Information Security for Human Rights Defenders
Understanding and organizing your information
It’s important to approach information security in a thoughtful, organized way.
Consider the different types of information that you hold and seek to better understand both their value to your work and the harms to you and others that could result from an attacker accessing them. Put in place additional measures to protect those assets representing the greatest value or potential harms.
The reality is that it will not be possible to protect all your information from every possible way it could be compromised, and so you must prioritise. You should proceed systematically on the basis of risk. You should consider both the value of information to your work and the potential harms to you and others that could arise if it is compromised or lost.
You can also consider how likely it is that the value will be realised or that a given harm will occur. This provides a rational basis for prioritising where you should focus your attention.
Follow the guidance and exercises in the Holistic Security Guide, chapter 2.4 on Understanding and Cataloguing your Information
Types of Information
Our information can be stored and communicated in many ways: on paper, on our computers, on mobile phones, on the internet, on file servers, various internet services and social networking outlets. Taken together, this information comprises one of the most important assets any of us (or any organisation) has.
As with any asset, we are best served when we are sure that this asset is properly cared for so it doesn’t accidentally or maliciously get lost, corrupted, compromised, stolen or misused. In caring for our own security, we need to care for the security of our information.
Types of human rights information we manage includes:
- The outcome of the work we are doing (Reports, Database of human rights violations, Images, voice and video recordings).
- Operational information that helps us do our work:
- Text messages during an action
- Files
- Progress reports
- Other office information and communications including Financial, Human resources, Strategic organisational documents
- Personal information that identifies who we are both as members of an organisation, as well as other personal or professional affiliations
- Data generated by our use of digital devices as we work, or ‘meta-data’, which can be used to track our movements or monitor our relationships.
Common threats to information
Data Loss - Due to poor computer hygiene, malware infections, power cuts or ageing hardware, computers and other devices occasionally cease to function causing us to lose our data.
Compromised accounts - Sometimes, our passwords or ‘secret questions’ are not very difficult to break, or we are subjected to phishing attacks (which can be random or targeted for us especially) and unknowingly hand them over to a third party, who gains access to our email or social media accounts
Device inspection at checkpoints - Sometimes we may have our devices temporarily confiscated while crossing borders or military checkpoints, where the data may be copied or the computer may be infected with spyware or have a hardware keylogger attached.
Device confiscation or theft - Computers and mobile phones are common targets for thieves. Furthermore, if we face acute risk, our offices and homes may be raided by State or non-State actors and computers, mobile phones, hard drives, USB keys and servers could be ‘confiscated’ or stolen for analysis.
Mitigation techniques for common threats to information
Threat | Mitigation technique | ||
---|---|---|---|
Data loss | Have your information securely in the cloud or on a server.
Have a backup process. |
||
Compromised accounts | Use two factor authentication for all accounts
Use unique, complex passwords for all accounts Use a password manager to create, store and protect those passwords |
||
Device inspection at checkpoints | Have your sensitive information stored safely in the cloud and off of your device.
Hide or delete any apps that would provide access to this information (you can restore that app later). |
||
Device confiscation or theft | Encrypt your devices.
Same advice as with “device inspection” threat. |
||