Security and Privacy Online for Activists
facilitated by Jordan Ramos of Aspiration/GIIP
Three potentially catastrophic security risks as an activist
- Government: they have near infinite resources to be able to record your activity, create profiles on you of exactly who you are and what you do;
- There are intergovernment attacks, e.g. the U.S. vs China; doesn't particularly affect activists
- Corporate or interorganizational attacks: people who are direct enemies to your work might try to sabotage it, e.g. by intercepting sensitive data, leaking it, altering it so that it's slanderous and make you look bad; happens frequently
- Small-scale: petty hackers, usually independent agents, main goal is to get data that is valuable to them, e.g. things they can sell, credit card numbers, passwords; they want to either be able to get onto your computer and control as much as possible, or take as much as possible to benefit themselves financially. Most are not organized; sometimes there are hacker organizations but they tend to be very loose, not specific; not trying to destroy you specifically.
Working with sensitive communities, e.g. undocumented immigrants, makes you more of a target; if you have a list of contacts in Google Docs, ICE will get their hands on it. Important to maintain security in order to protect the communities you want to work with.
Methods for security
- Data level, e.g. your computer
- If you're connected to the internet and someone has a backdoor to your system, they will be able to access your files and read anything that's there; caveat with some backdoor viruses, even if you think your internet is off they can activate it remotely without your knowledge. Turn on your webcam or microphone without your knowledge, eavesdrop on conversations. E.g. Finfisher/Finspy--take complete control of your entire computer, record keystrokes, etc.
- To protect yourself against risks:
- Don't be the weakest link. You're only as secure as the least secure part of your system. If you're sending someone emails over http, and neither you nor them takes any measure to use HTTPS/SSL, because email is encrypted while it goes across the wire (verifies that the end server is who they say they are.)
- If someone access a website or sends email using http, their data is totally visible
- OTR chat: same end-to-end encryption; your instant message is encrypted before it goes out using keys, decrypted at the end.
- If you're using HTTP with OTR, the message AND the connection are encrypted
- proxy settings: messages/data goes from your computer through other servers so your
- HTTPS: connection is scrambled when it goes out until it reaches the endpoint
- every character has a four-bit numerical binary encoding (0000, 0001, 0011, 0057, etc)
- encryption multiples each four-bit numerical binary encoding by a huge number, which is your encryption key; in order to decrypt it, you need to divide the large number
- two different sets of keys: private and public. You only have to share your public key; while the public key lets you encrypt a message to a person, it doesn't give you the data you need to decrypt a message sent to them--their private key.
- Public and private keys are relevant to communications since it involves two sets of keys
- When you encrypt a filesystem or individual files, you don't need two keys, don't need a public key; it's local, you're the only person using it. You give it a passphrase in order to reveal the private key, which you're never actually shown.
- TrueCrypt = encrypted folders; anything you drag in is automatically encrypted and reasonably safe
- If you're more paranoid, you can harden your laptop; involve encrypting your hard drive. Doesn't protect you from connection attacks, but protects the data on your computer when it's off; someone can't use your computer or access the files without your computer.
Q & A
What's the arc of your conversation as Aspiration about security? How do you take someone through risk assessment?
- It's a major challenge; if people don't perceive a risk they won't change their behavior.
- If it's framed in a way that you're only as strong as the weakest link, then people might be more interested; if they have allies that work in sensitive material or risky behavior, chances are they're not going to be as willing to share information with you if you're not secure; you can't fully engage with them without compromising their movement as a whole.
How do you make it easy for average organizations to be more secure?
- Recommend easy software solutions to enhance security:
- Security-in-a-box from Tactical Tech: hands-on how-to guides for setting up encryption, be secure, make sure mobile devices are secure
- Guardian Project: open source mobile security software, e.g. encrypted VoIP
- go with Internet service providers that a) take proper security measures and b) will fight for you.
- Checking for malware: ClamAV, ClamXAV, AVG, Gibberbot (for Android phones)
- CSipSimple (Android, Adium, Pidgin), Jitsi: VoIP client and Ostel = VoIP telephone server: provides each person with a numerical code so you can verify you have the same code and it's actually encrypted, not tampered with
- Little Snitch (Mac) or other equivalents: