Digital Security Guide.final - law-democracy.org · of surveillance (by both State and ... are...

Myanmar: Digital Security Guide for Journalists

The Centre for Law and Democracy is a non-profit human rights organisation working internationally to provide legal expertise on foundational rights for democracy

- 1 -

Digital Security Guide for Journalists1

October 2017

1. Introduction TheInternetandotherdigitalmeansofcommunicationprovidevastlyenhancedaccess to information and serve as one of the primary vehicles for enjoyingfreedomofexpression.Similarly,forthepracticeofjournalism,thebenefitsoftheInternet and digital communicationsmore broadly are enormous. The Internethasdramaticallyincreasedtheresourcesavailabletojournalistsforresearch,themeansbywhichtheycancontactandcommunicatewithsources,andtheavenuestodistributecontentandengageindiscussionwiththeiraudiences.At the same time, journalistshave faced, andwill continue to face, anumberofthreats in the online world. The digitalisation of communications has broughtwithitnewthreatsforjournalists,suchasmassivelyincreasedpowersandmeansof surveillance (by both State and non-State actors). This can be done, amongother things, through location tracking, datamining and/or the interception ofcommunications. This has proven to be a particular challenge in the content ofprotectingtheidentityofjournalists’confidentialsourcesofinformation.Another risk is growing levels of online harassment, especially on socialmediaplatforms. Online harassment has no precise definition, but has beencharacterised by the Pew Research Center as having one of the following sixelements:beingcalledoffensivenames,beingsubjectedtointentionalattemptstoembarrass you, being physically threatened, being stalked, being harassed for asustainedperiodandbeingsexuallyharassed.2 1DraftedbyPortiaKaregeya,LegalOfficer,CentreforLawandDemocracy.ThisworkislicencedundertheCreativeCommonsAttribution-NonCommercial-ShareAlike3.0UnportedLicence.Youarefreetocopy,distributeanddisplaythisworkandtomakederivativeworks,providedyougivecredittoCentreforLawandDemocracy,donotusethisworkforcommercialpurposesanddistributeanyworksderivedfromthispublicationunderalicenceidenticaltothisone.Toviewacopyofthislicence,visit:http://creativecommons.org/licenses/by-nc-sa/3.0/.2MaeveDuncan,OnlineHarassment,PewReaserchCenter,22October2014,p.5.Availableat:http://www.pewinternet.org/2014/10/22/part-1-experiencing-online-harassment/#demographics-of-online-harassment.



- 2 -

Onlineharassmenthasaparticularlygenderedaspectaswomeningeneraltendtofacegreaterlevelsofharassmentonline,oftenofaviolentandsexualnature.A2014PewResearchCentresurveyofonlineharassmentfoundthatyoungwomenweremorelikelythanotherstoexperiencethemoresevereformsofharassment,in particular online stalking and sexual harassment, aswell as physical threatsandsustainedharassment.3Anotheriterationofthissurveyin2017,cameupwithsimilarresults:whilemenaresomewhatmore likely tobeharassedonline thanwomen,womenarefarmorelikelytobethetargetsofsexualharassmentonline.4Studiesfocusingonjournalistshavealsofoundthatintimidationisexperiencedatroughly equally rates by females and males except when it come to sexualharassmentwhichisexperiencedmoreoftenbyfemales.5TheRepresentativeonFreedomoftheMediaoftheOrganizationforSecurityandCo-operationinEurope(OSCE)hasechoedthissentimentreportingthat“femalejournalists,bloggersandother media actors are disproportionally experiencing gender-related threats,harassmentand intimidationon the Internetwhichhasadirect impacton theirsafetyandfutureonlineactivities.”6InKenya,itwasfoundthatthiscouldresult,inextremecases,inwomenjournalistsceasingtoworkasjournalistsforaperiodoftimeorevenwithdrawingentirelyfromtheInternet.7Toaddresstheseproblems,journalists,ofallgenders,shouldtakestepstoprotectthemselves.This isespeciallythecasegiventhatbothdigitalattacksthemselvesandtheentitiesthatcarrythemoutcanbedifficulttoidentifywithouthighlevelsof technical expertise.8 Ultimately, there is no way to guarantee absoluteprotection froma trulydedicatedattacker–and female journalistsmayhave totakeextrastepstoprotectthemselvesfromcertainformsofonlineharassment–butgooddigitalsecuritypracticecanmakeahugedifference.Thisguideaimstoprovide journalists, in an accessible format,with the tools they need to protecttheirowndigitalsecurity,aswellasthatoftheircolleaguesandsources.

3Ibid.4MaeveDuncan,OnlineHarassment,PewReaserchCenter,11July2017.Availableat:http://www.pewresearch.org/fact-tank/2017/07/11/key-takeaways-online-harassment/.5ElanaNewman,etal.,“Onlineabuseofwomenjournalists:TowardsanEvidence-basedApproachtoPreventionandIntervention”inOSCE,RepresentativeonFreedomoftheMedia,NewChallengestoFreedomofExpression:CounteringOnlineAbuseofFemaleJournalists,2016,p.49.Availableat:http://www.osce.org/fom/220411?download=true.6RecommendationsfollowingtheExpertMeetingNewChallengestoFreedomofExpression:CounteringOnlineAbuseofFemaleJournalists,17September2015,inOSCE,RepresentativeonFreedomoftheMedia,NewChallengestoFreedomofExpression:CounteringOnlineAbuseofFemaleJournalists,2016,p.5.Availableat:http://www.osce.org/fom/220411?download=true.7ARTICLE19andAMWIK,WomenJournalist’sDigitalSecurity[sic],May2016,p.4.Availableat:https://www.article19.org/data/files/medialibrary/38757/Women-Journalist's-Digital-Security-Kenya-2016.pdf.8JenniferR.Henrichsen,etal.,BuildingDigitalSafetyforJournalism:Asurveyofselectedissues,UNESCOSeriesonInternetFreedom,2015,p.14.Availableat:http://unesdoc.unesco.org/images/0023/002323/232358e.pdf.



- 3 -

2. Threat Modelling and Risk Assessment Asafirststepinensuringdigitalsecurity,itisimportantforjournalistsandnewsorganisations to engage in threat modelling and risk assessment of potentialsecurity threats. The objective should be to avoid over- or under-estimatingthreatsand,instead,toidentifyproperlytherisksofsurveillance,harassmentandthe possible capture of one’s digital activities, and to take appropriate steps toguardagainstthem.9

The Electronic Frontier Foundation (EFF) recommends that people ask thefollowingfivequestionswhencreatingathreatmodel:10

1. WhatdoIwanttoprotect?

Considertheinformationandassetsyouhavewhichareofvalueandneedprotecting.Thismayincludeyour location,contact lists,devices,andfilesanddocuments.Also,listandconsiderwhereandhowthisinformationisstored,whohasaccesstoitandthewaysaccesstotheinformationcouldbelimited.

2. WhodoIwanttoprotectitfrom?Thoroughlyconsiderwhichpersonsorentitiesmaywanttotargetyouoryour information. This may include individuals, corporations or Stateactors.

3. HowbadaretheconsequencesifIfail?Considerwhatthegoalsofanydigitalattackersmaybe.Forexample,ifyouarereportingastory forwhichyouhaveobtainedavideo, someonemaywant todelete that video fromyourdevices. Thatmight bemoreor lessimportanttothesuccessofyourstory.

4. HowlikelyisitthatIwillneedtoprotectit?Considerthelikelihoodorriskofanattackactuallyoccurring.Forexample,eventhoughaphonecompanywouldnormallyhaveaccesstoyourphonerecords the likelihood that theywould use those records to harm you islimited.Inotherwords,considerwhichthreatsaremorelikelytohappenandwhichthreatsareoflowprobability.

9DellaKilroy,TheStoryfulPodcast:DigitalSecurity–HowJournalistsandActivistsCanBeProtectedOnline,Storyful,31January2017.Availableat:https://storyful.com/blog/2017/01/31/the-storyful-podcast-digital-security-how-journalists-and-activists-can-be-protected-online/.10EFF,SurveillanceSelf-defense:AssessingYourRisks.Availableat:https://ssd.eff.org/en/module/assessing-your-risks.



- 4 -

5. Howmuch trouble am I willing to go through to try to prevent potential

consequences?Considertheoptionsyouhavetohelpguardagainstdigitalattacksandanytechnical, financial and social constraints that you may face in terms ofimplementing those options. Some threats may just be too difficult toguardagainst.A consideration here will be the capabilities of potential adversaries.Individual hackers, private companies and public actors may all havevarying levels of interest in and capacity to compromise your data. TheStatenormallyhasthegreatestcapabilitiesofall.

Threatmodelling isnotaone-timeprocessbutshouldbepractised ifandwhenthecontextandsituationinwhichthejournalistfindshim-orherselfchanges.11

3. Passwords Many of our digital accounts and services contain a great deal of personalinformationanddatathatmaybevulnerable.Passwordsareanimportantwayoflockingtheseservicestoprotectthemagainstaccessbyoutsiders.

a) StrongPasswords Itisveryimportanttocreatestrongpasswords.Anunfortunatechallengehereisthatwhilepasswordsmaybedifficultforahumantoremember,theycanbeveryeasyforacomputertocrack.Threerecommendedrulesofthumbare:

1. Useamixtureofrandomletters,numbersandspecialcharacters.2. Thelongerthebetter,preferably12charactersormore.3. Refrainfromusingthesamepasswordformultiplesites/services.

When creating passwords, the use of a passphrase made up of three or morerandom words is recommended. These have the advantage of being easier torecallanddifficulttohackduetotheirlength(forexample,cowplantfridgeshoes).Toincreasethelevelofrandomnesstoyourpassphrase,youcanalsousewhatisknown as the Dicewaremethod. This is amethod for picking passphrases thatusesdicetoselectwordsatrandomfroma listcalledtheDicewareWordList.12Each word on the list corresponds to a five-digit number made up of digits 11Ibid.12Dice-IndexedPassphraseWordList.Availableat:http://world.std.com/~reinhold/dicewarewordlist.pdf



- 5 -

betweenoneandsix.Inordertoengageinthismethodofchoosingapassphraseyouneedoneormoredice(simpledicefoundinboardgamesorsoldseparatelyattoyorhobbystoreswilldo).Eitherrollonediefivetimes,rollfivediceonce,oranyothercombinationyoudesire. Onceyouhaveafive-digitnumber,lookitupon the Diceware word list and select the corresponding word as part of yourpassphrase.Repeattheprocesstoselectasmanywordsasyouwishtoputinyourpassphrase,thelongerthebetter.13

b) PasswordManagers Password managers are online tools that allow you to manage the multiplepasswords that most people are bound to have across multiple platforms.Passwordsmanagersrequireyoutocreateamasterpassword(theonlyoneyouhave to remember, so it should be strong), which allows you to enter thepasswordmanagerwhich,inturn,isasortofencryptedvaultwhichcontainsallyour other passwords. Nowadays, passwordmanagers provide various optionssuchassyncingacrossmultipledevices,existingonasingledevicethatlogsintoyouraccountsforyou,ormakingsureyoudonotusethesamepasswordintoomanyplaces.14Someeffectivepasswordmanagersinclude:

• LastPass• KeePass• Dashlane• Roboform8• 1Password

c) Two-FactorAuthentication15 Enablingtwo-factorauthenticationforyouronlineaccountsisoneofthesimplestand best ways to promote online security. Two-factor authentication requiresthat, in addition to a password, one additional ‘factor’ or piece of datamust beprovided before you will be allowed into the account. This normally takes theformof a unique code sent to you via text, email or a particular app. PasswordmanagerssuchasLastPass,notedabove,incorporatetwo-factorauthenticationaspart of their security options. Major online services – including Google, Yahoo,Facebook,TwitterandDropbox–alloffertwo-factorauthentication.Authyisaninterestingtwo-factorauthenticationapplication:

13See:www.diceware.com.14AllanHenry,TheFiveBestPasswordManagers,Lifehacker,22August2017.Availableat:https://lifehacker.com/5529133/five-best-password-managers.15Google,2-StepVerification.Availableat:https://www.google.com/landing/2step/.



- 6 -

Insteadofacodesentviatextoremail,whichcanbevulnerabletohackingor surveillance, the Authy application is downloaded to your device andthen generates two-factor authentication codes automatically, offline,without Internet or cell service, relatively safe from surveillance orhacking.Furthermore,evenifyouloseyourdevice,aslongasyoureinstallAuthy on another device and login to your account you will be able tocontinuetogeneratecodesforalltheservicesyouhaveregisteredtoyourAuthyaccount.Furthermore,allyourAuthy-registeredtwo-factoraccountsarebackeduponanencryptedcloud,sothatyourdatawouldbeprotectedeveniftheAuthyserverswerehacked.

4. Email Encryption Email is themost commonmeansof communicatingdigitally, alongsidevariousformsofsocialmediaandmobileapplications.Asophisticated,highlysecurewaytoprotectemailcommunicationsistoencryptthem.Encryption,whenappliedtoemail and other digital files and communications, digitally encodes theinformationsothatit ismeaninglesstoanyonewhodoesnothavewhatisoftencalleda‘secretkey’,whichdecryptsit.PrettyGoodPrivacy(PGP)isatechnologyforencryptingemailsandfiles,makingitharderforhackerstoaccessthem.Itallowsyoutomakesureyouremailsareonly able to be read by the persons for whom they were intended, with therecipient needing to use a password to decrypt them. PGP also allows you todigitallysignyouremail,providingproofofwhosentit.InstallingPGPisan involvedprocess.TheEFFprovidesdetailed instructions forhowtoinstallPGPforbothWindowsandOSX.

5. Protection from Common Hacking and Phishing Oneofthecommonmethodsthathackersusetoobtainpersonaldataisphishing.A phishing attack usually takes the form of an email which appears to be sentfromanofficialwebsite,suchasabank,thatcontainsalinkwhich,iffollowed,willaskyoutoenterpersonalinformation,suchasapassword.Theemailmayalsoaskyou to download a document or install software. Doing so will lead to theinstallation of malicious software (know as malware) on your device. Theattackerscanthenusethatmalwaretoaccessyourdeviceremotelyandstealyourinformationorspyonyou.Herearesometipstodefendyourselfagainstphishingattacks:



- 7 -

• Donotclickonlinkssenttoyouviaemailthatyouwerenotexpectingtoreceive.Ifyouaresuspicious,usealternativemeanstoverifythattheemailwassentbythesender.Forexample,callyourbankortheindividualwhosupposedlysentyoutheemail.

• Installsoftwareupdatesassoonaspossible.Hackersrelyonsoftwarebugstoengageintheirphishingschemes;keepingsoftwareupdatedlowersthisrisk.

• Irrespectiveofhowprofessionalanemaillooks,donottrustemailsaskingforpersonalinformationunlessyouknowtheyarefromatrustedsource.

• Use password managers with auto fill. When you install a passwordmanager and save your various passwords within it, it will generallyautomatically fillapassword into thosesaveaccounts foryouunlessyouset it to do otherwise. If you follow a link to a page and your passwordmanagerdoesnotautomaticallyfillitin,thatisacluetodoublecheckthesite youarevisiting. Furthermore,pay close attention to theURLsof thelinks you receive. They may have spelling errors or strange top-leveldomains(top-leveldomainreferstothelastpartofawebaddress,suchas‘.com’). For example, “www.transferwise.com” may appear as“www.trasferwise.com” or “www.transferwise.cam”. Note also the subtleand easily missed lack of a dot after ‘www’ in“https://wwwtransferwise.com”. In addition, the ‘L’ in gmail.commay bereplacedwithacapital‘i’totricktheeye,asin‘gmaiI’.

• Open any suspicious documents in Google Drive. This converts thedocument into an image or HTML, which prevents it from installingmalwareonyourdevice.

• AvoidloggingintowebsitesviaFacebook,GoogleorTwitter.Manyonlineservicesoffer theoptionof logging into theserviceviayoursocialmediaaccounts. Illegitimate websites can use this to collect personal data andpasswords.Insteadofdoingthat,createanew,dedicatedaccountforthatwebsite.

Asageneralrule,avoidprovidingunnecessarypersonalinformation.Ifyoumust,providenon-personal (false) information anduse adisposable email address toregister with websites you only want to use a few times. The websitewww.sharklasers.com provides a service that generates disposable emailaddresses.Finally, make sure you are familiar with the privacy settings and securitycapabilitiesofthesocialmediaservicesyouuse.Hereareprivacyguidesforsomeofthemostcommonplatformsusedbyjournalists:

• Facebook• Twitter• Linkedin



- 8 -

6. Secure and Anonymous Internet Browsing IfyourInternetbrowsingisnotsecure,thenitisnotprivate.Cookies,mostsimplydescribed as small pieces of data automatically stored by websites on yourcomputerinordertotrackyouruserpreferences,areafundamentalcomponentofwebbrowsing.Itisnowcommonplaceforcookiesnotonlytostoredataaboutyour user experience but also to track data about your individual onlinebehaviour. The information stored by cookies is highly valued by marketingcompanies which use it to build personalised profiles and better target theiradvertising.Thisdataiscollectedoverlongperiodsoftimeandoftendistributedwithoutyourknowledgeandconsent,meaningthatthereisnowayofknowingifitmayendupinthehandsofactorswhowanttouseyourdatafornefariousends.Public Wi-Fi is particularly insecure. Even if a network is password protected,othersusingthatnetworkmaybeabletospyonyourwebbrowsingand,inthisway,potentiallycollectalargeamountofpersonalinformationaboutyou.Thereareanumberofwaystopromotesecuritywhilebrowsing.Fromamongthemostpopular browsers – namely Chrome, Safari, Internet Explorer and Firefox –Firefox has the best reputation for protecting user rights. The companies incontrolof theotherbrowsersareknowntohavetrackedtheirusers’behaviour.Asaresult,itisrecommendedthatyouuseFirefoxasyourdefaultbrowser.

a) BrowserExtensionsBrowserextensionsarefreeadditionsthatcanbeaddedtoyourInternetbrowserwhich help to protect your browsing from hackers, State surveillance andcorporate advertising. There are a number of extensions that you can add tobrowserstoincreasethelevelofprotection:

• PrivacyBadger:EFFcreated thisbrowseradd-on to stopadvertisersandotherthird-partytrackersfromsecretlytrackingyourbrowsingbehaviour.Whenitdetectsanadvertiserwhoistrackingyou,itautomaticallyblockstheirabilitytoloadcontenttoyourbrowser.ItisavailableforinstallationonChrome,FirefoxandOperabrowsers.

• HTTPS Everywhere: This extension, also created by EFF, makes your

browser automatically encrypt your browsing whenever possible. As aresult,italsooffersgreatprotectionagainstphishingattacks.LikePrivacyBadger,itcanbeaddedtoChrome,FirefoxandOperabrowsers.

• uBlockOrigin:This isanadblockerextensionthatblocksadvertisements

while you browse, taking into account that advertisements are a greatsourceofmalware, virusesandundesired tracking. It canbe installedonChromeandFirefox.



- 9 -

• Disconnet.me: This extension blocks trackers from following your webactivity, allowing for fasterbrowsing. It is available forbothChromeandFirefox.

b) TorBrowser16Evenifonewereusingalloftheabovetools,advancedhackers,StateactorsandInternetserviceproviderswouldstillbeable to findoutyour locationbasedonyour computer’s personal Internet Protocol (IP) address and the informationbeingsentbackand forth toyourcomputer.Noextensioncanprotectyou fromthis. Therefore, if youwish to be totally anonymous as youbrowse, you shouldconsiderusingtheTorBrowser.TheTorbrowseroperatesthroughtheTornetwork,whichensuresthattheoriginof your web communications cannot be tracked by bouncing them around theworldandthroughdifferentlayersofencryption.TheTorbrowserisparticularlyuseful for secure communication between journalists and sources for whomanonymity is of the utmost importance, such as political dissidents orwhistleblowers.TheTorbrowsernotonlyprovidesanonymousbrowsingbutalsoenablesusers to setupandusewebsiteswhichareonly accessible through theTornetwork.However,becauseitusesanonymisation,browsingwithTorcanbeslowerthanwithregularbrowsers.AnimportantcaveatisthatwhileToranonymisesyouractivities,itdoesnotmakeyourcommunicationsprivate.YouwillnotbeprotectedifyouengageinInternetactivitiesthatcanidentifyyou,suchasmakingpostsonorthroughyourFacebookpage,oremailingfromyourpersonalemailaccount.

c) VirtualPrivateNetwork(VPN)ThebestwaytoremainanonymouswhileusingstandardInternetbrowsersistouseavirtualprivatenetwork(VPN)whichencryptsyourwebtrafficandpreventsinterception.WhenyouuseaVPNyourweb requests go throughaVPNserver,whichencryptsyourdatabefore it reaches thewider Internet.Therefore,whenyouaccessawebsite,yourrequestwillappeartobecomingfromtheVPNserver,whichmaybelocatedanywhereintheworld,andnotfromyouractuallocation.In addition to encrypting your data and protecting your personal informationwhenyouusepublicnetworks,usingaVPNcanalsohelpyou toavoid Internetcensorship when you are connecting through a network that blocks certainwebsites.

16EFF,HowHTTPSandTorWorkTogethertoProtectYourAnonymityandPrivacy.Availableat:https://www.eff.org/pages/tor-and-https.



- 10 -

Technicallyproficient individuals cansetup theirownVPNserversusingopen-sourcesoftware,suchasOpenVPN,orusefreeVPNadd-onsthatcanbeaddedtotheirbrowsers.17ManyindividualsalsopayafeetosubscribetoaVPNproviderofwhichthereareverymanyoptions.VPNsoffergreatprotectionagainstsurveillancewhileusingpublicnetworksbuttheydonotprotectyourdatafromtheVPNprovideritself.TheVPNprovidermaybeable to seeyour traffic and there isnothing toprevent aVPNprovider fromcollecting your personal data. It is, therefore, important to chose your VPNcarefully,includingbytakingnoteofthelocationoftheprovider,andfindingoutaboutwhatlawstheyaresubjecttoandtheirprivacypolicies.Thiscanhelpyouunderstandwhich information is likely to be turnedover to State actors by theprovider,shouldarequest for itbemade.AprovidermayalsobeabletoaccessyourIPaddresswhileyouareusingtheservice.WhenyouwishtoavoidrevealingyourIPaddressyoucanusetheTorbrowsertoconnecttoyourVPN.18SomerecommendedVPNprovidersare:

• AirVPN• FeralHosting• CyberghostVPN

InordertoestablishaVPN,youhavetoinstallwhatiscalledaVPNclientonyourcomputerwhichcommunicateswithyourVPNprovider.Once installed,youcansimplyclickonyourclientandallyourInternetactivitywillautomaticallystarttoberoutedthroughyourVPNserver.LikeVPNproviders,youhavetopayforsomeVPNclientsbutmanyarefreeandworkreliably.TheVPNproviderAirVPNcomeswithitsownfreeclient.Otherrecommendedclientsinclude:

• Viscosity• Tunnelblick(freeforMac)• OpenVPN(freeforWindows)

d) Tails Using the Tails operating system is the ultimate anonymity option as it goesbeyondjustthewebbrowser.TailsisaprivacyandsecurityfocusedLinux-basedoperating system that canbe installedat any timeonanycomputer.TheuseofTailscanbeparticularlyhelpfulforactivistsandjournaliststoavoidsurveillanceandtoaccesstheInternetwithoutcompromisingtheirlocationanddata.Tailscan

17PrestonGralla,5greatfreeVPNsforChrome,Firefox,mobile,andbeyond,ITWorld,4August2014.Availableat:https://www.itworld.com/article/2696891/security/5-great-free-vpns-for-chrome--firefox--mobile--and-beyond.html.18EFF,Surveillance-SelfDefense:ChoosingtheVPNthat’sRightforYou.Availableat:https://ssd.eff.org/en/module/choosing-vpn-thats-right-you.



- 11 -

be installed on aUSB orDVD andused on any computerwhether it is a Linux,WindowsorApplebased.AbigadvantageofusingTails,inadditiontoitsportability,isthatitisamnesicsothatitdoesnotstoreanydatabetweenusesandnoidentifyinginformationisleftbehind.Inaddition,allInternetactivityisroutedthroughtheTornetwork,HTTPSEverywhereispreinstalledandaPGPemailclientisalsoincludedtofacilitatethesendingofencryptedemails.Aswithall security tools and software, if youuseTails,make sure thatyouareusing the latestversion.WhileTailsprovidesyouwithgreatersecurity, it isnotcompletely invulnerable.Forexample,Tailsdoesnotautomaticallyencryptyourdocuments and cannot protect you if your computer has already beencompromised.19

7. Device Loss or Seizure You should take precautionary steps to prevent your data being accessed orcompromised in case your device is lost, stolen, or temporarily confiscated. Inadditiontosecuringallyouronlineaccountsandservicesusingstrongpasswordsand two-factor authentication where possible, it is important to encrypt yourcomputer’shard-drive.OSXforMaccomeswithitsownencryptionsoftwarecalledFileVault2.Windows10 also encrypts your hard drive by default but if you have earlier versions ofWindowsyoucandownloadtheencryptionsoftwareBitlocker,20 todothesamething.YoucanalsodecidetoencryptyourfilesmanuallyusingPGP.21Ifyourdeviceisstolenorlost,yourdatacouldbecompletelylost.Toavoidthis,itisrecommendedthatyoubackupyourdataonanexternalhard-drivethatisalsoencrypted.Asa thirdand final lineofdefence,sinceanexternalhard-drivemayalsobestolenorlost,filescanbesavedtoanencryptedcloud.Anumberofcloudstorage services work just like Dropbox and Google Drive but have increasedsecurityastheyhavebuilt-inencryption.Afewsuggestionsinclude:

19NoahKelly,ADIYGuidetoFeministCyberSecurity.Availableat:https://hackblossom.org/cybersecurity/#tails.AfulllistofTails’vulnerabilitiescanbefoundat:https://tails.boum.org/doc/about/warning/index.en.html.20ChrisHoffman,HowtoSetUpBitLockerEncryptiononWindows,How-ToGeek,5October2017.Availableat:https://www.howtogeek.com/192894/how-to-set-up-bitlocker-encryption-on-windows/.21Foramoredetaileddiscussionofhardwareencryption,ausefularticlefromadigitalexpertis:MicahLee,EncryptingYourLaptopLikeyouMeanIt,TheIntercept,27April2015.Availableat:https://theintercept.com/2015/04/27/encrypting-laptop-like-mean/#osx.



- 12 -

• SpiderOak• Tresorit• Mega

You should also consider seriouslywhether someof your information is simplytoo sensitive to record or store digitally regardless of the technology you areusing.Inaddition,alwaysdeleteanycritical informationthatyoudonotneedindigitalformatfromallofyourdevices.If, after being temporarily separated from a device, for example because it isseizedatabordercrossingorelsewhere,youareworriedthatitmighthavebeentamperedwith, it isagood ideatorestorethedevice fromabackup includingareinstallation of the operating system. With a smartphone, depending on thecircumstancesandlevelofriskitwasexposedto,youmightevenconsidergettingridofthephoneandreplacingitwithanewone,towhichyoucanmigrateyourdatafromabackup.

8. Phone Protection Smartphonesmaybecompromisedinmanydifferentways.TheGPSfunctiononsmartphonesthatmanysocialmediaapplicationsusecangiveawayyourlocation.Leaving yourphoneWi-Fi enabled can also leave you vulnerable to attack, as ahackerusing anearbynetwork could collect yourmetadata evenwhenyou arenotactiveonline.Asaresult,itisbesttodisabletheWi-Fiandlocationsettingsonyourphonewheneveryoudonotneedtousethem.The best way to protect the information contained in your smartphone is toencryptitanddownloadthetoolsyouneedtobrowseanonymously.

a) MobileBrowsingPrivacyAs with desktop browsers, it is recommended that you download and use themobilebrowserdevelopedbyMozillaFirefox,availableforbothiOSandAndroiddevices.OnAndroiddevices,theFirefoxmobilebrowseralsoallowsyoutoinstallalloftheprivacyextensionsdiscussedabove.OnAppledevices,theFirefoxmobilebrowsernotonlyblockstrackers,advertisersandminimisessurveillance,butalsoletsyouextenditsprivacyfeaturestootherappsonyourdevice.22Itisbettertousetheofficialmobileapplicationsforwebsiteswhichhavecreatedthemratherthanloggingintothosewebsitesthroughthedefaultbrowseronyourdevice,whichislesssecure. 22NoahKelly,ADIYGuidetoFeministCyberSecurity,explains:“ToenablethesefeaturesinSafari,gotoSafariunderSettings,click'ContentBlockers',andenableFirefoxFocus”.See:https://hackblossom.org/cybersecurity/#mobilebrowsing.



- 13 -

b) SecureMobileMessagingThe top recommended tool for secure messaging via smartphones is the opensource software application called Signal. Signal offers end-to-end encryptedphonecallsandmessagingoftext,videosandpictures.Itcompletelyencryptsthecontentofwhatissentsothatallanyoneconductingsurveillanceonthecellularnetworkcouldseeiswhosentandreceivedthetextandwhenitwassent,butnotwhat was sent. The WhatsApp messaging application also offers end-to-endencryption but the added benefit of Signal is that your messages are alsoencryptedlocallyonthephone,sothatifanyoneelsegainscontrolofyourphonethey would need to decrypt both your application and your phone in order toview any storedmessages. EFF provides instructions on how to install and useSignalonbothAndroid23andiOS24devices.

c) MobileDeviceEncryption

ApositivedevelopmentisthatprivacyconcernshaveledtheproducersofAppleand Android devices to encrypt their devices by default, securing the datacontainedonthephonefromhackers.Inaddition,devicesnowoffergreaterlevelsofsecuritythroughtheuseofpasscodes25orfingerprintTouchID.Mostrecently,Applehasalsodevelopedafacialrecognitionoptiononitsnewestdevicestokeepothers out should your device be lost or stolen. As with passwords, it isrecommendedthatpasscodesbesixcharactersorlonger.TheEFFprovidesanindepthguideonhowtobestencryptyouriPhone,26andtheAndroidblogGreenbotdoesthesameforAndroiddevices.27

9. Other Resources and Digital Guides

• EFF,SurveillanceSelf-Defence

23EFF,Surveillance-SelfDefense:Howto:UseSignalforAndroid.Availableat:https://ssd.eff.org/en/node/93/.24EFF,Surveillance-SelfDefense:Howto:UseSignaloniOS.Availableat:https://ssd.eff.org/en/module/how-use-signal-ios.25Passcodesareastringofcharactersthatfunctionaspasswordsdobutwhicharespecificallydesignedtogainaccesstoamobiledevicesuchasatabletorsmartphone.26EFF,Surveillance-SelfDefense:Howto:EncryptYouriPhone.Availableat:https://ssd.eff.org/en/module/how-encrypt-your-iphone.27PatrickNelson,HowtoturnonAndroidencryptiontoday(nowaitingnecessary),Greenbot,19September2014.Availableat:https://www.greenbot.com/article/2145380/why-and-how-to-encrypt-your-android-device.html.



- 14 -

This guide is a great general resource about online security thatprovides a basic overviewof digital surveillance and how to avoid it,tutorials on how to install helpful tools and software, and detailedguidesaboutspecificsituations.

• Committee to Protect Journalists, CPJJournalist Security Guide: Covering

theNewsinaDangerousandChangingWorld

The ‘Technology Security’ section of this guide provides advice onunderstanding the threats journalists face when protectingcommunicationsandsecuringdata.

• TacticalTechnologyCollectiveandFrontLineDefenders:Securityin-a-Box

–DigitalSecurityToolsandTactics

This digital security guide outlines the basic principles of digitalsecurityandoffersstep-by-stepinstructionstohelpinstallandusethemost essential digital security software and services. It also offerstailored‘CommunityGuides’advisingspecificgroupsofpeopleonhowto protect themselves against digital threats faced uniquely by them.These guides include tailored advice on tools and tactics that arerelevanttotheneedsofthoseparticulargroups(forexample,GuideforLGBTactivistsinSub-SaharanAfrica).

• Privacytools.io

Thiswebsiteprovides informationaboutglobalmasssurveillanceandprovides tools to protect against it such as lists of VPN providers,browsertestingtoolsandadd-ons.

• WeFightCensorship,OnlineSurvivalKit

Thisguide“offerspracticaltools,adviceandtechniquesthatteachyouhowtocircumventcensorshipandtosecureyourcommunicationsanddata” and aims to provide readers “with themeans to resist censors,governments or interests groups that want to control news andinformationandgagdissentingvoices.”

• Digitaldefenders.org,DigitalFirstAidKit

Thisguide“aimstoprovidepreliminarysupport forpeople facing themost common types of digital threats. The Kit offers a set of self-diagnostic tools for human rights defenders, bloggers, activists andjournalists facing attacks themselves, as well as providing guidelinesfordigitalfirstresponderstoassistapersonunderthreat.”



- 15 -

• Hack*Blossom,ADIYGuidetoFeministCybersecurity

Thisguideaims“tobeacomprehensiveandaccessibleintroductiontosome of the most valuable cyber security tools available.” The guideprovides advice on how to maintain anonymity, avoid hacking, andprotectdataonlineandonvarioustypesofdevices.

10. Glossary28 Add-on

“Apieceofsoftwarethatmodifiesanothersoftwareapplication,changinghowitworksorwhatitcando.Oftenadd-onscanaddprivacyorsecurityfeaturestowebbrowsersoremailsoftware.Someadd-onsaremalware,sobecarefultoinstallonlythosethatarereputableandfromofficialsources.”

CommercialVPN

“A commercial Virtual PrivateNetwork is a private service that offers tosecurely relayyour Internet communicationsvia theirownnetwork.Theadvantageofthisisthatallofthedatayousendandreceiveishiddenfromlocalnetworks,soitissaferfromnearbycriminals,oruntrustedlocalISPsor cybercafes.AVPNmaybehosted ina foreign country,which isusefulboth for protecting communications from a local government, andbypassingnationalcensorship.ThedownsideisthatmostofthetrafficisdecryptedatthecommercialVPN'send.ThatmeansyouneedtotrustthecommercialVPN(andthecountrywhereitislocated)nottosnooponyourtraffic.”

Cookies

“Cookies are aweb technology that letwebsites recognizeyourbrowser.Cookies were originally designed to allow sites to offer online shoppingcarts, savepreferencesorkeepyou loggedon to a site.Theyalso enabletracking and profiling so sites can recognize you and learn more aboutwhere you go, which devices you use, andwhat you are interested in –evenifyoudon'thaveanaccountwiththatsite,oraren'tloggedin.”

Cryptography

28ThedefinitionsinthisglossaryarealltakenfromtheElectronicFrontierFoundation’sSurveillanceSelf-DefenceGlossary.Availableat:https://ssd.eff.org/en/glossary.



- 16 -

“Theartofdesigningsecretcodesorciphersthatletyousendandreceivemessages to a recipient without others being able to understand themessage.”

Decrypt

“Makea secretmessageordata intelligible.The ideabehindencryptionistomakemessagesthatcanonlybedecryptedbythepersonorpeoplewhoaremeanttoreceivethem.”

Encrypt

“To applyencryption technology to any sort of information orcommunication. This transforms the information or communicationmathematicallysothatitseemsmeaningless,butcanstillberestoredtoitsoriginalformbyapersonordevicethatpossessestherightsecretkey.Thislimitswhocanaccesstheinformationbecausewithouttherightsecretkey,itshouldbeimpossibletoreversetheencryptionandrecovertheoriginalinformation. Encryption is one of several technologies thatmake up thefieldcalledcryptography”

End-to-endencryption

“End-to-end encryption ensures that a message is turned into a secretmessage by its original sender, and decoded only by its final recipient.Other formsofencryptionmaydependonencryptionperformedbythirdparties.Thatmeansthatthosepartieshavetobetrustedwiththeoriginaltext. End-to-end encryption is generally regarded as safer, because itreducesthenumberofpartieswhomightbeabletointerfereorbreaktheencryption.”

Key

“Incryptography,apieceofdatawhichgivesyouthecapabilitytoencryptordecryptamessage.”

Malware

“Malware, is short formalicious software:programs that aredesigned toconductunwantedactionsonyourdevice.Computervirusesaremalware.Soareprogramsthatstealpasswords,secretlyrecordyou,ordeleteyourdata.”

Metadata



- 17 -

“Metadata (or "data about data") is everything about a piece ofinformation,apartfromtheinformationitself.Sothecontentofamessageisnotmetadata,butwhosent it,when,wherefrom,andtowhom,areallexamples of metadata. Legal systems often protect content more thanmetadata: for instance, in the United States, law enforcement needs awarrant to listen to a person's telephone calls, but claims the right toobtainthelistofwhoyouhavecalledfarmoreeasily.However,metadatacan often reveal a great deal, and will often need to be protected ascarefullyasthedataitdescribes.”

Onlineharassment

“Offensive name-calling, intentional efforts to embarrass someone,physical threats, stalking, harassment over a sustained period of time orsexualharassmentonline.”29

Operatingsystem

“A program that runs all the other programs on a computer. Windows,AndroidandApple'sOSXandiOSareallexamplesofoperatingsystems.”

PGP

“PGPorPrettyGoodPrivacywasoneofthefirstpopularimplementationsof publickey cryptography. Phil Zimmermann, its creator, wrote theprogramin1991tohelpactivistsandothersprotecttheircommunications.He was formally investigated by the US government when the programspreadoutsidetheUnitedStates.Atthetime,exportingtoolsthatincludedstrongpublic key encryptionwas a violationofUS law.PGP continues toexistasacommercialsoftwareproduct.AfreeimplementationofthesameunderlyingstandardthatPGPusescalledGnuPG(orGPG)isalsoavailable.Becausebothusethesameinterchangeableapproach,peoplewillrefertousing a “PGP key” or sending a “PGP message”, even if they are usingGnuPG.”

Riskanalysis

“In computer security,risk analysis is calculating the chance that threatsmightsucceed, soyouknowhowmucheffort tospenddefendingagainstthem. Theremay bemany differentways that youmight lose control oraccesstoyourdata,butsomeofthemarelesslikelythanothers.Assessingrisk means deciding which threats you are going to take seriously, and

29MaeveDugan,OnlineHarassment2017,PewResearchCenter–InternetandTechnology(Jul.11,2017),http://www.pewInternet.org/2017/07/11/online-harassment-2017/.



- 18 -

whichmaybetoorareortooharmless(ortoodifficulttocombat)toworryabout.Seethreatmodeling.”

Threatmodel

“A way of narrowly thinking about the sorts of protection youwant foryourdata.It'simpossibletoprotectagainsteverykindoftrickorattacker,so you should concentrate onwhich peoplemightwant your data,whattheymightwantfromit,andhowtheymightgetit.Comingupwithasetofpossibleattacksyouplantoprotectagainstiscalledthreatmodeling.Onceyouhaveathreatmodel,youcanconductariskanalysis.”

VPN

“A virtual private network is a method for connecting your computersecurelytothenetworkofanorganizationontheothersideoftheInternet.When you use aVPN, all of your computer's Internet communications ispackagedtogether,encryptedandthenrelayedtothisotherorganization,whereitisdecrypted,unpacked,andthensentontoitsdestination.Totheorganization's network, or any other computer on the wider Internet, itlookslikeyourcomputer'srequestiscomingfrominsidetheorganization,not from your location. VPNs are used by businesses to provide secureaccess to internal resources (like file servers or printers). They are alsoused by individuals to bypass local censorship, or defeat localsurveillance.”

Digital Security Guide.final - law-democracy.org · of surveillance (by both State and ... are...

Documents

Transcript of Digital Security Guide.final - law-democracy.org · of surveillance (by both State and ... are...