organizing your information ==
[[File:Info at rest grid example.png|thumb|Info at rest, example table from Holistic Security Guide]]
It’s important to approach information security in a thoughtful, organized way.
It’s important to approach information security in a thoughtful, organized way.


Line 11: Line 14:


=== Types of Information ===
=== Types of Information ===
[[File:Types of information.png|thumb|Types of information]]
Our information can be stored and communicated in many ways: on paper, on our computers, on mobile phones, on the internet, on file servers, various internet services and social networking outlets. Taken together, this information comprises one of the most important assets any of us (or any organisation) has.
Our information can be stored and communicated in many ways: on paper, on our computers, on mobile phones, on the internet, on file servers, various internet services and social networking outlets. Taken together, this information comprises one of the most important assets any of us (or any organisation) has.


Line 17: Line 21:
Types of human rights information we manage includes:
Types of human rights information we manage includes:


# The outcome of the work we are doing (Reports, Database of human rights violations, Images, voice and video recordings).
# '''The outcome of the work we are doing''' (Reports, Database of human rights violations, Images, voice and video recordings).
# Operational information that helps us do our work:
# '''Operational information that helps us do our work''':
## Text messages during an action
## Text messages during an action
## Files
## Files
## Progress reports
## Progress reports
## Other office information and communications including Financial, Human resources, Strategic organisational documents
## Other office information and communications including Financial, Human resources, Strategic organisational documents
# Personal information that identifies who we are both as members of an organisation, as well as other personal or professional affiliations
# '''Personal information that identifies who we are''' both as members of an organisation, as well as other personal or professional affiliations
# Data generated by our use of digital devices as we work, or ‘meta-data’, which can be used to track our movements or monitor our relationships.
# '''Data generated by our use of digital devices as we work''', or ‘meta-data’, which can be used to track our movements or monitor our relationships.


== Common threats to information ==
== Common threats to information ==
 
[[File:Threat.png|thumb|Threats]]
# '''Data Loss''' - Due to poor computer hygiene, malware infections, power cuts or ageing hardware, computers and other devices occasionally cease to function causing us to lose our data.
# '''Data Loss''' - Due to poor computer hygiene, malware infections, power cuts or ageing hardware, computers and other devices occasionally cease to function causing us to lose our data.
# '''Compromised accounts''' - Sometimes, our passwords or ‘secret questions’ are not very difficult to break, or we are subjected to phishing attacks (which can be random or targeted for us especially) and unknowingly hand them over to a third party, who gains access to our email or social media accounts
# '''Compromised accounts''' - Sometimes, our passwords or ‘secret questions’ are not very difficult to break, or we are subjected to phishing attacks (which can be random or targeted for us especially) and unknowingly hand them over to a third party, who gains access to our email or social media accounts
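Review bot: the unchanged lead-in "Types of human rights information we manage includes:" has a plural subject and should read "include"; since this hunk already re-touches the list beneath it, fix it here. Also, in the Common threats list the first item is title-cased ('''Data Loss''') while the second is sentence-cased ('''Compromised accounts'''); use one style for all items.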
Line 78: Line 82:


== Information security good practices for human rights defenders ==
== Information security good practices for human rights defenders ==
We can summarize and consolidate the information above into three key security practices that can help protect the important information of human rights defenders. [[File:Secure-access.png|thumb|Secure access]]


=== Secure access ===
=== Secure access ===
[[File:Secure-access.png|thumb]]
 
* [[Safe internet browsing using VPN and Tor browser|Use a VPN and/or Tor browser.]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Protect yourselves against (spear) phishing attacks.]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use two factor authentication for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use unique, complex passwords for all accounts]]
* [[Protect your accounts using strong passwords, pw managers, 2fa|Use a password manager to create, store and protect those passwords]]
 
[[File:Secure-devices.png|thumb|Secure devices]]


=== Secure devices ===
=== Secure devices ===
* [[How to mitigate your risk of being subject to Pegasus surveillance|Restart your device regularly to disrupt spyware]].
* [[Secure your devices|Use anti virus]]
* [[Secure your devices#Full disk encryption|Encrypt your devices.]]
* [[How to collect and store information in a secure way|Have your sensitive information stored safely in the cloud and off of your device.]]
[[File:Secure-storage.png|thumb|Secure storage]]


=== Secure storage ===
=== Secure storage ===
[[Trusted hosting companies in the human rights community|Host your information with a company you trust]], who will not turn over information to your opponents (via subpoena, request, etc).
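Review bot: Secure-access.png appears twice in this hunk, once as [[File:Secure-access.png|thumb|Secure access]] at the end of the intro paragraph and once as the captionless [[File:Secure-access.png|thumb]] under the Secure access heading; whichever placement is kept, give it the caption so it matches the Secure-devices and Secure-storage thumbnails. Two smaller points: the Pegasus bullet puts its full stop outside the link (]].) while the VPN bullet puts it inside, and the bullet about keeping sensitive information in the cloud and off your device is about storage, so it reads more naturally under Secure storage than under Secure devices.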

Latest revision as of 15:52, 23 May 2024

The content below is used with permission from the Holistic Security Guide, specifically chapter 2.4 on Understanding and Cataloguing your Information.

Understanding and organizing your information

[Figure: Info at rest, example table from Holistic Security Guide]

It’s important to approach information security in a thoughtful, organized way.

Consider the different types of information that you hold and seek to better understand both their value to your work and the harms to you and others that could result from an attacker accessing them. Put in place additional measures to protect those assets representing the greatest value or potential harms.

The reality is that it will not be possible to protect all your information from every possible way it could be compromised, and so you must prioritise. You should proceed systematically on the basis of risk. You should consider both the value of information to your work and the potential harms to you and others that could arise if it is compromised or lost.

You can also consider how likely it is that the value will be realised or that a given harm will occur. This provides a rational basis for prioritising where you should focus your attention.

Follow the guidance and exercises in the Holistic Security Guide, chapter 2.4 on Understanding and Cataloguing your Information
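The prioritisation described above, worked through in code as an added example (not part of the wiki page or the Holistic Security Guide): each catalogued item gets a value, a harm and a likelihood score, and the catalogue is ranked so the most consequential items are protected first. All asset names, locations and scores are constructed sample data, and the threat-to-mitigation map holds only the two pairs the page's table fills in.

```python
"""Ranking an information catalogue by value, harm and likelihood.

Added example, not part of the wiki page or the Holistic Security Guide.
It applies the prioritisation the text describes: weigh each catalogued
item's value to the work and the harm its loss or compromise would cause,
together with how likely that is, and protect the top-ranked items first.
All assets, locations and scores below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InfoAsset:
    name: str         # what the information is
    location: str     # where it is held ("information at rest")
    threat: str       # the common threat most relevant to that location
    value: int        # 1-5: importance to the work
    harm: int         # 1-5: damage to us or others if compromised or lost
    likelihood: int   # 1-5: how likely that threat is to occur

    def priority(self) -> int:
        # Consequence is the larger of value and harm (losing it hurts the
        # work, or exposing it hurts people); weight that by likelihood.
        return max(self.value, self.harm) * self.likelihood


# Constructed catalogue following the four information types in the text.
CATALOGUE = [
    InfoAsset("Database of violations", "office laptop", "device confiscation or theft", 5, 5, 3),
    InfoAsset("Progress reports", "cloud drive", "information handover", 3, 2, 2),
    InfoAsset("Messages during an action", "mobile phone", "device inspection at checkpoints", 4, 5, 4),
    InfoAsset("Staff list with affiliations", "email account", "compromised accounts", 2, 5, 2),
    InfoAsset("Location metadata", "mobile phone", "surveillance and monitoring", 1, 4, 4),
]

# The only threat-to-mitigation pairs the page's table fills in.
MITIGATIONS = {
    "information handover": "host with a company you trust",
    "surveillance and monitoring": "use a VPN and/or Tor browser",
}


def rank(assets):
    """Assets from highest to lowest priority; ties broken by harm, then name."""
    return sorted(assets, key=lambda a: (-a.priority(), -a.harm, a.name))


def plan(assets):
    """(name, priority, mitigation) per asset, highest priority first."""
    return [(a.name, a.priority(), MITIGATIONS.get(a.threat, "no guidance in table yet"))
            for a in rank(assets)]
```

Empty rows in the page's mitigation table show up as "no guidance in table yet", which is exactly where the catalogue says guidance still needs to be written.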

Types of Information

[Figure: Types of information]

Our information can be stored and communicated in many ways: on paper, on our computers, on mobile phones, on the internet, on file servers, various internet services and social networking outlets. Taken together, this information comprises one of the most important assets any of us (or any organisation) has.

As with any asset, we are best served when we are sure that this asset is properly cared for so it doesn’t accidentally or maliciously get lost, corrupted, compromised, stolen or misused. In caring for our own security, we need to care for the security of our information.

Types of human rights information we manage include:

  1. The outcome of the work we are doing (reports, databases of human rights violations, images, voice and video recordings).
  2. Operational information that helps us do our work:
    1. Text messages during an action
    2. Files
    3. Progress reports
    4. Other office information and communications, including financial, human resources and strategic organisational documents
  3. Personal information that identifies who we are, both as members of an organisation and through other personal or professional affiliations
  4. Data generated by our use of digital devices as we work, or ‘meta-data’, which can be used to track our movements or monitor our relationships.

Common threats to information

[Figure: Threats]

  1. Data loss - Due to poor computer hygiene, malware infections, power cuts or ageing hardware, computers and other devices occasionally cease to function, causing us to lose our data.
  2. Compromised accounts - Sometimes our passwords or ‘secret questions’ are not very difficult to break, or we are subjected to phishing attacks (which can be random or targeted at us specifically) and unknowingly hand them over to a third party, who gains access to our email or social media accounts.
  3. Device inspection at checkpoints - Sometimes we may have our devices temporarily confiscated while crossing borders or military checkpoints, where the data may be copied, or the computer may be infected with spyware or have a hardware keylogger attached.
  4. Device confiscation or theft - Computers and mobile phones are common targets for thieves. Furthermore, if we face acute risk, our offices and homes may be raided by State or non-State actors, and computers, mobile phones, hard drives, USB keys and servers could be ‘confiscated’ or stolen for analysis.
  5. Information handover - Internet service providers and the providers of the email and social networking sites that we use can also hand over our data to certain authorities if a legal request is made to do so. While they protect our data from some, they are more willing to hand it over to others, and this situation is constantly changing in accordance with business and political interests.
  6. Targeted malware - This is a growing industry: some State authorities and other groups invest in software which is designed to trick us into downloading it and later grants the attacker access to much or all of the data on our devices.
  7. Surveillance and monitoring - Data brokers, internet service providers, email providers and many other companies subject the general population to surveillance by gathering and aggregating details of our online activities. While in some cases this has the aim of merely targeting us with advertisements, it can also be used to identify particular minorities to which we may belong as targets for deeper surveillance.

Mitigation techniques for common threats to information

Threat                              Mitigation techniques and links to guidance
Data loss
Compromised accounts
Device inspection at checkpoints
Device confiscation or theft
Information handover                Host your information with a company you trust, who will not turn over information to your opponents (via subpoena, request, etc).
Targeted malware
Surveillance and monitoring         Use a VPN and/or Tor browser.

Information security good practices for human rights defenders

We can summarize and consolidate the information above into three key security practices that can help protect the important information of human rights defenders.

Secure access

[Figure: Secure access]

Secure devices

[Figure: Secure devices]

Secure storage

[Figure: Secure storage]

Host your information with a company you trust, who will not turn over information to your opponents (via subpoena, request, etc).