Digital security, online privacy

From California Technology Festival Wiki

Security for nonprofits (Gunner)

1. How to educate people on basic security technology.
2. Users don't have a sense of what information is sensitive.
3. Don't know enough about it. Work with a lot of youth.
4. Build websites and don't know what information is vulnerable.

Facilitate technical gatherings. Facilitate human rights technology gatherings. Security, privacy, documentation, communication all fall under human rights tech. It is a pervasive topic and few people have a frame for talking about it. Need a constructive set of frames besides fearmongering.

Tor allows you to browse the web anonymously. The internet doesn't know where the request came from.

Two crises: people on the NGO side don't speak any of this, and tech folks are so in the weeds they have no language for talking with the NGOs. They are not doing it in benevolent ways. We're trying to bust open the market for security training. Not enough system administrators and security mentors. Security auditing: not enough auditors. We're trying to stay grounded in nonprofit needs. Has to be relevant to attendees at CA Tech Fest.

It's not about the technology. Two other bigger factors in thinking through security for organizations: the human factor (organizational culture and norms) and the individual factor. I feel bad for dentists; they tell everyone to floss and only a few percent of people floss. Security falls into the same category: people know they should do it but don't. Have to start from organizational culture. Raise commitment to security through accountability.

Explain to people how their bad practices are going to get other people hurt. Multiple nonprofits in the Central Valley have put personal data on undocumented folks in Google Docs. Unethical protocol to put personal information in a corporate store. Nobody thinks that's private data anymore. Think before you put data in the cloud. Convey accountability. Dialogue: just get them talking about it.

Process. Technology needs to be updated. As an organization you need someone to keep an eye on security bugs, and someone who owns updating, plus a process for addressing what they find. Without that, anything else, like firewalls, is worthless. Staying ahead of security is impossible. Minimize and reduce risk with processes.

Backup. Astounding to us how few nonprofits have backups. Backup checklist. If your site does get compromised, how are you going to restore it? WordPress allows you to export the entire site and then redeploy it relatively easily. Try to get people to think about these processes.

Another example is getting people to think about laptops and phones when they leave the office. At Aspiration, phones should have no organizational information on them. No emails. Police can pull all the information off a phone in ten seconds onto a police drive. Heaven forbid you're organizing a protest across state lines. Think about the organizational process that sets organizational norms around encrypting phones, passwords on phones, etc. A lot of people have local copies of their entire server. Processes don't mean everyone is going to follow them, but they do start people thinking about norms and practices.

An encrypted hard drive, when shut down, is about as close to a brick as you're going to get. If it's encrypted, all sorts of interesting law kicks in that makes it harder for them to access that information.

Tools. Not an easy solution. But good to think about best practices. Tor Browser: download and install it on any computer. Learn how to use it. Learn when it works and when it doesn't. We all know we're being studied for our search results. To become a smarter activist, do all of your searching in Tor Browser. You don't want to be practicing the tools you need in a crisis when you're in the crisis. You want to know how to use them before then.

Off the Record Messaging (OTR). I can use all the evil corporate tools and the message is scrambled as it goes through the corporate infrastructure.

Encrypt email. Not easy, but doable. Ultimate act of solidarity. Start sending encrypted email all the time. You can't just use encryption for suspicious activity.

Start with the human factors and org factors, start with policies, and then incrementally adopt the tools.

Most telling thing about Snowden is that all end points are compromised. Don't ever make the mistake of thinking that anything you do is secure. Keep the cost of surveilling higher by encrypting. Yahoo refuses to encrypt web traffic by default. Google, to their credit, tries to encrypt things. Idea that we are trying to keep the cost of surveillance high, that is the ultimate thing we as activists. Firefox phone aspires to have privacy baked into it with a new operating system. User-centric paradigm, not a corporate-centric paradigm. So everything is encrypted; which doesn't make it secure, but makes it harder to access.

Apps are one of the biggest mistakes activists have made. Wrote client software back in the day. Hotmail was the first web-scale software as a service. Along comes Apple and the iTunes store and we went two or three giant steps back. Rather than getting our functionality through the browser, we have to get Apple's approval to run a piece of software from their store? Apple iTunes store bans all free and open source software. Apps validate a corporate control paradigm of asking the man for permission to put code on your machine, and apps then spy on you. If at all possible, do everything through browser-based web. Apps require permission to use audio and other hardware.

Nathan Freitas wrote Orbot. Anonymity on the phone is an unsolved problem. Two complete operating systems on a phone. The baseband layer on the phone is a completely separate microprocessor, etc., completely controllable. Sell-out move to own an iPhone. Have to be able to take the battery out.

Security in NGOs. Most critical piece of data the NSA wants: the social graph. All the places where you have an ID and someone else has an ID are more uniquely identifying than your fingerprint. If you get off the grid and then come back, you only have to make 2 phone calls to be identified: your mom and your best friend. Nobody else would call those two people. In a pool of 16,000 people, it only took 4 pings to figure out who you were based on your movement.

Apps magnify risk exposure. Guardian Project: most important project. Social justice analysis: service to causes. Suppose you are filming a human rights violation; you can film it, and before you upload it to YouTube you can tell it who to blur out. So you can blur out everyone except for the authority figures. They made ObscuraCam core functionality in YouTube. They're solving real-world use cases.

What we need to be humble about: which of us has data that is dangerous to our allies? We can't know the permutative implications of how our data is being used. HTTPS Everywhere: defaults to the encrypted version of a website if it exists. Act of solidarity to have SSL and force encryption on your site. Assume your site is compromised. Riseup deletes server logs after 3 minutes. No subpoenable data. And encrypted servers.

Piwik stores the analytics data locally. Websites are basically a public place. Don't have a lot of supporter data. Put supporter data on a separate server from your CMS. Do you have the financial resources to do that? Yeah, you should.
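The "no subpoenable data" idea above (Riseup's short log retention, keeping only local analytics, treating the web server as a public place) comes down to keeping as little identifying data on the server as possible and expiring the rest quickly. The following is an added example, not code from the session or from Riseup or Piwik, showing what that looks like for a standard nginx/Apache "combined" access log: client IPs are truncated to their network, a keyed per-day pseudonym replaces the full address so abuse can still be correlated within a day, Referer and User-Agent are dropped, query strings are stripped from paths, and anything older than a retention window is purged. The log lines, the 3-minute default and the field choices are constructed assumptions for the example.

```python
"""Added example: data-minimising a combined-format web access log.

Keep the operational minimum (time, path, status, truncated network),
replace the full client address with a per-day keyed pseudonym, and
purge entries past a short retention window. Sample lines below are
constructed, not taken from a real server.
"""
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation ranges, not real visitors).
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Oct/2023:13:55:36 +0000] "GET /donate?name=alice HTTP/1.1" 200 5120 "https://example.org/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '2001:db8:1234:5678::9 - - [10/Oct/2023:13:57:01 +0000] "POST /volunteer HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Android 13)"',
    '198.51.100.4 - - [10/Oct/2023:13:59:40 +0000] "GET /wp-login.php HTTP/1.1" 404 312 "-" "curl/8.0"',
]
# Constructed "current time" for the retention check.
SAMPLE_NOW = datetime(2023, 10, 10, 14, 0, 0, tzinfo=timezone.utc)
# Assumed retention window, modelled on the 3 minutes mentioned in the notes.
RETENTION = timedelta(minutes=3)


def parse_combined(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def truncate_ip(ip):
    """Keep only the network part: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymize_ip(ip, day_key):
    """Keyed hash of the address. Rotating and discarding day_key each day means
    entries correlate within a day (for abuse handling) but not across days."""
    return hmac.new(day_key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def minimize(line, day_key):
    """Rewrite one line keeping what operations needs and nothing that identifies a visitor."""
    rec = parse_combined(line)
    if rec is None:
        return None
    parts = rec["request"].split(" ")
    path = parts[1] if len(parts) >= 2 else rec["request"]
    return {
        "time": rec["time"],
        "net": truncate_ip(rec["ip"]),
        "visitor": pseudonymize_ip(rec["ip"], day_key),
        "request": path.split("?")[0],   # query strings often carry names/emails
        "status": int(rec["status"]),
    }


def purge_expired(records, now, retention=RETENTION):
    """Drop records older than the retention window."""
    return [r for r in records if now - r["time"] <= retention]


if __name__ == "__main__":
    key = b"constructed-day-key"  # in practice: random, rotated daily, never stored
    kept = purge_expired([minimize(l, key) for l in SAMPLE_LOG], SAMPLE_NOW)
    for r in kept:
        print(r["time"].isoformat(), r["net"], r["visitor"], r["request"], r["status"])
```

Run against the constructed lines, the 13:55:36 request is already outside the 3-minute window at 14:00:00 and is dropped, while the two later requests survive with only a /24 or /48 network, a pseudonym and a bare path. The design choice worth noting is the keyed pseudonym: a plain hash of an IP is trivially reversible by hashing all four billion IPv4 addresses, so the secret key and its daily rotation are what make the pseudonym useless to anyone who later obtains the log.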

Activists feel guilt if they do anything proactive. Schneier analysis doesn't sell. The organic movement got people to worry in the 1970s about what we're putting into the body. Got people to think not just about what was going into their body, but where it was coming from. Want people to have a similar self-awareness about security. Kind of like dietary planning: I'm going to eat what I can find next week when I'm hungry. Get them the general rules they need to be secure themselves. Security analysis is always being done in a way that is not empowering.

Shrinking the attack surface is a win.

Problem with this strategy is surveillance will cost more and it will get more money, but we can't let them have this information without a fight.

For the organizations dealing with vulnerable populations: do you really need that data? Can you use a QR code? Can they keep their personal information on their phone? Assume every byte on your web server is public data. There are so many known exploits. To presume fundraising is a justification for collecting so much data is wrong. I can tell you 5 domains that, if taken offline, would halt the progressive movement. You're an idiot if you don't have a script that gets a local copy of your supporter data once a week. Copying an encrypted blob to Amazon. Much better to use YouTube, because the government is not going to shut down Flickr unless they really have to, because people use these services to look at cute cats. Nobody plans for plan B, let alone plan C. More and more people are using Salesforce and they will screw nonprofits over so quickly when the time comes. Have to have a plan for when they take that offline.
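Both the backup checklist earlier in the notes (how do you restore a compromised site?) and the weekly supporter-data copy here boil down to the same procedure: pull an export, record what it contains, keep a rolling set of copies, encrypt before anything leaves the building, and actually prove the copy restores. The following is an added example, not code from the session or from any of the services named, that runs that cycle end to end on a constructed CSV export. The paths, the eight-week retention, the restore-drill design and the use of gpg symmetric encryption (only when gpg is installed) are assumptions for the example.

```python
"""Added example: a weekly 'plan B' for supporter data.

Pack a local export with a SHA-256 manifest, keep a rolling window of
weekly archives, encrypt with gpg before the blob goes off-site, and run
a restore drill that re-hashes every file against the manifest. The
export contents, retention count and paths are constructed assumptions.
"""
import hashlib
import json
import shutil
import subprocess
import tarfile
import tempfile
from datetime import date, timedelta
from pathlib import Path

KEEP_WEEKS = 8  # assumed retention window


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, dest_dir, label):
    """Tar the export together with a manifest of per-file hashes; return the archive path."""
    source_dir, dest_dir = Path(source_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    manifest = {p.name: sha256_file(p) for p in sorted(source_dir.iterdir()) if p.is_file()}
    manifest_path = dest_dir / f"{label}.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=1))
    archive = dest_dir / f"{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for name in manifest:
            tar.add(source_dir / name, arcname=name)
        tar.add(manifest_path, arcname="MANIFEST.json")
    manifest_path.unlink()
    return archive


def restore_drill(archive):
    """Extract into scratch space and re-hash every file against the manifest.
    True only if every listed file is present and matches; a backup you have
    never restored is a hope, not a plan."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # Python 3.12+ safe-extraction filter
            except TypeError:
                tar.extractall(scratch)
        scratch = Path(scratch)
        manifest = json.loads((scratch / "MANIFEST.json").read_text())
        return all((scratch / n).is_file() and sha256_file(scratch / n) == d
                   for n, d in manifest.items())


def rotate(dest_dir, keep=KEEP_WEEKS):
    """Delete all but the newest `keep` archives (ISO-date labels sort chronologically)."""
    archives = sorted(Path(dest_dir).glob("*.tar.gz"))
    for old in archives[:-keep]:
        old.unlink()
    return [a.name for a in archives[-keep:]]


def encrypt_for_offsite(archive, passphrase_file):
    """gpg symmetric encryption (assumed installed) so the blob can sit on Amazon etc.
    Returns the .gpg path, or None when gpg is not available."""
    if shutil.which("gpg") is None:
        return None
    out = Path(str(archive) + ".gpg")
    subprocess.run(["gpg", "--batch", "--yes", "--symmetric", "--cipher-algo", "AES256",
                    "--passphrase-file", str(passphrase_file), "--output", str(out),
                    str(archive)], check=True)
    return out


def run_weekly_cycle(keep=3):
    """Constructed end-to-end run: five weekly exports, rotation, a restore drill on the
    newest archive, and a deliberately broken archive to show the drill catching it."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        export, backups = work / "export", work / "backups"
        export.mkdir()
        # Constructed supporter export, not real data.
        (export / "supporters.csv").write_text("id,email\n1,alice@example.org\n2,bob@example.org\n")
        (export / "donations.csv").write_text("supporter_id,amount\n1,25\n2,40\n")
        for week in range(5):
            label = (date(2023, 10, 2) + timedelta(weeks=week)).isoformat()
            archive = make_backup(export, backups, label)
        kept = rotate(backups, keep)
        drill_ok = restore_drill(archive)
        # Bad archive: manifest digest does not match the file it describes.
        bad, bad_manifest = work / "bad.tar.gz", work / "MANIFEST.json"
        bad_manifest.write_text(json.dumps({"supporters.csv": "0" * 64}))
        with tarfile.open(bad, "w:gz") as tar:
            tar.add(export / "supporters.csv", arcname="supporters.csv")
            tar.add(bad_manifest, arcname="MANIFEST.json")
        return {"kept": kept, "drill_ok": drill_ok, "bad_detected": not restore_drill(bad)}


if __name__ == "__main__":
    print(run_weekly_cycle())
```

Scheduling the real thing is one cron line calling a script that runs `make_backup`, `restore_drill`, `rotate` and `encrypt_for_offsite` in that order; the drill goes before the upload so a broken export is never the only copy you have. The manifest inside the archive is what turns "we have a backup" into "we have a backup and we know it is intact".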

Wish there was a timelapse showing the consequences of having shared all these photos and things about themselves since they were young. If they were just posting photos of themselves, that'd be one thing. You're messing up someone else's future.

Unsolved: attorney-client privilege. At the point that you are using Gmail, the third-party principle says your attorney-client privilege is subverted. When you put stuff on Google Apps, they can change the terms at any point and you give them permission to read all your stuff.

Imagine Raytheon buys Google.

Laws for search and seizure tend to have state-level implications. No proper nouns in sensitive emails. Assume everything you communicate electronically is public record. A lot like talking about safe sex in the 80s.

Checklists for protecting your personal information.