Community Updates

The following are community updates from the weekly Glitter Meetup. If you need to connect to anyone mentioned below, please reach out. We do practice "consensual introductions," meaning we have to check with the person before doing so. No names are associated with the summary notes. Please contact us if you have any questions related to these notes. team@internetfreedomfestival.org

February 20

Myanmar Digital Rights Forum: https://www.digitalrightsmm.info/

February 13

Today Russian court fined Twitter and Facebook for not moving their servers to Russia: https://www.themoscowtimes.com/2020/02/13/russia-fines-twitter-and-facebook-63000-each-over-data-law-a69280

PBS Frontline just published a documentary about Hong Kong Protests: https://www.pbs.org/wgbh/frontline/film/battle-for-hong-kong/ (but might only allows in Northen America region)

Malaysian gov recently actively arresting and charging/fining people who post/spread false information about coronavirus. Last update was 2 days ago, someone in east Malaysia got fined about MYR5000 and one reporter was arrested and on bail now.

Check this article, written by one of our fellows, about guidelines to create digisec policy and best practices for small scale organization: https://www.opentech.fund/news/guidelines-creating-digital-security-policy/

February 6

VPN users being tortured in Kashmir: https://www.vpncompare.co.uk/vpn-torture-kashmir/

For the Tor users on Fedora/CentOS/RHEL, we now have official packages from the Tor Project https://support.torproject.org/rpm/

People run Tor relays on different Linux based operating systems, but, mostly Debian/Ubuntu could directly install Tor package from the Tor project itself, now, people using Fedora or CentOS or RHEL can also get the latest and greatest version of the Tor directly from Tor itself.

January 16

Our feature guest is Tek, a security researcher working for Amnesty Tech on digital surveillance against Human Right Defenders. He is also a research fellow at the Citizen Lab. Today we are going to talk to him about his article: Targeted Attacks Against Civil Society (https://www.randhome.io/blog/2019/12/02/targeted-attacks-against-civil-society-what-is-new-in-2019/)

What are targeted attacks?

We call targeted attacks, malware of phishing attacks targeting people for the sake of gathering information on them, so there is no intention of getting any money (like cyber-criminal attacks such as ransomware would do), but monitor their activities. This type of attack is not new, first reports about such attacks against civil society date back to 2008 and the report on Ghostnet targeted the Dalai Lama office in India.

Historically, it started with a lot of emails with malware attached to them, either documents using vulnerabilities to install a malware of just a malware pretending to be a document (and sometime opening it). These attacks are still happening, like in Azerbaijan a few years ago https://www.amnesty.org/en/latest/research/2017/03/False-Friends-Spearphishing-of-Dissidents-in-Azerbaijan/

But more and more people started to use documents in the cloud, on Google drive to others. So the attackers started targeting more and more the mailbox with phishing email. These attacks are way more easy because you do not need a malware, just copy a login page on a fake domain and record the password when the user enter it.

Citizen Lab wrote about this change in tactics in 2016 against Tibetan communities https://citizenlab.ca/2016/03/shifting-tactics/ and it is something we see very regularly now, like in Egypt last year https://www.amnesty.org/en/latest/research/2019/03/phishing-attacks-using-third-party-applications-against-egyptian-civil-society-organizations/

And lately we are investigating more and more more advanced attacks done using malware and exploits sold by companies like NSO group. Citizen Lab wrote about it for the first time in 2016 https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ and we have investigated attacks using NSO group recently in Morocco https://www.amnesty.org/en/latest/research/2019/10/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware/

These attacks are targeting smartphones with very advanced techniques, often using 0-day exploits that costs a lot of money. These attacks are more rare but also very dangerous because they are able to compromise smartphones with little or no user interaction. (There is today a court hearing going on Israel for a petition asking the Israeli MOD to revoke NSO Group export license, see https://www.amnesty.org/en/latest/news/2020/01/israel-court-nso-case-behind-closed-doors/ )

Has 2019 witness more attacks against civil society than in previous years?

Yes, especially because of the discovery of attacks against Uyghurs and the WhatsApp hack by NSO on which we got a lot of information thanks to WhatsApp / FB. But it is hard to say if it is that we know more or if there are more.

We have a lot of knowledge on the attacks in some regions (like Tibetan activists, or Mexico) because of work done there, but there are still areas (like South America) where we have very little knowledge.

So what has changed recently?

First, there are a lot of phishing attacks targeting online accounts and they get more complex in two ways: first they regularly use OAuth authentication. OAuth is a protocol that allows an external application to get access to your Google/Facebook/Outlook account for different reasons, it is for instance the protocol that is used when you login into a website with your FB/Google/Twitter/Other account. What is dangerous with that is that it is pretty different from other phishing attacks, and it is easy for people to fall into it. (read more about it here https://guides.securitywithoutborders.org/guide-to-phishing/oauth-phishing.html )

So we aren't able to know if the attacks have been increasing but we can confirm that the methods are getting more complex

We don't know what we don't know, so it is hard to factually prove that there are more attacks. We are seeing more advanced attacks by groups like NSO, with 0-day and no-click attacks, but the vast majority of attacks are still not very sophisticated and using techniques that have been there for a while and are cheap (like fake google domains)

What are some of the new attacks that you have witnessed during 2019?

On phishing, something we have started to see in 2019 is using phishing kits that are bypassing most forms of Two Factor authentication. Two Factor Authentication is having another authentication method beyond your password, it is often a token given by SMS, by a smartphone app (such as FreeOTP, or Google Authenticator) or a hardware key.

Modern phishing kits are using a technique to relay the request to their fake website to the real platform and this bypass all forms of two factor authentication, except hardware tokens. It is thus important to promote more hardware keys like Yubikey or Solokeys

This is pretty new, but there are now open source phishing kits doing that, and most of the phishing attacks we see today are bypassing most forms of second factor.

And there is like a gap between companies selling very advanced tools (NSO has 500+ employees), and some government paying hackers with average technical skills to send phishing to activists. The first one is more advanced, harder to fight against, but also more rare, and most of the attacks we see are the second case.

You talk about attacks bypassing 2 factor Authorization, and the need to move towards hardware token for 2fa Where can you purchase this hardware? If folks can’t afford it, are there are places where they may be able to get it for free?

There are different organizations doing hardware tokens, the most used are Yubikeys, Solokeys and now Google is making their own Titan keys

Several organizations are providing some to activists for free, we try to bring some when we are doing a security training. You often get some at events like IFF.

Now that we know more about the attacks and their complexity: What entities are leading malware creation/execution?

It really depends on the context of the country, we see some countries like Russia or China developing skills of targeted attacks in the country, they even have often several groups in charge of different types of attacks (companies or activists).

In many other countries, they are not able to do that, and they rely on buying the malware and tools from companies like NSO Group, Hacking Team, FinFisher etc. These companies are mostly based in Europe (often in Italy) or Israel.

And they are often involved in a broader surveillance ecosystem, with companies like NICE (an american company) reselling and installing tools from other manifacturers

what are new threats you see coming in the future?

The trend is :

More phishing attacks
More attacks on smartphones
Development of very sophisticated attacks used in some countries, but most attacks are still going to use techniques that are not very sophisticated (such as phishing or backdoored android applications)

Have you seen cyber attacks against relatives/partners of those who work in this space?

There is one case in Mexico reported by Citizen Lab where they targeted the son of a prominent journalist https://citizenlab.ca/2017/06/reckless-exploit-mexico-nso/

Some HRA uses external sites to 'upload' evidence and content to and then delete/remove it from their own devices. Are there certain places that keep content safe from these attacks?

Uploading sensitive data from a server and removing from the phone can be really useful for instance for crossing borders, or during protests, but if the phone is compromised before, the attackers may be able to monitor the phone activity before it is uploaded and remove from it.

How to get psychologists involved? Have you achived any positive results on this way? Any word of advice?

This attacks are mostly not about digital means of protection but psychological ones. ("How can I distinguish that someone's trying to use me? How can I see what vulnerabilites of mine are most likely to be used by bad guys?") We discovered that digital things (such as 2FA) simply didn't work in some situations and we needed some assistance from psychologists to work with people.

We have seen many cases where attackers used quite low-level attacks but they were combined with very good knowledge of the political context and good social engineering skills. There is definitely more work to be done to understand how to explain phishing and help people react to social engineering and I have not seen many psychologists involved in it, it would definitely be interesting

Is some good work being done and developed to improve security trainings and make them more into adult training, so maybe there are psychologists involved in it (https://level-up.cc/ )

As a UX designer, how can we make this information help the design community build safer, informative tools for HRA's? Designers are typically the first line of defense and play a good role in informing/protecting users of stuff like this!

developing ways to explain these attacks better are definitely needed more. A good example of some work done in that area is the phishing quizz developed by Google https://phishingquiz.withgoogle.com/

There are many different directions to fight against these attacks. One of our approach is to make forensic knowledge more easily available to tech people supporting human right defenders. It is very common to have people think their device is compromised and we did not have any good methodology to check if it really was. So with Security Without Borders, we have developed a guide to help with that https://guides.securitywithoutborders.org/guide-to-quick-forensics/

It is pretty easy on Windows and Mac, but harder on smartphones, so we are trying to find better techniques and tool to do that on smartphone

Regarding to the malware spreading on Telegram during HK Protests. There's anything we can do? Like a bot that can filter those or identify those...?

We have seen malware being shared on chat applications a lot, but mostly privately, HK is the only case where malware was shared on a group chat. It would be definitely possible to develop a telegram bot to monitor chat groups, and it could be an interesting way to identify attacks, but you have to monitor the right groups.

Do you see people reusing different malware/exploits in different campaigns in different countries?

Yes often. There are two different cases for malware, it can be either malware from a company like FinFisher or a malware that is open source or sold on the black market.

Sometimes, we see some private tools shared by groups that are related to different country that we cannot explain.

Exploits we see are very often public exploits, so they are reused because they are available on Internet

January 9

For this Glitter Meetup, we have a feature guest: Tamara, one of the Community Builders of the 2020 IFF. She works on emergency assistance for activists and journalists around the world.

Is harassment online a real problem for women journalists? can you explain a bit about this? Where it happens? Why it happens? And are there any populations or areas of the world this happens more than others, or is it global?

Yes, online harassment is a real problem for journalists, but even more so for female journalists.

As a female journalist she has faced online harassment based on gender many times, may it be from comments under her articles, or from online audiences during panels that she was speaking on, etc. Back then, she thought that perhaps she was doing something wrong or that she should simply not pay attention to this and not be too soft.

Five years ago she started working on emergency assistance, and over 40% of their casework covers journalists. And of course, they face all sorts of threats. Arrest, murder, you name it. But. A lot of times the harassment/ threats/ insults start online. The thing is that journalists often don’t take those seriously. Female journalists in particular often think that this just comes with the job.

The harassers don't discriminate, in every region there are plenty of them. There is a difference however with regards to who the harassers are. So, for example, in Eurasia and MENA regions, we have seen more government and troll factory-based harassers of female journalists, in the US it is more from certain conservative groups, etc. But if we look at the specific areas of coverage. Number one, at least according to some of our data at the emergency assistance program is corruption reporting. Then come issues, such as migration, LGBTQI.

Troll factories are literally offices where people are hired to sit and search online space for content and comment in order to create fuss, or harass someone, etc. In Azerbaijan, for example, troll factories are used to harass female reporters, opposition, but also simply to 'express love for the president and their family'. Being a troll is a paid job sometimes, also in some countries students of state-funded universities or state employees are forced to be trolls for free (or they lose school placement, or their job)

Also, female journalists, especially if they write opinion pieces, are way more often scrutinized with regards to their expertise (e.g. 'do you really have expertise to write about this?') and therefore are being threatened.

One participant added that some of their coworkers often express that they are tired of comments and threats to them just because they are women, specially when they do articles or investigations with the conflict that Colombia still living between guerrillas, drug lords, etc.

Report done by IWMF on the topic: https://www.iwmf.org/attacks-and-harassment/

Many folks here are digital security trainers, or provide digital security support. what advice can they give to women journalist they may be assisting who may be experiencing this. what can be done

First and foremost it is important that female journalists don't normalize online harassment and recognize that there is a threat. The problem with online threats that I have seen in the past five years of my work is that they usually escalate. For example, if at first someone is telling a female journalist that she is a liar and she therefore deserves to die, then eventually a physical attack from this person, or from others who were 'inspired' by this harasser follows.

Now, in terms of what digital security experts can advise. When online harassment happens and even in other instances, female journalists need to first of all take care of their own security. We usually recommend that they talk both to digital and physical security experts.

What tools or sites you recommend to find more info about Online Security for female journalists?

Getting in touch with Frontline Defenders' digital experts, or Access Now, or, smaller digital security and physical security expert groups, such as, for example, people from Tbilisi Shelter in Georgia.

One participant added that FLD, Access Now, etc. are great advices for the majority of human rights defenders and independent journalists but there should be something more specific when it comes to female journalists and online threats.

IWMF, CPJ, Amnesty have some good resources on their sites. But there aren't enough groups that deal with online harassment in general, and especially online harassment against women regionally. For example, in the North Caucasus in Russia where such attacks have happened, and very little to no local support is available.

Are there any gender-specific advices on (say) guidelines, recommendations, anything to read? watch online?

With regards to steps: 1. stop your current work and focus on addressing your security situation 2. if you work full time as a reporter, your management is your first call. If you are a freelancer, speak to your immediate support network (your fellow reporter friends, civil society groups inside your country that help journalists and female journalists in particular) and then speak to groups that support journalists (happy to help connect if needed), such as Acos Alliance, Rory Peck Trust, CPJ, RSF, Freedom House, Frontline Defenders, Civil rights defenders, etc. 3. Develop a security plan. Female journalists often have dependents in their care, such as minors or parents. Make sure your security plan includes them. 4. Your security plan has to cover your digital presence (such as, don't checkin on IG and FB, don't post personal info, contact white pages (or whatever address book alternative in your country) and ask them to take down your address, etc. But it also has to include psycho-social and physical security components. Such as, don't take your usual route to work. Checkin more frequently with your children, etc. (this sounds scary and somewhat unnecessary at times, but it is vital) 5. If the harassment includes exposure of any content with regards to you online, develop a plan re how to eliminate that content (contacting social media platform, mobilizing a support network. in some cases, even take legal action). 6. If things escalate, we usually recommend temporary relocation. as disruptive as it sounds to your life, it is sometimes needed to avoid further escalation.

One participant added a good advice: "other journalists reported shifting how they cover the news to prevent harassment. For example, an online reporter in Taiwan said she focuses on positive news so she won’t get attacked"

A Latina newspaper reporter in the U.S. took a different tack. She said she faced extreme harassment online when she started her job five years ago, so now she is extra-vigilant about showing multiple sides of a story to prevent complaints that may escalate into abuse. On the other hand, a TV journalist in the U.S. said she tries to avoid details in her stories that she knows will upset people. “Yes, it affects the way I do my stories,” she said. “I am more careful.”

It is important to have colleagues to rely on to talk about harassment encountered and to help by, for instance, moderating the comments

Uses Facebook’s word-blocker function on professional page to prevent words like “sexy,” “hot,” or “boobs” from being posted by users

IAWRT Manual: https://www.iawrt.org/sites/default/files/field/pdf/2017/11/IAWRT%20Safety%20Manual.Download.10112017.pdf

CPJ Canada/USA survey: https://cpj.org/blog/2019/09/canada-usa-female-journalist-safety-online-harassment-survey.php

CPJ manual on how to mitigate sexual violence https://cpj.org/2019/09/physical-safety-mitigating-sexual-violence.php

IJNET Guide: https://ijnet.org/en/story/how-newsrooms-can-fight-online-harassment-targeting-female-journalists

GIJN Guide: https://gijn.org/gijn-guide-resources-for-women-journalists/

OSCE Guide: https://www.osce.org/fom/220411?download=true

OSCE Manual: https://www.osce.org/representative-on-freedom-of-media/safety-female-journalists-online

Can you talk a bit about the psychological impact this has?

The psychological impact is huge indeed. From own experience covering mass protests back at home in 2005-2008, as a young female journalist you would get harassed all the time, so you try to wear least revealing clothes, put all of your hair under a hat, always go with a male colleague on reporting assignments, make sure your phone is charged, etc.

From Tamara's experience working with female journalists in the past five years, the most unfortunate psychological effect is that female journalists start self-censoring or that they cease their journalistic activities.

December 19

If you've ever applied (or thought about applying) for OTF Funding? If you want to help improve the OTF funding process, read on! They are trying to improve the process: https://tools.simplysecure.org/survey/index.php?r=survey/index&sid=386482&lang=en

The government (UK) and the US are cooking up the next crypto wars, lots of chat about banning end to end encryption. The debate seems to be a lot more sophisticated this time, and bipartisan, so may actually happen.

December 12

ACSVAW urges the Special Rapporteur on Violence Against Women to visit Hong Kong to examine the seriousness of gender-based violence committed by the HKPF against the protesters; and recommend the Hong Kong Government to establish an Independent Commission of Inquiry to conduct impartial investigations: https://rainlily.org.hk/glosign

Digital Grassroots published their year book and there are several pics from their amazing experience at the IFF. You can read it here : https://drive.google.com/file/d/1NssHtr7jhrHVqDQ1RItZvmRV2s39fJgm/view

The big election is coming on Jan. 11 in Taiwan. Many people see this is a war between China and democracy world. At this point, how to help Hong Kong protester create a big fight and argument in Taiwan because some legislators want to pass "Act on Refugee " to help Hong Kong activists.

November 19

In an entirely unrelated hearing about a finance bill, the court noted that their ruling last year (on Aadhaar) may have incorrectly accepted it as a money bill (which allows budgetary spending only) as the program didn't seem to meet the constraints for a money bill (well, duh!). The review petition got admitted after being on hold for a full year.

November 14

New report on Trans Murders for Oct 2018 to Sept 2019

https://transrespect.org/en/tmm-update-trans-day-of-remembrance-2019/?fbclid=IwAR1MRntg7W-NYaUTGIAKvZeSRHtIQnwBZShvdlugjZJf-e_MODC7vidZf_4

A whole group of SEAsia organizations and individuals came together to release a statement of regional solidarity regarding all the attacks on bloggers, HRDs, journalists within the region: https://www.apc.org/en/pubs/statement-regional-solidarity-against-attacks-digital-rights-activists-southeast-asia

CUHK turns into battleground between protesters and police as clashes rage on across Hong Kong universities ://www.hongkongfp.com/2019/11/12/cuhk-turns-battleground-protesters-police-clashes-rage-across-hong-kong-universities/

Hong Kong protester shot by police with live round in critical condition: https://www.hongkongfp.com/2019/11/11/breaking-hong-kong-police-shoot-protester-live-round-sai-wan-ho/

October 17

Hong Kong Updates

The activist also the co-founder of Civil Human Rights Front, was "attacked with hammers" on his head - https://www.bbc.com/news/world-asia-china-50073583

Apple banned HKmap.live app from Apple Store (which the protesters widely use to track the location of the police during rallies - https://www.bbc.com/news/technology-50009971

US lawmakers pass Human Rights and Democracy Act to protect HK: https://www.bbc.com/news/world-us-canada-50064803

How much does China influence your country or business in your country?

China's Huawei says open to 'no backdoor' agreement with India: https://www.reuters.com/article/us-huawei-india/chinas-huawei-says-open-to-no-backdoor-agreement-with-india-idUSKBN1WT25H

The Zimbabwean government has been over the past 10 years making serious connections and deals with the Chinese government. Zimbabwe has a whole military college that was built by the Chinese for the Zimbabwe Defense Forces, they recently received biometric equipment from China too for facial recognisition though they haven't started to use it. Most mines now are run by the Chinese.

Tunisia has good diplomatic relationships with China. Chinese is one of the optional languages one can learn in high school. China sends regular donations/help to Tunisia. Because of the economic crisis, the Tunisian market relies on Chinese products especially the tech as I guess in many other countries.

https://privacyinternational.org/explainer/3232/research-methodology-pre-installed-android-app-analysis

Direct link to the CCCamp2019 presentation by PI: https://media.privacyinternational.org/videos/watch/9c364e23-df63-40c7-8690-e4f3c3921ba9

October 10

Community Updates

In Argentina Smaldone (the hacker who reported errors in the Smartmatic system, electronic voting system company) was arrested due sharing information on "GorraLeaks" (leaks on the Federal Police). This is also related to the upcoming elections late this month and the alledgly fraud on the primary elections. https://www.tiempoar.com.ar/nota/la-policia-detuvo-a-javier-smaldone-informatico-que-denuncio-a-smartmatic

https://tibet.net/china-pressing-nepal-to-sign-extradition-treaty-to-clamp-down-on-tibetans/

The biometrics system in India and what its used for:

India has patchy registrations of births, so there's a very large percentage of the population that doesn't even know their birth date.

Since birth certificates are not a reliable foundational id, most of us have 10th grade school certificates as id proof instead, but these again are only available to those who went to school. Again excludes a large number.

There are other id systems that are issued merely on the basis of someone vouching for you -- and this is very popular in India.

In such a patchwork system, how do you do state-sponsored welfare while ensuring that welfare isn't misdirected to someone who pretends to be two individuals using two identifiers? Enter biometrics!

Biometrics have been the holy grail for bureaucrats too lazy to use the more foolproof method: door-to-door verification. There have been attempts to find a way to make it work from the early 2000s.

India is a federal union, similar to the United States. That means states have primary jurisdiction over individuals and the central government mostly regulates national issues. There are (or were) only three national id databases in India: for income tax, elections and passports.

So there was no scope for a national id since primary id is issued by a state, similar to the DMV in the US. But a separate idea was born in the aftermath of the Kargil war with Pakistan in the 1990s. A national database of citizens so that infiltrators/terrorists/anti-nationals could be identified.

This surveillance database project got repackaged as a targeted welfare distribution project over the period of a decade, so that by 2009 Aadhaar was conceived as a welfare project. But the surveillance origins never went away.

If you are critical of the government and you are poor, it could be a way for them to deny you access to social services

What is the desired outcome of the activists fighting against its wide use?

The petitions in the Supreme Court pleaded for the project to be shut down and all data deleted. The court upheld the project in 2018.

Many activists realise that Aadhaar is the first nationally valid identity document issued to the vast majority of Indians and this is important. Therefore, it should not be shut down, but it should instead be made to work like an actual identity document. However this is going to require considerable work as the design is entirely premised on its origins as a surveillance project.

Any facts or things we should know

The amount of fake news and propaganda coming from official sources is mind boggling. If you hear something positive about Aadhaar, there may be a kernel of truth in it somewhere, but everything around it is likely propaganda.

October 3

Highschool student was shot with live, today the HK gov announce face mask ban -- https://www.bbc.com/news/world-asia-china-49918889

In Peru, the Congress was suspended and there were some resignations from high office politicians. https://www.nytimes.com/2019/09/30/world/americas/peru-vizcarra-congress.html

Indonesia protests: https://www.aljazeera.com/news/2019/09/driving-latest-protests-indonesia-190926090413270.html

https://news.yahoo.com/fresh-clashes-indonesia-protesters-adopt-034211376.html

Indonesian journalist in HK, shot on her eye by rubber bullet: https://www.bbc.com/news/world-asia-china-49910636

Kenya is currently having a court trial for Huduma Namba, their biometric id scheme: https://www.livelaw.in/interviews/kenyan-court-niims-huduma-namba-scs-aadhaar-challenge-v-anand-148657

The Supreme Court of Jamaica shut down their biometric identity program, citing the dissenting judgement from Justice Chandrachud in India.

From Russia, the New Emperor's DPI is getting some live traffic in test deployments, some people try to observe/research some of its features regarding banning Telegram, Tor and ordinary websites.

September 19

Twitter recently released a 1.6 GB archive of tweets that it determined had been spread by the government of the People’s Republic of China (PRC) as part of an information operations (IO) campaign to attack and discredit ongoing protests in Hong Kong. IFTF’s Digital Intelligence Lab analyzed the data to examine key influencers, common messaging themes, strategies, and oddities in the data.

https://medium.com/digintel/welcome-to-the-party-a-data-analysis-of-chinese-information-operations-6d48ee186939

https://scroll.in/latest/936936/gates-foundation-award-to-modi-will-demoralise-indias-civil-society-say-south-asians-in-us

TvT (Trans respect versus Transphobia worldwide of Transgender Europe) research project that do 2 pieces of research (1) Transgender Murder Monitoring, and (2) Legal and Social Mapping of country situations for Transgender and Gender Diverse communities. transrespect.org/en/ | https://tgeu.org/

This is digital safety guide for Indian activists. https://github.com/kaarana/digital-safety

Rutatrans is a project that is mapping along with some NGO and activists safe places for trans people in latinamerica. The project is an app, you can find more info about it here http://rutatrans.org/

September 12

Dmitry Bogatov (Tor relay operator who was detained for a ~year in Russia) is finally in US, seeking for asylum & he already got job permit.

September 5

Access Now and Keep It On coalition sent an open letter to HK administration on selective Internet shutdowns and state sponsor DDoS attacks on major forum and news portals: https://www.accessnow.org/internet-shutdowns-will-harm-hong-kong/

Check out the Hong Kong protests timeline and police brutality incidents: https://hkrev.info/

August 29

HKISPA strongly oppose selective blocking /censorship in Hong Kong: https://www.hkispa.org.hk/139-urgent-statement-of-hkispa-on-selective-blocking-of-internet-services.html

Suspicious sniffers Programmer discovers thousands of phone numbers, addresses, and geolocations apparently leaked by Russia’s ‘SORM’ surveillance tech https://meduza.io/en/feature/2019/08/27/suspicious-sniffers

- This was shared during Chaos Constructions festival at St.Petersburg, Russia last weekend

That was a story of, likely, "Lawful interception" devices (something like PRISM project that Snowden have described) in Russia leaking actually intercepted traffic. One of key differences of Lawful Interception in Russia (also known as SORM) is that it intercepts everything and sorts out what is relevant and what is not on its own. As far as I know, it's done a bit differently in EU. So those devices were leaking actual user traffic to everyone interested, including webpages visited, email addresses and, sometimes, geo-coordinates. And the cherry on the top of the story was that one of the "leaky" devices was in Sarov, nuclear research center of Russia. I worked with the journalist to make that article suitable for the general audience and, I hope, we've succeeded

August 22

Community Updates:

The economic situation is Zimbabwe is now at another level, demonstrators were beaten up last week, there are now serious level of digital & physical surveillance, cases of abductions are on an increase too. So most hrds are now living on the edge & on the run.

Vietnamese authorities are ramping up the pressure on Facebook, trying to add some verification steps so they can better monitor FB accounts.

Internet shutdown and gov deployed more than 1,000 troops to West Papua as protests continue to rage over the arrests of Papuan students.

August 8

We discussed some aspects about Southeast Asia:

So what countries do we think are the worst in surveillance and censorship in southeast Asia, besides China?

According to the past OONI tests, it's Indonesia. Should put more eyes in Vietnam and Cambodia, because we don't have many digital rights activists around those.

Are there any surveillance and censorship trends you are witnessing in the area?

cyber/ICT law. It's actually a chain effects in SE Asia. One of the country started to amend ICT law, the rest will trying to pick up. First Malaysia, then Cambodian gov trying to amend their cyber law and put something in, then SG now has this falsehood information law, then Vietnam has new cybersecurity law.

The Asian community has a lot to teach us just because they have been dealing with this stuff so much more longer and intensely because of China.

What countries do we think are the strongest in terms of digital rights.

Myanmar is good! Digital Rights organizations are growing. Indonesia as well actually, Philippines too, but Philippines too huge, they still need a lot more works.

August 1

Updates

In Moscow, 77 people asked for medical help last Saturday, over 1,300 people detained, protest leaders arrested for up to 30 days and computers and other digital media grabbed during night searches.
Notes about the protests in Russia: https://ifex.org/location/russia/

Resources for being safe during protests:

Digital Security Tips for Protesters: https://www.eff.org/deeplinks/2016/11/digital-security-tips-for-protesters
CyberSecurity during protests: https://theintercept.com/2017/04/21/cybersecurity-for-the-people-how-to-protect-your-privacy-at-a-protest/
https://docs.google.com/spreadsheets/d/153LDVGstMnB0gd8hB_6_ZIVFj4_E3FGOz1KK1HdtM0s/edit#gid=0
https://protestos.org/index.html
https://ssd.eff.org/en/module/attending-protest
How to Protest Without Sacrificing Your Digital Privacy

https://www.vice.com/en_us/article/gv59jb/guide-protect-digital-privacy-during-protest

Umbrella's Protest section:
- iOS:

https://itunes.apple.com/us/app/umbrella-security/id1453715310

- Android:

https://play.google.com/store/apps/details?id=org.secfirst.umbrella

July 18

Eva Galperin is the featured guest of this Glitter Meetup. She leads the conversations on Stalkware. Seh has convinced three companies to detect and report stalkerware and spouseware: Kaspersky, LookOut, and Malwarebytes.

Eva Galperin work: Eva work at the EFF: https://www.eff.org/about/staff/eva-galperin Some articles interviewing eva bout this and most recent citizenlab report on stalkerware: https://www.wired.com/story/eva-galperin-stalkerware-kaspersky-antivirus/ https://boingboing.net/2019/04/03/the-good-fight.html https://citizenlab.ca/2019/06/the-predator-in-your-pocket-a-multidisciplinary-assessment-of-the-stalkerware-application-industry/

What is Stalkerware and what is the state of the current industry?

Stalkerware is commercial software that is advertised to people who wish to covertly spy on other people's devices. Often these people are involved in abusive relationships with their targets. Sometimes they live together or used to live together. So stalkerware is sometimes predicated on physical access to the devices, having the username and password for the device, or being able to coverly jailbreak it.

Currently there are several companies that make this kind of software, especially for mobile devices. It runs on both iOS and Android. And there are dozens of resellers. Some of these companies are based in the US, but others are based in India and the Netherlands.

The particular variety of software I'm concerned about is in violation of the terms of use for the Google Play and iTunes stores, but it sometimes ends up in there anyway.

For using Stalkerware tech on iOS, should the phone be jailbroken as a rule?

A lot of the iOS stalkerware requires a jailbroken device, or it simply requires the AppleID and password and then scrapes iCloud backups.

And Android devices are already fine with sideloading.

Is there ever a valid use case? Since the software can be marketed as a security tool that allows you to monitor for possible un-approved access of your own phone, how can we go after the people/companies writing these software?

Tracking other devices has a use case. Tracking them in a way that is designed to fool the user into thinking that nothing is going on does not.

The key to dealing with duel use stuff is to make sure that the software has a single place where you can go to see who has access to your device and what devices have been using that access.

Where should we focus our efforts on fighting Stalkerware tech?

Covert spying. There are a lot of laws that these companies, their resellers, and their buyers are breaking.

The big problem with covert spying is also that it is especially terrifying to the victim, because they don't understand the limits of their abuser's power.

Most staklerware, once it's installed, can see all of the messages in all of your apps.

How is the future of Stalkware companies and laws?

Hopefully, this year companies will detect and report starkerware and spouseware. Then it will not matter which AV you install. It will tell you if you have spouseware or stalkerware on your device.

In the US, wiretapping is a pretty big deal, and even children have some degree of privacy rights, even from their parents.

In the meantime, the biggest problem is just finding people who can work with individuals and groups on the ground. Eva is trying to work at the policy level to make it harder for this kind of abusive behavior to take place, but individuals being targeted have a very hard time telling the difference between device compromise, account compromise, and information leaks. To them is all "my phone is hacked."

If you're suspecting your partner of using stalkerware, how does one even begin to mitigate this? what are the signs to look out for on the phone?

Usually, if you're concerned about malicious software on your device (unless you're worried about a state actor), you install anti-virus software and run it. This is not perfect, but it will detect a lot of crimeware.

Do you think this work could lead sometime to advance in finding indicators of compromise in other kind of spyware? I.E the same thing but sponsored by govs?

Yes. See LookOut's StealthMango report. Today's stalkerware is tomorrow's nation-state tooling.

Is there a reliable tool / guide to detect stalkerware in the wild? Does Google Play Protect detect them too?

Right now, I'd just recommend downloading AV from one of the three companies that has come on board. It's not foolproof, but it catches a lot of it.

Google can't even keep the products out of their own Play Store reliably.

What can the IF community do on this front? is it more advocacy? more awareness/education? It feels like the technical fight is always a cat and mouse game.

The technical fight is exhausting and annoying, but there is still a lot that can be done to increase the difficulty and cost of this kind of spying. We haven't even started the cat and mouse game yet.

There is a lot of advocacy work that can be done in getting software developers and makers of wearables and IoT devices to start thinking about domestic abuse as part of their threat model.

It's such a multi-pronged fight, that there is plenty for everyone to do.

Resources on Stalkerwares: Actual screenshots of GooglePlay and Stalkerware Apps: https://twitter.com/virqdroid/status/1151111407284473861 News related to Stalkerwares: https://www.cnet.com/news/google-removes-stalkerware-apps-after-researchers-discover-trackers-on-play-store/ LookOut report: https://www.lookout.com/info/stealth-mango-report-ty

July 11

Community News

Updates & Projects: Digital Whistleblowing Fund for European Projects: https://www.hermescenter.org/digital-whistleblowing-fund-call-for-applications-round-2/

Featured Guests

Carlos Rey-Moreno, and currently I'm coordintating the work that APC does around policy and regulation to enable community networks and small operators within the current LocNet project: https://www.apc.org/en/project/connecting-unconnected-supporting-community-networks-and-other-community-based-connectivity. I'm also one of the co-founders and director of Zenzeleni Networks (https://www.youtube.com/watch?v=R9u-hfxAeBo) a CN in rural South Africa, and have been working and researching on the topic for more than ten years, specially in Africa.

Cynthia el khoury, currently working with Carlos on APC's connecting the unconnected project as gender and women's engagement coordinator. Also a trauma resolution practitioner and healing justice activist. Has an extensive background in community health.

What is a community network?

A 'community network is telecommunication infrastructure deployed, maintained and operated by people who use that infrastructure to meet (some of) their communication needs. Having said that, community networks vary enormously among them in their scale, the technologies they use, the services they provide, their governance structure, and also the motivation behind starting one.

The reasons why they are used also vary, they go from providing services in places where there is none (or gets disrupted often, i.e. via internet shutdowns); to provide affordable services in places where people can't pay existing ones; to motivations related to technological autonomy and sovereignty. All in all, they are a people's alternative to mainstream approaches of control and decision making of the telecommunications infrastructure and the information that flows through it.

Community networks are also alternatives that grant communities agency. They enable various forms of connections and community exchanges. In some parts of the world, CNs are being utilized to conserve heritage, explore taboo dialogues and consolidate relationships. They are also revealing themselves as entry points to sensitive conversations around consent, sexualities and bodily rights. There is this misconception that community networks exist only in the "global south" while they are also in the UK and Spain.

Community Network Resources: APC study on Global South and the reason to establish community networks, their impact and technology: https://www.apc.org/en/connectivitystrategies APC published the GISWatch 2018 on Community Networks: https://www.giswatch.org/community-networks APC Community Networking Monthly Newsletter: https://www.apc.org/en/community-networks-and-local-access-monthly-newsletter Recent report from ISOC on Community Networks in Latin America: https://www.internetsociety.org/resources/doc/2018/community-networks-in-latin-america/ Recent report with ISOC on innovation spectrum: https://www.internetsociety.org/resources/doc/2019/innovations-in-spectrum-management/ Zenzeleni Networks is a Community Network in rural South Africa: https://www.youtube.com/watch?v=R9u-hfxAeBo LocNet project is APCs work around policy and regulation to enable community networks and small operators: https://www.apc.org/en/project/connecting-unconnected-supporting-community-networks-and-other-community-based-connectivity. Colnodo's community networks: https://redinc.colnodo.apc.org/ Librerouter: https://librerouter.org/ Libremesh: https://libremesh.org/ Rhizomatica: https://www.rhizomatica.org/hermes/

Training Opportunities: ISOC offers an online introductory training on community wireless networks: https://www.internetsociety.org/learning/wireless-community-networks/ In Mexico there is a Diploma that is available every year: https://techiocomunitario.net/ that is in the procress to be extended to other countries. ITU-LAC offered this year an online course titled "Programa de formación de promotores técnicos en comunidades indígenas para la generación, desarrollo y mantenimiento de tecnologías de redes de comunicación y radiodifusión": https://docs.wixstatic.com/ugd/68af39_5e894afc0f8e4b4790888b079bafc295.pdf?fbclid=IwAR3FYjdz8a6P4CG8WZ_XDPekqGtFjdeiPcgPTnDOjj3XckJAnD0_-Panigs Events like battlemesh (https://battlemesh.org/BattleMeshV12), currnetly taking place in France, DWEB (https://dwebcamp.org/), where i am attending next week along with peers from our community networks projects. the regional summits on community networks are also good learning opportunities too...

There are resources, more than one may think, sometimes embedded in calls for proposals from different donors. APC tries to crowdsource them all and include them in its monthly newsletter: https://www.apc.org/en/community-networks-and-local-access-monthly-newsletter

in different countries there are different frequencies that can be used for wireless communications, but not all of them are "free" to use... either the government or the military control them, or they have sold them to companies for big money.

https://translate.google.com/translate?sl=es&tl=en&u=https%3A%2F%2Fwww.mintic.gov.co%2Fportal%2F604%2Fw3-article-100457.html

"We will determine the technical, legal, economic and social viability of a self-sustainable model for rural social community networks, empowering communities actively through organizational and learning processes in which they can participate in its design, implementation, and operation. and appropriation of the model, "said ICT Minister Sylvia Constain."

https://www.mintic.gov.co/portal/604/w3-article-100457.html

What are the first steps for folks that want to create their own Community Network?

In general you need some capital for the equipment, relaible electricity, and, most importantly, an inclusive and participatory plan for people to join your efforts. Then if you want to provide internet services, you would need an internet connection to share. The more remote you are, the more difficult, and expensive, it is to get reliable electricity and internet.

The first skill is that It is also as important for a community to keep in mind that relationships and community values are the most valuable bit of a community network. When a community wants to start a community network, there needs to be clear and transparent communications of roles and an understand of how and why the network is being build.

Community networks can pose a great way for so many different forms of freedoms that a community can access. like setting your own internet principles, not sharing data with third parties, preventing online violence and other areas that are now so much harder to engage in on other networks.

As one community networks member from Detroit beautifully put it at IFF "you can teach community technology, but you can't a techie community" and that is one of the most important skill to have and harvest.

Technologies have evolved a lot to become almost plug and play, so you can learn slowly. There are many people around who would be super happy to support you with issues that come your way.

In terms of obstacle, beside the technical part, sometime its also administrative issue from the local authority.

Good examples of where community networks have been successful

Colnodo is a great example. Colnodo is a project of three pilots, all of them in rural areas. The challenges there have been more politician than technical because there are no regulation for that. In all the cases, they help the communities to build their own infrastructure. This year, after many months of advocacy, they made an agreement with the ICT Ministry of Colombia with the purpose of determine the variables to be taken into account for the definition of a community model of sustainable rural telecommunications in remote and uncovered areas of the country.

Mesh networks are only one way of creating community networks, and that although during a big part of their recent history, most community networks were built as wireless mesh networks, now it's not the case any more. Now there are CNs deploying fiber, there are CNs deploying GSM and LTE networks, even community networks using WiFi use complementary topologies to mesh.

At the end of the day, mesh is just a way of the WiFi routers interconnecting (meshing) with each other. This is different to the traditional way WiFi operates where, for two devices to communicate with each other, they need to go through a router, same goes for routeres communicating with each other. There is some sort of hierarchy to it in the traditional way WiFi operates that was eliminated when WiFi mesh routers started to be avaible. It is much easier to extend the infrastructure with mesh routers, although it comes with other limitations.

Some communities deploy various kinds/types of networks depending on the geography of the space. It is also good to always keep in mind the sustainability of the network before deciding on the kind.

Community Networks may seem hard to maintain and develop in a long term vision. How can we keep Community Networks evolving?

There are many people out there, like us, willing to help. So it is also important to understand from interested folks what is actually putting them off so we can try to make it easier for those who want to start a Community Network. We all need to come together and share experiences, fears, doubts etc.

Often times, community networks might seem intimidating for folks who especially do not have a "technical" "education". so that might lead some of us to go into a procrastination mode.

What helps is to get ourselves into a mindset of "i want to start a Community Network" and then find the ways to start!

Sometimes from the inside it is difficult to understand what is missing. So we need your help to understand what would help initiate a person, a group or a community into community networks.

In most countries deploying telecommunications infrastructure and providing electronic services requires licenses, or at the least telling the telecoms regulator that you are doing so.

It is easier and cheaper to build wireless networks. For this most CNs use WiFi because it can be used for free. In some countries other sepctrum, like the one for GSM or LTE networks, can be used as well, but it is not the norm (although we are fighting for this :-D).

There are some examples of CNs building fibre networks, primarily in Europe (https://b4rn.org.uk/, http://guifi.net/), but this requires a level of investment and cooperation that is out of the scope of many rural communities in the Global South.

It is also as important for a community to keep in my that relationships and community values are the most valuable bit of a community network. When a community wants to start a community network, there needs to be clear and transparent communications of roles and an understand of how and why the network is being build. Community networks can pose a great way for so many different forms of freedoms that a community can access. Like setting your own internet principles, not sharing data with third parties, preventing online violence and other areas that are now so much harder to engage in on other networks.

As one community networks member from Detroit beautifully put it at IFF "you can teach community technology, but you can't a techie community" and that is a crucial advantage that we have over regular market providers.

Let's talk about Regulation and Policies inside Community Networks and technology.

It might be daunting for people the idea of providing themselves with their own telecommunications infrastructure. Big operators have made a great job on seeding the idea of how difficult it is to do so, but actually it is not that difficult. And the only way you realize this is by actually getting your hands dirty. Starting small, familiarizing yourself with it, and build complexity as you go. There are software and hardware that allows you to "mesh" in a pretty plug-and-play way, some of them even developed by the Community Network community, like the Librerouter and Libremesh.

How is Briar or Relaynet different than a Community Network?

if it's infrastructure that you or your group have full control then it could be consider a Community Network.

The importance of the participation of civil society in the spectrum management discussions and and how can be used for non profit initiatives

Sometimes part of that spectrum is not totally assigned, sometimes that spectrum is assigned but not used in certain areas, because there's no commercial interest for it. That leaves most of the Community Networks end up using WiFi, which is not bad, as it has allowed most of the development of the CN movement, but no the most efficient way.

So, convincing governments for social used of social use of those frequencies is critical... Rhizomatica managed to get some in Mexico, and now Colnodo is in the same path in Colombia, but is not the norm.

What trends do you see in coming years regarding CNs?

There is an increasing interest on community networks from many groups (this chat is just a proof of it) as, a) it is becoming obvious that the mainstream connectivity models won't reach everyone affordably, and b) there is an increasing concern over the lack of autonomy and sovereignty we have over our own communications (and the underlying telecommunications infrsatructure). Although for many years this wasn't very fancy, many digital rights advocates are understanding its importance and wanting to know more, and in this sense community networks do bring an alternative in both cases. I hope that that growing interest translates into more community-owned infrastructure on the ground.

There is also a growing sense of movement around it, with different people contributing to solve the different challenges that CN face: making technology easier to deploy maintain and operate, creating apps and tools relevant for the communities themselves, removing policy and regulatory barriers for their deployment, creating processes and mechanisms to address inequalities and exclusion within the movement and within the CNs themselves.

We also feel that there might be cross exchanges with other movements like land rights, environmental justice, bodily and healing justice and other human rights defenders.