Information Security for Human Rights Defenders
Understanding and organizing your information
It’s important to approach information security in a thoughtful, organized way.
Consider the different types of information that you hold and seek to better understand both their value to your work and the harms to you and others that could result from an attacker accessing them. Put in place additional measures to protect those assets representing the greatest value or potential harms.
The reality is that it will not be possible to protect all your information from every possible way it could be compromised, and so you must prioritise. You should proceed systematically on the basis of risk. You should consider both the value of information to your work and the potential harms to you and others that could arise if it is compromised or lost.
You can also consider how likely it is that the value will be realised or that a given harm will occur. This provides a rational basis for prioritising where you should focus your attention.
Follow the guidance and exercises in the Holistic Security Guide, chapter 2.4 on Understanding and Cataloguing your Information
Types of Information
Our information can be stored and communicated in many ways: on paper, on our computers, on mobile phones, on the internet, on file servers, various internet services and social networking outlets. Taken together, this information comprises one of the most important assets any of us (or any organisation) has.
As with any asset, we are best served when we are sure that this asset is properly cared for so it doesn’t accidentally or maliciously get lost, corrupted, compromised, stolen or misused. In caring for our own security, we need to care for the security of our information.
Types of human rights information we manage includes:
- The outcome of the work we are doing (Reports, Database of human rights violations, Images, voice and video recordings).
- Operational information that helps us do our work:
- Text messages during an action
- Files
- Progress reports
- Other office information and communications including Financial, Human resources, Strategic organisational documents
- Personal information that identifies who we are both as members of an organisation, as well as other personal or professional affiliations
- Data generated by our use of digital devices as we work, or ‘meta-data’, which can be used to track our movements or monitor our relationships.
Common threats to information
- Data Loss - Due to poor computer hygiene, malware infections, power cuts or ageing hardware, computers and other devices occasionally cease to function causing us to lose our data.
- Compromised accounts - Sometimes, our passwords or ‘secret questions’ are not very difficult to break, or we are subjected to phishing attacks (which can be random or targeted for us especially) and unknowingly hand them over to a third party, who gains access to our email or social media accounts
- Device inspection at checkpoints - Sometimes we may have our devices temporarily confiscated while crossing borders or military checkpoints, where the data may be copied or the computer may be infected with spyware or have a hardware keylogger attached.
- Device confiscation or theft - Computers and mobile phones are common targets for thieves. Furthermore, if we face acute risk, our offices and homes may be raided by State or non-State actors and computers, mobile phones, hard drives, USB keys and servers could be ‘confiscated’ or stolen for analysis.
- Information handover - Internet service providers and the providers of the email and social networking sites that we use can also hand over our data to certain authorities if a legal request is made to do so. While they protect our data from some, they are more willing to hand it over to others, and this situation is constantly changing in accordance with business and political interests.
- Targeted malware - This is a growing industry: some State authorities and other groups invest in software which is designed to trick us into downloading it and later granting the attacker access to much or all of the data on our devices.
- Surveillance and monitoring - Data brokers, internet service providers, email providers and many other companies subject the general population to surveillance by gathering and aggregating details of our online activities. While in some cases this has the aim of merely targeting us with advertisements, it can also be used to identify particular minorities to which we may belong as a target for deeper surveillance.
Mitigation techniques for common threats to information
Threat | Mitigation techniques and links to guidance |
---|---|
Data loss |
|
Compromised accounts | |
Device inspection at checkpoints |
|
Device confiscation or theft |
|
Information handover | Host your information with a company you trust, who will not turn over information to your opponents (via subpoena, request, etc). |
Targeted malware |
|
Surveillance and monitoring | Use a VPN and/or Tor browser. |