The importance of digital security and privacy cannot be overstated.
From human rights advocates, journalists and activists to the average user, the possibility of your communications being monitored, or the threat of your personal identity or location being exposed, pose a considerable risk, especially if you are working with sensitive information or issues. A digital security strategy that is thorough and covers all angles is essential, as it will only be as strong as its weakest link. You don't want to simply lock the door to your house when all the windows are open!
What is digital security and privacy?
Signs that information rights or digital security have been compromised might include:
- Passwords that change mysteriously
- Private messages that appear to have been read by someone other than the intended recipient
- Websites that have become inaccessible from certain countries
- Officials revealing knowledge about private correspondence, including dates, names or topics discussed
- Mobile phone conversations that individuals believe have been monitored
Do I need to be concerned about this?
Such scenarios would compromise your projects or expose you or your contacts to persecution, then you should be concerned. The knowledge and software needed to carry out such attacks on your digital privacy are often available on the internet. If the attacker has sufficient access to internet or mobile phone infrastructure in your country, the technology required is quite simple.
Government agencies, lnternet Service Providers (ISPs) and mobile phone companies have privileged access to this infrastructure, but office mates, neighbours and internet cafe operators may also have some access.
What security issues are covered in this section?
Web-based tools and mobile phones are emphasised; but there are many other technologies that may also leave you vulnerable to censorship, surveillance, and persecution. Although they are not discussed here, regularly updating your computer's operating system, reliable anti-malware software, and consistent back-up procedures are the most important basic precautions.
If you have reason to believe that your computers or data-storage devices, including your back-ups, are at risk of being lost, stolen or confiscated, or that your organisation may be subject to targeted internet surveillance (or if this is commonplace in the regions where you operate), then you should refer to Tactical Tech's Security in-a-Box toolkit.
5 Key points for digital security on the web
1. Be anonymous
Anonymity software such as Tor is useful when you do not want to reveal which websites you have visited. Tor bounces your connection between several random volunteer computers in order to prevent even your ISP or government-level observers from knowing what you are doing on the internet. However, do not use Tor when sending or receiving sensitive information to or from insecure websites. Unless you are connected to a website that supports HTTPS, it is possible for one of the volunteer computers to monitor the content as it loads. Tor is quite secure, but for the time being it slows down your internet connection.
You can use secure web-based proxies, censorship circumvention tools or anonymity software such as Tor to hide your identity from the websites you visit or to bypass Internet filters. These tools are useful when you need to access websites that are blocked; for example for research, or in order to submit updates to web-based platforms such as Facebook.
2. Communicate through secure and/or encrypted channels
Just as the person delivering your mail – or any person with access to your mailbox - could potentially sneak a look at your personal letters, someone could monitor your internet communication while you log in to an insecure website.
To protect against this kind of attack, most popular web-based email, social networking, blogging, mapping, and video platforms offer secure connections, called HTTPS. You can check whether you have a secure connection to a webpage by looking for 'https://' (rather than just 'http://') at the beginning of your browser's address bar. Many web-based tools, however, do not use HTTPS to protect any information, other than your password, that you submit to or get from their websites. As a result, if someone monitors your connection for long enough, they will learn what you have stored on that site. Your best defence against this is to look for web-based tools that use HTTPS for all pages.
Similarly, you can complement a secure channel with an additional layer of protection – encryption. Encryption is a protocol by which the message will be scrambled and unreadable by anyone except the intended recipient. Protocols like PGP (Pretty Good Privacy) are now available as free and easy-to-install plugins for many major mail clients like Thunderbird and Outlook. This protocol uses a combination of advanced cryptographic systems to not only scramble your message but also authenticate your identity to the recipient.
3. Have a strong password
Most web-based resources depend on a single password to protect your account. If a malicious individual or organisation learns this password, it doesn't matter whether you trust the site administrators, or how carefully you have tested your privacy: you will immediately lose your confidentiality and anonymity. Use our password checker to test the strength of your password.
- A password should be difficult for a computer program to guess.
- Make it long & complex: The longer a password is, and the wider the range of characters it uses (upper & lower case, numbers, punctuation), the less likely it is that a computer program would be able to guess it in a reasonable amount of time. You should try to create passwords that include ten or more characters. Some people use passwords that contain more than one word, with or without spaces between them, which are often called passphrases.
- A password should be difficult for others to figure out.
- Make it practical: If you have to write your password down because you can't remember it, you may end up facing a whole new category of threats that could leave you vulnerable to anybody with a clear view of your desk or temporary access to your home, your wallet, or even the trash bin outside your office. Check the Remembering secure passwords of security-in-a-box or consider section using a secure password database such as KeePass. Do not share your password with anyone.
- Don't make it personal: Your password should not be related to you personally. Don't choose a word or phrase based on information such as your name, social security number, telephone number, child's name, pet's name, birth date, or anything else that a person could learn by doing a little research about you.
- A password should be chosen so as to minimise damage if someone does learn it.
- Make it unique: Avoid using the same password for more than one account. Otherwise, anyone who learns that password will gain access to even more of your sensitive information.
- Keep it fresh: Change your password on a regular basis, preferably at least once every three months.
4. Keep regular backups.
Each new method of storing or transferring digital information tends to introduce several new ways in which the information in question can be lost, taken or destroyed. Years of work can disappear in an instant as a result of theft, momentary carelessness, the confiscation of computer hardware, or simply because digital storage technology is inherently fragile. There is a common saying among computer support professionals: "it's not a question of if you will lose your data; it's a question of when." So, when this happens to you, it is extremely important that you already have an up-to-date backup and a well-tested means of restoring it.
Although it is one of the most basic elements of secure computing, formulating an effective backup policy is not as simple as it sounds. It can be a significant planning hurdle for a number of reasons: the need to store original data and backups in different physical locations; the importance of keeping backups confidential; and the challenge of coordinating among different people who share information with one another using their own portable storage devices. For more detailed information, consult the chapter on digital backups in our Security-in-a-Box toolkit.
5. Cover your traces.
When using public web-based tools, such as Blogger, Facebook, and Twitter for mobilisation or coordination, remember that the information you store on such platforms becomes, to some extent, the property of the operators, and that many of these tools expose more information than you might think.
When you entrust a sensitive project to operators of any online tool, read their privacy policies or user agreements. Remember that even the most enlightened policy leaves your information under the direct control of the platform's administrators, who would be able to divulge, sell or misplace that information without your permission or knowledge. Even if you terminate your account, many of these sites do not actually delete the content you have posted or the personal information you have provided.
Unless it is important that you use a particular commercial service, either because of its accessibility or because doing so helps you blend in with lower-profile users, consider some of the rights-progressive alternatives: Blip.tv instead of YouTube; riseup.net rather than Gmail. If you have the technical resources, you can also run your own web-based services.
If you use commercial platforms, take precautions to protect yourself from malicious individuals who know how to dig up private information on such services. This is particularly true of social network site platforms such as Facebook and MySpace. Develop a thorough understanding of the privacy features that are built into these platforms, and think about the kinds of information that you might unintentionally reveal about yourself or your organisation; for example, your real name, where you live, the places to which you travel and details about upcoming events or meetings. If monitored over a long time, such information can also provide a picture of your habits and working practices.
One helpful technique is to create multiple accounts on any web-based service that you use, allowing you to use different accounts or profiles for different projects, and to maintain test accounts that you can use to 'spy' on yourself. Your privacy is better protected if you you are able to check, in different ways, what is revealed about your account; for example, through web searches or people who hold special access privileges. Me & My Shadow is a free diagnostic tool that allows you to interactively visualise how many pieces of personal information you are revealing when you use the internet.
Internet Security and Privacy Resources
- was created by Tactical Tech and Front Line to meet the digital security and privacy needs of advocates and human rights defenders.
- by Front Line provides useful information about assessing and addressing digital threats.
- by Tactical Tech features an entire section on mobile phone privacy and security.
- Global Voices created this guide to support rights advocates who want to reveal the truth and express themselves online but who may put themselves at risk by doing so.
- Tor is designed to increase the anonymity of your activities on the internet and it can also be used to bypass internet filtering. You can download it on to your computer or run it from a USB stick.
How-to Info-Activism guide Tool Profiles